The Rise of Destructive Modern Bombs Used in

Thomas ROCCIA Security Researcher, Advanced Threat Research Whoami

Thomas ROCCIA

Security Researcher, Advanced Threat Research http://troccia.tdgt.org

@fr0gger_ Maker, Speaker Whatever…

CORIIN – Thomas Roccia – 2019 2 $300 Millions

CORIIN – Thomas Roccia – 2019 3 What is a Destructive Malware?

Destructive malware has the ability to destroy data, systems, to put out of service or to have a physical impact through digital actions.

Some are associated with propagation capabilities making the threat more destructive.

CORIIN – Thomas Roccia – 2019 4 Early Destructive Malware

Jerusalem Virus CIH Virus Infected every exe Erased flash ROM BIOS

1974 1991 2003

1987 1998

Rabbit Virus Michelangelo Virus Slammer Worm Bomb Virus DOS Attack

CORIIN – Thomas Roccia – 2019 5 Recent Destructive Attack TRITON First SIS Malware

DESTOVER NotPetya Sony Hack Pseudo

2012 2016 2018

2014 2017 v3 Wiper SHAMOON INDUSTROYER OlympicDestroyer Wiper Ukrainian Power Grid Olympic Game Attack VPNFILTER Largest DDOS Attack Malware CORIIN – Thomas Roccia – 2019 6 MIRAI: The Largest DDOS

DDOS for Hire Mirai is responsible of the largest ddos attack in 2016 on Brian Krebs website (660 GBps of traffic) BotMaster C&C Customer

IOT Botnet

Scanning weak IOT devices

DDOS Victim

Mirai was designed for DDOS attack

CORIIN – Thomas Roccia – 2019 7 NotPetya: The Pseudo Ransomware

Number of Encrypted files Cerber Wannacry 2016 NotPetya Number of File Types 187 381 176 228 65

PSEUDO-RANSOMWARE IS A DESTRUCTIVE ATTACK DISGUISED AS 1. Supply chain attack RANSOMWARE EITHER TO TAKE DOWN COMPANIES 2. Propagation (exploit, credentials) OR TO KEEP THE IT-DEPARTMENT BUSY. 3. Encrypts files and erases MBR

-- CHRISTIAAN BEEK, LEAD SCIENTIST MCAFEE

NotPetya was designed for IT destruction

CORIIN – Thomas Roccia – 2019 8 TRITON: The First SIS Malware

An essential danger in this threat is that it moves from mere digital damage to risking human lives.

Customer Network

SIS Engineering Physical Workstation Tristation Protocol UDP 1502 TRITON TRITON

Trilog.exe SIS Controllers Launch Cyberattack? IT DCS/ICS Triton was designed to target systems that protect human life

CORIIN – Thomas Roccia – 2019 9 OlympicDestroyer: « Citius, Altius, Fortius »

Deletes all the Shadow Copies Deletes the catalog No repair possible from recovery console

Deletes System and Security event logs

OlympicDestroyer was designed for disruption

CORIIN – Thomas Roccia – 2019 10 VPNFilter: TimeBomb

VPNFilter

VPNFilter targets networking devices TimeBomb Data Collection Distributed Proxy Network Overwrites the first 5000 Espionage It has the ability to perform intelligence bytes of /dev/mtdblock0 • Sniff traffic with zeros • MITM • collection and destructive attack • Deliver Exploits • DDOS • Redirect Traffic VPNFilter has the ability to act as a bomb

CORIIN – Thomas Roccia – 2019 11 Shamoon V3: Back to the Future

Shamoon Wiper first appears in 2012, back in 2016 then in 2018 • Uses the raw disk driver • Overwrite every files Another .Net wiper has been discovered • Change creation, write, and access date and time to 01/01/3000 at 12:01:01 for each files • Overwrite 2 times each files

sc create hdv_725x type= kernel start= demand binpath= WINDOWS\hdv_725x.sys 2>&1 >nul Shamoon was designed for destruction and ideology

CORIIN – Thomas Roccia – 2019 12

Destructive Techniques 4

2 3 5 1

Wiper Anti-forensic Physical Impact DoS • Sdelete.exe • Rewrites MBR • Removes Event Logs Modify internal behavior • /Exploits • Overwriting files • Encrypts Data • Deletes backups Uses exploits • Advanced persistent • Deletes MBR • Encrypts System • Disables services Sabotage or Destruction DoS • DDoS

Often designed with spreading techniques Highly targeted for Usually DDOS for Hire To be more efficient, they rarely overwrite the entire hard disk. critical infrastructures

CORIIN – Thomas Roccia – 2019 13 Propagation Mechanisms

• Some destructive malware need to be as fast as possible

Replication Usage of legitimate tools make it harder to detect and Lateral Movements

Credential • Psexec, Wmic… Harvesting • Mimikatz, exploits…

Exploit

CORIIN – Thomas Roccia – 2019 14 Classification

VPNFilter Destructive Botnet Mirai Less Destructive Reaper

Disruptor Olympic Destroyer Propagation Mechanisms

Wannacry Pseudo-Ransomware NotPetya Hermes Shamoon Wiper Destover More Destructive Physical Destroyer Industroyer Triton

CORIIN – Thomas Roccia – 2019 15 Business &

We offer services to eliminate the sites and forums of your competitors using

Our service is a quick solution to your problems with competitors and enemies.

- Low prices (from $ 50) - 24-hour order taking - Hour monitoring of all attacked resources

Attacked resources during the attack do not show signs of life, as is often the case

- Day - from $ 50 - Week - from $ 300 - Month - from $ 1000

CORIIN – Thomas Roccia – 2019 16 Business & Cybercrime

• DDOS As A Service, Powered by Bushido Botnet • Authors claimed 500 Gbps of Power

Source: https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by-bushido-botnet-.html

CORIIN – Thomas Roccia – 2019 17 Motivation behind such attacks

Financial

Terrorists Ideology APT Hacktivists Script Kiddies Competition

Nation State Organized Crime Insider Terrorism

Revenge

CORIIN – Thomas Roccia – 2019 18 Ransomware for Destruction and Distraction

• Taiwan Bank Hacked in 2017

• Cybercriminals attempted to wire US$60 million

• Remote access via on endpoints

• The backdoor contained a copy of the HERMES Ransomware in its resources.

• The ransomware encrypted the files but no ransom note was printed

CORIIN – Thomas Roccia – 2019 19 Motivation behind such attacks

• CyanWeb has been targeted in June 2018

• The company experienced a DDOS attack as a lure

• In a same time and after gaining access, attackers delivered a malware wiper to destroy all the data.

CORIIN – Thomas Roccia – 2019 20 Motivation behind such attacks: SHAMOON

• Shamoon authors have let political messages in each waves: SHAMOON v1 – 2012 • Shamoon v1: Burned American flag • Shamoon v2: Syrian refugee • Shamoon v3: Phrase from the Quran (Surah Masad, Ayat 1 [111:1]) “perish the hands of the Father of flame” SHAMOON v2 – 2016 SHAMOON v3 – 2018

CORIIN – Thomas Roccia – 2019 21 What to do?

Destructive Malware are an aggressive threat that need to be addressed seriously!

Network and User Segregation

Increase awareness of systems that can be utilized as a gateway to pivot (lateral movement)

Patch Management by Prioritization

Backup

Incident Response Plan

CORIIN – Thomas Roccia – 2019 22 What to expect in the future?

• Destructive malware will continue to evolve and be used as economical and political weapons against states and organizations.

• Supply-chain attack as spreading technique will become more common.

• DDOS botnet will become more powerful.

• Targeted attack on critical assets will be more sophisticated.

CORIIN – Thomas Roccia – 2019 23 Take Away

Destructive Malware used several techniques.

Some of them used propagation mechanisms.

Motivation and actors are different.

Destructive Malware are a serious threat that can take down a whole company or a country.

CORIIN – Thomas Roccia – 2019 24 References

https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of- attacks-on-industrial-systems/ https://blog.talosintelligence.com/2018/02/olympic-destroyer.html https://blog.talosintelligence.com/2018/05/VPNFilter.html https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle- east-europe/ https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe- infected-systems/ https://www.fortinet.com/blog/threat-research/ddos-for-hire-service-powered-by-bushido-botnet-.html https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html Icon: https://www.flaticon.com

CORIIN – Thomas Roccia – 2019 25 Thank You Thomas ROCCIA

Security Researcher, Advanced Threat Research https://securingtomorrow.mcafee.com/author/thomas-roccia/

@fr0gger_ /A

CORIIN – Thomas Roccia – 2019 26 McAfee, the McAfee logo and [insert ] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries. Other names and brands may be claimed as the property of others. Copyright © 2017 McAfee LLC.

CORIIN – Thomas Roccia – 2019 272 7