Hackers Wiped Out Casino Computers 10min

http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/

A very interesting story of Iranian hackers (whether government sponsored or sanctioned does not matter) who attacked a casino network and deleted a large number of files using malware written in Visual Basic. (I know this is the 2014 attack, but that is sometimes when the most data becomes available…)

Apparently the billionaire owner pissed off some hacktivists in Iran after he made a statement about “nuking Iran”. The Las Vegas Sands hotels and casinos were attacked at their weakest point, a hotel in Bethlehem, PA. From there the attackers were able to obtain an admin userid/password combo that had access to the main casinos in Las Vegas.

Once on the main network, they installed malware built with Visual Basic.


The Palazzo (http://www.sands.com/united-states.html) is in Las Vegas.

The hackers used the open source tool mimikatz:

https://github.com/gentilkiwi/mimikatz


Here is a tutorial on the pentestlab blog.

mimikatz can quickly extract additional passwords from a compromised machine.


Threatpost has some details of the malware that wipes hard drives.

https://threatpost.com/details-emerge-on-sony-wiper-malware-destover/109727/

As mentioned before, Cryptolocker is also software that destroys files (or renders them unusable): http://oversitesentry.com/unplug-your-synology-devices-cryptolocker-ransomware-will-encrypt/

Fidelis published an analysis of the Darkseoul-Jokra malware: https://www.fidelissecurity.com/sites/default/files/FTA%201008%20-%20Darkseoul-Jokra%20Analysis%20and%20Recovery.pdf

This is the most interesting portion in my opinion:

{ The malware shuts the system down quickly after initial execution; it was found to finish wiping in ten to fifteen minutes in our tests. Due to the speed of the wiping it was very easy to find that the malware did not actually wipe all the data on the computer. It wiped just enough to make the machine unusable after the operation was complete. This is notable and can be seen in the operation of the malware as it makes sure to overwrite the VBR first then continue overwriting the MBR and other files. }
You may not be 100% convinced that we need to defend our systems with every effort possible, but this malware makes the case: it can wipe a large number of files within 10-15 minutes, and it only needs to destroy the boot structures (VBR, then MBR) to make a machine unusable.
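Because the wiper's damage is concentrated in the VBR and MBR, a responder can triage an affected disk image quickly by checking exactly those structures. The script below is an added example written for this post; it is not code from the Fidelis analysis or from the Sands investigation. It builds a small constructed disk image in memory (one NTFS-typed partition at LBA 64, a hypothetical layout), parses the MBR partition table and each partition's VBR, and reports which boot structures no longer look intact. The `damaged_copy` helper only zeroes sectors in that in-memory sample so the checks have something to find; nothing touches a real disk.

```python
"""Boot-structure triage for a disk image (constructed example, not the page's code).

Checks the Master Boot Record (MBR, LBA 0) and the Volume Boot Record (VBR) of
each primary partition, the structures the Darkseoul/Jokra analysis says the
wiper overwrites first. Pure sector parsing; it never writes to a real device.
"""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"        # boot signature at bytes 510-511 of MBR and VBR
NTFS_OEM = b"NTFS    "        # OEM id at bytes 3-10 of an NTFS VBR


def parse_mbr(sector0: bytes) -> dict:
    """Parse the MBR boot signature and the four primary partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("MBR must be a full 512-byte sector")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) start LBA(4) size(4)
        status, ptype, start_lba, size = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "start_lba": start_lba, "sectors": size})
    return {"signature_ok": sector0[510:512] == BOOT_SIG,
            "bootstrap_zeroed": not any(sector0[:446]),
            "partitions": entries}


def check_vbr(sector: bytes) -> dict:
    """Check an NTFS VBR: OEM id, bytes-per-sector field and boot signature."""
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "oem_ok": sector[3:11] == NTFS_OEM,
            "bytes_per_sector_ok": struct.unpack_from("<H", sector, 11)[0] == SECTOR}


def triage_image(image: bytes) -> list:
    """Return a list of findings describing damaged boot structures (empty = intact)."""
    findings = []
    mbr = parse_mbr(image[:SECTOR])
    if not mbr["signature_ok"]:
        findings.append("MBR: boot signature 55AA missing")
    if mbr["bootstrap_zeroed"]:
        findings.append("MBR: bootstrap code area is all zeros")
    if not mbr["partitions"]:
        findings.append("MBR: no partition entries")
    total_sectors = len(image) // SECTOR
    for p in mbr["partitions"]:
        if p["start_lba"] + p["sectors"] > total_sectors:
            findings.append(f"partition {p['index']}: extends past end of image")
            continue
        vbr_off = p["start_lba"] * SECTOR
        vbr = check_vbr(image[vbr_off:vbr_off + SECTOR])
        if not vbr["signature_ok"]:
            findings.append(f"partition {p['index']}: VBR boot signature missing")
        if p["type"] == 0x07 and not (vbr["oem_ok"] and vbr["bytes_per_sector_ok"]):
            findings.append(f"partition {p['index']}: VBR does not look like NTFS")
    return findings


def build_sample_image() -> bytearray:
    """Constructed sample: one NTFS-typed partition at LBA 64, 1024 sectors long."""
    start, size = 64, 1024
    img = bytearray(SECTOR * (start + size))
    img[0:3] = b"\xEB\x3C\x90"                       # stand-in bootstrap bytes
    img[446:446 + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, start, size)
    img[510:512] = BOOT_SIG
    vbr = start * SECTOR
    img[vbr:vbr + 3] = b"\xEB\x52\x90"               # NTFS jump instruction
    img[vbr + 3:vbr + 11] = NTFS_OEM
    struct.pack_into("<H", img, vbr + 11, SECTOR)    # bytes per sector
    img[vbr + 510:vbr + 512] = BOOT_SIG
    return img


def damaged_copy(image: bytes, zero_mbr: bool = True) -> bytearray:
    """Copy of the in-memory sample with every VBR zeroed and, optionally, the MBR
    zeroed as well, in the order the Fidelis analysis describes (VBR first, then MBR)."""
    img = bytearray(image)
    for p in parse_mbr(bytes(img[:SECTOR]))["partitions"]:
        off = p["start_lba"] * SECTOR
        img[off:off + SECTOR] = bytes(SECTOR)
    if zero_mbr:
        img[:SECTOR] = bytes(SECTOR)
    return img


if __name__ == "__main__":
    sample = build_sample_image()
    print("intact:", triage_image(sample))
    print("VBR wiped:", triage_image(damaged_copy(sample, zero_mbr=False)))
    print("VBR+MBR wiped:", triage_image(damaged_copy(sample)))
```

Against a real disk image you would pass the raw bytes (or a memory-mapped file) to `triage_image`; the point of the check is speed, since a wiper that only needs a few sectors to render a host unbootable leaves most of the file system recoverable if the damage is confirmed early.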
Quick review:
The main network was hacked through a weakness in a weaker ancillary location; access to the main network was gained because there was no defense in depth and no 2FA. The malware was installed because no defense-in-depth control (such as a NGFW) was in place.
