Attacks/Breaches
12/1/2016
02:25 PM

Organizations In Saudi Arabia Reportedly Hit In Destructive New Shamoon Attacks

Thousands of computers at the country's main civil aviation authority and other entities rendered unusable by the same malware that destroyed 30,000 computers at Saudi Aramco in 2012.

Thousands of computers belonging to Saudi Arabia’s General Authority of Civil Aviation and at least five other organizations in the country have reportedly been rendered unusable in a destructive wave of cyber attacks in November.

The attacks involved the use of Shamoon, a malware tool that made headlines four years ago for erasing the hard disks of more than 30,000 computers at petroleum giant Saudi Aramco. Though few details of the latest attacks are publicly available, early signs point to Iran as the source of the attacks. But motives remain unclear, Bloomberg News said in a report Thursday, quoting unnamed sources.

The malware, which some have dubbed Shamoon 2, caused extensive damage at four of the targeted organizations, but defensive measures prevented a similar outcome at the other two, the report said. The attack on Saudi Arabia's civil aviation authority did not disrupt air travel or operational systems and was confined to the agency's office administration systems, Bloomberg added.

Several security vendors this week described the version of Shamoon that was used in the recent attacks as identical to the one that was used in the 2012 attacks on Aramco. The only significant difference is that the images of a burning American flag that were left behind on computers destroyed in the 2012 Shamoon attacks have been replaced by a photo of the body of Alan Kurdi, a 3-year old Syrian refugee who drowned in the Mediterranean in September 2015.

Shamoon, which some vendors also refer to as Disttrack, is malware designed to overwrite a computer's Master Boot Record and Volume Boot Record, leaving the system unable to boot. Some experts believed Iran commissioned the 2012 attack on Saudi Aramco to deter Saudi Arabia from raising its oil output to compensate for Iranian deliveries that were falling under US-led sanctions.

Bloomberg’s sources this week speculated that the attack might have something to do with the nuclear accord that the US and other major powers reached with Iran last year and which President-elect Donald Trump has threatened to revoke.

Palo Alto Networks said in an alert Wednesday that the malware consists of three components: a dropper, a communications module, and the disk wiper. It is designed to spread to as many systems as possible on the local network, typically using stolen credentials belonging to network and system administrators at the target organization.

As in 2012, administrator credentials and internal domain names of the targeted organization were hard-coded into the new samples, which suggests the credentials were stolen before the tool was built, Palo Alto Networks threat analyst Robert Falcone said in the blog post.

“This is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in advance of the attacks were also hard-coded into the malware to aid in its propagation,” Falcone said.

The new version also uses the same commercial disk driver for wiping as the original, down to the same trial license key, said vendors that reviewed it this week. Because that trial key was valid only for a 30-day period in August 2012, the new malware sets the clock on infected systems back to August 2012 before loading the driver, so the wiper can still run.
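The clock rollback just described is one of the few side effects of the wiper that a defender can observe before the disk is gone: a Windows host records every system time change as Security event 4616, including the previous and new time, and there is little legitimate reason for a workstation to jump back four years. The detector below is an added example written for this page, not code from the article, Palo Alto Networks, Symantec or FireEye. It assumes the 4616 events have been flattened into key=value lines (an assumed layout, similar to what a SIEM forwarder might emit), and the sample lines are constructed for illustration rather than real telemetry. It flags any backward jump larger than an hour and escalates when the new time lands inside the August 2012 license window the page describes.

```python
"""
Added example (not from the Dark Reading article or any vendor report):
flag Windows Security event 4616 (system time changed) records where the
clock was moved backward, escalating when it lands in August 2012, the
trial-license window the Shamoon wiper driver needs.
"""
import re
from datetime import datetime, timedelta, timezone

# Window the page describes: the driver's trial key was valid for 30 days in August 2012.
LICENSE_WINDOW_START = datetime(2012, 8, 1, tzinfo=timezone.utc)
LICENSE_WINDOW_END = datetime(2012, 9, 1, tzinfo=timezone.utc)

# Legitimate NTP corrections are seconds; anything beyond this going backward is suspicious.
ROLLBACK_THRESHOLD = timedelta(hours=1)

# Constructed sample events in an assumed key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    'EventID=4616 Host=ws-042 Subject="NT AUTHORITY\\LOCAL SERVICE" '
    'Process=C:\\Windows\\System32\\svchost.exe '
    'PreviousTime=2016-11-17T17:45:02Z NewTime=2016-11-17T17:45:03Z',
    'EventID=4616 Host=ws-042 Subject=CORP\\svc-backup '
    'Process=C:\\Windows\\Temp\\ntrtscan.exe '
    'PreviousTime=2016-11-17T17:46:10Z NewTime=2012-08-15T17:46:10Z',
    'EventID=4624 Host=ws-042 Subject=CORP\\svc-backup LogonType=3',
    'EventID=4616 Host=srv-01 Subject=CORP\\admin '
    'Process=C:\\Windows\\System32\\w32tm.exe '
    'PreviousTime=2016-11-17T18:00:00Z NewTime=2016-11-16T18:00:00Z',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _parse_ts(value):
    # ISO-8601 with a trailing Z; rewrite for fromisoformat on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_event(line):
    """Parse one key=value line; return a dict for 4616 events, else None."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("EventID") != "4616":
        return None
    try:
        fields["PreviousTime"] = _parse_ts(fields["PreviousTime"])
        fields["NewTime"] = _parse_ts(fields["NewTime"])
    except (KeyError, ValueError):
        return None  # malformed record: skip rather than crash the pipeline
    return fields


def assess(event):
    """Return (severity, reason) for one parsed 4616 event."""
    rollback = event["PreviousTime"] - event["NewTime"]  # positive when moved backward
    if rollback <= ROLLBACK_THRESHOLD:
        return "info", "forward or small adjustment"
    if LICENSE_WINDOW_START <= event["NewTime"] < LICENSE_WINDOW_END:
        return "critical", "clock rolled back into the Shamoon driver license window (Aug 2012)"
    return "high", "clock rolled back by %s" % rollback


def find_rollbacks(lines):
    """Scan flattened event lines and return the suspicious time changes."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        severity, reason = assess(event)
        if severity == "info":
            continue
        findings.append({
            "host": event.get("Host"),
            "process": event.get("Process"),
            "new_time": event["NewTime"].isoformat(),
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in find_rollbacks(SAMPLE_EVENTS):
        print(finding)
```

Fed real 4616 events, the critical branch would also be a useful pivot: the Process field names the binary that changed the clock, which on a Shamoon-infected host should not be w32tm.exe or a time-sync service.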

In 2012, the threat actors behind the Saudi Aramco attack launched it during Ramadan, Islam's holy month, when few IT staffers would be around to respond quickly. Whoever is behind the new Shamoon attacks appears to have adopted a similar tactic, launching the attack late on a Thursday, the start of the weekend in Saudi Arabia, Symantec's threat response team said this week.

Ryan Olson, intelligence director of Palo Alto Networks' Unit 42, says his company's review of Shamoon 2 shows little has changed from the original version four years ago. But little other information is available at present, he says.

“For this research, we don’t have information on the attackers, victims, or motives other than the evidence we have that strongly links these attacks and attackers to the 2012 attacks,” Olson says.

Orla Cox, director of Symantec security response, says the company can confirm only one infected organization at this time. She identifies it as being based in Saudi Arabia but is unwilling to share details on the nature or scope of the damage.

An executive from FireEye says the company first discovered the new Shamoon attacks about three weeks ago while investigating a breach for a client. Like the other vendors, the FireEye executive says the company cannot disclose details of the victim organization or the breach.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.