9/12/2012
04:35 PM
The Data-Annihilation Attack Is Back

Old-school but painful data-destroying malware attacks in the Middle East a red flag to revisit incident response, recovery

The data-destroying Shamoon malware and recent wave of aggressive targeted attacks against utilities in the Middle East should serve as a wake-up call for all types of organizations to be prepared for a whole other aspect of a breach -- losing data and systems to destructive hacks.

Data-destruction attacks are not new, but have been rare in the past decade or so as financially motivated cybercrime and cyberespionage have been at the forefront of threats mainly focused on monetizing stolen information. Hacktivists, meanwhile, have employed data-wiping from time to time, but not in the volume or mass approach that Shamoon can accomplish.

Richard Bejtlich, chief security officer at Mandiant, says these recent attacks should serve as a cautionary tale for all types of organizations. "This is something everybody should worry about ... This ability to destroy people's computers and wipe them clean has been around a couple of decades, but it has taken mass events, probably caused by the Iranian government and its proxies, to wake people up," he says. "Utilities are just one victim, chosen for economic and political reasons: It could be anybody."

And Shamoon is already being repurposed against additional victims: Seculert has discovered Shamoon variants in the wild. "We've seen variants with different internal-machine IP addresses used for proxy to send information," says Aviv Raff, co-founder and CTO at Seculert. The variants are likely the work of the same Shamoon attackers, since the malware is otherwise identical apart from the new internal IP addresses, he says. Raff was unable to comment on who the next targets may be, however.

Shamoon, which has been unofficially linked to a recent breach at oil giant Saudi Aramco that took down 30,000 of its workstations, doesn't spy or steal information -- it deletes it, wiping files and data and crippling the infected machines themselves by overwriting the victim machine's master boot record, which disables it altogether. It also includes a reporting feature that logs the progress of the attack for the attacker.

Despite its nasty effects, Shamoon is actually a fairly rudimentary piece of malware. Researchers from AlienVault Labs and Kaspersky Lab separately have analyzed the code and concluded that it's likely the work of amateur coders. There are errors in the code that aren't characteristic of seasoned programmers.

Dmitry Tarakanov, a Kaspersky Lab Expert, says the way Shamoon is constructed makes it relatively simple to tweak and reuse against another target. "We can single out three objects in Shamoon malware that could be taken as some sort of configuration. They are killer time, address of CNC [command and control], and network range from where Shamoon tries infecting computers," he says. "The first two parameters can be easily reconfigured, whilst the last one requires rewriting [the Shamoon code] a little bit. So [an] attacker can adjust those settings, recompile [the] program, and reuse it against new target."

The wiper component could easily be packaged with other malware since it doesn't rely on the Shamoon code, says Jaime Blasco, manager of AlienVault Labs. But attackers may instead want to roll their own data-annihilation malware since Shamoon is now on the radar of most antivirus products: "On the other hand, it will be better to write your own code using the main idea of Shamoon rather than using the actual components due to the high antivirus detection ratio for Shamoon," Blasco says.

Most organizations probably aren't thinking they could be the next victim of a Shamoon or Shamoon-type attack. Neither Saudi Aramco nor Qatar's RasGas -- which was hit by a similar attack late last month -- has said its data was wiped in the attacks, nor has either pointed to Shamoon as the culprit.

Mandiant's Bejtlich says he doubts many organizations have considered the possibility of the widespread destruction of computers in their incident response plan. "In my last job, we didn't have that. What if tens of thousands of machines were bleeding? That would have swamped our help desk and IT department. I'm not sure how IT would have supported getting people back online while having to do their regular business" of handling the enterprise servers and network, he says.

The scorched-earth-type attack would pose a big challenge for most IT departments, he says. IT departments would have to deal with getting the company's critical servers cleaned and back online, for example, potentially leaving end users to fend for themselves. Trying to restore tens of thousands of user machines to a "gold" image would be problematic, he says, especially if users tried to do it themselves.


"They might not get patched, or need to have their own data restored," Bejtlich says. "I get scared just thinking about it."

It takes a comprehensive IR plan that goes hand-in-hand with a disaster recovery plan, he says. "And you need a program out there for finding these guys before they execute their mission: If their mission is to destroy [data], you've got to get ahead of that mission. I'm still an advocate for fast detection and response," Bejtlich says.

Even once a machine is cleaned up and restored, the attacker could still be inside the network and simply start all over again, deleting and destroying. So an organization needs to determine whether the attackers are still inside, and what they used to gain access in the first place, he says.

AlienVault's Blasco recommends that enterprises use the same security technologies they use for detecting other malware, but also ensure they have a proper backup system in place in case they are hit with a data-deleting attack. "You also have to have backup systems so you can recover the data in case malware is able to remove the data from your systems," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
