9/12/2012 04:35 PM

The Data-Annihilation Attack Is Back

Old-school but painful data-destroying malware attacks in the Middle East a red flag to revisit incident response, recovery

The data-destroying Shamoon malware and recent wave of aggressive targeted attacks against utilities in the Middle East should serve as a wake-up call for all types of organizations to be prepared for a whole other aspect of a breach -- losing data and systems to destructive hacks.

Data-destruction attacks are not new, but have been rare in the past decade or so as financially motivated cybercrime and cyberespionage have been at the forefront of threats mainly focused on monetizing stolen information. Hacktivists, meanwhile, have employed data-wiping from time to time, but not in the volume or mass approach that Shamoon can accomplish.

Richard Bejtlich, chief security officer at Mandiant, says these recent attacks should serve as a cautionary tale for all types of organizations. "This is something everybody should worry about ... This ability to destroy people's computers and wipe them clean has been around a couple of decades, but it has taken mass events, probably caused by the Iranian government and its proxies, to wake people up," he says. "Utilities are just one victim, chosen for economic and political reasons: It could be anybody."

And Shamoon is already being repurposed for attacking additional victims: Seculert has discovered Shamoon variants. "We've seen variants with different internal-machine IP addresses used for proxy to send information," says Aviv Raff, co-founder and CTO at Seculert. It's likely the Shamoon attackers because the malware is the same, but with new internal IP addresses, he says. Raff was unable to comment on who the next targets may be, however.

Shamoon, which has been unofficially linked to a recent breach at oil giant Saudi Aramco that took down 30,000 of its workstations, doesn't spy or steal information -- it deletes it, wiping files and data and crippling the infected machines themselves by overwriting the victim machine's master boot record, which disables it altogether. It also includes a reporting feature that logs the progress of the attack for the attacker.
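Because the destructive step described above is an overwrite of the master boot record, a responder can tell a wiped sector from an intact one by checking the sector's structure and comparing it with a hash taken when the machine was known good. The Python below is an added example, not code from the article or from the researchers it quotes; the three 512-byte sectors are constructed here, and the device path in the comment is only an illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow

def sha256_hex(sector):
    """Hex digest used as the 'known good' baseline for a machine's MBR."""
    return hashlib.sha256(sector).hexdigest()

def parse_partitions(mbr):
    """Decode the four partition entries (CHS fields are skipped)."""
    entries = []
    for i in range(4):
        status, ptype, start_lba, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries

def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["expected %d bytes, got %d" % (MBR_SIZE, len(mbr))]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for n, e in enumerate(parse_partitions(mbr)):
        if e["status"] not in (0x00, 0x80):   # only 'inactive' or 'bootable' are legal
            findings.append("partition %d: invalid status byte 0x%02x" % (n, e["status"]))
        if e["type"] != 0 and e["sectors"] == 0:
            findings.append("partition %d: type set but zero length" % n)
    if baseline_sha256 is not None and sha256_hex(mbr) != baseline_sha256:
        findings.append("sector hash differs from baseline")
    return findings

# Constructed sample sectors (not captured from any real system).
_good = bytearray(MBR_SIZE)
struct.pack_into("<B3xB3xII", _good, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
_good[510:512] = BOOT_SIGNATURE
GOOD_MBR = bytes(_good)
WIPED_MBR = bytes(MBR_SIZE)           # zero-filled, as after a destructive overwrite
JUNK_MBR = b"\xff" * MBR_SIZE         # arbitrary garbage written over the sector

if __name__ == "__main__":
    # On a live system the sector would come from open("/dev/sda", "rb").read(512).
    for name, sector in (("good", GOOD_MBR), ("wiped", WIPED_MBR), ("junk", JUNK_MBR)):
        print(name, check_mbr(sector, sha256_hex(GOOD_MBR)) or "OK")
```

Record the baseline hash at imaging time and store it off the host; the structural checks alone catch a zeroed or garbage-filled sector, while the hash catches a bootable but tampered one.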

Despite its nasty effects, Shamoon is actually a fairly rudimentary piece of malware. Researchers from AlienVault Labs and Kaspersky Lab separately have analyzed the code and concluded that it's likely the work of amateur coders. There are errors in the code that aren't characteristic of seasoned programmers.

Dmitry Tarakanov, a Kaspersky Lab Expert, says the way Shamoon is constructed makes it relatively simple to tweak and reuse against another target. "We can single out three objects in Shamoon malware that could be taken as some sort of configuration. They are killer time, address of CNC [command and control], and network range from where Shamoon tries infecting computers," he says. "The first two parameters can be easily reconfigured, whilst the last one requires rewriting [the Shamoon code] a little bit. So [an] attacker can adjust those settings, recompile [the] program, and reuse it against new target."

The wiper component could easily be packaged with other malware since it doesn't rely on the Shamoon code, says Jaime Blasco, manager of AlienVault Labs. But attackers may instead want to roll their own data-annihilation malware since Shamoon is now on the radar of most antivirus products: "On the other hand, it will be better to write your own code using the main idea of Shamoon rather than using the actual components due to the high antivirus detection ratio for Shamoon," Blasco says.

Most organizations probably aren't thinking they could be the next victim of a Shamoon or Shamoon-type attack. Neither Saudi Aramco nor Qatar's RasGas -- which was hit by a similar attack late last month -- have said their data was wiped in the attacks, nor have either pointed to Shamoon as the culprit.

Mandiant's Bejtlich says he doubts many organizations have considered the possibility of the widespread destruction of computers in their incident response plan. "In my last job, we didn't have that. What if tens of thousands of machines were bleeding? That would have swamped our help desk and IT department. I'm not sure how IT would have supported getting people back online while having to do their regular business" of handling the enterprise servers and network, he says.

The scorched-earth-type attack would pose a big challenge for most IT departments, he says. IT departments would have to deal with getting the company's critical servers cleaned and back online, for example, potentially leaving end users to fend for themselves. Trying to restore tens of thousands of user machines to a "gold" image would be problematic, he says, especially if users tried to do it themselves.


"They might not get patched, or need to have their own data restored," Bejtlich says. "I get scared just thinking about it."

It takes a comprehensive IR plan that goes hand-in-hand with a disaster recovery plan, he says. "And you need a program out there for finding these guys before they execute their mission: If their mission is to destroy [data], you've got to get ahead of that mission. I'm still an advocate for fast detection and response," Bejtlich says.

Even once a machine is cleaned up and restored, the attacker could still be inside and just start all over again, deleting and destroying. So an organization needs to determine whether the attackers are still inside, and what they used to gain access in the first place, he says.

AlienVault's Blasco recommends that enterprises use the same security technologies they use for detecting other malware, but also ensure they have a proper backup system in place in case they are hit with a data-deleting attack. "You also have to have backup systems so you can recover the data in case malware is able to remove the data from your systems," he says.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
