
Attacks/Breaches

12/1/2016
02:25 PM

Organizations In Saudi Arabia Reportedly Hit In Destructive New Shamoon Attacks

Thousands of computers at the country's main civil aviation authority and other entities were rendered unusable by the same malware that destroyed 30,000 computers at Aramco in 2012.

Thousands of computers belonging to Saudi Arabia’s General Authority of Civil Aviation and at least five other organizations in the country have reportedly been rendered unusable in a destructive wave of cyber attacks in November.

The attacks involved the use of Shamoon, a malware tool that made headlines four years ago for erasing the hard disks of more than 30,000 computers at petroleum giant Saudi Aramco. Though few details of the latest attacks are publicly available, early signs point to Iran as the source of the attacks. But motives remain unclear, Bloomberg News said in a report Thursday, quoting unnamed sources.

The malware, which some have dubbed Shamoon 2, caused extensive damage at four of the targeted organizations, but defensive measures prevented a similar outcome at the other two, the report said. The attack on Saudi Arabia’s central aviation authority did not disrupt air travel or operational systems and was confined to the agency’s office administration systems, Bloomberg added.

Several security vendors this week described the version of Shamoon used in the recent attacks as identical to the one used in the 2012 attacks on Aramco. The only significant difference is that the images of a burning American flag left behind on computers destroyed in the 2012 Shamoon attacks have been replaced by a photo of the body of Alan Kurdi, a 3-year-old Syrian refugee who drowned in the Mediterranean in September 2015.

Shamoon, which some vendors also refer to as Disttrack, is malware designed to erase a computer’s Master Boot Record and Volume Boot Record, thereby rendering the system unusable. Some experts believed that Iran commissioned the Shamoon attacks on Saudi Aramco to deter Saudi Arabia from increasing its oil output to compensate for Iranian oil deliveries that were falling because of US-led sanctions.

Bloomberg’s sources this week speculated that the attack might have something to do with the nuclear accord that the US and other major powers reached with Iran last year and which President-elect Donald Trump has threatened to revoke.

Palo Alto Networks said in an alert Wednesday that the malware itself consists of three components: a dropper, a communications piece, and the disk wiper. It is designed to spread to as many systems as possible on a local network, typically using stolen credentials belonging to network and system administrators at the target organizations.

As with the 2012 version of Shamoon, administrator credentials and internal domain names of the targeted organization were embedded in the malware used in the recent attacks, which suggests the credentials were stolen before the tool was created, Palo Alto Networks threat analyst Robert Falcone said in the blog post.

“This is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in advance of the attacks were also hard-coded into the malware to aid in its propagation,” Falcone said.

The new version of Shamoon also uses the same commercial disk driver that performed the disk wiping in the original version, down to the same trial license key, said vendors that reviewed the new version this week. Because that trial key was valid for only 30 days in August 2012, the new malware resets the clocks of infected systems back to August 2012 so the wiper can work.
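A defender-side check suggested by the clock-reset behaviour described above, written as an added example for this article and not code from the original page or from any vendor named in it: it scans Windows Security event 4616 ("The system time was changed") records and flags resets that land in the August 2012 trial-key window, and more generally any large backward jump. The PreviousTime and NewTime fields are the real 4616 event fields; the JSON-lines export layout, the host names and the sample records are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: three Security event 4616 records exported as JSON lines.
# Hosts, users, process paths and times are made up for this example.
SAMPLE_4616_LOG = r"""
{"EventID": 4616, "Computer": "WS-ACCT-07", "SubjectUserName": "svc_backup", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "PreviousTime": "2016-11-17T14:02:10Z", "NewTime": "2016-11-17T14:02:11Z"}
{"EventID": 4616, "Computer": "WS-ACCT-12", "SubjectUserName": "admin-ops", "ProcessName": "C:\\Temp\\upd.exe", "PreviousTime": "2016-11-17T14:05:44Z", "NewTime": "2012-08-15T09:00:00Z"}
{"EventID": 4616, "Computer": "WS-ACCT-03", "SubjectUserName": "jdoe", "ProcessName": "C:\\Windows\\System32\\rundll32.exe", "PreviousTime": "2016-11-17T15:30:00Z", "NewTime": "2014-01-01T00:00:00Z"}
"""

# The wiper's trial license key was only valid during August 2012 (per the article).
SHAMOON_WINDOW = (datetime(2012, 8, 1, tzinfo=timezone.utc),
                  datetime(2012, 9, 1, tzinfo=timezone.utc))
# Legitimate NTP corrections are seconds; a backward step of a day or more is suspect.
MAX_BACKWARD = timedelta(days=1)


def parse_ts(s):
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample export."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(record):
    """Return None, 'backward_jump' or 'shamoon_window' for one 4616 record."""
    if record.get("EventID") != 4616:
        return None
    prev, new = parse_ts(record["PreviousTime"]), parse_ts(record["NewTime"])
    if prev - new < MAX_BACKWARD:        # forward steps and small corrections are benign
        return None
    if SHAMOON_WINDOW[0] <= new < SHAMOON_WINDOW[1]:
        return "shamoon_window"          # clock set into the wiper's license window
    return "backward_jump"               # large backward step; investigate anyway


def scan(log_text):
    """Return one finding per suspicious record, in log order."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        verdict = classify(rec)
        if verdict is None:
            continue
        delta = parse_ts(rec["PreviousTime"]) - parse_ts(rec["NewTime"])
        hits.append({"verdict": verdict, "computer": rec["Computer"],
                     "user": rec["SubjectUserName"], "process": rec["ProcessName"],
                     "stepped_back_days": delta.days})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_4616_LOG):
        print(hit)
```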

In 2012, the threat actors behind the Saudi Aramco attack launched it during Ramadan, Islam’s holy month, because few IT staffers would be around to respond quickly. Whoever is behind the new Shamoon attacks appears to have adopted a similar tactic by launching the attack late on Thursday, the start of the weekend in Saudi Arabia, Symantec’s threat response team said this week.

Ryan Olson, intelligence director of Palo Alto Networks’ Unit 42, says his company’s review of Shamoon 2 shows little has changed from the original version four years ago. But little other information is presently available, he says.

“For this research, we don’t have information on the attackers, victims, or motives other than the evidence we have that strongly links these attacks and attackers to the 2012 attacks,” Olson says.

Orla Cox, director of Symantec security response, says the company can confirm only one infected organization at this time. She said the organization is based in Saudi Arabia but was unwilling to share any details on the nature or scope of the damage that might have been caused.

An executive from FireEye says the company first discovered the new Shamoon attacks about three weeks ago while investigating a breach for a client. But like the other vendors, FireEye says it is unable to disclose any details of the victim organization or the breach.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...