Attacks/Breaches
12/1/2016
02:25 PM
Organizations In Saudi Arabia Reportedly Hit In Destructive New Shamoon Attacks

Thousands of computers at country's main civil aviation authority and other entities rendered unusable by same malware that destroyed 30,000 computers at Aramco in 2012.

Thousands of computers belonging to Saudi Arabia’s General Authority of Civil Aviation and at least five other organizations in the country have reportedly been rendered unusable in a destructive wave of cyber attacks in November.

The attacks involved the use of Shamoon, a malware tool that made headlines four years ago for erasing the hard disks of more than 30,000 computers at petroleum giant Saudi Aramco. Few details of the latest attacks are publicly available, but early signs point to Iran as their source; the motives remain unclear, Bloomberg News said in a report Thursday, citing unnamed sources.

The malware, which some have dubbed Shamoon 2, caused extensive damage at four of the targeted organizations, but defensive measures prevented a similar outcome at the other two, the report said. The attack on Saudi Arabia’s central aviation authority did not disrupt air travel or operational systems and was confined to the agency’s office administration systems, Bloomberg added.

Several security vendors this week described the version of Shamoon that was used in the recent attacks as identical to the one that was used in the 2012 attacks on Aramco. The only significant difference is that the images of a burning American flag that were left behind on computers destroyed in the 2012 Shamoon attacks have been replaced by a photo of the body of Alan Kurdi, a 3-year old Syrian refugee who drowned in the Mediterranean in September 2015.

Shamoon, which some vendors also refer to as Disttrack, is malware designed to erase a computer’s Master Boot Record and Volume Boot Record, thereby rendering the system unusable. Some experts believed that Iran commissioned the Shamoon attacks on Saudi Aramco to deter Saudi Arabia from increasing its oil output to compensate for Iranian deliveries that were falling under US-led sanctions.
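Because the wiper's effect is the destruction of sector 0, a simple forensic triage step is to check whether a disk image's MBR still carries a boot signature and a plausible partition table. The following is an added example written for this article, not code from the original page or from any vendor report; the two sample sectors it builds are constructed here, and the "looks wiped" heuristic (missing 0x55AA signature, empty partition table, or a boot-code area filled with a single byte value) is an assumption chosen for illustration.

```python
"""Triage check for a wiped Master Boot Record (MBR).

Inspects a 512-byte sector-0 image and reports whether the boot signature
and partition table look intact. The sample sectors below are constructed
for this example; nothing here is derived from Shamoon's own code.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"          # standard MBR boot signature at offset 510


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(sector: bytes) -> dict:
    """Summarise sector 0: signature present, partitions found, and a wiped-looking verdict."""
    has_sig = sector[510:512] == BOOT_SIG
    # A boot-code area made of one repeated byte value is not real boot code.
    code_uniform = len(set(sector[:446])) <= 1
    parts = parse_partition_table(sector) if has_sig else []
    return {
        "boot_signature": has_sig,
        "partitions": len(parts),
        "looks_wiped": (not has_sig) or (len(parts) == 0) or code_uniform,
    }


def build_sample_mbr() -> bytes:
    """Constructed healthy sector: a few boot-code bytes and one bootable NTFS-type partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\x33\xc0\x8e"                     # illustrative boot-code prefix
    sector[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def build_wiped_mbr(fill: int = 0x00) -> bytes:
    """Constructed wiped sector: every byte overwritten with the same value."""
    return bytes([fill]) * SECTOR_SIZE


if __name__ == "__main__":
    print("healthy:", inspect_mbr(build_sample_mbr()))
    print("wiped:  ", inspect_mbr(build_wiped_mbr()))
```

On a real image, feed `inspect_mbr` the first 512 bytes of the device or image file; the check is intentionally cheap so it can be run across many hosts during initial scoping.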

Bloomberg’s sources this week speculated that the attack might have something to do with the nuclear accord that the US and other major powers reached with Iran last year and which President-elect Donald Trump has threatened to revoke.

Palo Alto Networks said in an alert Wednesday that the malware consists of three components: a dropper, a communications piece, and the disk wiper. It is designed to spread to as many systems as possible on a local network, typically using stolen credentials belonging to network and system administrators at the target organizations.

As in the 2012 version of Shamoon, administrator credentials and internal domain names of the targeted organization were embedded in the new malware, which suggests the credentials were stolen before the tool was built, Palo Alto Networks threat analyst Robert Falcone said in the blog post.

“This is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in advance of the attacks were also hard-coded into the malware to aid in its propagation,” Falcone said.

The new version of Shamoon also uses the same commercial disk driver for wiping as the original, down to the same trial license key, said vendors that reviewed the new version this week. Because that trial key was only valid for 30 days in August 2012, the new malware resets the clock on infected systems back to August 2012 so the wiper can work.
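Both behaviours described in the last few paragraphs leave traces a defender can look for: propagation with pre-stolen administrator credentials shows up as one account authenticating to many hosts in a short window, and the clock rollback needed for the trial driver key shows up as a system-time change that jumps back by years. The following detection script is an added example written for this article, not code from Palo Alto Networks, Symantec or the original page. It assumes Windows Security events exported as simple comma-separated lines (event 4624 for logons with `logon_type=3` for network logons, event 4616 for "the system time was changed" with its previous and new times); that line format and every record in `SAMPLE_LOG` are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""Detections over constructed Windows Security-log records.

Two checks run over exported logon and time-change events:
  * find_credential_fanout: one account reaching many hosts in a short window
    (credential-driven lateral spread);
  * find_clock_rollbacks: a 4616 event whose new system time is years behind
    the previous time (clock reset to satisfy a time-limited driver key).
The line format and every record below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: timestamp,host,event_id,key=value,...
SAMPLE_LOG = """\
2016-11-17T19:00:05Z,HOST01,4624,account=svc_admin,logon_type=3,src=10.0.0.5
2016-11-17T19:00:41Z,HOST02,4624,account=svc_admin,logon_type=3,src=10.0.0.5
2016-11-17T19:01:12Z,HOST02,4624,account=jdoe,logon_type=2,src=-
2016-11-17T19:01:30Z,HOST03,4624,account=svc_admin,logon_type=3,src=10.0.0.5
2016-11-17T19:02:02Z,HOST04,4624,account=svc_admin,logon_type=3,src=10.0.0.5
2016-11-17T19:02:55Z,HOST05,4624,account=svc_admin,logon_type=3,src=10.0.0.5
2016-11-17T19:03:40Z,HOST06,4624,account=svc_admin,logon_type=3,src=10.0.0.5
2016-11-17T19:04:10Z,HOST01,4616,previous=2016-11-17T19:04:09Z,new=2012-08-15T00:00:00Z,account=svc_admin
2016-11-17T19:06:00Z,HOST03,4616,previous=2016-11-17T19:05:58Z,new=2016-11-17T19:06:00Z,account=LOCAL SERVICE
"""


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_event(line: str) -> dict:
    """Split one constructed record into a dict with ts, host, event_id and its key=value fields."""
    ts, host, event_id, *kv = line.strip().split(",")
    fields = dict(item.split("=", 1) for item in kv)
    return {"ts": parse_time(ts), "host": host, "event_id": int(event_id), **fields}


def parse_log(text: str) -> list:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def find_credential_fanout(events, window=timedelta(minutes=10), min_hosts=5) -> dict:
    """Accounts whose network logons (type 3) reached >= min_hosts distinct hosts within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == "3":
            by_account[e["account"]].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # Sliding window anchored at each logon; count distinct target hosts inside it.
            hosts = {e["host"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


def find_clock_rollbacks(events, min_years=1) -> list:
    """4616 events where the new system time is at least min_years before the previous time."""
    hits = []
    for e in events:
        if e["event_id"] != 4616:
            continue
        prev, new = parse_time(e["previous"]), parse_time(e["new"])
        if prev - new >= timedelta(days=365 * min_years):
            hits.append({"host": e["host"], "account": e["account"], "set_to": new})
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential fan-out:", find_credential_fanout(evs))
    print("clock rollbacks:   ", find_clock_rollbacks(evs))
```

The fan-out check deliberately ignores interactive logons (type 2) so that an administrator working at a console does not trip it, and the rollback check ignores ordinary NTP corrections of a few seconds; both are starting points, and the window, host count and year threshold should be set from the organisation's own baseline.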

In 2012, the threat actors behind the Saudi Aramco attack launched it during Ramadan, Islam’s holy month, because few IT staffers would be around to respond quickly. Whoever is behind the new Shamoon attacks appears to have adopted a similar tactic by launching the attack late on a Thursday, the start of the weekend in Saudi Arabia, Symantec’s threat response team said this week.

Ryan Olson, intelligence director of Palo Alto Networks’ Unit 42, says his company’s review of Shamoon 2 shows little has changed from the original version four years ago. But little other information is presently available, he says.

“For this research, we don’t have information on the attackers, victims, or motives other than the evidence we have that strongly links these attacks and attackers to the 2012 attacks,” Olson says.

Orla Cox, director of Symantec security response, says the company can confirm only one infected organization at this time. She identifies the organization as being based in Saudi Arabia, but was unwilling to share any details on the nature or scope of the damage that might have been caused.

An executive from FireEye says the company first discovered the new Shamoon attacks about three weeks ago while investigating a breach for a client. But like the other vendors, FireEye is unable to disclose any details of the victim organization or the breach, the executive says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
