Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/4/2019
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Shades of Shamoon: New Disk-Wiping Malware Targets Middle East Orgs

'ZeroCleare' shares some of the same features as its more notorious predecessor, IBM Security says.

Threat actors believed to be operating out of Iran are once again targeting energy and industrial-sector organizations in the Middle East with a destructive disk-wiping malware similar to "Shamoon," which destroyed more than 35,000 Windows systems at Saudi Aramco a few years ago.

Researchers from IBM's X-Force team who have been tracking the new malware have dubbed the malware "ZeroCleare." In a report this week, the vendor described ZeroCleare as similar to Shamoon in some ways, but sufficiently different enough from it in other ways to be considered a completely new threat.

"Our reverse engineers performed a comparative analysis of the two attacks, which showed that they do not appear to be related at a code level," says Limor Kessem, global executive security adviser at IBM.

As with Shamoon, the new malware is designed to overwrite the master boot record (MBR) and disk partitions on Windows systems. Also like its predecessor, ZeroCleare uses EldoS RawDisk, a legitimate toolkit, to carry out its mission. MITRE describes EldoS as a driver for interacting with files, disks, and partitions. It allows users to circumvent Windows OS security features and directly modify data on a computer, making it attractive to attackers.

Available evidence suggests that ITG13, a threat group also known as APT34/OilRig, and at least one other Iran-based group is behind the attacks. ITG13's mission appears to be to enable initial access to targeted systems. One or more other Iran-based groups have then been deploying the disk-wiping ZeroCleare on them. The attacks appear to be targeted and designed specifically to disrupt operations at critical infrastructure organizations in multiple Middle East countries.

Kessem says there are a variety of reasons why nation-states might want to target the natural resource infrastructure of another country. "The repercussions of attacks on the oil industry specifically span issues related to money, trading, transportation, and geo-political tension that could be building up in a region," she says.

Kessem estimates the ZeroCleare attacks have impacted thousands of devices in the oil and gas sector in the Middle East. "We don't know the exact number of organizations that were impacted," Kessem says. "However, we do know that at least 1,400 hosts were affected by ZeroCleare."

Shamoon, which first surfaced in 2012, is believed to have infected many more systems. The last time security researchers observed the malware being used was in December 2018, when it suddenly re-emerged after a two-year hiatus. Symantec and others that tracked the attacks described them as being targeted once again at Middle East organizations. The attacks involved a new wiper that deleted files from infected systems before Shamoon then wiped the master boot record.

A Multifaceted Threat
According to IBM, the new ZeroCleare threat is designed to work on both 32-bit and 64-bit Windows systems, but the manner in which it deploys on each is different.

Because 64-bit Windows systems only allow Microsoft-signed drivers to run on the device, the EldoS RawDisk driver, which is unsigned, cannot run on them by default. To overcome this obstacle, ZeroCleare first loads a signed, but vulnerable, driver on the targeted system and then exploits the vulnerability to load the unsigned EldoS driver, IBM said. Once installed, the RawDisk driver proceeds to wipe the master boot record clean.

Destructive attacks like ZeroCleare are growing, Kessem says. The number of cases that IBM has responded to, where disk-wiping and other destructive malware was involved, has jumped 200% in just the past six months, she says.

"These attacks can be launched to fulfill everything from financial gain to military objectives," Kessem notes. "The effects can be crippling, especially as attackers target specific sectors that countries heavily rely on."

Most destructive malware attacks so far have focused on organizations in the Middle East. Motivations have ranged from financial — pressuring victims to pay by threatening to wipe their systems clean — to the geo-political. Some nation-state campaigns, for instance, have had military objectives, such as denying access to critical systems, degrading or disrupting operational capabilities, and destroying devices and data, IBM said.

Significantly, these campaigns pose a threat to organizations in any country. "US organizations need to be cognitive of their security preparedness," Kessem says. This means testing incident response plans, reassessing access management controls, and ensuring proper data backup and recovery processes are in place.

In many of these attacks, threat actors have exploited weakly protected access credentials and privileged accounts to gain an initial foothold on a target network and to then expand their access on it. So controls such as multifactor authentication, strong passwords, and least-privileged access are critical, IBM said.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.