Privacy News Phishing Attack Hits Saudi Govt Networks With Disk-Wiping Malware

Tony Cole

Level 27
Thread author
Verified
May 11, 2014
1,639
falcon_overwatch.jpg



Hackers penetrated into six Saudi Arabian government agencies including its General Authority of Civil Aviation, and bricked thousands of computers with the well-known Shamoon disk-wiper malware. Saudi's Central Bank denies it was hit despite earlier reports that it was one of the victims.

Bloomberg reports that an investigation into the breach, which is still in its early stages, is currently underway, citing two anonymous sources briefed on the investigation and pointed at Iran as the likely culprit. This attack is very similar to the 2012 incident that destroyed 35,000 machines at the Saudi state oil company Saudi Aramco. The malware was installed using passwords that appear to have been accessed through spear-phishing emails.

"The attackers appear to have done a significant amount of preparatory work for the operation," the Symantec Security Response team wrote on its blog. "The malware was configured with passwords that appear to have been stolen from the targeted organizations and were likely used to allow the threat to spread across a targeted organization's network."

Multiple security firms noted that the malware triggered the disk-wiping to commence at 8:45PM local time on Thursday (17 November), which is the end of the Saudi business week, in order to avoid discovery and inflict maximum damage. "Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice," the blog read.

Motive

Crowdstrike Co-founder and CTO Dmitri Alperovitch speculated that the current geopolitical situation may have sparked the recent Shamoon attacks. He said in a blog: "While the precise motives in this most recent November incident are currently unclear, the attacks coincide with multiple geopolitical events impacting the Gulf countries, as well as recent industry developments within Saudi Arabia itself." It's well known that Saudi Arabia and Iran are not the best of friends.

Alperovitch continued: "This new variant of Shamoon kept many of its original tactics, down to the commercial raw disk ElDos driver that was used for disk wiping (including the original trial license key for this driver) that had been used in the original attacks. That ElDos trial key was only valid for 30 days and expired by September 2012. In order to continue to use the key, the wiper now has to reset the Windows system clock back to August 2012 to manipulate the license validation process."

How it happened

According to Symantec, the new variant of Shamoon shares several similarities with the original strain. Like its predecessor, Shamoon 2.0 also uses stolen administrative credentials to gain entry and attempts to spread across other devices in the network. According to Palo Alto security researchers, this technique "suggests that the threat actors had previous access to the network or carried out successful phishing attacks prior to the attack".

What to do about It

It looks clear that higher-quality intrusion detection software should have been used, and that employees should have been stepped through awareness training to identify phishing red flags. There are other steps that can and should be taken as well, but these two are obvious and have fast ROI.

Bad guys generally get into their target banks with spear-phishing attacks to get credentials so they can penetrate the target network. New-school security awareness training is an effective way to block those attacks.

Find out how affordable this is for your organization and be pleasantly surprised.

Get A Quote: Find Out How Affordable This Is

Blog post with links to sources:
Phishing Attack Hits Saudi Govt Networks With Disk-Wiping Malware
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top