Shamoon 2 Distributing DistTrack Wiper in Saudi Arabia
Marina Kidron Jan 25, 2017
Who doesn’t love a sequel? In this case, the Saudis (they weren’t too hot on the original either).
The sophisticated, possibly nation-state-sponsored Shamoon attack that destroyed systems of state-run oil company Saudi Aramco in 2012 is rearing its head again, the Gulf kingdom has warned. Saudi television reported on January 23 that at least one major petrochemical company – Sadara – has been hit by Shamoon 2, causing it to shut down its computer network. Other comments in the announcement suggest that 15 private institutions and government agencies, including the Saudi Labor Ministry, have been affected.
Shamoon is a complex, multi-step attack that seems to focus on Saudi energy companies. As a worm, it propagates through the internal network using legitimate credentials and the Windows file sharing mechanism. Here are the basics of how it plays out:
- Step 1: Steal legitimate passwords (perhaps the work of the Greenbug group via the custom info-stealing RAT, Trojan.Ismdoor)
- Step 2: Launch a targeted email campaign
- Step 3: Distribute the DistTrack payload (a wiper and communications module) across the local network, ultimately resulting in a denial-of-service attack
- Step 4: Wipe data and systems – even on some recovery systems including Huawei’s virtualized desktop infrastructure (VDI) products, such as FusionCloud
Back in 2012, Shamoon completely compromised and wiped more than 50 percent of Aramco’s Windows systems. In order to contain the attack, the oil giant disconnected far-reaching systems including phones, email and payment systems. Overnight, the company responsible for one tenth of the world’s oil production became entirely dependent on fax machines.
So how can you be proactive against this advanced threat? Here are four steps Skybox users can take right now to stay safe:
- Make sure IPSs are properly configured. Certain signatures are able to prevent this attack. Make sure these and all recommended signatures are enabled, using the IPS modeling feature in Skybox® Firewall Assurance.
- Assess the risk of all vulnerabilities to proactively mitigate the most critical risks identified. Skybox® Vulnerability Control can also use patch and asset management systems to identify unpatched vulnerabilities and provide remediation alternatives, if patching isn’t an option.
- Perform a comprehensive network audit. With Skybox® Network Assurance and Firewall Assurance, audit the entire network to identify poorly configured network devices and firewalls with overly permissive rules.
- Identify all ingress points into the network and ensure they are appropriately secured. Use Network Assurance to analyze firewall and network access compliance. Tighten firewall and network perimeter device rules to block incoming connections from the internet to the organizational network, while still allowing those required by the organizational infrastructure.