Blog

Shamoon 2 Distributing DistTrack Wiper in Saudi Arabia

Marina Kidron Jan 25, 2017

Who doesn’t love a sequel? In this case, the Saudis (they weren’t too hot on the original either).

The sophisticated, possibly nation-state-sponsored Shamoon attack that destroyed systems of state-run oil company Saudi Aramco in 2012 is rearing its head again, the Gulf kingdom has warned. Saudi television reported on January 23 that at least one major petrochemical company – Sadara – has been hit by Shamoon 2, causing it to shut down its computer network. Other comments in the announcement suggest that 15 private institutions and government agencies, including the Saudi Labor Ministry, have been affected.

Shamoon is a complex, multi-step attack that seems to focus on Saudi energy companies. As a worm, it propagates itself in the internal network via legitimate credentials and the file sharing mechanism. Here’s the basics of how it plays out:

  • Step 1: Steal legitimate passwords (perhaps the work of the Greenbug group via the custom info-stealing RAT, Trojan.Ismdoor)
  • Step 2: Launch a targeted email campaign
  • Step 3: Distribute the DistTrack payload (a wiper and communications module) via the local network and ultimately a denial-of-service attack
  • Step 4: Wipe data and systems – even on some recovery systems including Huawei’s virtualized desktop infrastructure (VDI) products, such as FusionCloud

Back in 2012, Shamoon completely compromised and wiped more than 50 percent of Aramco’s Windows systems. In order to contain the attack, the oil giant disconnected far-reaching systems including phones, email and payment systems. Overnight, the company responsible for one tenth of the world’s oil production became entirely dependent on fax machines.

So how can you be proactive against this advanced threat? Here’s four steps Skybox users can take right now to stay safe:

  1. Make sure IPSs are properly configured. Certain signatures are able to prevent this attack. Make sure these and all recommended signatures are enabled using the IPS modeling feature Skybox® Firewall Assurance.
  1. Assess the risk of all vulnerabilities to proactively mitigate the most critical risks identified. Skybox® Vulnerability Control can also use patch and asset management systems to identify unpatched vulnerabilities and provide remediation alternatives, if patching isn’t an option.
  1. Perform a comprehensive network audit. With Skybox® Network Assurance and Firewall Assurance, audit the entire network to identify the poorly configured network devices and firewalls with overly permissive rules.
  1. Identify all the ingress points within the network and ensure they are appropriately secured. Use Network Assurance to analyze firewall and network access compliance. Improve firewall and network perimeter device usage to block incoming connections from the internet to the organizational network, but allow those in use by the organizational infrastructure.

 

Resources

Staying Safe from Shamoon 2 and DistTrack Wiper

Life After Breach: 5 steps to recover from a cyber attack

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithms development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing, and a Bachelor degree in Computer Science and Mathematics.

Recent Posts

Why Attacks on Critical Infrastructure are Increasing and How to Protect Against Them
Read More
Why We’re Going to See More Than 20,000 New Vulnerabilities in 2020
Read More
2020 Vulnerability and Threat Trends Report Mid-Year Update: Key Findings
Read More
Why Cybersecurity Investments Fail: The Pitfalls of ROI-Focused Strategies
Read More
Valak has a New Form: Why Businesses Should Fear Evolving Malware
Read More
Salt Vulnerabilities Exploited with Targeted Cryptomining Attack on DigiCert
Read More