Saudi Arabia Issues Shamoon 2 Alert

A new variant of the Shamoon data-wiping malware—whose previous greatest hits include taking down Saudi Aramco in 2012—is again attacking various high-level Saudi organizations.

An alert issued by the telecom authority of Saudi Arabia said that Shamoon 2 is behind new attacks on the labor ministry and a chemicals firm, reports Reuters.

At the end of last year, security firm CrowdStrike noted that Shamoon was back, with the Iranian government likely behind it.

“This new variant of Shamoon kept many of its original tactics, down to the commercial raw disk ElDos driver that was used for disk wiping (including the original trial license key for this driver) that had been used in the original attacks,” the firm noted in a blog. “That ElDos trial key was only valid for 30 days and expired by September 2012. In order to continue to use the key, the wiper now has to reset the Windows system clock back to August 2012 to manipulate the license validation process.”

And indeed, in December, Saudi Arabia's state news agency confirmed that a cyberattack had recently occurred "on various government institutions and agencies,” and that "the attacks aimed at disabling all equipment and services that were being provided. The attackers were stealing data from the system and were planting viruses.”

Now, Jubail-based Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and Dow Chemical, has confirmed a network disruption earlier this week, and said it was working to resolve the issue. And it’s not alone: Sources told Reuters that other companies headquartered in Jubail—the Kingdom’s petrochemical hub—have also been taken offline (as a precaution against the virus) after network incidents likely tied to Shamoon 2.

It’s a disturbing state of affairs considering that Shamoon (aka DistTrack) has destroyed, per TrapX Security research, more than 30,000 systems. The newest version of Shamoon spreads and destroys data even faster than before, the firm added.

“Shamoon’s malevolent objective is simple: Shamoon is designed to infect and destroy the maximum number of systems in a target organization,” said Moshe Ben-Simon, co-founder and vice president of TrapX Security.

Using high level administrator credentials, likely stolen during earlier reconnaissance cyber efforts, Shamoon is able to propagate rapidly through the network, identifying targets, gaining control and then destroying them. As it spreads to each new target it disables existing User Account Control (UAC) credentials as it destroys all data.

“Shamoon and other recent cyber-attack tools are, simply put, advanced form of weaponized malware,” Ben-Simon said. “Shamoon is part of the larger trend we see for nation-states and politically motivated groups to release purpose specific weaponized malware to stop the ongoing operation of targeted military and government agencies by destroying their IT infrastructure.”

Shamoon, like many other sophisticated weaponized attack tools, has been crafted to hide from discovery and protect itself from standard cyber defense such as sandbox analysis.

Ben-Simon added, “New best practices and the technologies that support them, such as the use of deception, are required to detect and observe Shamoon’s lateral movement early in the attack cycle. Once the weaponized Shamoon malware is identified, then your network access control (NAC) can immediately isolate offending endpoints and compromised resources.

What’s Hot on Infosecurity Magazine?