The ever-destructive Shamoon has returned. This time around, the malware took aim at companies in Saudi Arabia, including the General Authority of Civil Aviation in the Kingdom of Saudi Arabia. We spoke to regional industry experts to get their views on the attacks and ways to keep such attacks at bay
It was in 2012 that security firms such as Websense (now called Forcepoint), Seculert, and Kaspersky threw some light on the malware. At that point in time, Shamoon, also known as Disttrack, attacked the infrastructure of Aramco. The malware family is specialised in wiping data from hard drives.
Post attack, the state-run Saudi Press Agency, citing a government statement, reported that the national cybersecurity department had detected what officials called a systemic attack on crucial government agencies. The attack was also aimed at the country’s transportation sector.
The attacks were focused on halting operations, stealing data and planting viruses, the news agency reported. According to industry experts, the attackers had configured the malware to wipe data on computers and rewrite the hard drive MBR (Master Boot Record) with an image that depicted a three-year-old Syrian boy named Alan Kurdi that lay dead on a Turkish beach.
Malware Almost Identical to the 2012 Version
Channel Post spoke to many regional industry experts, who believe the 2016-version of the malware was almost identical to the one used in the 2012 attack. “Based on published reports from various news agencies, the malware variant used in this attack is almost identical to the version used in the Iranian-linked attack against Saudi Aramco in 2012,” explains Anthony Di Bello, the Senior Director and Security Strategist at Guidance Software.
Mohammad Amin Hasbini, the Senior Security Researcher at Kaspersky Lab also confirms that “Shamoon 2.0” is the updated version of the malware used in the August 2012 attacks. “Shamoon is developed to wipe all data on affected hosts. The scale of the actual damage is still unknown, though rumours talk about thousands of irrecoverable machines. Damage impact comes in different forms: productivity, reputational, financial, or even in the form of sanctions,” he adds.
Nicolai Solling, the CTO at Help AG, further adds that while the organizations that have fallen victim to the attack have revealed little information, vendors such as a Palo Alto Networks and Symantec have stated that they have seen multiple instances of such attacks in the last couple of months. “That being said, these attacks appear to have been highly targeted rather than widely spread,” he says.
The Shamoon 2.0 attack in November leverages very similar methods and tools to the original Shamoon attack in 2012. According to Stuart Davis, the Mandiant Director for META at FireEye, one of the first companies to identify the attacks, the wiper malware in Shamoon 2.0 is intended to destroy system data across large networks through the use of a legitimate raw disk driver. “However whilst the malware is similar and there are key overlaps between the original 2012 attack and the attacks last month, FireEye cannot yet say they are the same attack group. As investigations continue, we hope to continue to make progress in our assessment,” he explains.
Amit Roy, the Executive Vice President and Regional Head for EMEA at Paladion, says that Shamoon had the capability to collect and send data to the attacker and erased them from its original location. “This is a critical threat because businesses can lose proprietary and classified information permanently from their records. As for the perpetrators, experts from several sources believe the attack originated from outside the country, similar to the 2012 attack, but we do not have enough data to say if the both the attacks were from the same source,” he adds.
Extent of Damage
As a malware, Shamoon contained three key components: a dropper, communications, and wiper components. The dropper was an executable component that extracted the additional components from embedded resources and launched them into execution. Support was included for both 32-bit and 64-bit architectures.
The communications component assured the ability to talk to a remote, online command and control server. This server would allow attackers to deploy new components or change the date at which the attack takes place. In the 2016 attack, this component was neutered, being configured with the IP 1.1.1.1, that didn’t or never hosted any type of Shamoon C&C server infrastructure.
This what seems to be a random IP means the attackers had no intentions of changing the deployment date or aborting the attack. The third component is the actual hard drive wiper, which is powered by the EldoS RawDisk driver, a utility that grants the malware access to the hard drive without needing to interact with the Windows OS.
“In terms of recovery from such an attack, the extent of the damage is severe because it can take weeks if not months to recover,” adds Roy. “As for the number of organizations that were affected, MSS providers are bound not to reveal
the names of clients that are affected. Although several MSS providers have admitted that their customers are affected.”
Davis meanwhile adds that the damage caused by Shamoon 2.0 is very extensive at this point and continues to affect more organizations. “The original incident in 2012 was targeted primarily at one large organization. However, the Shamoon 2.0 campaign seems to have a much larger base of targets, primarily focused in the GCC. There are a number of organizations that have been affected. Some have been more affected more heavily than others. The reason for this varies based on existing security controls that might have been in place to slow the attack or the ability to recover quicker,” Davis says.
Solling believes that the attackers appear to have been very well prepared as previously stolen credentials were hardcoded into the malware. “This meant that once inside, the malware aggressively spread though the local network, infecting as many systems as possible. From what we know, Shamoon 2 made no attempt to steal information, but rather focused on damaging as many systems as possible by erasing their Master Boot Records and Volume Boot Records thereby rendering them unusable,” he explains.
Keeping Such Threats at Bay
Threats such as Shamoon, ransomware, leakware, and others that immediately do harm at the time of execution are difficult to mitigate without preventing or blocking the malicious executable from running in the first place. “However, Endpoint Detection and Response (EDR) solutions can be used to mitigate an attack from malware like Shamoon,” explains Di Bello. “This can be done by giving security teams the ability to hunt for threats on machines that have bypassed prevention technologies but have not yet detonated to prevent further infection across the network.”
Solling further adds that there are a number of things that need to be done to protect against such attacks. “It starts with understanding business continuity requirements, IT and business risks and then selection, deployment and management of the correct technical solution which mitigates the identified risks,” he adds.
According to Davis, organizations need to have in place a set of security tools to monitor for the unusual activity outlined by security vendors. “This includes the necessity to have a SIM which logs from Active Directory and others sources. In addition, customers need endpoint visibility. Organizations need a method by which they can search for these indicators at scale, at an enterprise level. Companies also need to follow security vendors’ guidance around mitigating inter-server communication and inter-workstation communication,” he adds.
Paladion’s Roy says that configuring your SIEM with custom made use cases for these types of attacks, continuous integration of threat intelligence and implement triaging and prioritization rules are the need of the hour. “We use a combination of threat patterns and expert driven analysis to monitor our customer environments for similar attacks. It’s critical for every organization to continuously look out for attack patterns, fine-tune the SIEM and respond quickly to contain and prevent such attacks. Threat Intel teams should work round the clock in analyzing new malware, developing IOCs, and quickly rolling it out to monitoring teams,” Roy adds.
Solution Providers Working with Customers to Minimize Damage
It is critical that vendors, security solution providers, partners and customers work in tandem in order to minimize the damage of such security threats. “Our Threat Intel team has released the list of Indicators of Compromise (IOCs) for Disttrack Droppers, Communication Components, Wiper Components, EldoS RawDisk Samples for both 32-bit and 64-bit machines,” explains Roy. “We have rolled out these across all our customers and analyzed historical data/ to detect any traces of Shamoon. Our breach detection experts are on standby to detect any traces of IOCs in customer environment and help implement preventive measures to detect and respond faster.”
Solling adds that Help AG Middle East has been present in Saudi with its own office since 2015. “One observation is that there is a lot of ambition and motivation to fundamentally change the security robustness in organizations,” he explains. “I think organizations are slowly coming to the conclusion that the correct product is only half the solution, but that there also needs to be focus on how the solution is deployed, used and managed.”
Davis meanwhile says that FireEye has been sharing as much information as we can through resources such as blogs, emails and presentations. “Responding to these large incidents gives FireEye an advantage because we are aware of the wider methodology, how these systems look when infected or destroyed, and not just what the file is called and what it does. This deeper expertise helps our customers build better policies to detect and mitigate the affects of these attacks,” he says. “We have been working with our partners to ensure we can help our clients proactively check for indicators of these attacks at scale.”
Hasbini explains that Kaspersky has been continuously trying to keep regional governments and law enforcement agencies informed about the happenings we find or detect in our research, through private or exclusive intelligence reports. “We offer intelligence to our partners and customers on a regular basis as well. In addition to these, our products already have the right signatures and preventive measures in place for detecting and blocking the malware,” he adds.
Perimeter security – be that antivirus, or new EPP solutions – is absolutely essential, but unfortunately entirely inadequate, according to Di Bello. “Perimeter security must be combined with EDR solutions to defend against external threats to the network, as well as internal threats or threats that bypass the first layer of defense. Forensic security solutions from Guidance Software are 100% focused on the latter. We work with our customers’ existing security solutions to find threats that evade prevention technologies, automate the incident response process, and thoroughly remediate threats. EDR requires a focus on sophisticated techniques and remediation technology designed to find unknown threats,” he concludes.
