Shamoon returns to wipe out Saudi virtual desktops

News by Rene Millman

Malware that wiped data from 30,000 Saudi desktops re-emerges to kill VMs

A new variant of Shamoon, the malware responsible for the deletion of data on 30,000 systems at Saudi Arabia's state-owned oil company four years ago, has been discovered.

According to researcher Robert Falcone of Palo Alto Networks, the new variant of Shamoon has the added ability to obliterate server-hosted virtual desktops. This potentially undermines one of the primary countermeasures employed against wiper attacks: virtual desktop infrastructure (VDI) snapshots.

Similar malware was deployed against Sony Pictures Entertainment in the US and, in 2013, against several banks and broadcasting firms in South Korea. In 2012, it was used against computers at Saudi Aramco and infected other systems on the local network using stolen credentials. It resurfaced in November last year in another campaign against Saudi Arabian firms, this time exhibiting slightly different behaviours and containing hardcoded account credentials specific to the newly targeted organisation.

The latest sample, however, contains several usernames and passwords taken from official Huawei documentation for its virtual desktop infrastructure (VDI) products, such as FusionCloud. Falcone said that VDI solutions can provide some protection against destructive malware such as Disttrack, because snapshots of wiped systems can be reloaded.

“The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organisation to increase the impact of their destructive attack. If true, this is a major development and organisations should consider adding additional safeguards in protecting the credentials related to their VDI deployment,” he said in a blog post.

Researchers were unable to tell whether the attackers obtained these credentials in a prior attack or included these default usernames and passwords in an attempt to guess the login credentials of the VDI infrastructure.
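The safeguard Falcone recommends is to make sure VDI management accounts are not still using the credentials printed in vendor documentation. The following is an added example of such an audit, not code from the article or from Palo Alto Networks; the default credentials and account inventory it uses are constructed placeholders, not real Huawei or FusionCloud values. It compares salted PBKDF2 hashes so the check can run against stored verifiers without ever handling plaintext passwords from the directory, and it flags any account whose password matches a documented default regardless of which default username it was published under.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed placeholders standing in for the username/password pairs a
# vendor's documentation publishes. Real values come from the product docs;
# these are NOT real Huawei or FusionCloud credentials.
DOCUMENTED_DEFAULTS: List[Tuple[str, str]] = [
    ("vdi-admin-PLACEHOLDER", "DefaultPass-PLACEHOLDER-1"),
    ("svc-snapshot-PLACEHOLDER", "DefaultPass-PLACEHOLDER-2"),
]

PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    """One VDI management account as stored by the directory: salt + verifier only."""
    username: str
    salt: bytes
    verifier: bytes  # PBKDF2-HMAC-SHA256(password, salt)


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password under a per-account salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str) -> Account:
    """Constructed helper: build an account record the way a directory would store it."""
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))


def matches_documented_default(account: Account, defaults: Iterable[Tuple[str, str]]) -> bool:
    """True if the account's verifier matches ANY documented default password.

    The username is deliberately ignored: an operator who renamed the account
    but kept the vendor password is just as exposed to credential guessing.
    """
    for _default_user, default_pw in defaults:
        candidate = hash_password(default_pw, account.salt)
        if hmac.compare_digest(candidate, account.verifier):
            return True
    return False


def audit_default_credentials(accounts: Iterable[Account],
                              defaults: Iterable[Tuple[str, str]] = DOCUMENTED_DEFAULTS) -> List[str]:
    """Return the sorted usernames that still authenticate with a documented default."""
    defaults = list(defaults)
    return sorted(a.username for a in accounts if matches_documented_default(a, defaults))


def sample_inventory() -> List[Account]:
    """Constructed sample of what an export of VDI management accounts might look like."""
    return [
        make_account("vdi-admin-PLACEHOLDER", "DefaultPass-PLACEHOLDER-1"),   # untouched default
        make_account("ops-renamed", "DefaultPass-PLACEHOLDER-2"),             # renamed, password kept
        make_account("ops-hardened", "unique-per-site-passphrase-9f3c2a"),    # rotated
    ]


if __name__ == "__main__":
    for user in audit_default_credentials(sample_inventory()):
        print(f"still on a documented default password: {user}")
```

In a real deployment the `Account` records would be pulled from the VDI platform's authentication store rather than built with `make_account`, and the defaults list would be populated from the vendor's own hardening guide; everything else stays the same.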

Falcone said the wiper was set to begin overwriting systems on 29 November 2016 at 1:30 am, “which aligns with the Shamoon actor's tactic to maximise its impact by attacking at a time when the targeted organisation would have less staff and resources available onsite.”

Vince Warrington, founder of Protective Intelligence, told SCMedia that while Shamoon has roots in Iran and has been used in attacks against Saudi Arabia, there's no reason why similar attacks could not be undertaken on the UK – the most likely target would be oil and gas production, where the virus was originally intended to operate.

“It's not really out in the wild, though – it's of no real use to cyber-criminals attempting to monetise the virus in the same way that ransomware is, probably because it's too destructive for their purposes. It's fairly likely that it's in the arsenal of Nation State actors, though, given that it's an effective cyber-espionage tool as well as a means to cripple an organisation,” he said.

Warrington added that Iran's willingness to use Shamoon and its derivatives in destructive cyber-attacks against companies linked to its regional opponents “will likely be tested further if Donald Trump's incoming US administration takes an increasingly aggressive stance against the country's nuclear programme.”
