Shamoon, A Malware That Wipes Hard Drives, Has Returned; Is Now Targeting Virtual Desktops
A new version of Shamoon, the malware that wiped data from 30,000 computers at Saudi Arabia's state-owned oil company four years ago, has been identified. According to researcher Robert Falcone from Palo Alto Networks, the new variant of Shamoon can also wipe server-hosted virtual desktops.
PC World notes that Shamoon, which is part of a group of cyber sabotage programs known as disk wipers, is similar to the tools that were used in the 2014 hacking of Sony Pictures Entertainment and in the 2013 South Korea cyberattack that targeted banks and TV stations.
Shamoon was first observed in a cyberattack campaign in 2012 against Saudi Aramco and again in November 2016, when it was used in another campaign against targets in Saudi Arabia. The disk-wiping malware spreads to other computers on local networks using stolen credentials and triggers its disk-wiping routine on preconfigured dates. In the second campaign, Shamoon was configured to begin wiping data on hard disk drives on Nov. 17 at 8:45 p.m. PC World notes that the activation date was set for a time when most workers in Saudi Arabia were about to begin their weekend, thus maximizing the malware's opportunity to wreak havoc.
According to Falcone, the new version of Shamoon that has been detected can cause an even bigger headache than before. On top of wiping hard drives, this new Shamoon variant targets and can potentially destroy virtual machines. Falcone notes that the new version has been updated with legitimate credentials and that some of these can reportedly be used to access virtual desktop infrastructure (VDI) products from Huawei, such as FusionCloud.
"The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack," Falcone wrote. "If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment."
"The targeting of VDI solutions with legitimate, stolen or default credentials represents an escalation in tactics that administrators should be aware of and take immediate steps to evaluate and address," he added.