Tag Archive for: Shamoon
Shamoon disk-wiping attackers can now destroy virtual desktops, too
Enlarge / A computer infected by Shamoon System is unable to find its operating system. (credit: Palo Alto Networks)
There’s a new variant of the Shamoon disk-wiping malware that was originally unleashed on Saudi Arabia’s state-owned oil company in 2012, and it has a newly added ability to destroy virtual desktops, researchers said.
The new strain is at least the second Shamoon variant to be discovered since late November, when researchers detected the return of disk-wiping malware after taking a more than four-year hiatus. The variant was almost identical to the original one except for the image that was left behind on sabotaged computers. Whereas the old one showed a burning American flag, the new one displayed the iconic photo of the body of Alan Kurdi, the three-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece. Like the original Shamoon, which permanently destroyed data on more than 30,000 work stations belonging to Saudi Aramco, the updates also hit one or more Saudi targets that researchers have yet to name.
According to a blog post published Monday night by researchers from Palo Alto Networks, the latest variant has been updated to include legitimate credentials to access virtual systems, which have emerged as a key protection against Shamoon and other types of disk-wiping malware. The actor involved in this attack could use these credentials to manually log into so-called virtual management infrastructure management systems to attack virtual desktop products from Huawei, which can protect against destructive malware through its ability to load snapshots of wiped systems.
Read 5 remaining paragraphs | Comments
Shamoon wiper malware returns with a vengeance
Enlarge
A new variant of Shamoon, the malware that wiped hard drives at Saudi Aramco and other energy companies in 2012, has struck multiple organizations in Saudi Arabia in a new campaign that researchers call a “carefully planned operation.” The new variant, which is almost identical to the version used in the 2012 attacks, has replaced the message it previously displayed—which included an image of a burning American flag—with the photo of the body of Alan Kurdi, the 3-year-old Syrian refugee boy who drowned as his family tried to cross from Turkey to Greece.
Bloomberg reports that digital forensics by Saudi officials indicated that the attacks were launched from Iran. Several Saudi government agencies were among the organizations attacked.
New versions of Shamoon, also known as Disttrack, have been detected by multiple information security companies, including McAfee, Symantec, Palo Alto Networks, and FireEye. It isn’t yet clear how the malware’s “dropper” has gotten into the networks it has attacked. But once on a victim’s Windows system, it determines whether to install a 32-bit or 64-bit version of the malware. According to a report from Symantec, the latest Shamoon attack was configured to automatically start wiping the disk drives of computers it had infected at 8:45am local time on November 17.
Read 3 remaining paragraphs | Comments
Kaspersky: Shamoon malware nothing more than ‘quick and dirty’ – ZDNet
|
Kaspersky: Shamoon malware nothing more than 'quick and dirty'
ZDNet shamoon malware quick dirty analysis. The lab's researcher Dmitry Tarakanov posted an analysis of the malware after pulling apart its code, and the analysis puts sophisticated coding including Stuxnet and Flame into an entirely different league. A … "Shamoon" Cyberweapon the Work of Amateurs, Kaspersky Says |