Security researchers have identified a second wave of Shamoon 2 PC-wiping attacks against a further target in Saudi Arabia last November. The new research shows hackers upping the ante and developing more sophisticated, multi-stage attacks.
The original Shamoon attack hobbled the network of Saudi Aramco in 2012.
Similar destructive attacks against a civil aviation agency and other Gulf state organisations in Saudi Arabia re-emerged in November 2016.
United States intel officials blame Iran for the Shamoon attacks, partly on the basis of geopolitical motives as well as the nature of the attack. The technical evidence isn't conclusive either way but certainly doesn't rule out Iran as a strong suspect.
Phase one of the latest assaults was designed to wipe systems at one particular target on November 17, researchers at Palo Alto Networks previously reported. They have since discovered another, similar payload targeted against a second unnamed organisation in Saudi Arabia.
This malware variant was configured to wipe systems on November 29, eight days after the previous attacks. This second-wave attack was designed to take out one of the primary countermeasures employed against wiper attacks, Virtual Desktop Interface (VDI) snapshots.
The second malware payload contained hardcoded account credentials specific to the newly targeted organisation. These met Windows password complexity requirements, which suggests that hackers obtained the credentials through a previous, separate attack, similar to the November 17 attack. That's where the similarities stop.
"The most notable thing about this latest sample is that it contains several usernames and passwords from official Huawei documentation related to their VDI solutions, such as FusionCloud," Palo Alto researchers explained.
VDI solutions can provide some protection against destructive malware – such as the Disttrack wiper dropped on systems infected by Shamoon – through the ability to load snapshots of wiped systems. The hacking crew behind the Shamoon attacks obtained usernames and passwords for VDI systems prior to launching their malware-based attack in an apparent attempt to thwart an important line of defence. Organisations should consider adding safeguards to protect credentials related to their VDI deployment as a potential countermeasure against the new tactic, Palo Alto advises.
Details of the login-snatching attack ahead of the Shamoon 2 assault remain unclear.
"At this time, we have no details of the attack we believe preceded this Shamoon attack to obtain credentials," according to Palo Alto. "We also have no details on the delivery method used to deliver the new, similar, but different Disttrack payload in this attack."
More details on what's known so far about the Shamoon 2 attacks can be found in a detailed blog post by Palo Alto researcher Robert Falcone.