Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/4/2019
03:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Shades of Shamoon: New Disk-Wiping Malware Targets Middle East Orgs

'ZeroCleare' shares some of the same features as its more notorious predecessor, IBM Security says.

Threat actors believed to be operating out of Iran are once again targeting energy and industrial-sector organizations in the Middle East with a destructive disk-wiping malware similar to "Shamoon," which destroyed more than 35,000 Windows systems at Saudi Aramco a few years ago.

Researchers from IBM's X-Force team who have been tracking the new malware have dubbed the malware "ZeroCleare." In a report this week, the vendor described ZeroCleare as similar to Shamoon in some ways, but sufficiently different enough from it in other ways to be considered a completely new threat.

"Our reverse engineers performed a comparative analysis of the two attacks, which showed that they do not appear to be related at a code level," says Limor Kessem, global executive security adviser at IBM.

As with Shamoon, the new malware is designed to overwrite the master boot record (MBR) and disk partitions on Windows systems. Also like its predecessor, ZeroCleare uses EldoS RawDisk, a legitimate toolkit, to carry out its mission. MITRE describes EldoS as a driver for interacting with files, disks, and partitions. It allows users to circumvent Windows OS security features and directly modify data on a computer, making it attractive to attackers.

Available evidence suggests that ITG13, a threat group also known as APT34/OilRig, and at least one other Iran-based group is behind the attacks. ITG13's mission appears to be to enable initial access to targeted systems. One or more other Iran-based groups have then been deploying the disk-wiping ZeroCleare on them. The attacks appear to be targeted and designed specifically to disrupt operations at critical infrastructure organizations in multiple Middle East countries.

Kessem says there are a variety of reasons why nation-states might want to target the natural resource infrastructure of another country. "The repercussions of attacks on the oil industry specifically span issues related to money, trading, transportation, and geo-political tension that could be building up in a region," she says.

Kessem estimates the ZeroCleare attacks have impacted thousands of devices in the oil and gas sector in the Middle East. "We don't know the exact number of organizations that were impacted," Kessem says. "However, we do know that at least 1,400 hosts were affected by ZeroCleare."

Shamoon, which first surfaced in 2012, is believed to have infected many more systems. The last time security researchers observed the malware being used was in December 2018, when it suddenly re-emerged after a two-year hiatus. Symantec and others that tracked the attacks described them as being targeted once again at Middle East organizations. The attacks involved a new wiper that deleted files from infected systems before Shamoon then wiped the master boot record.

A Multifaceted Threat
According to IBM, the new ZeroCleare threat is designed to work on both 32-bit and 64-bit Windows systems, but the manner in which it deploys on each is different.

Because 64-bit Windows systems only allow Microsoft-signed drivers to run on the device, the EldoS RawDisk driver, which is unsigned, cannot run on them by default. To overcome this obstacle, ZeroCleare first loads a signed, but vulnerable, driver on the targeted system and then exploits the vulnerability to load the unsigned EldoS driver, IBM said. Once installed, the RawDisk driver proceeds to wipe the master boot record clean.

Destructive attacks like ZeroCleare are growing, Kessem says. The number of cases that IBM has responded to, where disk-wiping and other destructive malware was involved, has jumped 200% in just the past six months, she says.

"These attacks can be launched to fulfill everything from financial gain to military objectives," Kessem notes. "The effects can be crippling, especially as attackers target specific sectors that countries heavily rely on."

Most destructive malware attacks so far have focused on organizations in the Middle East. Motivations have ranged from financial — pressuring victims to pay by threatening to wipe their systems clean — to the geo-political. Some nation-state campaigns, for instance, have had military objectives, such as denying access to critical systems, degrading or disrupting operational capabilities, and destroying devices and data, IBM said.

Significantly, these campaigns pose a threat to organizations in any country. "US organizations need to be cognitive of their security preparedness," Kessem says. This means testing incident response plans, reassessing access management controls, and ensuring proper data backup and recovery processes are in place.

In many of these attacks, threat actors have exploited weakly protected access credentials and privileged accounts to gain an initial foothold on a target network and to then expand their access on it. So controls such as multifactor authentication, strong passwords, and least-privileged access are critical, IBM said.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "A Cause You Care About Needs Your Cybersecurity Help."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
joshuaprice153
50%
50%
joshuaprice153,
User Rank: Apprentice
12/11/2019 | 12:08:26 AM
Shades of Shamoon
I hate it when the comment's section is so overwhelmed with spam content that it takes a mighty eyesore before I find the relevant ones. pressure washing Orlando
How Attackers Could Use Azure Apps to Sneak into Microsoft 365
Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
Malicious USB Drive Hides Behind Gift Card Lure
Dark Reading Staff 3/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-10940
PUBLISHED: 2020-03-27
Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
CVE-2020-10939
PUBLISHED: 2020-03-27
Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
CVE-2020-6095
PUBLISHED: 2020-03-27
An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
CVE-2020-10817
PUBLISHED: 2020-03-27
The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
CVE-2020-10952
PUBLISHED: 2020-03-27
GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.