Shamoon malware targets Gulf organisations
The malware has made a comeback and was used in a fresh wave of attacks against targets in Saudi Arabia
Shamoon, an aggressive disk-wiping malware, has made a comeback and is spreading a wave of destructive cyberattacks in the GCC states.
In 2012, a suspected Iranian hacker group calling itself the 'Cutting Sword of Justice' used this malware to target energy companies in the Middle East, with reports stating it was once used to attack the Saudi energy sector.
According to Symantec, the malware is essentially unchanged from the version used four years ago. The one noticeable difference is the image it leaves behind: in 2012, infected computers had their master boot records wiped and replaced with an image of a burning US flag, whereas this year the attackers used a photo of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in the Mediterranean last year.
Furthermore, the malware was configured with passwords that appear to have been stolen from the targeted organisations and were likely used to allow the threat to spread across a targeted organization's network.
In light of these attacks, FireEye has strongly recommended that critical infrastructure organisations and government agencies, especially within the GCC region, review and test the disaster recovery plans for the critical systems in their environment. The security firm also suggests that, if a breach is suspected, client-to-client communication should be stopped to slow the spread of the malware.
FireEye added that the credentials of all privileged accounts should be changed and that each system's local administrator password should be unique.
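As an added, defender-side illustration of the last two recommendations (this is example code written for this page, not code from the article, FireEye or Symantec), the PowerShell below does two things on a single domain-joined Windows workstation: it blocks inbound connections from other workstations on the ports Windows uses for remote file sharing and remote management, which is the client-to-client traffic a credential-driven worm relies on, and it sets a fresh, randomly generated password on the built-in local Administrator account. The workstation subnet ranges are hypothetical placeholders; the rule name, password length and character set are this example's own choices.

```powershell
# Added example (not from the article or FireEye). Run in an elevated PowerShell
# session on the workstation being hardened. Requires the NetSecurity and
# Microsoft.PowerShell.LocalAccounts modules (Windows 10 / Server 2016 and later).

# Hypothetical workstation address ranges; replace with your own client subnets.
$WorkstationSubnets   = @('10.10.0.0/16', '10.20.0.0/16')
# RPC endpoint mapper, NetBIOS session, SMB, WinRM HTTP and HTTPS.
$LateralMovementPorts = @('135', '139', '445', '5985', '5986')
$RuleName = 'Containment: block inbound client-to-client lateral-movement ports'

# 1. Stop client-to-client communication on the ports used to reach other hosts.
#    Block rules take precedence over allow rules in Windows Firewall, so this
#    overrides the default File and Printer Sharing / WinRM allow rules for traffic
#    that originates inside the listed workstation ranges only. Admin jump hosts
#    outside those ranges keep whatever access the existing rules grant them.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $LateralMovementPorts `
        -RemoteAddress $WorkstationSubnets -Action Block -Profile Domain, Private `
        -Description 'Added during incident containment to slow worm-style spread' | Out-Null
}
# Show the ports actually covered by the rule so the change can be verified.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter

# 2. Give this machine a unique local Administrator password.
function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous characters (0/O, 1/l/I) left out so the value can be read back from a vault.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling avoids modulo bias
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    return (-join $chars)
}

# The built-in Administrator always has RID 500, even if the account has been renamed.
$adminAccount = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-500' }
$newPassword  = New-RandomPassword -Length 24
$adminAccount | Set-LocalUser -Password (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# Emit a record for the password vault; do not leave this in a console transcript.
[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Account      = $adminAccount.Name
    Password     = $newPassword
    RotatedAtUtc = (Get-Date).ToUniversalTime()
}
```

The firewall rule is deliberately scoped to the workstation ranges rather than to "any" source so that administrators reaching the host from a management network are not locked out; if the listed ports are needed between workstations for a legitimate reason, the rule can be narrowed further with -RemoteAddress exceptions. The password step is what a tool such as Microsoft's LAPS automates fleet-wide, storing the per-machine value in Active Directory; the script above is the single-host equivalent for use during containment.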
While it is widely believed that Iran-based threat actors launched the Shamoon attacks of 2012, it is still unclear who was behind the recent incident or the extent of compromise.