Palo Alto Networks discover second variant of Shamoon 2
Experts suspect Shamoon, which paralysed Saudi Aramco operations in 2012, to be responsible
The Shamoon saga continues to cause havoc as security experts from Palo Alto Networks have discovered a second strain of the Shamoon 2 malware.
ITP.net reported earlier that the Saudi government and petrochemicals organisations have come under cyber attacks by malware suspected to be Shamoon. However, Palo Alto Networks found that this second variant targets virtualisation products.
In December, both Palo Alto Networks and Symantec discovered the first variant of Shamoon 2, which was used against single Saudi organization, the Saudi Arabia's General Authority of Civil Aviation (GACA). This variant enabled a disc-wiping component at 8.45.p.m. local Saudi Arabia time on Thursday 17 November.
Since finding Shamoon 2, Palo Alto Networks found it had been configured to begin wiping infected systems at 1.30.a.m. local Saudi Arabia time on Wednesday 29 November; a time where most employees would be at home.
According to Palo Alto Networks, the second variant included credentials for virtualisation products from Huawei, it targeted virtual desktop infrastructure (VDI) products such as FusionCloud. From this the security experts believe that the attackers were aware that the target organisation used this specific virtualisation product.
The hackers used default credentials reported in the product official documentation, this means they were hoping that the targeted organisations had not changed them. According to the experts, threat actors may have had access to appliances hosting the infrastructure.