25 January 2017

By Layan Damanhouri

JEDDAH – Industry sources revealed that some 5 to 10 public and private organizations have been impacted by the second Shamoon virus attack, a aggressive disk-wiping malware, on Monday.

Research shows the attack took place at 4 a.m.

While it’s not confirmed that this is the same variant of the Shamoon malware which attacked Saudi Arabian organizations in the past, the infection patterns, file creation and lateral movement is identical to the pattern documented by Palo Alto Networks in those previous instances, sources said.

The initial infection came through an email attachment.

The malware infected systems, possibly via stolen or weak credentials, and then stayed dormant for some time until it was capable of causing maximum damage.

The virus follows the same destructive pattern as in the past where machines have their partition tables deleted and only a complete system restore will be able to recover the IT environment.

“Email has always been a major infection vector and organizations need to implement technologies and also enforce policies that safeguard against malicious email attachments,” said Nicolai Solling, CTO at Help AG, a cyber security services, solutions and consultancy provider.

“Similar to the attack that occurred in December 2016, this malware lay dormant and executed at 4 a.m., when most in-house IT teams aren’t at work. This highlights the need for 24×7 monitoring of security events so as to react to and tackle them as soon as possible thereby mitigating their impact,” he added.

“A successful defense is to utilize solutions such as OPSWAT Metadefender which secures emails by utilizing multiple malware inspection engines and reconstructs data without potential weaponized document features,” he explained. “As an example, it could remove macro’s, scripts or calls to external applications from inside an Office document.”

Warnings circulated on social media since Monday about banks, ministries and private entities under cyber attack.

However, software company Symantec revealed a new cyberespionage group called Greenbug that targets Middle East organizations to have possible links to Shamoon during investigations.

Symantec further noted that investigations reveal a possibility Greenbug could be responsible for getting Shamoon the stolen credentials enabling the attack.

According to research, the group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations.

Links were not fully confirmed, however.

As threats arise, CEOs and organization leaders in the region will revamp and boost their cyber security strategies, according to Charles Habak head of financial services at Booz Allen Hamilton who predicted digital bank trends for 2017.

“Financial institutions that are ahead of the curve and effectively embed cyber security into their risk frameworks will invest significantly in building the right capabilities and governance structures,” he said.

“These, in turn, will equip them to preemptively address incidents that could potentially damage their operations as well as reputation.”

The last Shamoon attack took place last November and the major attack before that took place in Saudi Arabia’s energy sector in 2012.

One expert as cited on Alekhbariya local news network said such cyber attacks could cost the Kingdom SR2.8 billion in losses.

© The Saudi Gazette 2017