Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

12/4/2019 03:00 PM

Shades of Shamoon: New Disk-Wiping Malware Targets Middle East Orgs

'ZeroCleare' shares some of the same features as its more notorious predecessor, IBM Security says.

Threat actors believed to be operating out of Iran are once again targeting energy and industrial-sector organizations in the Middle East with a destructive disk-wiping malware similar to "Shamoon," which destroyed more than 35,000 Windows systems at Saudi Aramco a few years ago.

Researchers from IBM's X-Force team who have been tracking the new malware have dubbed it "ZeroCleare." In a report this week, the vendor described ZeroCleare as similar to Shamoon in some ways but different enough in others to be considered a completely new threat.

"Our reverse engineers performed a comparative analysis of the two attacks, which showed that they do not appear to be related at a code level," says Limor Kessem, global executive security adviser at IBM.

As with Shamoon, the new malware is designed to overwrite the master boot record (MBR) and disk partitions on Windows systems. Also like its predecessor, ZeroCleare uses EldoS RawDisk, a legitimate toolkit, to carry out its mission. MITRE describes EldoS as a driver for interacting with files, disks, and partitions. It allows users to circumvent Windows OS security features and directly modify data on a computer, making it attractive to attackers.
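The master boot record that both wipers overwrite is a fixed 512-byte structure, which makes an integrity check straightforward. The following is an added example written for this article, not code from IBM X-Force or from the report it describes: it parses an MBR using only the public layout (boot code in bytes 0-445, four 16-byte partition entries at 446-509, the 0x55 0xAA boot signature at 510-511), classifies a sector as healthy, zeroed or corrupt, and compares the partition table against a stored known-good copy. The sample sectors are constructed; nothing here reads a real disk.

```python
"""Parse a 512-byte master boot record and judge whether it is still intact.

Added example for this article, not code from IBM X-Force or the article
itself. It relies only on the documented MBR layout: boot code in bytes
0-445, four 16-byte partition entries at 446-509 and the 0x55 0xAA boot
signature at 510-511. The sample sectors at the bottom are constructed.
"""
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one partition-table entry; the LBA fields are little-endian."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "empty": entry == bytes(ENTRY_SIZE),
        "status": status,        # 0x00 inactive, 0x80 bootable
        "type": ptype,           # e.g. 0x07 NTFS/exFAT, 0xEE GPT protective
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature check and the four decoded partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = [
        parse_partition_entry(sector[off:off + ENTRY_SIZE])
        for off in range(TABLE_OFFSET, TABLE_OFFSET + 4 * ENTRY_SIZE, ENTRY_SIZE)
    ]
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": entries}


def entry_is_sane(e: dict) -> bool:
    """A used entry has a legal status byte, a non-zero type and a non-empty extent."""
    return (
        e["status"] in (0x00, 0x80)
        and e["type"] != 0
        and e["lba_start"] > 0
        and e["sectors"] > 0
    )


def assess_mbr(sector: bytes) -> str:
    """Classify a system-disk MBR as 'healthy', 'zeroed' or 'corrupt'.

    A sector overwritten by a raw-disk tool either reads back as all zeros
    or fails the signature check and carries no sane partition entry.
    """
    if not any(sector):
        return "zeroed"
    info = parse_mbr(sector)
    used = [e for e in info["partitions"] if not e["empty"]]
    if info["signature_ok"] and used and all(entry_is_sane(e) for e in used):
        return "healthy"
    return "corrupt"


def partition_table_changed(current: bytes, baseline: bytes) -> bool:
    """Compare the partition-table bytes against a stored known-good copy."""
    table = slice(TABLE_OFFSET, TABLE_OFFSET + 4 * ENTRY_SIZE)
    return current[table] != baseline[table]


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: blank boot code, one bootable type-0x07 partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bytes(TABLE_OFFSET) + entry + bytes(3 * ENTRY_SIZE) + BOOT_SIGNATURE


ZEROED_MBR = bytes(MBR_SIZE)                # what a zero-fill wipe leaves behind
OVERWRITTEN_MBR = bytes([0xAB]) * MBR_SIZE  # constructed filler with no structure

if __name__ == "__main__":
    baseline = build_sample_mbr()
    for label, sector in (("baseline", baseline), ("zeroed", ZEROED_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(f"{label}: {assess_mbr(sector)}, table changed: {partition_table_changed(sector, baseline)}")
```

The verdict alone is enough for a post-incident triage script; the baseline comparison is the part that belongs in a backup routine, since a saved copy of the first sector is what lets a wiped system disk be restored without reconstructing the partition table by hand.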

Available evidence suggests that ITG13, a threat group also known as APT34/OilRig, and at least one other Iran-based group are behind the attacks. ITG13's mission appears to be to enable initial access to targeted systems. One or more other Iran-based groups have then been deploying the disk-wiping ZeroCleare on them. The attacks appear to be targeted and designed specifically to disrupt operations at critical infrastructure organizations in multiple Middle East countries.

Kessem says there are a variety of reasons why nation-states might want to target the natural resource infrastructure of another country. "The repercussions of attacks on the oil industry specifically span issues related to money, trading, transportation, and geo-political tension that could be building up in a region," she says.

Kessem estimates the ZeroCleare attacks have impacted thousands of devices in the oil and gas sector in the Middle East. "We don't know the exact number of organizations that were impacted," Kessem says. "However, we do know that at least 1,400 hosts were affected by ZeroCleare."

Shamoon, which first surfaced in 2012, is believed to have infected many more systems. The last time security researchers observed the malware being used was in December 2018, when it suddenly re-emerged after a two-year hiatus. Symantec and others that tracked the attacks described them as being targeted once again at Middle East organizations. The attacks involved a new wiper that deleted files from infected systems before Shamoon then wiped the master boot record.

A Multifaceted Threat

According to IBM, the new ZeroCleare threat is designed to work on both 32-bit and 64-bit Windows systems, but the manner in which it deploys on each is different.

Because 64-bit Windows systems only allow Microsoft-signed drivers to run on the device, the EldoS RawDisk driver, which is unsigned, cannot run on them by default. To overcome this obstacle, ZeroCleare first loads a signed, but vulnerable, driver on the targeted system and then exploits the vulnerability to load the unsigned EldoS driver, IBM said. Once installed, the RawDisk driver proceeds to wipe the master boot record clean.
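The chain described above, a signed-but-vulnerable driver loaded first and an unsigned driver loaded right after it, leaves a recognisable footprint in driver-load telemetry. The following is an added example, not code from the article or from IBM's analysis: it runs a few detection rules over Sysmon-style DriverLoad records (Event ID 6 fields UtcTime, ImageLoaded, Hashes, Signed, Signature, SignatureStatus). The records, driver names and hashes are all constructed placeholders; the blocklist is assumed to be filled from a maintained source such as Microsoft's vulnerable driver blocklist.

```python
"""Flag suspicious kernel-driver loads in Sysmon-style DriverLoad telemetry.

Added example, not part of the article or of IBM's analysis. It assumes the
fields Sysmon Event ID 6 (DriverLoad) emits: UtcTime, ImageLoaded, Hashes,
Signed, Signature and SignatureStatus. The records below are constructed,
and every driver name and hash in them is a placeholder.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry, one record per line as "key=value; key=value".
SAMPLE_EVENTS = """\
UtcTime=2019-12-04 10:00:01.000; ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys; Hashes=SHA256=PLACEHOLDER_MS_1; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
UtcTime=2019-12-04 10:00:05.000; ImageLoaded=C:\\Windows\\Temp\\vendor_tool.sys; Hashes=SHA256=PLACEHOLDER_VULN_1; Signed=true; Signature=Example Hardware Vendor; SignatureStatus=Valid
UtcTime=2019-12-04 10:00:09.000; ImageLoaded=C:\\Windows\\Temp\\unsigned_disk_tool.sys; Hashes=SHA256=PLACEHOLDER_UNSIGNED_1; Signed=false; Signature=; SignatureStatus=Unsigned
UtcTime=2019-12-04 11:30:00.000; ImageLoaded=C:\\Windows\\System32\\drivers\\http.sys; Hashes=SHA256=PLACEHOLDER_MS_2; Signed=true; Signature=Microsoft Windows; SignatureStatus=Valid
"""

# Placeholder blocklist. In practice populate it from Microsoft's vulnerable
# driver blocklist or another maintained list of known-abusable signed drivers.
KNOWN_VULNERABLE_HASHES = {"PLACEHOLDER_VULN_1"}

STANDARD_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
# Only inbox Windows drivers carry this signer. Third-party drivers that went
# through WHQL show "Microsoft Windows Hardware Compatibility Publisher", so
# they are deliberately treated as third party by the chain rule below.
FIRST_PARTY_SIGNERS = {"Microsoft Windows"}
CHAIN_WINDOW = timedelta(seconds=60)


def parse_record(line: str) -> dict:
    """Split one 'key=value; key=value' record into a dict with typed time and hash."""
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key] = value
    fields["UtcTime"] = datetime.strptime(fields["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    fields["sha256"] = fields["Hashes"].partition("=")[2]  # strip the "SHA256=" prefix
    return fields


def parse_records(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def analyze(events: list, vulnerable_hashes: set) -> list:
    """Return (driver_name, reason) alerts for the rules below.

    unsigned                   an unsigned driver loaded (should not happen on
                               64-bit Windows without a signature bypass)
    known_vulnerable           hash matches the vulnerable-driver blocklist
    unusual_path               driver image outside System32\\drivers
    signed_then_unsigned_chain a third-party signed driver loaded within
                               CHAIN_WINDOW before an unsigned one
    """
    alerts = []
    last_third_party_signed = None
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        name = ev["ImageLoaded"].rsplit("\\", 1)[-1]
        signed = ev["Signed"].lower() == "true"
        if not ev["ImageLoaded"].lower().startswith(STANDARD_DRIVER_DIR):
            alerts.append((name, "unusual_path"))
        if ev["sha256"] in vulnerable_hashes:
            alerts.append((name, "known_vulnerable"))
        if not signed:
            alerts.append((name, "unsigned"))
            if (last_third_party_signed is not None
                    and ev["UtcTime"] - last_third_party_signed["UtcTime"] <= CHAIN_WINDOW):
                alerts.append((name, "signed_then_unsigned_chain"))
        elif ev["Signature"] not in FIRST_PARTY_SIGNERS:
            last_third_party_signed = ev
    return alerts


if __name__ == "__main__":
    for driver, reason in analyze(parse_records(SAMPLE_EVENTS), KNOWN_VULNERABLE_HASHES):
        print(f"{reason:28} {driver}")
```

The hash rule is the one that scales: the chain and path heuristics are cheap tripwires, but a signed driver loaded from its vendor's normal install directory would pass both, which is why the blocklist should be kept current rather than relying on sequence or location alone.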

Destructive attacks like ZeroCleare are growing, Kessem says. The number of cases that IBM has responded to, where disk-wiping and other destructive malware was involved, has jumped 200% in just the past six months, she says.

"These attacks can be launched to fulfill everything from financial gain to military objectives," Kessem notes. "The effects can be crippling, especially as attackers target specific sectors that countries heavily rely on."

Most destructive malware attacks so far have focused on organizations in the Middle East. Motivations have ranged from financial — pressuring victims to pay by threatening to wipe their systems clean — to the geo-political. Some nation-state campaigns, for instance, have had military objectives, such as denying access to critical systems, degrading or disrupting operational capabilities, and destroying devices and data, IBM said.

Significantly, these campaigns pose a threat to organizations in any country. "US organizations need to be cognizant of their security preparedness," Kessem says. This means testing incident response plans, reassessing access management controls, and ensuring proper data backup and recovery processes are in place.

In many of these attacks, threat actors have exploited weakly protected access credentials and privileged accounts to gain an initial foothold on a target network and to then expand their access on it. So controls such as multifactor authentication, strong passwords, and least-privileged access are critical, IBM said.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

joshuaprice153,
User Rank: Apprentice
12/11/2019 | 12:08:26 AM
Shades of Shamoon
I hate it when the comments section is so overwhelmed with spam content that it takes a mighty eyesore before I find the relevant ones. pressure washing Orlando