Dark Reading is part of the Informa Tech Division of Informa PLC
12/4/2019
03:00 PM
Shades of Shamoon: New Disk-Wiping Malware Targets Middle East Orgs

'ZeroCleare' shares some of the same features as its more notorious predecessor, IBM Security says.

Threat actors believed to be operating out of Iran are once again targeting energy and industrial-sector organizations in the Middle East with a destructive disk-wiping malware similar to "Shamoon," which destroyed more than 35,000 Windows systems at Saudi Aramco a few years ago.

Researchers from IBM's X-Force team who have been tracking the new malware have dubbed it "ZeroCleare." In a report this week, the vendor described ZeroCleare as similar to Shamoon in some ways, but sufficiently different in other ways to be considered a completely new threat.

"Our reverse engineers performed a comparative analysis of the two attacks, which showed that they do not appear to be related at a code level," says Limor Kessem, global executive security adviser at IBM.

As with Shamoon, the new malware is designed to overwrite the master boot record (MBR) and disk partitions on Windows systems. Also like its predecessor, ZeroCleare uses EldoS RawDisk, a legitimate toolkit, to carry out its mission. MITRE describes EldoS as a driver for interacting with files, disks, and partitions. It allows users to circumvent Windows OS security features and directly modify data on a computer, making it attractive to attackers.

Available evidence suggests that ITG13, a threat group also known as APT34/OilRig, and at least one other Iran-based group are behind the attacks. ITG13's mission appears to be to enable initial access to targeted systems. One or more other Iran-based groups have then been deploying the disk-wiping ZeroCleare on them. The attacks appear to be targeted and designed specifically to disrupt operations at critical infrastructure organizations in multiple Middle East countries.

Kessem says there are a variety of reasons why nation-states might want to target the natural resource infrastructure of another country. "The repercussions of attacks on the oil industry specifically span issues related to money, trading, transportation, and geo-political tension that could be building up in a region," she says.

Kessem estimates the ZeroCleare attacks have impacted thousands of devices in the oil and gas sector in the Middle East. "We don't know the exact number of organizations that were impacted," Kessem says. "However, we do know that at least 1,400 hosts were affected by ZeroCleare."

Shamoon, which first surfaced in 2012, is believed to have infected many more systems. The last time security researchers observed the malware being used was in December 2018, when it suddenly re-emerged after a two-year hiatus. Symantec and others that tracked the attacks described them as being targeted once again at Middle East organizations. The attacks involved a new wiper that deleted files from infected systems before Shamoon then wiped the master boot record.

A Multifaceted Threat

According to IBM, the new ZeroCleare threat is designed to work on both 32-bit and 64-bit Windows systems, but the manner in which it deploys on each is different.

Because 64-bit Windows systems only allow Microsoft-signed drivers to run on the device, the EldoS RawDisk driver, which is unsigned, cannot run on them by default. To overcome this obstacle, ZeroCleare first loads a signed, but vulnerable, driver on the targeted system and then exploits the vulnerability to load the unsigned EldoS driver, IBM said. Once installed, the RawDisk driver proceeds to wipe the master boot record clean.
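The driver-loading behavior described above gives defenders something concrete to hunt for: a kernel driver that is unsigned, that is signed by someone other than Microsoft, or whose version information points to the EldoS RawDisk toolkit. The PowerShell below is an added triage example, not code from the article or from IBM; it assumes an elevated prompt, and the EldoS/RawDisk version-info match and the "Microsoft" publisher pattern are assumptions chosen for illustration.

```powershell
# Added example: list loaded kernel drivers that merit a closer look.
# Run elevated; Win32_SystemDriver and driver files need admin rights to read.
function Get-SuspiciousDriver {
    param(
        # Publisher-name fragments treated as expected (assumption; tune per estate).
        [string[]] $TrustedPublisherPattern = @('Microsoft')
    )
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName may carry a \??\ or \SystemRoot\ prefix and quotes; normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '"', ''
            $path = $path -replace '^\\SystemRoot\\', "$($env:SystemRoot)\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig    = Get-AuthenticodeSignature -LiteralPath $path
            $info   = (Get-Item -LiteralPath $path).VersionInfo
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            $reasons = @()
            # Unsigned or broken signature: on 64-bit Windows this should not load by default.
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status $($sig.Status)"
            }
            # Validly signed but not by an expected publisher: candidate for BYOVD review.
            elseif (-not ($TrustedPublisherPattern | Where-Object { $signer -like "*$_*" })) {
                $reasons += 'non-Microsoft signer'
            }
            # Version-info match for the RawDisk vendor (assumed strings, not a hash IoC).
            if ($info.CompanyName -like '*EldoS*' -or $info.FileDescription -like '*RawDisk*') {
                $reasons += 'EldoS RawDisk component present'
            }

            if ($reasons) {
                [pscustomobject]@{
                    Name   = $_.Name
                    State  = $_.State
                    Path   = $path
                    Signer = $signer
                    Reason = $reasons -join '; '
                }
            }
        }
}

Get-SuspiciousDriver | Format-Table -AutoSize
```

Third-party vendors legitimately ship non-Microsoft-signed drivers, so the output is a review list rather than a verdict; a signed driver appearing here alongside a RawDisk hit, or one that was installed shortly before a disk-wipe, is the combination worth escalating.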

Destructive attacks like ZeroCleare are growing, Kessem says. The number of cases that IBM has responded to, where disk-wiping and other destructive malware was involved, has jumped 200% in just the past six months, she says.

"These attacks can be launched to fulfill everything from financial gain to military objectives," Kessem notes. "The effects can be crippling, especially as attackers target specific sectors that countries heavily rely on."

Most destructive malware attacks so far have focused on organizations in the Middle East. Motivations have ranged from financial — pressuring victims to pay by threatening to wipe their systems clean — to the geo-political. Some nation-state campaigns, for instance, have had military objectives, such as denying access to critical systems, degrading or disrupting operational capabilities, and destroying devices and data, IBM said.

Significantly, these campaigns pose a threat to organizations in any country. "US organizations need to be cognizant of their security preparedness," Kessem says. This means testing incident response plans, reassessing access management controls, and ensuring proper data backup and recovery processes are in place.

In many of these attacks, threat actors have exploited weakly protected access credentials and privileged accounts to gain an initial foothold on a target network and to then expand their access on it. So controls such as multifactor authentication, strong passwords, and least-privileged access are critical, IBM said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...