UPDATED 21:44 EDT / DECEMBER 13 2018

SECURITY

New version of infamous Shamoon malware targets oil and gas industry

A new version of Shamoon, a form of malware that infamously caused damage to Saudi Aramco, Saudi Arabia’s largest oil producer in 2012, has been used in new attacks in the Middle East.

The new Shamoon attack was reported Thursday to have been detected on the network of Italian oil and gas contractor Saipem, where it destroyed files on about 10 percent of the company’s personal computers, primarily in the Middle East but also in Italy and Scotland.

A second attack at around the same time was later reported to have targeted a heavy-engineering company in the U.A.E.

Shamoon is different from regular malware attacks in that it does not attempt to steal information or ask for a ransom payment. Instead, it simply deletes data, causing chaos on every network it manages to infiltrate.

Mounir Hahad, head of the Juniper Threat Labs, told SiliconANGLE that the new version of the Shamoon “packs the same punch as previous attacks,” but was made more difficult to study because this time, no sign of the intended victim is present in the malware.

“This variation will render any system it infects unusable by overwriting a key hard drive section called the Master Boot Record with random data,” Hahad explained. “Unlike the previous variant, this one does not attempt to spread, which leads us to believe that the attack vector and the method of infecting more systems is yet to be discovered.”

Thomas Richards, associate principal consultant at Synopsys Inc., noted that the initial entry point is telling.

“With the recent releases of breaches involving passwords, it is a possibility that an employee used the same password in multiple locations which led to the attacker’s ability to compromise Saipem,” Richards said. “The Shamoon attack could also be predicated by a phishing campaign or other credential compromising event. This attack is most likely perpetrated by an advanced threat actor who was specifically targeting Saipem.”

Richards advised employers to state in their password policies that employees shouldn’t reuse corporate passwords on other systems. “Additionally, if an employee receives a suspicious email they should report it to their IT security group immediately,” he added.

Photo: Divulgação Petrobras/Wikimedia Commons

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU