A cybersabotage program that wiped data from 30,000 computers at Saudi Arabia’s national oil company in 2012 has returned and is able to target server-hosted virtual desktops.
The malware, known as Shamoon or Disttrack, is part of a family of destructive programs known as disk wipers. Similar tools were used in 2014 against Sony Pictures Entertainment in the U.S. and in 2013 against several banks and broadcasting organizations in South Korea.
Shamoon was first observed during the 2012 cyberattack against Saudi Aramco. It spreads to other computers on a local network by using stolen credentials and activates its disk-wiping functionality on a preconfigured date.
In November last year, security researchers from Symantec reported finding a new version of Shamoon that had been used in a fresh wave of attacks against targets in Saudi Arabia. The version was configured to start overwriting data on hard disk drives on Thursday, November 17 at 8:45 p.m. local time in Saudi Arabia, shortly after most workers in the country started their weekend.
Researchers from Palo Alto Networks found yet another Shamoon variant, different from the one seen by Symantec and likely used against a different target in Saudi Arabia. This third version had a kill date — the day when it was configured to start wiping data — of November 29 and contained hard-coded account credentials that were specific to the targeted organization, the Palo Alto researchers said Monday in a blog post.
Some of those credentials were for Windows domain accounts, but a few were default usernames and passwords for Huawei FusionCloud, a virtual desktop infrastructure (VDI) solution.
VDI products like Huawei FusionCloud let companies run multiple virtualized desktop installations inside a data center. Users then access these virtual PCs from thin clients, making workstation management across different branches and offices a lot easier.
Another benefit of VDI solutions is that they create regular snapshots of these virtualized desktops, allowing administrators to easily restore them to a known working state in case something goes wrong.
Apparently the attackers behind this latest Shamoon campaign were aware that the targeted organization used Huawei’s VDI product and realized that it wouldn’t be enough to just wipe virtual PCs using stolen Windows domain credentials.
“The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack,” the Palo Alto Networks researchers said. “If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment.”
While so far this technique has only been observed in a targeted cyberattack whose primary purpose was the destruction of data, it could easily be adopted by ransomware creators in the future. Some ransomware variants already attempt to delete certain types of backups before encrypting data, so targeting VDI snapshots would be a natural expansion of that tactic.
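Two of the behaviours described in this article leave a footprint a defender can look for: one account authenticating to many hosts in a short window (the credential-based spread described for Shamoon) and a burst of snapshot deletions by a single account shortly before a wipe (the VDI angle described above). The script below is an added example, not code from the article, Symantec, Palo Alto Networks or Huawei. The `time|type|account|target` audit-line format, the sample events and the window/threshold values are all constructed assumptions; a real deployment would map Windows logon events and the VDI platform's own audit log into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit stream in the form "<ISO time>|<event type>|<account>|<target>".
# This format is an invented simplification for the example, not any product's real log.
SAMPLE_LINES = [
    "2016-11-17T08:02:00|logon|CORP\\alice|WS-210",
    "2016-11-17T10:00:00|snapshot_delete|CORP\\bob|VM-0099",
    "2016-11-17T12:30:00|logon|CORP\\alice|WS-211",
    # One service account fanning out to six workstations in under a minute.
    "2016-11-17T19:05:00|logon|CORP\\svc_backup|WS-101",
    "2016-11-17T19:05:07|logon|CORP\\svc_backup|WS-102",
    "2016-11-17T19:05:15|logon|CORP\\svc_backup|WS-103",
    "2016-11-17T19:05:21|logon|CORP\\svc_backup|WS-104",
    "2016-11-17T19:05:30|logon|CORP\\svc_backup|WS-105",
    "2016-11-17T19:05:44|logon|CORP\\svc_backup|WS-106",
    # One VDI administrator account deleting four desktop snapshots within a minute.
    "2016-11-17T19:30:00|snapshot_delete|CORP\\vdi_admin|VM-0001",
    "2016-11-17T19:30:12|snapshot_delete|CORP\\vdi_admin|VM-0002",
    "2016-11-17T19:30:25|snapshot_delete|CORP\\vdi_admin|VM-0003",
    "2016-11-17T19:30:40|snapshot_delete|CORP\\vdi_admin|VM-0004",
]


def parse_events(lines):
    """Parse pipe-delimited audit lines into dicts with a real datetime."""
    events = []
    for line in lines:
        ts, etype, account, target = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "type": etype,
                       "account": account, "target": target})
    return events


def fanout_alerts(events, event_type, window, threshold):
    """Return {account: max distinct targets} for accounts that touched at least
    `threshold` distinct targets with events of `event_type` inside any sliding
    time window of length `window`. Repeated hits on the same target count once."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["type"] == event_type:
            by_account[ev["account"]].append((ev["time"], ev["target"]))

    alerts = {}
    for account, items in by_account.items():
        items.sort()  # chronological order per account
        best, start = 0, 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({target for _, target in items[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[account] = best
    return alerts


def run_detections(lines):
    """Apply both rules. Window sizes and thresholds are assumed tuning values."""
    events = parse_events(lines)
    return {
        # Credential-reuse spread: >= 5 distinct hosts within 5 minutes.
        "logon_fanout": fanout_alerts(events, "logon", timedelta(minutes=5), 5),
        # Recovery sabotage: >= 3 distinct snapshots deleted within 10 minutes.
        "snapshot_deletion_burst": fanout_alerts(
            events, "snapshot_delete", timedelta(minutes=10), 3),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LINES).items():
        for account, count in hits.items():
            print(f"[{rule}] {account}: {count} distinct targets in window")
```

Both rules are the same sliding-window fan-out count applied to different event types, which is why they share one function; in practice the snapshot rule should be paired with a retention control (snapshots that the VDI administrator account cannot delete outright), since detection alone does not bring the backups back.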
None of the targets in the November attacks were named by Symantec or Palo Alto Networks.