Shamoon malware is an aggressive disk-wiping virus that made a comeback at the end of November 2016 and is spreading a wave of destructive cyberattacks across the GCC states, especially against energy sector companies and some public departments in Saudi Arabia.
In 2012, a suspected Iranian hacker group dubbed the 'Cutting Sword of Justice' used this malware to target energy companies in the Middle East, with reports stating it was once used to attack the Saudi energy sector.
According to Symantec, the malware is unchanged from the version used four years ago. The one noticeable change is the image left behind: in 2012, infected computers had their master boot records wiped and replaced with an image of a burning US flag, whereas this year the attackers used a photo of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in the Mediterranean last year.
Furthermore, the malware was configured with passwords that appear to have been stolen from the targeted organisations, most likely so that the threat could spread across each targeted organisation's network using those credentials.
In light of these attacks, FireEye has strongly recommended that critical infrastructure organisations and government agencies, especially within the GCC region, review and test the disaster recovery plans for the critical systems in their environment. The security firm also suggests that, if a breach is suspected, client-to-client communication should be stopped to slow the spread of the malware.
FireEye added that the credentials of all privileged accounts should be changed and that each system's local administrator password should be unique.
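The two recommendations above (unique local administrator passwords per system, rotation of privileged credentials) are easy to state and easy to drift away from. The audit below is an added example, not code from the article or from FireEye or Symantec: it takes a constructed inventory of per-host local administrator password digests and a constructed list of privileged accounts, reports which hosts share the same local administrator password, shows how many other systems a credential stolen from one host would open (the spread the article describes), and lists privileged accounts whose password has not been changed since the date a breach was suspected. The inventory format and the `digest`, `shared_password_groups`, `credential_reach` and `unrotated_privileged_accounts` helpers are all assumptions of this example; a real deployment would feed it from a password vault or LAPS export rather than from hard-coded sample data.

```python
from collections import defaultdict
from datetime import date
from hashlib import sha256


def digest(password: str) -> str:
    """Hypothetical helper: compare passwords by digest so plaintext never sits in the audit data."""
    return sha256(password.encode("utf-8")).hexdigest()


# Constructed sample inventory: hostname -> digest of that host's local Administrator password.
# Four machines were built from the same image and still share the image's password.
SAMPLE_INVENTORY = {
    "ws-001": digest("shared-build-image-pw"),
    "ws-002": digest("shared-build-image-pw"),
    "ws-003": digest("shared-build-image-pw"),
    "srv-fs01": digest("shared-build-image-pw"),
    "srv-db01": digest("unique-pw-for-srv-db01"),
}

# Constructed sample privileged accounts: name -> date the password was last set.
SAMPLE_PRIVILEGED_ACCOUNTS = {
    "DOMAIN\\da-backup": date(2016, 9, 14),
    "DOMAIN\\da-ops": date(2016, 12, 2),
    "DOMAIN\\svc-deploy": date(2016, 6, 1),
}


def shared_password_groups(inventory: dict) -> list:
    """Return groups (sorted host lists) of systems whose local admin password digests match.

    An empty list means every system has a unique local administrator password.
    """
    by_digest = defaultdict(list)
    for host, d in inventory.items():
        by_digest[d].append(host)
    return sorted(sorted(hosts) for hosts in by_digest.values() if len(hosts) > 1)


def credential_reach(inventory: dict, compromised_host: str) -> list:
    """Other systems a local admin credential taken from `compromised_host` would also log on to.

    This is the blast radius that unique per-system passwords are meant to collapse to zero.
    """
    d = inventory[compromised_host]
    return sorted(host for host, other in inventory.items() if other == d and host != compromised_host)


def unrotated_privileged_accounts(accounts: dict, breach_suspected: date) -> list:
    """Privileged accounts whose password has not been changed since the breach was suspected."""
    return sorted(name for name, last_set in accounts.items() if last_set < breach_suspected)


if __name__ == "__main__":
    for group in shared_password_groups(SAMPLE_INVENTORY):
        print("shared local admin password:", ", ".join(group))
    print("reach from ws-001:", credential_reach(SAMPLE_INVENTORY, "ws-001"))
    print("not rotated:", unrotated_privileged_accounts(SAMPLE_PRIVILEGED_ACCOUNTS, date(2016, 11, 30)))
```

Run it as-is to see the sample findings; in practice, replace the two sample dictionaries with data from your vault export and treat any non-empty result from the first or third function as an action item.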
While it is widely believed that Iran-based threat actors launched the Shamoon attacks of 2012, it is still unclear who was behind the recent incident or what the extent of the compromise is.