Slashdot Mirror


Data-Wiping Malware Shamoon Destroys Files At Italian Oil and Gas Company; Other Energy Companies Operating in the Middle East Warned of Cyber Attacks (zdnet.com)

An anonymous reader writes: A new variant of the Shamoon malware was discovered on the networks of an Italian and a UAE oil and gas company. While the damage at the UAE firm is currently unknown, the malware has been confirmed to have destroyed files on about ten percent of the Italian company's PC fleet.

Shamoon is one of the most dangerous strains of malware known to date. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Aramco, Saudi Arabia's largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images (burning US flag, body of Alan Kurdi). The 2012 attack was devastating in particular, with Shamoon wiping data on over 30,000 computers, crippling the company's activity for weeks. Historically, the malware has been tied to the Iranian regime, but it's unclear if Iranian hackers were behind these latest attacks. This new Shamoon version was revealed to the world when an Italian engineer uploaded the malware on VirusTotal, triggering detections at all major cyber-security firms across the globe.

22 comments

  1. Charming Kitten? by Anonymous Coward · · Score: 0

    https://www.cbsnews.com/news/iran-hacking-charming-kitten-targets-us-nuclear-officials-cybersecurity-certfa-2018-12-13/

    1. Re:Charming Kitten? by Anonymous Coward · · Score: 0

      Except UAE and Italy aren't "US nuclear officials". Most likely another group.

  2. Antivirus by Anonymous Coward · · Score: 0

    When I see articles like this, I wish they could reveal details like what antivirus and firewalls were used.

    1. Re:Antivirus by Anonymous Coward · · Score: 0

      Why don't you read articles? It's new malware, the 0-day = now. Virustotal didn't know about it. No malware apps detected it. A firewall isn't going to stop it either, in almost any case except some 1992 worm.

      NOW you can expect everyone to detect it and if they don't within the next 12 hours, you know you have extra shitty A/V software. That's about it.

    2. Re:Antivirus by nnull · · Score: 2

      We do, just the articles are lacking a lot of details. If they didn't mention RDP, I wouldn't have known if it was Windows or a Linux server. I had to basically google Shamoon just to see what systems are affected and learn that it's nothing we haven't seen in the past.

      But it does just verify what I've always known, these companies have seriously lacking computer security, lack of backups and no surprise these contractors lost their data, because I know how these people work and they don't even think about this stuff at all, no one does at these companies. I know how many have them use remote software for critical systems. They only complain after the fact.

    3. Re:Antivirus by Tough+Love · · Score: 2

      It's new malware

      Actually, it's old malware, goes by the name of Windows.

      --
      When all you have is a hammer, every problem starts to look like a thumb.

    4. Re: Antivirus by buggiebee · · Score: 1

      It's true, the virus was first encountered in 2012, and also Windows is a virus.

    5. Re:Antivirus by Anonymous Coward · · Score: 2, Insightful

      Posting AC because I did some consulting work in UAE, a gig that came about because the UAE was trying to avoid this specific thing.

      Big part of the problem in the UAE is that the country is trying very hard to educate the locals to be IT managers in charge of IT contractors who come and go as fast as they can (in accordance with other labor practices in the middle east). When you have IT managers who don't really want to be IT managers, and aren't very good at it, and look down at the people actually doing the work from multiple angles (financial, cultural, religious, etc.)...then you're eventually going to have a bad day, no matter how many security tools you buy.

  3. *cough*Israel*cough* by Anonymous Coward · · Score: 0

    ...

    1. Re: *cough*Israel*cough* by Anonymous Coward · · Score: 0

      Maaaayyyybe. These things are targeted weapons. I can't recall a time where this type of malware got into the wild and just started taking out others.

      These aren't some criminals looking for Bitcoin ransoms or anything, but an attack.

    2. Re: *cough*Israel*cough* by Anonymous Coward · · Score: 0

      Apple is offering virus-resistant computers at a discount to Italian officials. Tim sends his best

  4. Fossil fuel hating nerds attack again! by Anonymous Coward · · Score: 0

    Got to figure this sort of thing comes from nerds who think everyone should ride a bicycle or ride an EV bus or buy an EV car if you must. Yes of course you inject malware and erase important files and they will just go away.

    1. Re:Fossil fuel hating nerds attack again! by Anonymous Coward · · Score: 0

      Well, I do think you should ride a bicycle, only I think your hands should be on the pedals and your face should go where a normal person's ass would be. You'll probably have more luck that way being a complete ass-face.

  5. And let me guess... by Anonymous Coward · · Score: 0

    The affected users didn't have backups, both on-site and remote... Typical.

    1. Re:And let me guess... by Anonymous Coward · · Score: 0

      The affected users didn't have backups, both on-site and remote... Typical.

      Well that's the story they will tell the judge that issued the subpoena for business records. ;-)

  6. What's the problem? by Anonymous Coward · · Score: 0

    Wipe the systems and restore backups.

    Annoying, not dangerous.

  7. was revealed to the world when ... by grep+-v+'.*'+* · · Score: 1

    was revealed to the world when an Italian engineer uploaded the malware on VirusTotal, triggering detections at all major cyber-security firms across the globe

    So at that time, all of the sirens in the AV companies went off exactly at the same time.

    There must have been some fun support phone calls there. Signatures are not a bad _first_ step, but really? That's the best we can mostly do??

    I had one once trigger on a BAT file I had just written. We had a support contact with an unnamed company, but our McAfee support rep was a bit confused. "How can you be confused? I'm using your predefined scan settings. I wrote it from scratch, so unless there's virus stenography hidden in the top bit of each byte it's NOT a virus. What, are you keying off file length?"

    But I always wanted to write a Virus.bat file that (a) you had to run manually, (b) prompted you to insert a new floppy to infect, and (c) give it to a friend and tell them to run the virus file. (Yep, it was that long ago.)

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?

    1. Re:was revealed to the world when ... by Anonymous Coward · · Score: 0

      You don't know that's the only way it was detected initially, heuristics may have stopped a few, we don't have that info. All we know is once it was reported to VT it became signature-searchable.

      The rest of your tripe goes downhill from that logical high point.

  8. Subpoena for business records by Anonymous Coward · · Score: 0

    No, the corporate executives learned of a subpoena for business records and mysteriously malware found its way onto the corporate network and destroyed files. ;-)

  9. From the article... by nuckfuts · · Score: 2

    This version of Shamoon overwrites original files with garbage data. This garbage data might look like encrypted content to an untrained eye, but it's just random bits of information that can't be recovered with an encryption key.

    LOL. I'd like to meet the "trained eye" that can discern "random bits of information" from "encrypted content".

  10. Are there really... by puddingebola · · Score: 1

    Are there really that many computers at large multi-national corporations running the 32 bit NT kernel? Why? Answer in 100,000 words or less.

  11. Next news... by Anonymous Coward · · Score: 0

    Computers banned throughout the universe by Italian courts. All programmers to be detained indefinitely for questioning. Mentions of the word "computer" punishable by a minimum 6 months prison sentence. #scienceisacrimeinitaly