Disk-wiping malware Shamoon targets virtual desktop infrastructure

The latest variant had default credentials for a Huawei desktop virtualization solution

A cybersabotage program that wiped data from 30,000 computers at Saudi Arabia's national oil company in 2012 has returned and is able to target server-hosted virtual desktops.

The malware, known as Shamoon or Disttrack, is part of a family of destructive programs known as disk wipers. Similar tools were used in 2014 against Sony Pictures Entertainment in the U.S. and in 2013 against several banks and broadcasting organizations in South Korea.

Shamoon was first observed during the 2012 cyberattack against Saudi Aramco. It spreads to other computers on a local network by using stolen credentials and activates its disk-wiping functionality on a preconfigured date.

In November last year, security researchers from Symantec reported finding a new version of Shamoon that had been used in a fresh wave of attacks against targets in Saudi Arabia. The version was configured to start overwriting data on hard disk drives on Thursday, November 17 at 8:45 p.m. local time in Saudi Arabia, shortly after most workers in the country started their weekend.

Researchers from Palo Alto Networks found yet another Shamoon variant, different from the one seen by Symantec and likely used against a different target in Saudi Arabia. This third version had a kill date -- the day when it was configured to start wiping data -- of November 29 and contained hard-coded account credentials that were specific to the targeted organization, the Palo Alto researchers said Monday in a blog post.

Some of those credentials were for Windows domain accounts, but a few were default usernames and passwords for Huawei FusionCloud, a virtual desktop infrastructure (VDI) solution.

VDI products like Huawei FusionCloud let companies run multiple virtualized desktop installations inside a data center. Users then access these virtual PCs from thin clients, making workstation management across different branches and offices a lot easier.

Another benefit of VDI solutions is that they create regular snapshots of these virtualized desktops, allowing administrators to easily restore them to a known working state in case something goes wrong.

Apparently the attackers behind this latest Shamoon campaign were aware that the targeted organization used Huawei's VDI product and realized that it wouldn't be enough to just wipe virtual PCs using stolen Windows domain credentials.

"The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack," the Palo Alto Networks researchers said. "If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment."

While so far this technique has only been observed in a targeted cyberattack whose primary purpose was the destruction of data, it could easily be adopted by ransomware creators in the future. Some ransomware variants already attempt to delete certain types of backups before encrypting data, so targeting VDI snapshots would be a natural expansion of that tactic.

None of the targets in the November attacks were named by Symantec or Palo Alto Networks.
