Shamoon is back, although we are not entirely sure it ever left.
On Monday, Saudi Arabia warned organizations in the kingdom to be on alert for the Shamoon virus, which cripples computers by wiping their disks. The labor ministry said it had been attacked and a chemicals firm reported a network disruption. This has been dubbed Shamoon 2 by some news outlets.
Here is a simple explanation of what is likely to be happening.
The adversary is using a combination of social engineering and email phishing to infect one or a number of computers on an organization’s networks. Either downloading a file or clicking a link downloads an exploit kit.
The computers infected with the exploit kit rapidly perform port sweeps across the subnet to which hosts are connected. Using automated replication, it then attempts to move laterally via remote procedure calls (RPCs). To cover an organization’s entire network, the adversary needs to infect machines on many subnets.
Shamoon 2, like Shamoon that struck Saudi Aramco in 2012, moves extremely fast with the sole objective of destroying systems and bringing businesses to their knees.
So now what?
This isn’t new, but it still works. The good and bad news, depending on how you look at it, is that the attacker behavior is consistent with any type of attack, regardless of the severity of the outcome (e.g., destroying disks).
This makes detecting attacker behaviors on the internal network a natural way to expose the threat because if one behavior is missed, several others will be seen. This is something Vectra has learned through experience.
With perimeter detection, the attacker only has to get it right once while the defender has to be right every time. By monitoring the internal network for any and all attacker behaviors across the attack lifecycle, Vectra turns the tables on attackers. The attacker now has to get everything right every time and the defending organization only needs to see at least part of the attack to find it.
Shamoon reminds me a lot of what we are seeing with ransomware attacks. For example, sometimes there is no command-and-control (C&C) activity to trigger a detection because it is often disabled since the purpose is to destroy, not steal. This helps Shamoon to evade perimeter defenses.
Like ransomware, Shamoon also needs to propagate internally using account credentials. But the attack is so narrowly targeted that it does so with hard-coded accounts, including admin accounts which are needed to overwrite a disk.
The Vectra Threat Labs has researched this threat and determined that there is high confidence that the Vectra port sweep detection and automated replication detections will fire in networks that are infected as part of a Shamoon 2 attack.
In addition, experimental detection algorithms running in the background – specifically RPC-related detections – may fire as well, but the certainty of the detection is high even without running them.
Automating the response to the Shamoon 2 detection with one of the many enforcement mechanisms Vectra supports is an effective way to contain the damage to the initially infected computers and prevent rapid worm-like spreading throughout the organization.
There is a C&C channel in the malware that might be detectable and we are looking into it now. But the C&C channel is usually inactive in an attempt to evade detection. This means that traditional perimeter systems like firewalls, IDS/IPS and secure Web gateways may not be able to detect this malware and they certainly won’t be able to stop it once it starts.
The data science behind Vectra threat detections
Register for this white paper to learn how Vectra threat detection models blend human expertise with a broad set of data science and sophisticated machine learning techniques to identify threats like Shamoon 2.
Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs with nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles.