Shamoon returns with malware in hand to wipe hard drives, nuke virtual machines

Researcher Robert Falcone of Palo Alto Networks said on Monday that the Shamoon attack campaign has returned again to cause even more headaches than before. The campaign was first conducted in 2012 against an organization in Saudi Arabia, while the second didn’t take place until 2016. Both earlier campaigns sought only to wipe PCs completely. This newly discovered third campaign, however, aims to destroy virtual machines while wiping hard drives in the process.

For a better understanding, one of Huawei’s cloud computing products is FusionCloud Desktop, which places the computing and storage aspects of a PC in the data center. End users, such as employees of a huge corporation, use a lightweight device (aka thin client) to access a server-created cloud-residing PC sporting an installed operating system, programs, storage, and so on. It’s as if everything is installed and stored locally on the employee’s thin client.

Thus, with an authorized device, these end users can access the virtual machines from anywhere there is a secure wired or wireless connection. Even more, corporations have full control over these virtual machines and can instantly replace them with a snapshot if something goes wrong. This virtual PC method can’t be attacked by disk-wiping malware because the platform doesn’t reside on physical hardware.

So how is Shamoon attacking virtual machines? According to the report, the hackers behind the current campaign managed to grab usernames and passwords from official Huawei documentation.

“Virtual Desktop Infrastructure solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems,” Falcone reports. “The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack.”

The original Shamoon attack in August 2012 targeted a Saudi Arabian energy company. It delivered malware called Disttrack that spreads to other PCs across a local network using stolen administration credentials. The attack damaged more than 30,000 systems, destroying data and making systems utterly useless. The second attack arrived in November 2016 and was set to erase all infected PCs on November 17. That took place at the end of the work week in Saudi Arabia, thus the malware had all weekend to work its magic.

Palo Alto Networks considers this latest discovery the second wave of November’s campaign. It’s “similar but different” from what was used in the first wave, armed with a 64-bit variant of the Disttrack payload set to begin eating data on November 29. The executable file includes wiper and communications modules for cleaning off hard drives and connecting with the hackers’ command server.

The researchers found 16 account credentials within the latest Disttrack malware that are a mixture of individual user and administrator accounts. As previously noted, some of the usernames and passwords were found in Huawei’s documents, leading the researchers to believe that the organizations simply used these default credentials instead of creating new ones.

The good news is that FusionCloud systems run a Linux operating system, whereas Disttrack only attacks Windows-based systems. The problem, however, is that the hackers could log into the virtual desktop infrastructure backend to destroy the virtual machine deployment and any stored snapshots. That is certainly bad news for organizations that deploy virtual machines to thin clients used by employees. Without snapshots and the ability to recreate these virtual machines, those organizations are effectively brought to a halt.
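One practical check that follows from the two findings above (credentials lifted from vendor documentation, and admin access reaching the VDI backend where snapshots live) is an audit of a directory export for accounts that still use a documented default. The script below is an added example for illustration, not code from the Palo Alto Networks report or from Huawei; the default values, the export format (hex SHA-256 of each password) and the account names are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder defaults that stand in for credentials printed in
# vendor documentation; these are NOT Huawei's real values.
DOCUMENTED_DEFAULTS = {
    "vdi_admin": "Default_PLACEHOLDER_1",
    "svc_backup": "Default_PLACEHOLDER_2",
}

def sha256_hex(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

# Compare digests so the audit never needs cleartext from the directory export.
DEFAULT_DIGESTS = {user: sha256_hex(pw) for user, pw in DOCUMENTED_DEFAULTS.items()}
ANY_DEFAULT_DIGEST = {digest: user for user, digest in DEFAULT_DIGESTS.items()}

@dataclass(frozen=True)
class Account:
    username: str
    password_sha256: str   # assumed export format: hex SHA-256 of the password
    is_admin: bool

def audit_accounts(accounts):
    """Return (username, severity, reason) for every account still usable with
    a documented default. Admin accounts are rated critical: with one of those
    a wiper operator can reach the VDI backend and delete the snapshots that
    would otherwise restore wiped desktops."""
    findings = []
    for acct in accounts:
        source = ANY_DEFAULT_DIGEST.get(acct.password_sha256)
        if source is None:
            continue
        if source == acct.username:
            reason = "unchanged vendor default for this account"
        else:
            reason = f"reuses the documented default of {source}"
        severity = "critical" if acct.is_admin else "high"
        findings.append((acct.username, severity, reason))
    return findings

# Constructed sample export: one untouched admin default, one rotated service
# account, and one helpdesk user who reused a documented default.
SAMPLE_ACCOUNTS = [
    Account("vdi_admin", DEFAULT_DIGESTS["vdi_admin"], True),
    Account("svc_backup", sha256_hex("rotated-unique-secret"), False),
    Account("helpdesk01", DEFAULT_DIGESTS["svc_backup"], False),
]

if __name__ == "__main__":
    for user, severity, why in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{severity.upper():8} {user}: {why}")
```

Run against a real export, the same audit should be paired with keeping snapshot copies outside the VDI management domain, since the report's point is that backend access alone can destroy them.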

“The targeting of VDI solutions with legitimate, stolen or default credential represents an escalation in tactics that administrators should be aware of and take immediate steps to evaluate and address,” Falcone said.
