Skip to main content

Shamoon returns with malware in hand to wipe hard drives, nuke virtual machines

researchers use ambient light sensor data to steal browser exhausted man computer problems desk hacking hackers malware frust
Shutterstock
Researcher Robert Falcone of the Palo Alto Networks said on Monday that the Shamoon attack campaign has returned again to cause even more headaches than before. The campaign was first conducted in 2012 against an organization in Saudi Arabia while the second didn’t take place until 2016. Both campaigns only sought to completely wipe PCs. However, this new third discovery aims to destroy virtual machines while wiping hard drives in the process.

For a better understanding, one of Huawei’s cloud computing products is FusionCloud Desktop, which places the computing and storage aspects of a PC in the data center. End users, such as employees of a huge corporation, use a lightweight device (aka thin client) to access a server-created cloud-residing PC sporting an installed operating system, programs, storage, and so on. It’s as if everything is installed and stored locally on the employee’s thin client.

Recommended Videos

Thus, with an authorized device, these end users can access the virtual machines from anywhere there is a secure wired or wireless connection. Even more, corporations have full control over these virtual machines and can instantly replace them with a snapshot if something goes wrong. This virtual PC method can’t be attacked by disk-wiping malware because the platform doesn’t reside on physical hardware.

So how is Shamoon attacking virtual machines? According to the report, the hackers behind the current campaign managed to grab usernames and passwords from official Huawei documentation.

“Virtual Desktop Infrastructure solutions can provide some protection against a destructive malware like Disttrack through the ability to load snapshots of wiped systems,” Falcone reports. “The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack.”

The original Shamoon attack in August 2012 targeted a Saudi Arabian energy company. It delivered malware called Disttrack that spreads to other PCs across a local network using stolen administration credentials. The attack damaged more than 30,000 systems, destroying data and making systems utterly useless. The second attack arrived in November 2016 and was set to erase all infected PCs on November 17. That took place at the end of the work week in Saudi Arabia, thus the malware had all weekend to work its magic.

The Palo Alto Networks considers this latest discovery as the second wave of November’s campaign. It’s “similar but different” than what was used in the first wave, armed with a 64-bit variant of the Disttrack payload set to begin eating data on November 29. The executable file includes wiper and communications modules for cleaning off hard drives and connecting with the hacker’s command server.

The researchers found 16 account credentials within the latest Disttrack malware that are a mixture of individual user and administrator accounts. As previously noted, some of the usernames and passwords were found in Huawei’s documents, leading the researchers to believe that the organizations simply used these default credentials instead of creating new ones.

The good news is that FusionCloud systems run a Linux operating system whereas Disttrack only attacks Windows-based systems. However, the problem is that the hacker could log into the virtual desktop infrastructure backend to destroy virtual machine deployment and any stored snapshots. That is certainly bad news for organizations that deploy virtual machines to thin clients used by employees. Without snapshots and the ability to create these virtual machines, organizations are somewhat halted.

“The targeting of VDI solutions with legitimate, stolen or default credential represents an escalation in tactics that administrators should be aware of and take immediate steps to evaluate and address,” Falcone said.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
This Lenovo ThinkPad is almost $1,800 off today!
A press photo of the ThinkPad X1 Carbon Gen 11.

One of the best laptops for a busy computer-heavy workplace is the Lenovo ThinkPad. For years, this tried and true laptop and 2-in-1 has delivered a fast and reliable Windows experience to many a 9 to 5 go-getter. Processor speed and power evolve year over year, and new features are added to these laptops all the time. This also means you’ll be able to find discounts on older machines, which is precisely what we came across while scouring through Lenovo ThinkPad deals:

Right now, as part of Lenovo’s doorbuster sale, you’ll save $1,800 on the purchase of a brand-new Lenovo ThinkPad X1 Carbon Gen 11 when you order through Lenovo.

Read more
Runway brings precise camera controls to AI videos
Gen-3 alpha advanced camera controls

Content creators will have more control over the look and feel of their AI-generated videos thanks to a new feature set coming to Runway's Gen-3 Alpha model.

Advanced Camera Control is rolling out on Gen-3 Alpha Turbo starting today, the company announced via a post on X (formerly Twitter).

Read more
Score the Dell XPS 15 for less than $1,000 during this sale
Dell XPS 15 9520 front view showing display and keyboard deck.

If you’ve been looking for laptop deals but feel disappointed with the results of your research, we know the pain. Searching for a new PC can take months, especially if you’ve got the time and energy to vet through numerous brands and models. Fortunately, there are a few tried and true PC names, one of which happens to be Dell. We see Dell laptop deals pretty regularly, but this one stopped us in our tracks:

Right now, when you order the Dell XPS 15 Laptop through the manufacturer, you’ll save $300. At full price, this model sells for $1,300.

Read more