Revealed: Web servers used by disk-nuking Shamoon cyberweapon

A detailed analysis of the Shamoon malware – which is playing a huge role in the cyberwar between Saudi Arabia and Iran – has identified servers used to spread the software nasty. Shamoon surfaced in 2012 when it infected 30,000 workstations in the world’s largest oil production firm, Saudi Aramco, wiped their hard drives, and …

  1. JosephEngels

    And all because

    Someone, somewhere, decided it would be a good idea if the program you use to write memos could run system level commands embedded in the text files you are editing?

    Seriously, it is high time this useful "feature" was removed.

    1. Anonymous Coward

      Re: And all because

      Unluckily, they became a "development platform" too. I knew a guy in a Swiss bank whose job was mostly to automate Office applications using VBA. It was mostly Excel stuff, but there was some Word work as well.

      I'm still surprised by sysadmins who don't bother to neuter macros for users who don't need them (hint: it can be done through GPOs), or allow only signed ones.

    2. Version 1.0 Silver badge

      Re: And all because

      VBScript is designed to be a secure programming environment. It lacks various commands that can be potentially damaging if used in a malicious manner. This added security is critical in enterprise solutions.

      -- support.microsoft.com

      1. bombastic bob Silver badge
        Trollface

        Re: And all because

        "VBScript is designed to be a secure programming environment"

        /me commences hysterical laughter

        it all reflects the _USUAL_ vulnerabilities in Micro-shaft software. The MS Word doc with the nasty payload, 'opened' by some low-level HR dweeb, or merely previewed in "Virus Outbreak" (aka 'MS Outlook'), sent by a spear-phisher with a fake identity, etc. taking over a windows box because the user is logged in with "admin" credentials for no good reason, because Micro-shaft sets the defaults "that way".

      2. a_yank_lurker

        Re: And all because

        Slurp and security is like military intelligence.

  2. Baldy50

    Disttrack.

    Reared its ugly head again

    http://www.timesofisrael.com/blazes-at-iran-petrochemical-plants-raise-suspicions-of-cyberattack/

    Mishaps/fires are commonplace at these facilities.

    1. Anonymous Blowhard

      Re: Disttrack.

      "Mishaps/fires are commonplace at these facilities."

      So no problem heating the popcorn then?

    2. JCitizen
      Devil

      Re: Disttrack.

      You know, it would not surprise me at all, if the very malcode the Iranians meant for the Saudis, backfired and ended up on their own networks! HA! Kinda like Stuxnet ended up backfiring on the Americans.

  3. Anonymous Coward

    Your network's mine...

    If you get a Shamoon infection, it's bad.

    It's bad, Shamoon, you know.

    1. Anonymous Coward

      Who's bad?

      Black-hat hacker gradually transforming into a white-hat hacker?

      1. Anonymous Coward

        Re: Who's bad?

        With a dubious liking for script kiddies? Eventually taken down by too much anti-virus? You wanna be start-buttoning something?

        etc. :)

  4. Amos1

    > a macro within the document executes two Powershell scripts

    > 139.59.46.154:3485/eiloShaegae1 via HTTP

    > 45.76.128.165:4443/0w0O6 via HTTP

    > 45.76.128.165:4443/0w0O6

    So four controls already used in security-conscious organizations, ones where the system and network administrators do not administer security devices, would have worked perfectly.

    1. Block "PowerShell" in all proxy traffic if it shows up in the User-Agent

    2. Remove the ability to execute the two copies of PowerShell from non-administrative users and no, everyone does not have to be an admin.

    3. Review your proxy logs for the past several months with an eye towards the destination port. Allow all non-standard destination ports used for business-related sites and drop all others. And review that rule on occasion. You'll see how many bullets you dodged without even knowing it.

    4. Run man-in-the-middle HTTPS decryption and in #3 use separate port ranges, one for HTTP and one for HTTPS. None of those non-standard ports have ever been seen in business-related traffic for us, a large bank. 4443 has been seen but never for HTTP. That's a clear deception trick.

    Why did I single out "system and network administrators who run security devices"? Like in real estate, those poor people are graded by their management on three things: Availability, Availability and Availability. "I can't get to my cat website because you block dynamic DNS sites running on odd ports!"

    1. mr. deadlift
      Pint

      yep you're right on that one.

      https inspection would have nixed that one.

      some good extension restrictions should have pinned it too. why are non-IT (presumably) users downloading .ps1 scripts? i suppose it could be a .txt and renamed but i am speculating on that.

      how are machines still getting pwnd by macros?

      i find the PS vector quite intriguing, as i don't think the attackers have thought, let's try this and see how it goes; i am thinking someone was working there first and doing a little recon.

      someone must have known/done some footwork beforehand to prep for the social/phish engineering.

      i bet you there's a little bit more to it yet.

      - why is the execution policy set to unrestricted?

      - are users admins on their machines?

      - where's the use of GP?

      - did they learn nothing from stuxnet/crypto outbreaks?

      enquiring minds want to know, as it seems like IT admin 101.

      the simplicity of it all is quite astonishing.

      beer 'cause friday and i don't have to deal with it.
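The proxy-side controls Amos1 lists above (User-Agent blocking, destination-port review, HTTP on HTTPS-looking ports) and mr. deadlift's question of how a .ps1 download reaches a user can be turned into a log-triage pass. What follows is an added example, not code from the article, from IBM X-Force, or from either commenter: a small Python script that applies those rules to proxy-log lines. The log layout (space-separated fields with a quoted User-Agent) is a simplified, assumed format, and the port sets, the allowlist entry, the client addresses, hostnames and user agents are constructed for the example; only the two destination addresses and paths are the ones the article quotes.

```python
"""Proxy-log triage for the PowerShell-download pattern in the Shamoon report.

Added example. The log format is constructed and simplified; real proxies
(Squid, Blue Coat, Zscaler, ...) log differently, so adapt parse_line() first.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports treated as standard for each scheme. Assumption: tune to your own traffic.
STANDARD_PORTS = {"http": {80, 8080}, "https": {443}}

# Reviewed business exceptions as (host, port). Hypothetical entry for the example.
ALLOWLIST = {("erp.example-partner.test", 8443)}

# Ports a casual reader takes for TLS; plain HTTP to them is the deception trick
# the comment describes (4443 seen, but never for HTTP).
HTTPS_LOOKING_PORTS = {443, 4443, 8443}


@dataclass
class ProxyEvent:
    ts: str
    client: str
    scheme: str
    host: str
    port: int
    path: str
    user_agent: str


def parse_line(line: str) -> ProxyEvent:
    """Parse one line of the constructed format: ts client scheme host port path "user agent"."""
    head, _, rest = line.partition('"')
    ts, client, scheme, host, port, path = head.split()
    return ProxyEvent(ts, client, scheme.lower(), host, int(port), path, rest.rstrip('"'))


def triage(ev: ProxyEvent) -> list[str]:
    """Return the name of every rule the event trips (empty list = clean)."""
    findings: list[str] = []

    # Control 1: Invoke-WebRequest identifies itself as WindowsPowerShell/x.y in the UA.
    if "powershell" in ev.user_agent.lower():
        findings.append("powershell-user-agent")
    # Gap in control 1: System.Net.WebClient sends no User-Agent unless the script
    # sets one, so an empty UA gets its own flag rather than slipping through.
    if not ev.user_agent:
        findings.append("empty-user-agent")

    # Controls 3/4: destination port not standard for the scheme and not allowlisted.
    if ev.port not in STANDARD_PORTS.get(ev.scheme, set()) and (ev.host, ev.port) not in ALLOWLIST:
        findings.append(f"nonstandard-{ev.scheme}-port:{ev.port}")

    # Control 4: plain HTTP to a port picked to look like HTTPS.
    if ev.scheme == "http" and ev.port in HTTPS_LOOKING_PORTS:
        findings.append("http-on-https-looking-port")

    # Extra check: a bare IP instead of a hostname is rare in business traffic.
    try:
        ipaddress.ip_address(ev.host)
        findings.append("raw-ip-destination")
    except ValueError:
        pass

    return findings


def review(lines: list[str]) -> list[tuple[str, int, list[str]]]:
    """Run triage over many lines; return (host, port, findings) for each hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        findings = triage(ev)
        if findings:
            hits.append((ev.host, ev.port, findings))
    return hits


# Constructed sample log. The two destinations and paths are the ones the article
# quotes; timestamps, clients, hostnames and user agents are made up.
SAMPLE_LOG = [
    '2017-02-17T09:12:03Z 10.20.30.41 http 139.59.46.154 3485 /eiloShaegae1 '
    '"Mozilla/5.0 (Windows NT; Windows NT 6.1; en-US) WindowsPowerShell/5.1.14393.0"',
    '2017-02-17T09:12:05Z 10.20.30.41 http 45.76.128.165 4443 /0w0O6 ""',
    '2017-02-17T09:15:00Z 10.20.30.42 https www.example.test 443 / '
    '"Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0"',
    '2017-02-17T09:16:10Z 10.20.30.43 https erp.example-partner.test 8443 /login '
    '"Mozilla/5.0 (Windows NT 6.1; rv:51.0) Gecko/20100101 Firefox/51.0"',
]


if __name__ == "__main__":
    for host, port, findings in review(SAMPLE_LOG):
        print(f"{host}:{port} -> {', '.join(findings)}")
```

The point the two constructed hits make is that control 1 on its own is not enough: the User-Agent rule fires only when the download goes through Invoke-WebRequest, which announces WindowsPowerShell in its UA, while a System.Net.WebClient call sends no User-Agent at all. The second line is caught by the non-standard-port, HTTP-on-4443 and raw-IP rules instead, which is why the port review in control 3 is the one that pays off.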

  5. Anonymous Coward

    Intelligence?

    So the Xforce IRIS recommends blocking these malicious IP addresses.

    Yet search on Xforce Exchange

    https://exchange.xforce.ibmcloud.com/ip/139.59.46.154

    https://exchange.xforce.ibmcloud.com/ip/45.76.128.165

    and they are categorised as "unsuspicious"

    It's not intelligence unless it's actionable. It's not actionable unless it's automated.

    @IBM - don't publish a report telling me I've got to block addresses. Do what I'm paying you for and build it into the threat feeds to my defences.
