ICS-CERT Revises Recommendations to Avoid Shamoon Infections

ICS-CERT updates a number of recommendations for critical infrastructure operators to prevent infections from the Shamoon wiper malware. Shamoon struck Saudi oil company Aramco, destroying more than 30,000 workstations.

Most publicly known malware attacks are disruptive in nature, for example causing the interruption of online banking services or taking websites temporarily offline. Few attacks cause actual physical damage to computers where hard drives are damaged and data lost or destroyed.

The Shamoon virus is one notable exception. Considered a state-sponsored attack, Shamoon infected the Saudi oil production company Aramco and damaged upwards of 30,000 computers last August. The virus overwrote the Master Boot Record on tens of thousands of machines, rendering them useless.

While oil production was not impacted, the attack did cause a week of downtime and cost the plant significantly.

This week, ICS-CERT revised a bulletin originally issued in September, updating recommendations for industrial control system operators to avoid Shamoon infections. In addition to overwriting the MBR, Shamoon also overwrites partition tables and files with random data, leaving those files unrecoverable. The malware also spreads via network shares, attempting to reach other computers on the same network.
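Because the wiper's signature behaviour is overwriting the MBR and partition table, one concrete monitoring control is a baseline check of the disk's first sector. The script below is an added example, not code from ICS-CERT or from the original article: it parses a 512-byte MBR, validates the 0x55AA boot signature and the partition-entry status bytes, and compares a SHA-256 digest against a stored baseline. The sample MBR and the "wiped" sector are constructed inline; on a live host the 512 bytes would be read from the disk device and the baseline kept off-host.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries live at 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"      # little-endian 0xAA55 at bytes 510..511


def parse_partition_table(mbr):
    """Return the four primary partition entries as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_digest):
    """Return a list of findings; an empty list means the MBR matches its baseline."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr).hexdigest() != baseline_digest:
        findings.append("MBR hash differs from baseline")
    for i, entry in enumerate(parse_partition_table(mbr)):
        if entry["status"] not in (0x00, 0x80):   # only 'inactive' or 'bootable' are valid
            findings.append(f"entry {i}: invalid status byte 0x{entry['status']:02x}")
    return findings


def build_sample_mbr():
    """Constructed sample: NOP filler for boot code, one active NTFS-type partition."""
    boot_code = bytes([0x90] * PARTITION_TABLE_OFFSET)
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return boot_code + entry0 + bytes(16) * 3 + BOOT_SIGNATURE


SAMPLE_MBR = build_sample_mbr()
BASELINE = hashlib.sha256(SAMPLE_MBR).hexdigest()     # would be stored off-host in practice
# Constructed stand-in for a sector overwritten with garbage: a deterministic byte pattern.
WIPED_MBR = bytes((i * 37 + 11) & 0xFF for i in range(MBR_SIZE))

if __name__ == "__main__":
    print("healthy:", check_mbr(SAMPLE_MBR, BASELINE) or "OK")
    print("wiped:  ", check_mbr(WIPED_MBR, BASELINE))
```

Reading the live sector (for example the first 512 bytes of `/dev/sda` or `\\.\PhysicalDrive0`) requires administrative rights and is left to the host-specific collector.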

“Because of the highly destructive functionality of the Shamoon ‘Wiper’ module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems,” ICS-CERT warned. “Actual impact to organizations vary, depending on the type and number of systems impacted.”

Most of the recommendations are common sense measures any enterprise should have in place already, including a handful around account privilege restrictions, enforcement of password policies, regular backups, log monitoring and analysis, patch management, and isolation of critical networks from business networks. ICS-CERT also recommends that enterprise servers and workstations be kept directly off the Internet, and that content filtering and firewalls should guard any proxy servers.

With phishing the usual point of entry for targeted attacks, attackers are keen to mine social networks for any bits of data that can help them identify viable targets or craft convincing messages that appear to come from trusted sources. The updated bulletin urges policy implementation and enforcement to limit the use of social networks such as Facebook and Twitter, as well as personal email and instant messaging.

“If a valid business case exists for use, implement a guidance/policy that reduces the risk of data loss and malware threats,” the ICS-CERT alert said.

Shamoon wasn’t the last instance of Wiper malware. In March, attacks against media outlets and a number of financial systems in South Korea were pinned on Wiper malware. More than 32,000 computers were overwritten with nonsense data, rendering them unusable.
