Disk-wiping malware Shamoon targets virtual desktop infrastructure

The latest variant had default credentials for a Huawei desktop virtualization solution

A cybersabotage program that wiped data from 30,000 computers at Saudi Arabia's national oil company in 2012 has returned and is able to target server-hosted virtual desktops.

The malware, known as Shamoon or Disttrack, is part of a family of destructive programs known as disk wipers. Similar tools were used in 2014 against Sony Pictures Entertainment in the U.S. and in 2013 against several banks and broadcasting organizations in South Korea.

Shamoon was first observed during the 2012 cyberattack against Saudi Aramco. It spreads to other computers on a local network by using stolen credentials and activates its disk-wiping functionality on a preconfigured date.

In November 2016, security researchers from Symantec reported finding a new version of Shamoon that had been used in a fresh wave of attacks against targets in Saudi Arabia. The version was configured to start overwriting data on hard disk drives on Thursday, November 17 at 8:45 p.m. local time in Saudi Arabia, shortly after most workers in the country had started their weekend.

Researchers from Palo Alto Networks found yet another Shamoon variant, different from the one seen by Symantec and likely used against a different target in Saudi Arabia. This third version had a kill date (the day it was configured to start wiping data) of November 29 and contained hard-coded account credentials that were specific to the targeted organization, the Palo Alto researchers said Monday in a blog post.

Some of those credentials were for Windows domain accounts, but a few were default usernames and passwords for Huawei FusionCloud, a virtual desktop infrastructure (VDI) solution.

VDI products like Huawei FusionCloud let companies run multiple virtualized desktop installations inside a data center. Users then access these virtual PCs from thin clients, making workstation management across different branches and offices a lot easier.

Another benefit of VDI solutions is that they create regular snapshots of these virtualized desktops, allowing administrators to easily restore them to a known working state in case something goes wrong.

Apparently the attackers behind this latest Shamoon campaign were aware that the targeted organization used Huawei's VDI product and realized that wiping the virtual PCs with stolen Windows domain credentials alone would not be enough, since administrators could simply restore the desktops from their snapshots.

"The fact that the Shamoon attackers had these usernames and passwords may suggest that they intended on gaining access to these technologies at the targeted organization to increase the impact of their destructive attack," the Palo Alto Networks researchers said. "If true, this is a major development and organizations should consider adding additional safeguards in protecting the credentials related to their VDI deployment."

While so far this technique has only been observed in a targeted cyberattack whose primary purpose was the destruction of data, it could easily be adopted by ransomware creators in the future. Some ransomware variants already attempt to delete certain types of backups before encrypting data, so targeting VDI snapshots would be a natural expansion of that tactic.
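Two of the behaviours described above leave traces in ordinary Windows event logs: the credential-driven spreading (one account performing network logons to many hosts in a short window) and the deletion of local backups or shadow copies ahead of wiping or encryption. The script below is an added example, not code from the article or from Symantec or Palo Alto Networks. It runs over constructed, normalized events; the field names, account names, hostnames, timestamps and the threshold values are assumptions for illustration, not Shamoon indicators, and the command-line patterns cover only the well-known Windows-local backup tooling (vssadmin, wmic shadowcopy, wbadmin). Snapshot tampering inside a VDI platform such as FusionCloud would have to be watched in that platform's own management audit log, which this example does not model.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a normalized form (assumed field names).
# event_id 4624 with logon_type 3 is a Windows network logon;
# event_id 4688 is process creation with the command line recorded.
SAMPLE_EVENTS = [
    {"ts": "2016-11-17T20:05:00", "event_id": 4624, "user": "CORP\\svc_deploy", "host": "WS-001", "logon_type": 3},
    {"ts": "2016-11-17T20:05:30", "event_id": 4624, "user": "CORP\\svc_deploy", "host": "WS-002", "logon_type": 3},
    {"ts": "2016-11-17T20:06:00", "event_id": 4624, "user": "CORP\\svc_deploy", "host": "WS-003", "logon_type": 3},
    {"ts": "2016-11-17T20:06:30", "event_id": 4624, "user": "CORP\\svc_deploy", "host": "WS-004", "logon_type": 3},
    {"ts": "2016-11-17T20:07:00", "event_id": 4624, "user": "CORP\\svc_deploy", "host": "WS-005", "logon_type": 3},
    # repeated host: must not be counted twice
    {"ts": "2016-11-17T20:07:10", "event_id": 4624, "user": "CORP\\svc_deploy", "host": "WS-005", "logon_type": 3},
    # ordinary user activity: an interactive logon and a single network logon hours apart
    {"ts": "2016-11-17T09:00:00", "event_id": 4624, "user": "CORP\\alice", "host": "WS-010", "logon_type": 2},
    {"ts": "2016-11-17T12:00:00", "event_id": 4624, "user": "CORP\\alice", "host": "WS-011", "logon_type": 3},
    {"ts": "2016-11-17T20:08:00", "event_id": 4688, "user": "CORP\\svc_deploy", "host": "WS-003",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2016-11-17T10:15:00", "event_id": 4688, "user": "CORP\\bob", "host": "WS-020",
     "cmdline": "notepad.exe report.txt"},
]


def credential_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Return {account: sorted hosts} for accounts whose network logons
    reach `threshold` distinct hosts inside any sliding window of `window`.

    A service or admin account touching many workstations within minutes
    is what credential-based spreading looks like from the domain side.
    The window and threshold are assumed starting points; tune them to
    the environment's normal deployment and scanning activity.
    """
    per_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e.get("logon_type") == 3:
            per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))

    flagged = {}
    for user, logons in per_user.items():
        logons.sort()
        recent = deque()  # logons inside the current sliding window
        for ts, host in logons:
            recent.append((ts, host))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            hosts = {h for _, h in recent}
            if len(hosts) >= threshold:
                flagged[user] = sorted(set(flagged.get(user, [])) | hosts)
    return flagged


# Command lines that remove Windows-local restore points and backups.
# Deleting these before destruction is the backup-tampering step the
# article describes for ransomware; the patterns are an assumption about
# the tools commonly used, not indicators taken from Shamoon.
BACKUP_TAMPER = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup))",
    re.IGNORECASE,
)


def backup_tampering(events):
    """Return process-creation events whose command line deletes local backups."""
    return [
        e for e in events
        if e["event_id"] == 4688 and BACKUP_TAMPER.search(e.get("cmdline", ""))
    ]


if __name__ == "__main__":
    for user, hosts in credential_fanout(SAMPLE_EVENTS).items():
        print(f"fan-out: {user} reached {len(hosts)} hosts: {', '.join(hosts)}")
    for e in backup_tampering(SAMPLE_EVENTS):
        print(f"backup tampering on {e['host']} by {e['user']}: {e['cmdline']}")
```

Against the constructed events, the service account is flagged once it reaches five distinct hosts inside ten minutes (the repeat logon to WS-005 is not double counted), the ordinary user is not, and the single vssadmin invocation is reported. In practice the two detections are most useful correlated: a fan-out followed by backup deletion from the same account, shortly before a quiet period such as the weekend, is exactly the sequence the article describes.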

None of the targets in the November attacks were named by Symantec or Palo Alto Networks.

Lucian Constantin

IDG News Service