Malware like Shamoon is analogous to finding an unexploded WWII bomb in the ground. It’s been seemingly dormant for years, but when uncovered, it remains incredibly dangerous with the potential to devastate. Agile cyber attackers have become expert at reconstituting old weaponry for new attacks – we can expect this trend to continue throughout 2017.
While it’s natural to focus on the devastation malware like this can cause, understanding the pathway the malware had to travel is key to mitigation. According to reports, the malware carried embedded credentials that let it move quietly through the network and plant its logic bombs. The attack was most likely seeded by a worm, which is how Shamoon spread in 2012: with stolen credentials in hand, it copies itself to other machines by writing to administrative network shares or through other remote access channels. Another way to reach every machine at once is to push the payload from the Domain Controller through a Group Policy Object (GPO) that is applied to every domain-joined machine; modifying a GPO likewise requires privileged domain credentials.
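Both pathways above leave the same trace in the logs: one account performing network (type 3) logons to many distinct hosts in a short window, which is what a worm copying itself share-to-share with embedded credentials looks like. The detector below is an added example, not code from the original post; it runs over a handful of constructed Windows Security log events (EventID 4624 successful logon, LogonType 3 network logon) whose key=value field layout is an assumption made for the example, not a real export format.

```python
"""Flag accounts whose network logons fan out to many hosts within a short window.

Added example, not code from the original post. The event lines below are
constructed for illustration and their key=value layout is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of Windows Security log events (assumed layout).
# EventID 4624 = successful logon, 4625 = failed logon; LogonType 3 = network
# logon (e.g. SMB share access), LogonType 2 = interactive console logon.
SAMPLE_EVENTS = """\
2017-01-23T02:14:05Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.5 Host=WS-017
2017-01-23T02:14:09Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.5 Host=WS-018
2017-01-23T02:14:12Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.5 Host=WS-019
2017-01-23T02:14:20Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.5 Host=FS-01
2017-01-23T02:14:33Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.5 Host=WS-020
2017-01-23T02:14:41Z EventID=4624 LogonType=3 Account=CORP\\svc_backup SourceIP=10.0.0.5 Host=DC-01
2017-01-23T02:15:02Z EventID=4625 LogonType=3 Account=CORP\\eve SourceIP=10.0.0.9 Host=FS-01
2017-01-23T08:01:00Z EventID=4624 LogonType=2 Account=CORP\\alice SourceIP=- Host=WS-001
2017-01-23T08:05:00Z EventID=4624 LogonType=3 Account=CORP\\alice SourceIP=10.0.1.10 Host=FS-01
2017-01-23T09:00:00Z EventID=4624 LogonType=3 Account=CORP\\bob SourceIP=10.0.1.11 Host=FS-01
2017-01-23T15:00:00Z EventID=4624 LogonType=3 Account=CORP\\bob SourceIP=10.0.1.11 Host=FS-02
2017-01-23T15:30:00Z EventID=4624 LogonType=3 Account=CORP\\bob SourceIP=10.0.1.11 Host=WS-050
"""


def parse_event(line):
    """Split one constructed event line into (timestamp, {field: value})."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, fields


def detect_fan_out(lines, window_seconds=600, host_threshold=5):
    """Return {account: sorted hosts} for accounts with successful network logons
    to at least host_threshold distinct hosts inside any window_seconds window.

    Failed logons and non-network logon types are ignored; a sliding window per
    account keeps the largest set of hosts reached within the window.
    """
    by_account = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, f = parse_event(line)
        if f.get("EventID") != "4624" or f.get("LogonType") != "3":
            continue
        by_account[f["Account"]].append((ts, f["Host"]))

    findings = {}
    for account, events in by_account.items():
        events.sort()
        start = 0
        best = set()
        for end in range(len(events)):
            # Advance the window start until the span fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            hosts = {host for _, host in events[start:end + 1]}
            if len(hosts) >= host_threshold and len(hosts) > len(best):
                best = hosts
        if best:
            findings[account] = sorted(best)
    return findings


if __name__ == "__main__":
    for account, hosts in detect_fan_out(SAMPLE_EVENTS.splitlines()).items():
        print(f"{account}: network logons to {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

On the sample, only `CORP\svc_backup` is flagged: six hosts, including the domain controller, in under a minute. `bob` reaches three hosts but over six hours, and `alice`'s console logon is not a network logon, so neither trips the threshold. Tune `window_seconds` and `host_threshold` against baseline activity for legitimate service accounts (backup and patching accounts do fan out, but on a schedule) before alerting on this in production.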
Frustratingly, this pattern of privileged credential compromise keeps repeating: consider the attacks on the Ukrainian power grid, Bangladesh Bank, The Sands Hotel and others. Hijacked administrator credentials let attackers enter the network undetected, then elevate and extend those privileges until they reach a vantage point from which to inflict maximum damage.
When Shamoon first wreaked havoc on Saudi Aramco in 2012, ICS-CERT immediately issued strategic mitigation steps to specifically prevent Shamoon-based attacks. The mitigation strategies highlighted the importance of controlling access and management of privileged accounts. This is very similar to the alert the FBI recently issued that prioritized privileged credential protection.
These steps are well-known best practices in the security industry. The reality we face is that while we pay lip service to enacting security best practices, bad habits persist. Our recent research shows that as many as 40% of organizations still store privileged and admin passwords in Word documents or spreadsheets. Failing to secure these accounts leaves an open door for attackers to unleash their malware across a network.
We can expect more attacks that reconstitute old malware, but we can’t persist in the same security mindset. We need to assume cyber attackers are already on the network and planning attacks with increasingly malicious intent. By shutting down the privileged pathway of malware like Shamoon, organizations can build virtual blast chambers that contain the damage a ‘digital bomb’ can cause.