Following recent cyberattacks on Sadara and Saudi Arabia’s labor ministry and human resources development fund, the country’s Computer Emergency Response Team has warned of the re-emergence of the Shamoon ransomware virus that partially wiped or destroyed 35,000 computers in 2012 – the most damaging cyberattack in history. Hitesh Sheth, CEO at Vectra Networks, commented below.
Hitesh Sheth, CEO at Vectra Networks:
“The adversary is using a combination of social engineering and email phishing to infect one or a number of computers on an organisation’s networks. By downloading a file or clicking a link, employees may have unknowingly downloaded an exploit kit. Once infected, the computer rapidly performs port sweeps across the subnet and quickly spreads the malware to all hosts on the subnet. To inflict the most damage, the adversary will attempt to affect multiple computers in order to destroy data on every subnet across the network.
“Shamoon 2, like Shamoon that struck the oil company Saudi Aramco in 2012, moves extremely rapidly with the sole objective of destroying systems and bringing a business to its knees. Because the malware avoids using command and control communications, the only way to detect and respond in real time is to monitor the internal network for attacker behavior. Traditional security such as firewalls, IDS/IPS and Web gateways is not effective.
“Aside from catching the culprits who engineered the attacks, the most effective way to stop further attacks is to deploy a solution that monitors the internal network, and detects and responds to attacker behavior in real time. Traditional perimeter systems like firewalls, IDS/IPS and secure Web gateways simply can’t stop the attack once it starts.”
“There is a command and control (C&C) channel in the malware that also needs to be addressed. Unfortunately, the C&C channels in most organisations are not always active and may therefore open up opportunities for the malware to evade detection. Traditional perimeter systems like firewalls, IDS/IPS and secure Web gateways are simply not enough to stop the attack once it starts.”