at March 04,2016
Interesting breakdown of the Shamoon malware. Clearly this malware was meant to cause destruction and was not focused on giving an attacker remote access or control. This is why I think this piece of malware is interesting as most often times you hear about malware giving someone access to a network/system but not much about destruction. And based on the fact that the malware erased the MBR makes it clear the attacker meant to do some serious damage. Surprising we do not hear more about destructive malware.
at March 08,2016
Dr. Ramzan provided a decent, high level overview of the Shamoon attack on Saudi Aramco. I'd agree that the level of sophistication of the attack was modest, but it appears that Iranian-based hackers, with likely tacit support from the government have continued to improve over time. Transitioning from DDOS and simple website defacements, Iranian hacker groups, such as the Ajax Security Team have successfully targeted the Navy/USMC Intranet and have transitioned to non-public tools. These efforts by the Iranians to improve their cyber capabilities are likely a result of the successful Stuxnet and Flame campaigns.
at March 10,2016
It’s interesting that it makes no attempt to spread. It basically just goes in and destroys the machine. Another fact that points to some kind of hacktivist group. It seems like this virus was designed for a targeted strike instead of something to spread around to anyone’s computer that it could find. Plus, destroying the master boot record was a nice finishing touch on the virus. It didn’t just want to delete the data, it wanted to make sure the computer was unusable.
at March 11,2016
I want to know if they were able to attribute the attack to a single user. The fortunate thing about an insider threat is that there is a finite number of suspects and that number can be significantly decreased with some investigation. I would also love to know how/if SourceFire wrote some new Snort/FireSight signatures to catch this malware as it spread across the network.
at March 24,2016
Yes it maybe an insider threat, just a revenge act. Or maybe as it's an attack on the power and sollar companies it also might be a competitor act.
It's scary when a virus attacks company's devices and wipe the whole information of. I I get upset when I delete a silly picture mistakenly, not crucial info. that will derive a company's existence.