New Dustman Wiper Malware Shows Links to Iran

Iran: A new wiper malware named Dustman has reportedly been linked to Iran, based on similarities it shares with the earlier Iranian malware ZeroCleare and the original Shamoon wiper. The link rests on a common component, EldoS RawDisk, which is a legitimate software toolkit for interacting with files, disks, and partitions. The new wiper was recently seen in an attack against Bahrain’s national oil company, Bapco. The attack began on December 29, 2019, through one of Bapco’s VPN servers, where the attackers exploited an unpatched vulnerability. The malware affected only a portion of the company’s network, and the company remained operational throughout the attack. A report from Saudi Arabia CNA outlined the malware and explained that a series of small mistakes kept it from being fully effective, which is why only a small portion of Bapco’s systems could be infected.

Analyst Notes

All companies should use a defense-in-depth strategy to ensure the best security measures are in place. Securing all servers would also help protect companies from attacks such as this one, which originated through a VPN server. Having monitoring in place, such as Binary Defense’s MDR service, would help detect intrusions when they occur and stop them before they take over an entire organization. Keeping systems up to date with security patches is crucial so that attackers do not have an easy way to target the company. As is typical with wiper malware, the groups using it are more concerned with destruction than with the financial gain commonly sought with ransomware.
