I have been involved in cybersecurity for more than a dozen years now, and it still surprises me how often corporations deploy a flat network architecture. Granted, there are several reasons why a company would implement a relatively flat network, such as simplicity of O&M, the number of users, and the ever-present factor of cost. However, those companies are missing two significant cybersecurity benefits of a network with well-planned segmentation.
A priority for network defenders is to find a potential threat at the earliest possible stage. While it is important to identify that a system has been infected by observing its outbound command and control communication, the real benefit, in both remediation time and avoided data and financial loss, comes from detecting the malicious file entering the network before the infection occurs. Better still is to detect the exploit vector attempting to compromise a system before the malicious file is ever downloaded. Defense-in-depth applies not only to maintaining multiple solutions, but also to ensuring that those solutions cover several stages of the campaign lifecycle.
A recent cyber-attack on South Korean broadcasting and banking infrastructure reportedly brought down over 35,000 systems. This attack has drawn comparisons in intent and method to the recent wiping attack against Saudi Aramco by the Shamoon malware. Shamoon has been covered extensively by the community, and was covered in Fidelis Threat Advisory #1007. Naturally our curiosity was piqued, so we acquired samples of the malware and started analysis.
The initial analysis has been posted on the Fidelis Threat Geek blog and will be expanded upon in this advisory. This write-up will focus on the wiper malware used and the recovery techniques that are possible.
Preliminary analysis shows that the malware overwrites the Master Boot Record (MBR) and the Volume Boot Record (VBR). The records and files overwritten by the malware so far have been wiped with patterns of 'HASTATI' or 'PR!NCPES'.
The malware samples analyzed by our team differ in code and function from the Shamoon malware. However, the recovery methods described in advisory #1007 still apply, and the files and data are indeed recoverable.
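The first step of any recovery is establishing which boot sectors were actually hit. The following triage helper is an added example written for this advisory's readers; it is not Fidelis code and not the recovery method from advisory #1007. It assumes the wipe pattern is the marker string tiled end to end across a 512-byte sector (the page only says the sectors were "wiped with patterns of" those strings, so the tiling, the 90% coverage threshold, and all function names are this example's own assumptions). It parses the MBR partition table when sector 0 survives, because the partition start LBAs are the first thing a recovery needs, and it flags sectors that match either marker. The disk image it runs on is constructed in memory for illustration.

```python
# Added example (not Fidelis code): triage a disk image for sectors overwritten
# with the 'HASTATI' / 'PR!NCPES' patterns named on the page, and tell a wiped
# sector apart from an intact MBR or VBR. Assumptions: the marker is tiled
# end to end across the sector; 90% coverage counts as wiped.
import struct

SECTOR_SIZE = 512
WIPE_MARKERS = (b"HASTATI", b"PR!NCPES")  # patterns reported in the advisory


def marker_coverage(sector: bytes, marker: bytes) -> float:
    """Fraction of bytes in `sector` that agree with `marker` tiled end to end.

    Every alignment of the marker is tried because an overwrite need not start
    the tiling at byte 0 of the sector; the best alignment wins.
    """
    n = len(marker)
    best = 0
    for shift in range(n):
        hits = sum(1 for i, b in enumerate(sector) if b == marker[(i + shift) % n])
        best = max(best, hits)
    return best / len(sector)


def has_boot_signature(sector: bytes) -> bool:
    """MBR and VBR sectors end with the 0x55 0xAA boot signature."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == b"\x55\xaa"


def partition_entries(sector: bytes) -> list:
    """Parse the four 16-byte MBR partition entries at offset 0x1BE.

    Returns (type, first_lba, sector_count) for every entry with a non-zero type.
    """
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        ptype = sector[off + 4]
        first_lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            entries.append((ptype, first_lba, count))
    return entries


def classify_sector(sector: bytes, threshold: float = 0.9) -> str:
    """Label a sector 'wiped:<marker>', 'intact_mbr', 'boot_sector' or 'other'."""
    for marker in WIPE_MARKERS:
        if marker_coverage(sector, marker) >= threshold:
            return "wiped:" + marker.decode("ascii")
    if has_boot_signature(sector):
        return "intact_mbr" if partition_entries(sector) else "boot_sector"
    return "other"


def scan_image(image: bytes, max_sectors: int = 64) -> dict:
    """Classify the first `max_sectors` sectors of an image.

    Returns per-label counts, the LBAs of wiped sectors, and the partition
    table if sector 0 survived (empty when the MBR itself was wiped).
    """
    counts = {}
    wiped = []
    total = min(max_sectors, len(image) // SECTOR_SIZE)
    for lba in range(total):
        label = classify_sector(image[lba * SECTOR_SIZE:(lba + 1) * SECTOR_SIZE])
        counts[label] = counts.get(label, 0) + 1
        if label.startswith("wiped:"):
            wiped.append(lba)
    mbr = image[:SECTOR_SIZE]
    partitions = partition_entries(mbr) if classify_sector(mbr) == "intact_mbr" else []
    return {"counts": counts, "wiped_lbas": wiped, "partitions": partitions}


def tile(marker: bytes) -> bytes:
    """One sector filled with `marker` repeated (hypothetical wipe layout)."""
    return (marker * (SECTOR_SIZE // len(marker) + 1))[:SECTOR_SIZE]


def build_sample_image(wiped: bool) -> bytes:
    """Constructed 64-sector image: MBR at LBA 0, one NTFS-style VBR at LBA 8.

    With wiped=True the MBR is tiled with 'HASTATI' and the VBR with 'PR!NCPES'.
    """
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\x33\xc0\x8e"  # start of typical MBR boot code
    struct.pack_into("<BBBBBBBBII", mbr, 0x1BE,
                     0x80, 0, 0, 0, 0x07, 0, 0, 0,  # bootable, type 0x07 (NTFS)
                     8, 56)                         # first LBA 8, 56 sectors
    mbr[510:512] = b"\x55\xaa"
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:11] = b"\xeb\x52\x90NTFS    "  # jump + OEM ID as in an NTFS VBR
    vbr[510:512] = b"\x55\xaa"
    if wiped:
        mbr, vbr = bytearray(tile(b"HASTATI")), bytearray(tile(b"PR!NCPES"))
    image = bytearray(64 * SECTOR_SIZE)
    image[0:SECTOR_SIZE] = mbr
    image[8 * SECTOR_SIZE:9 * SECTOR_SIZE] = vbr
    return bytes(image)


if __name__ == "__main__":
    print("intact:", scan_image(build_sample_image(False)))
    print("wiped: ", scan_image(build_sample_image(True)))
```

On a real disk, feed `scan_image` the raw device or a forensic image read in 512-byte sectors; the wiped-LBA list tells you whether only the MBR and VBRs were hit (partition data still in place, so the table can be rebuilt from on-disk filesystem structures) or whether the pattern extends into file data as well.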