It is being reported that a new variant of the Shamoon wiper malware was discovered on the network of Italian oil and gas contractor Saipem, where it destroyed files on about 10% of the company's PC fleet.
Most of the affected systems were located in the Middle East, where Saipem does the bulk of its business, but infections were also reported in India, Italy, and Scotland.
Please see below for commentary from cybersecurity experts at Synopsys.
Andrew van der Stock, Senior Principal Consultant at Synopsys:
"The resurgence of the Shamoon wiper should remind all IT Executives and Directors of the critical importance of the basics of infosec security hygiene, such as the Australian Cyber Security Centre's 'Essential 8', which starts with application whitelisting (an essential control which would have prevented this attack), automated patching, application hardening, restricting admin privileges, and multi-factor authentication. In this case, the victim had backups to recover service, but the reality is that this attack might have been prevented if such basic precautions were in place for the majority of users."
Thomas Richards, Associate Principal Consultant at Synopsys:
"The initial entry point is of interest. With the recent releases of breaches involving passwords, it is a possibility that an employee used the same password in multiple locations, which led to the attacker's ability to compromise Saipem. The Shamoon attack could also be predicated by a phishing campaign or other credential-compromising event. This attack is most likely perpetrated by an advanced threat actor who was specifically targeting Saipem. Employers should state in their password policy that employees should not reuse corporate passwords on other systems. Additionally, if an employee receives a suspicious email, they should report it to their IT security group immediately."
Read the article online at: https://www.worldpipelines.com/equipment-and-safety/14122018/synopsys-comments-on-saipem-cyberattack/