As part of Palo Alto Networks Unit 42’s ongoing monitoring of the Shamoon 2 situation, we have updated information since our last posting Threat Brief: Second Wave of Shamoon 2 Attacks Reveal Possible New Tactic.
Since that Threat Brief, our Unit 42 researchers have become aware of another wave of Shamoon 2 attacks. This third wave was set to wipe systems using the Disttrack malware on January 23, 2017.
Aside from that difference, this latest wave of Shamoon 2 attacks appears to be the same as wave 1, which wiped systems on November 17, 2016, and wave 2, which wiped systems on November 29, 2016. The wave 3 samples our Unit 42 researchers have analyzed are similar to the other two waves in terms of the attack vectors, payloads and actions taken: there is no new intelligence to share on those.
This latest threat intelligence suggests that Shamoon 2 attacks are an ongoing situation and that additional waves of attack are possible in the future.
Organizations that are concerned about this situation and believe it poses risks to them should perform a risk assessment that considers the following possible actions in response:
- Examine all remote access traffic like RDP and SSH and block all unnecessary remote connections.
- Alternately, consider blocking all remote access connections to your organization altogether.
- Consider forcing a full password-reset organization-wide of all accounts, and especially those with administrative privileges.
In addition, organizations should review their backup strategies and disaster recovery/business continuity plans.
Our Unit 42 research team continues to follow the situation closely and we will provide updates as appropriate.