Weekly podcast: Shamoon, Year Zero and Confide

This week, we discuss the re-emergence of the Shamoon/Disttrack malware, a new trove of CIA documents from WikiLeaks and “numerous security vulnerabilities” in an app used by President Trump’s aides.

Hello and welcome to the IT Governance podcast for Friday, 10 March 2017. Here are this week’s stories.

The Shamoon (also known as Disttrack) malware, which was first used in 2012 to erase data from some 35,000 computers at oil giant Saudi Aramco, has re-emerged and now features a ransomware module as well as its remote-wiping functionality, according to a new report from Kaspersky Lab. Shamoon 2.0 has “targeted organizations in various critical and economic sectors in Saudi Arabia” since November 2016 and, like the previous variant, “aims for the mass destruction of systems inside targeted organizations.”

Symantec, meanwhile, explains that the new Shamoon campaign was conducted by a group it calls ‘Timberworm’, which used spear phishing emails to spread the virus via Word or Excel attachments containing malicious macros, or malicious links that downloaded similar infected files. These then provided the attackers with remote access to compromised machines.

Obviously, relatively few organisations are likely to be targeted by international cyberwarfare, but it is worth remembering that malware is increasingly spread by phishing emails, which is why staff awareness training is so important for all organisations.

Coincidentally, Shamoon is just one of the tools revealed to have been repurposed by the CIA, according to the latest batch of leaks – 8,761 documents collectively known as ‘Year Zero’ – published by WikiLeaks this week. According to WikiLeaks, the CIA’s UMBRAGE team – part of the Remote Development Branch – “collects and maintains a substantial library of attack techniques ‘stolen’ from malware produced in other states”. These components include “keyloggers, password collection, webcam capture, data destruction, persistence, privilege escalation, stealth, anti-virus (PSP) avoidance and survey techniques.”

The CIA hasn’t commented.

Aside from the time- and cost-saving benefits to the CIA of using techniques that are already in use in the wild, the main advantage of using established exploits would be that it makes attribution more difficult for security companies, enabling state-sponsored activity to slip under the radar more easily.

The Year Zero documents catalogue tools that work against Windows, OS X, iOS and Android operating systems, most of the popular antivirus software, IoT devices, and even smart TVs – via an attack called Weeping Angel, named after a Doctor Who villain. One piece of good news for those who fear state surveillance: the Whisper Systems protocol used in encrypted messaging applications Signal and WhatsApp remains uncracked.

One messaging app that wasn’t secure, however, is Confide – the app used by President Trump’s aides according to The Washington Post. This week, security researchers at IOActive announced that they had identified “numerous security vulnerabilities” in the application, which allowed malicious attackers to potentially “impersonate another user by hijacking their account session, impersonate another user by guessing their password, learn the contact details of all or specific Confide users, become an intermediary in a conversation and decrypt messages, and alter the contents of a message or attachment in transit without first decrypting it”. According to IOActive’s report, Confide has now remediated the critical issues.
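The last item in IOActive’s list, altering a message “in transit without first decrypting it”, is what happens when a messaging protocol encrypts but does not authenticate: a receiver that checks no integrity tag will quietly decrypt whatever arrives. The following Python example is added here to illustrate that failure mode and the defensive check that closes it; it is not code from Confide or IOActive and says nothing about how Confide’s own protocol was built. It uses a toy SHA-256 counter-mode keystream (constructed for illustration only, not a real cipher) so that it runs with the standard library alone, and compares a plain encrypt-only receiver with an encrypt-then-MAC receiver that verifies an HMAC tag before decrypting. The keys and nonce are fixed, constructed values so the run is reproducible.

```python
import hashlib
import hmac

# Constructed fixed values so the example is reproducible offline.
# In a real system keys come from a key exchange and nonces are never reused.
ENC_KEY = b"k" * 32
MAC_KEY = b"m" * 32
NONCE = bytes(16)
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key || nonce || counter). Illustration only;
    a production design would use AES-GCM or ChaCha20-Poly1305 from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: no integrity protection at all."""
    return _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Decrypts anything it is given; it has no way to notice tampering."""
    return encrypt_only(key, nonce, ciphertext)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Verify the tag first, in constant time, and only then decrypt."""
    if len(message) < len(NONCE) + TAG_LEN:
        raise ValueError("message truncated")
    nonce = message[:len(NONCE)]
    ct = message[len(NONCE):-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered in transit")
    return decrypt_only(enc_key, nonce, ct)


def tamper_check() -> tuple:
    """Corrupt one ciphertext byte on the wire for both designs.
    Returns (unauthenticated_plaintext_changed, authenticated_message_rejected)."""
    msg = b"Meeting moved to 3pm"  # constructed sample message

    # Encrypt-only: one corrupted byte yields a different plaintext, no error raised.
    ct = bytearray(encrypt_only(ENC_KEY, NONCE, msg))
    ct[0] ^= 0x01
    unauth_changed = decrypt_only(ENC_KEY, NONCE, bytes(ct)) != msg

    # Encrypt-then-MAC: the same corruption is detected before decryption.
    sealed = bytearray(seal(ENC_KEY, MAC_KEY, NONCE, msg))
    sealed[len(NONCE)] ^= 0x01  # first ciphertext byte
    try:
        open_sealed(ENC_KEY, MAC_KEY, bytes(sealed))
        auth_rejected = False
    except ValueError:
        auth_rejected = True

    return unauth_changed, auth_rejected


if __name__ == "__main__":
    changed, rejected = tamper_check()
    print("encrypt-only receiver silently accepted altered plaintext:", changed)
    print("authenticated receiver rejected altered message:", rejected)
```

The defender’s takeaway is the order of operations in `open_sealed`: verify the tag over everything received, compare it in constant time, and refuse to decrypt on mismatch. A protocol that skips that step has exactly the property IOActive describes, whatever cipher it uses underneath.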

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s March book of the month is Once more unto the breach – Managing information security in an uncertain world, by Andrea C Simmons. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.