Thursday, May 11, 2017

SHAMOON 2 Mitigations


SHAMOON 2 ATTACK AGAIN

The malware, called Shamoon, has three primary functional components:

1. Dropper—the main component and source of the original infection. It installs a number of other modules.
2. Wiper—this module is responsible for the destructive functionality of the malware.
3. Reporter—this module is responsible for reporting infection information back to the attacker.

After the initial infection, Shamoon spreads via network shares to infect additional machines on the network. Symantec first detected the original Shamoon on August 16, 2012, and estimated that only a few infections (fewer than 50) existed worldwide.


Impact
Because of the highly destructive functionality of the Shamoon "Wiper" module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. The actual impact to an organization varies, depending on the type and number of systems affected. The malware can also log into virtual desktop infrastructure (VDI) solutions and wipe any saved snapshots, thereby preventing an organization from restoring its systems.

Mitigation
Tactical Mitigations


·         Execute daily backups of all critical systems.
·         Periodically execute an “offline” backup of critical files to removable media.
·         Establish emergency communications plans should network resources become unavailable.
·         Isolate any critical networks (including operations networks) from business systems.
·         Identify critical systems and evaluate the need for having on-hand spares to quickly restore service.
·         Ensure antivirus is up to date.
·         Disable credential caching for all desktop devices, with particular importance on critical systems such as servers, and restrict the number of cached credentials on all portable devices to no more than three if possible. This can be accomplished through a Group Policy Object (GPO).
·         Disable AutoRun and Autoplay for any removable media device.
·         Prevent or limit the use of all removable media devices on systems to limit the spread or introduction of malicious software and possible exfiltration data, except where there is a valid business case for use.
·         Consider restricting account privileges. It is our recommendation that all daily operations should be executed using standard user accounts unless administrative privileges are required for that specific function. Configure all standard user accounts to prevent the execution and installation of any unknown or unauthorized software. Both standard and administrative accounts should have access only to services required for nominal daily duties, enforcing the concept of separation of duties. Lastly, disable Web and email capabilities on administrative accounts. Compromise of admin accounts is one vector that allows malicious activity to become truly persistent in a network environment.
·         Ensure that password policy rules are enforced and Admin password values are changed periodically.
·         Consider prohibiting hosts within the production environment or DMZ from sharing an Active Directory enterprise with hosts on other networks. Each environment should have separate forests within Active Directory, with no trust relationships allowed between the forests if at all possible. If necessary, the trust relationships should be one-way with the low integrity environment trusting the higher integrity environment.
·         Consider deployment of a coaching page with click-through acceptance; these are traditionally deployed in an environment to log acceptance of the network acceptable use policy or to notify users of monitoring. Coaching pages also provide some measure of protection from automated malicious activity, because automated malware is normally incapable of clicking an acceptance radio button. Automated malware is traditionally hardcoded to execute, then retrieve commands or additional executables from the Internet. If the malware is unable to initiate an active connection, the full chain of infection is potentially halted. The danger still exists that the user will authorize access, but through the use of coaching pages, infections can be limited or at least the rate of infection reduced.
·         Monitor logs -- Maintain and actively monitor a centralized logging solution that keeps track of all anomalous and potentially malicious activity.
·         Ensure that all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.




Strategic Mitigations

·         Always keep your patch levels up to date, especially on computers that host public services accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
·         Build host systems, especially critical systems such as servers, with only essential applications and components required to perform the intended function. Any unused applications or functions should be removed or disabled, if possible, to limit the attack surface of the host.
·         Consider the deployment of a Software Restriction Policy set to only allow the execution of approved software (application whitelisting).
·         Whitelist only legitimate executable directories (for example, the Windows and Program Files directories) to prevent the execution of potentially malicious binaries dropped elsewhere, such as in user-writable locations.
·         Consider the use of two-factor authentication methods for accessing privileged root level accounts or systems.
·         Consider deploying a two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access.
·         Deny direct Internet access, except through the use of proxies for Enterprise servers and workstations. Perform regular content filtering at the proxies or external firewall points of presence. Also consider the deployment of an explicit versus transparent proxy policy.
·         Implement a Secure Sockets Layer (SSL)/TLS inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.
·         Isolate network services, such as email and Web application servers by utilizing a secure multi-tenant virtualization technology. This will limit the damage sustained from a compromise or attack of a single network component.
·         Implement best practice guidance and policy to restrict the use of non-corporate assets for processing or accessing corporate-controlled data or systems (e.g., working from home, or using a personal device while at the office). It is difficult to enforce corporate policies, detect intrusions, and conduct forensic analysis or remediate compromises on non-corporate-owned devices.
·         Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
·         Place control system networks behind firewalls, and isolate or air gap them from the business network.
·         When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
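Several of the items above (credential caching and AutoRun/Autoplay in the tactical list, the Software Restriction Policy default level in the strategic list) map to well-known registry values that Group Policy writes. The following is an added example, not code from the original post: a PowerShell audit script that reports the current state of those values and, with -Remediate, sets the cached-logon and AutoRun values. The SRP default level is deliberately audit-only, because switching it to Disallowed without path rules for %SystemRoot% and %ProgramFiles% blocks legitimate executables. The thresholds (three cached logons, 0xFF for all drive types) are assumptions chosen to match the text; the function names are this example's own. Run it elevated; on domain members, set the values through GPO and use the script to verify the policy actually applied.

```powershell
# Added example (not from the original post): audit/remediate registry-backed
# hardening settings recommended above. Requires an elevated PowerShell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

# Each check: where the GPO-backed value lives, what "hardened" means, and
# whether this script is allowed to change it.
$Checks = @(
    @{
        Name    = 'Cached domain logons limited'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Value   = 'CachedLogonsCount'
        Type    = 'String'   # REG_SZ on this key
        Desired = '3'        # assumption: use '0' on servers / critical systems
        Pass    = { param($v) ($null -ne $v) -and ([int]$v -le 3) }
        Fix     = $true
    }
    @{
        Name    = 'AutoRun disabled on all drive types'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value   = 'NoDriveTypeAutoRun'
        Type    = 'DWord'
        Desired = 0xFF       # bitmask: all drive types
        Pass    = { param($v) ($null -ne $v) -and ([int]$v -eq 0xFF) }
        Fix     = $true
    }
    @{
        Name    = 'autorun.inf commands never executed'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
        Value   = 'NoAutorun'
        Type    = 'DWord'
        Desired = 1
        Pass    = { param($v) ($null -ne $v) -and ([int]$v -eq 1) }
        Fix     = $true
    }
    @{
        Name    = 'Software Restriction Policy default level is Disallowed'
        Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
        Value   = 'DefaultLevel'
        Type    = 'DWord'
        Desired = 0          # 0 = Disallowed, 0x40000 = Unrestricted
        Pass    = { param($v) ($null -ne $v) -and ([int]$v -eq 0) }
        Fix     = $false     # audit only: needs path rules before enabling
    }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ShamoonHardening {
    # Emit one PASS/FAIL row per check without changing anything.
    foreach ($c in $Checks) {
        $current = Get-RegistryValueOrNull -Path $c.Path -Name $c.Value
        $ok = & $c.Pass $current
        [pscustomobject]@{
            Check   = $c.Name
            Current = if ($null -eq $current) { '<not set>' } else { $current }
            Desired = $c.Desired
            Status  = if ($ok) { 'PASS' } else { 'FAIL' }
            Fixable = $c.Fix
        }
    }
}

function Set-ShamoonHardening {
    # Apply the desired value only for failing checks marked Fix = $true.
    # Honors -WhatIf / -Confirm passed to the script.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($c in $Checks | Where-Object { $_.Fix }) {
        $current = Get-RegistryValueOrNull -Path $c.Path -Name $c.Value
        if (& $c.Pass $current) { continue }
        if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Value)", "Set to $($c.Desired)")) {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            New-ItemProperty -Path $c.Path -Name $c.Value -PropertyType $c.Type `
                -Value $c.Desired -Force | Out-Null
        }
    }
}

Test-ShamoonHardening | Format-Table -AutoSize
if ($Remediate) {
    Set-ShamoonHardening
    Test-ShamoonHardening | Format-Table -AutoSize
}
```

Invoke it as `.\Audit-ShamoonHardening.ps1` for a read-only report, `.\Audit-ShamoonHardening.ps1 -Remediate -WhatIf` to see what would change, and `-Remediate` to apply. Values written directly to these keys are overwritten at the next Group Policy refresh if a GPO sets them differently, which is the intended behaviour on domain members.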


To protect against Shamoon’s destructive forces, enterprises should train their employees to avoid clicking on suspicious links and email attachments. 
