New Iranian Data Wiper Malware Hits Bapco, Bahrain's National Oil Company (Jan 9, 2019)
On December 29, 2019, Iran-sponsored threat actors deployed a strain of new data-wiping malware, known as “Dustman,” on the network of the Bahraini national oil company, Bapco. The details of the attack are provided in a security alert published by Saudi Arabia’s National Cybersecurity Authority (CNA), which was sent to local companies involved in the energy market to warn of impending attacks. The incident demonstrates Iran’s advanced capabilities in launching cyberattacks, which has been of great international interest due to U.S. and Iranian political tension. The Dustman data-wiper is designed to delete data on infected computers when executed, and appears to be an upgraded and more advanced version of “ZeroCleare” malware that was first discovered in September 2019. The two important differences in Dustman are that all necessary drivers and loaders are delivered in one executable, and Dustman has the ability to completely overwrite the volume. The CNA believes with "moderate confidence" that the initial attack vector was a Virtual Private Network (VPN) server containing a remote code execution vulnerability that had been disclosed in the summer of 2019. This could potentially be referring to VPN servers from Fortinet or Pulse Secure. Bapco officials learned of the incident the day following the attack, as employee workstations that were in “Sleep Mode” during the attack sent antivirus detections of the malware attempting to execute when they were turned on the morning of December 30, as the antivirus was no longer disabled from the attack.
Recommendation: It is recommended to update all security devices, windows servers and workstations with the latest updates and signatures. Ensure that service accounts are not members of the Domain/Enterprise Admins or Administrators groups. Ensure patching of the recent vulnerabilities in VPN softwares (CVE-2018-13379, CVE-2019-19781, CVE-2019-11510, CVE-2019-11539).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.