The Bahrain Petroleum Company (Bapco) has been struck by a new strain of data-wiping malware.
Iranian state-sponsored hackers targeted Bapco on December 29 using the data-wiping malware dubbed “Dustman”, which is designed to delete data on infected computers.
According to a report published last week by Saudi Arabia’s National Cybersecurity Authority (NCA), the attackers deployed Dustman as a last resort, to destroy forensic evidence after mistakes made in an earlier attempt would otherwise have revealed their presence on the network.
NCA officials confirmed that the point of entry was the company’s VPN server, citing “remote execution vulnerabilities in a VPN appliance that was disclosed in July 2019”.
No specific appliance has been named, but officials are referring to a Devcore report published over the summer that disclosed remote code execution bugs in enterprise-grade VPN servers, including those from Palo Alto Networks, Fortinet and Pulse Secure.
ZDNet’s sources say the attackers exploited a vulnerability in Pulse Secure servers, while others point to Fortinet VPN servers.
Either way, after gaining access to the VPN server, the attackers escalated their privileges.
The report states:
“The threat actor obtained domain admin and service accounts on the victim’s network, which were used to run “DUSTMAN” malware on all of the victim’s systems. The attacker utilized the anti-virus management console service account to distribute the malware across the network.”
“The threat actor accessed the victim’s network and copied the malware and the remote execution tool “PSEXEC” into the anti-virus management console server, which was connected to all machines within the victim’s network due to the nature of its functionality. A few minutes later, the attacker accessed the storage server of the victim and deleted all volumes manually,” NCA added.
The attackers then executed a set of commands on the anti-virus management console that pushed the malware to every connected machine. Wiped systems displayed a Blue Screen of Death (BSOD).
NCA officials noted a sense of urgency in the attackers’ actions; as a result, they achieved only a partial compromise.
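The distribution step described above (one service account pushing a payload from a single management host to every endpoint with PsExec) is the part of this chain a detection engineer can realistically catch. The Python below is an added example, not code from the NCA report, from ZDNet or from Bapco: it pairs Windows Security 4624 network logons with System 7045 service-install events and alerts when one account from one source address fans out to several hosts in a short window. The event records, host names, account names and field names are constructed assumptions of this example, not a vendor schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real Bapco data). Each record is a flattened
# Windows event: Security 4624 (logon) or System 7045 (service installed).
# Field names are this example's own assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    # AV management console service account (src 10.0.5.20) fanning out across the estate
    {"ts": "2019-12-29T03:01:05", "host": "WS-101", "event_id": 4624, "logon_type": 3, "user": "svc_avconsole", "src_ip": "10.0.5.20"},
    {"ts": "2019-12-29T03:01:07", "host": "WS-101", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2019-12-29T03:01:09", "host": "WS-102", "event_id": 4624, "logon_type": 3, "user": "svc_avconsole", "src_ip": "10.0.5.20"},
    {"ts": "2019-12-29T03:01:11", "host": "WS-102", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2019-12-29T03:01:14", "host": "WS-103", "event_id": 4624, "logon_type": 3, "user": "svc_avconsole", "src_ip": "10.0.5.20"},
    {"ts": "2019-12-29T03:01:16", "host": "WS-103", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2019-12-29T03:02:40", "host": "FS-01", "event_id": 4624, "logon_type": 3, "user": "svc_avconsole", "src_ip": "10.0.5.20"},
    {"ts": "2019-12-29T03:02:42", "host": "FS-01", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # One admin running PsExec against a single box: paired, but below the fan-out threshold
    {"ts": "2019-12-29T02:15:00", "host": "WS-200", "event_id": 4624, "logon_type": 3, "user": "jdoe", "src_ip": "10.0.9.9"},
    {"ts": "2019-12-29T02:15:03", "host": "WS-200", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Interactive (type 2) logon followed by a local service install: not remote, not paired
    {"ts": "2019-12-29T01:40:00", "host": "WS-300", "event_id": 4624, "logon_type": 2, "user": "jdoe", "src_ip": "-"},
    {"ts": "2019-12-29T01:40:30", "host": "WS-300", "event_id": 7045, "service": "VMTools", "image": r"C:\Program Files\VMware\vmtoolsd.exe"},
    # 7045 with no logon collected from that host: invisible to this rule (collection gap)
    {"ts": "2019-12-29T01:55:00", "host": "WS-400", "event_id": 7045, "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

PAIR_WINDOW = timedelta(seconds=120)    # a network logon must precede the service install by at most this
FANOUT_WINDOW = timedelta(minutes=10)   # distinct target hosts are counted within this span
FANOUT_THRESHOLD = 3                    # distinct hosts needed before an alert is raised
PSEXEC_SERVICE_NAMES = {"PSEXESVC"}     # default PsExec service name; renamed builds only match on the binary


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def looks_like_psexec(rec):
    """True if a 7045 record installs the PsExec service under its default name or binary."""
    name = rec.get("service", "").upper()
    image = rec.get("image", "").upper()
    return name in PSEXEC_SERVICE_NAMES or image.endswith("PSEXESVC.EXE")


def remote_service_installs(events):
    """Pair each 7045 with the most recent type-3 (network) logon on the same host
    inside PAIR_WINDOW. Returns one dict per paired (i.e. remotely driven) install."""
    by_host = defaultdict(list)
    for rec in events:
        by_host[rec["host"]].append(rec)
    hits = []
    for host, recs in by_host.items():
        recs.sort(key=_ts)
        logons = []  # (time, user, src_ip) of network logons seen so far on this host
        for rec in recs:
            t = _ts(rec)
            if rec["event_id"] == 4624 and rec.get("logon_type") == 3:
                logons.append((t, rec["user"], rec["src_ip"]))
            elif rec["event_id"] == 7045:
                for lt, user, src in reversed(logons):  # most recent logon first
                    if t - lt <= PAIR_WINDOW:
                        hits.append({"ts": t, "host": host, "user": user, "src_ip": src,
                                     "service": rec["service"], "psexec": looks_like_psexec(rec)})
                        break
    return hits


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=FANOUT_WINDOW):
    """Alert when one (user, src_ip) pair drives remote service installs on at least
    `threshold` distinct hosts within `window`; one alert per actor."""
    by_actor = defaultdict(list)
    for h in remote_service_installs(events):
        by_actor[(h["user"], h["src_ip"])].append(h)
    alerts = []
    for (user, src), hs in by_actor.items():
        hs.sort(key=lambda h: h["ts"])
        for i, first in enumerate(hs):
            in_window = [h for h in hs[i:] if h["ts"] - first["ts"] <= window]
            hosts = sorted({h["host"] for h in in_window})
            if len(hosts) >= threshold:
                alerts.append({"user": user, "src_ip": src, "hosts": hosts,
                               "first_seen": first["ts"].isoformat(),
                               "psexec_installs": sum(h["psexec"] for h in in_window)})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(SAMPLE_EVENTS):
        print(f"ALERT: {a['user']}@{a['src_ip']} installed services on {len(a['hosts'])} hosts "
              f"from {a['first_seen']}: {', '.join(a['hosts'])}")
```

Two caveats matter when deploying a rule like this. It depends on collecting 4624 events from the endpoints themselves (the WS-400 record shows a PsExec service install that is invisible without them), and the AV management console is exactly the kind of host whose service account legitimately fans out to every machine, so its scheduled deployments should be baselined by time and source rather than the account being allow-listed outright, since that is the account the report says was abused.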