The Threat
On December 29, 2019, the network of Bapco, the national oil company of Bahrain, was affected by a new strain of the ZeroCleare Wiper [1]. The new version of the wiper has been dubbed “Dustman”. Preliminary investigations, conducted by Saudi Arabia’s National Cybersecurity Authority (NCA), have linked the attack and the Dustman wiper to a threat actor suspected to be linked to Iran. The attack was only partially successful and Bapco did not suffer significant disruptions or downtime. It should be noted that this attack occurred prior to the death of the Iranian General, Qasem Soleimani, and the attack is not believed to be a direct response to the events on January 2nd, 2020.
What we’re doing about it
- esNETWORK rules are in place to detect the exploitation attempts related to various VPN services
- esENDPOINT
- Known indicators have been queried across all CB Response customers
- CB Defense detects and prevents the Dustman Wiper
- esLOG clients receive auto-alerts for the creation of high privilege accounts
- MVS (formerly esRECON) has plugins for the VPN vulnerabilities listed in the original Dustman NCA report
What you should do about it
- Ensure systems are patched and up to date
- Ensure VPN systems are not impacted by recent critical vulnerabilities [2]
- Avoid including service accounts as Domain Admins Groups [3]
- Secure local admin accounts to prevent abuse [4]
- See the National Cybersecurity Authority report for additional recommendations [1]
Additional information
In the attack against Bapco, the threat actors exploited a vulnerability in the company’s VPN service to gain initial access and establish a foothold in the company’s network. It is believed that initial access was gained months prior to the destructive attack being carried out. Once inside the network, the threat actors escalated privileges and used the service account for the victim’s antivirus product to distribute the wiper across the network. The public report states that prior to distribution of Dustman, the attacker deleted victim files from a storage server [1]. Dustman was distributed to all systems then executed using PSEXEC. This caused data destruction and blue-screens on impacted devices. VPN logs and other artifacts of the attack were then deleted in an attempt to obfuscate the attacker’s activities.
| Observed Filename |
MD5 |
SHA-1 |
SHA-256 |
| dustman.exe |
8AFA8A59EEBF43EF223BE52E08FCDC67 |
E3AE32EBE8465C7DF1225A51234F13E8A44969CC |
F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7 |
| elrawdsk.sys |
993E9CB95301126DEBDEA7DD66B9E121 |
A7133C316C534D1331C801BBCD3F4C62141013A1 |
36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C |
| assistant.sys |
EAEA9CCB40C82AF8F3867CD0F4DD5E9D |
7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C |
CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986 |
| agent.exe |
F5F8160FE8468A77B6A495155C3DACEA |
20D61C337653392EA472352931820DC60C37B2BC |
44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2 |
References:
[1] https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report
[2] https://www.us-cert.gov/ncas/alerts/aa20-010a
[3] https://adsecurity.org/?p=4115
[4] https://docs.microsoft.com/en-ca/archive/blogs/secguide/blocking-remote-use-of-local-accounts
