FILE- In this Monday, Oct. 6, 2003 file photo, Saudi Arabian capital Riyadh with the 'Kingdom Tower' photographed through a window of the 'Al-Faislia Tower' in the Saudi Arabian capital Riyadh. Saudi Arabias stock exchange has opened up to direct foreign investment for the first time. The decision to open up the Tadawul stock exchange on Monday comes at a crucial time for Saudi Arabia, whose revenue has taken a hit from the plunge in oil prices over the past year. The kingdom is the worlds largest exporter of crude. (AP Photo/Markus Schreiber, File)
On Monday, Saudi authorities announced to have detected an “advanced” cyber attack targeting the kingdom. According to the experts at the Saudi National Cyber Security Centre, the attackers aimed to disrupt government computers.
The attackers leveraged the Powershell, but at the time of writing Government experts it did not comment on the source of the attack.
PowerShell is extremely powerful and that attackers are increasingly using it in their attack methods. PowerShell is a default package that comes with Microsoft Windows OS and hence it is readily available on the victim machines to exploit.
“Powershell is Predominantly used as a downloader”
The most prominent use of PowerShell, that is observed in the attacks in-the-wild, is to download the malicious file from the remote locations to the victim machine and execute it using commands like Start-Process, Invoke-Item OR Invoke-Expression (-IEX) file OR downloading the content of the remote file directly into the memory of the victim machine and execute it from there.
Back to the attacks that hit Saudi computers, the NCSC speculates the involvement of an APT that used spear phishing attacks to infiltrate computers in the Kingdom.
“The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia,” the agency said in a statement.
Saudi Arabia was targeted several times by APT, the most clamorous attack was conducted with the Shamoon wiper in 2012 against computers in the Saudi energy sector in 2012.
Computers at Saudi Aramco, one of the world’s biggest oil companies, was disrupted by Shamoon in what is believed to be the country’s worst cyber attack yet.
In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.
The first team that discovered the malware was Kaspersky Lab that had analyzed some instances of the threat linked to the “wiper agent” due to the presence of a module of a string with a name that includes “wiper” as part of it.
Early this year, Saudi authorities warned of a new wave of attacks that leveraged the Shamoon 2 malware targeting the country.
In January, the Saudi Arabian labor ministry had been attacked and also a chemical firm reported a network disruption.
According to security experts, the threat actor behind the Shamoon attacks was likely working on behalf of the Iranian government in 2012.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Malware, Saudi Arabia)
[adrotate banner=”5″]
[adrotate banner=”13″]
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
A cyber attack on Leicester City Council resulted in certain street lights remaining illuminated all…
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
This website uses cookies.