The Threat
On December 29, 2019, the network of Bapco, the national oil company of Bahrain, was hit by a new strain of the ZeroCleare wiper [1], which has been dubbed “Dustman”. Preliminary investigations by Saudi Arabia’s National Cybersecurity Authority (NCA) attribute the attack and the Dustman wiper to a threat actor believed to be linked to Iran. The attack was only partially successful, and Bapco did not suffer significant disruption or downtime. Note that this attack took place before the death of Iranian General Qasem Soleimani and is not believed to be a direct response to the events of January 2nd, 2020.
What we’re doing about it
What you should do about it
Additional information
In the attack against Bapco, the threat actors exploited a vulnerability in the company’s VPN service to gain initial access and establish a foothold in its network. Initial access is believed to have been obtained months before the destructive attack was carried out. Once inside, the threat actors escalated privileges and used the service account of the victim’s antivirus product to distribute the wiper across the network. The public report states that, before distributing Dustman, the attacker deleted victim files from a storage server [1]. Dustman was pushed to all systems and then executed using PsExec, causing data destruction and blue screens on affected devices. VPN logs and other artifacts of the attack were then deleted in an attempt to cover the attacker’s tracks.
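The chain described above (an antivirus service account used to push a binary to every host, PsExec-style remote execution, then log clearing) leaves artifacts a defender can hunt for. The following Python script is an added example, not tooling from this advisory or from the NCA report: it runs three checks over a handful of constructed, simplified Windows event records (System event 7045 = service installed, Security event 4688 = process created, Security event 1102 = audit log cleared). The field names, hostnames, account names and timestamps are assumptions invented for the example, not a real SIEM schema.

```python
"""Hunting heuristics for the Dustman-style intrusion pattern.

Added example, not part of the advisory. EVENTS is constructed, simplified
telemetry; every host, account and field name is invented for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [
    # Service account installs PsExec's remote service and runs a binary on WS01
    {"time": "2019-12-29T21:00:05", "host": "WS01", "event_id": 7045,
     "account": "CORP\\svc-av", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2019-12-29T21:00:06", "host": "WS01", "event_id": 4688,
     "account": "CORP\\svc-av", "image_path": "C:\\Windows\\dustman.exe",
     "parent": "C:\\Windows\\PSEXESVC.exe"},
    # Same pattern on WS02 and SRV03 within a minute
    {"time": "2019-12-29T21:00:40", "host": "WS02", "event_id": 7045,
     "account": "CORP\\svc-av", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2019-12-29T21:00:41", "host": "WS02", "event_id": 4688,
     "account": "CORP\\svc-av", "image_path": "C:\\Windows\\dustman.exe",
     "parent": "C:\\Windows\\PSEXESVC.exe"},
    {"time": "2019-12-29T21:01:15", "host": "SRV03", "event_id": 4688,
     "account": "CORP\\svc-av", "image_path": "C:\\Windows\\dustman.exe",
     "parent": "C:\\Windows\\PSEXESVC.exe"},
    # Security log cleared on the VPN gateway afterwards
    {"time": "2019-12-29T21:05:00", "host": "VPN-GW", "event_id": 1102,
     "account": "CORP\\admin-j"},
    # Benign noise: a user opening mail, an admin installing one legitimate service
    {"time": "2019-12-29T09:12:00", "host": "WS07", "event_id": 4688,
     "account": "CORP\\alice", "image_path": "C:\\Program Files\\Outlook.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"time": "2019-12-29T10:00:00", "host": "WS08", "event_id": 7045,
     "account": "CORP\\it-admin", "service_name": "WinDefend",
     "image_path": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_remote_service_installs(events):
    """Event 7045 where the installed service looks like PsExec's PSEXESVC."""
    hits = []
    for e in events:
        if e["event_id"] != 7045:
            continue
        name = e.get("service_name", "").upper()
        path = e.get("image_path", "").upper()
        if name.startswith("PSEXESVC") or "PSEXESVC" in path:
            hits.append((e["host"], e["account"]))
    return hits


def find_log_clearing(events):
    """Event 1102: the Security log was cleared (who did it, and where)."""
    return [(e["host"], e["account"]) for e in events if e["event_id"] == 1102]


def find_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Accounts that spawn processes on >= min_hosts distinct hosts within `window`.

    A single service account launching binaries across many machines in a short
    burst is the fingerprint of a mass-deployment step, legitimate or not.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["event_id"] == 4688:
            by_account[e["account"]].append((_ts(e), e["host"]))
    alerts = {}
    for account, runs in by_account.items():
        runs.sort()
        for i, (start, _host) in enumerate(runs):
            hosts = {h for t, h in runs[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


def hunt(events):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "psexec_service_installs": find_remote_service_installs(events),
        "log_clearing": find_log_clearing(events),
        "fanout": find_fanout(events),
    }


if __name__ == "__main__":
    for check, findings in hunt(EVENTS).items():
        print(f"{check}: {findings}")
```

The fan-out check is the one most specific to this intrusion: one account launching the same binary on many hosts inside a short window is rare outside software deployment, so `min_hosts` and `window` should be tuned against a baseline of the organisation's own antivirus and patching activity. The 7045 and 1102 checks are cheap and worth alerting on regardless, since neither should normally originate from an antivirus service account.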
| Observed Filename | MD5 | SHA-1 | SHA-256 |
|---|---|---|---|
| dustman.exe | 8AFA8A59EEBF43EF223BE52E08FCDC67 | E3AE32EBE8465C7DF1225A51234F13E8A44969CC | F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7 |
| elrawdsk.sys | 993E9CB95301126DEBDEA7DD66B9E121 | A7133C316C534D1331C801BBCD3F4C62141013A1 | 36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C |
| assistant.sys | EAEA9CCB40C82AF8F3867CD0F4DD5E9D | 7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C | CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986 |
| agent.exe | F5F8160FE8468A77B6A495155C3DACEA | 20D61C337653392EA472352931820DC60C37B2BC | 44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2 |
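The hash table above can be turned into a local sweep. The script below is an added example, not tooling from the advisory: it indexes the four file hashes exactly as listed, checks that each digest is well-formed hex of the length its algorithm produces, hashes every file under a directory in a single pass, and reports any match. `demo_scan()` builds a throwaway directory of benign constructed files so the block runs offline; the function names and the demo directory are assumptions for this example.

```python
"""Sweep a directory tree for the Dustman file hashes listed in the advisory.

Added example, not part of the advisory. The four entries in DUSTMAN_IOCS are
copied from the table above; function names and the demo files are invented.
"""
import hashlib
import os
import tempfile

# Hashes exactly as published in the advisory table (case is normalised on lookup).
DUSTMAN_IOCS = {
    "dustman.exe": {
        "md5": "8AFA8A59EEBF43EF223BE52E08FCDC67",
        "sha1": "E3AE32EBE8465C7DF1225A51234F13E8A44969CC",
        "sha256": "F07B0C79A8C88A5760847226AF277CF34AB5508394A58820DB4DB5A8D0340FC7",
    },
    "elrawdsk.sys": {
        "md5": "993E9CB95301126DEBDEA7DD66B9E121",
        "sha1": "A7133C316C534D1331C801BBCD3F4C62141013A1",
        "sha256": "36A4E35ABF2217887E97041E3E0B17483AA4D2C1AEE6FEADD48EF448BF1B9E6C",
    },
    "assistant.sys": {
        "md5": "EAEA9CCB40C82AF8F3867CD0F4DD5E9D",
        "sha1": "7C1B25518DEE1E30B5A6EAA1EA8E4A3780C24D0C",
        "sha256": "CF3A7D4285D65BF8688215407BCE1B51D7C6B22497F09021F0FCE31CBEB78986",
    },
    "agent.exe": {
        "md5": "F5F8160FE8468A77B6A495155C3DACEA",
        "sha1": "20D61C337653392EA472352931820DC60C37B2BC",
        "sha256": "44100C73C6E2529C591A10CD3668691D92DC0241152EC82A72C6E63DA299D3A2",
    },
}

EXPECTED_HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}


def validate_iocs(iocs):
    """True when every digest is hex of the length its algorithm produces."""
    for digests in iocs.values():
        for algo, value in digests.items():
            if len(value) != EXPECTED_HEX_LENGTH[algo]:
                return False
            try:
                int(value, 16)
            except ValueError:
                return False
    return True


# Reverse index: lowercase digest -> (observed filename, algorithm)
HASH_INDEX = {
    value.lower(): (name, algo)
    for name, digests in DUSTMAN_IOCS.items()
    for algo, value in digests.items()
}


def lookup_hash(hexdigest):
    """Map a digest in any case to (filename, algorithm), or None if unknown."""
    return HASH_INDEX.get(hexdigest.strip().lower())


def file_digests(path, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file in one read pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan_tree(root):
    """Walk `root`; return (path, ioc_name, algorithm) for every file that matches."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the sweep
            for algo, value in digests.items():
                hit = lookup_hash(value)
                if hit:
                    matches.append((path, hit[0], algo))
                    break  # one report per file is enough
    return matches


def demo_scan():
    """Run the sweep over a throwaway directory of constructed benign files."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "empty.bin"), "wb"):
            pass
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("constructed benign content\n")
        empty_digests = file_digests(os.path.join(root, "empty.bin"))
        return {"matches": scan_tree(root), "empty_file_sha256": empty_digests["sha256"]}


if __name__ == "__main__":
    print("IoC table well-formed:", validate_iocs(DUSTMAN_IOCS))
    print(demo_scan())
```

Hash matching only catches the exact samples listed, so treat a clean sweep as absence of these specific files rather than absence of compromise; the behavioural checks (remote service installs, mass process fan-out, log clearing) are what catch a recompiled variant.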
References:
[1] https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report
[2] https://www.us-cert.gov/ncas/alerts/aa20-010a
[3] https://adsecurity.org/?p=4115
[4] https://docs.microsoft.com/en-ca/archive/blogs/secguide/blocking-remote-use-of-local-accounts