Dustman

Security analysts from the National Cyber Security Center (NCSC), a part of Saudi Arabia’s National Cyber Security Authority (NCSA), have discovered a new data wiping malware “Dustman” that hit BAPCO, Bahrain’s national oil company, on December 29, 2019. With recent world events occurring, businesses are now living in a time where cyber warfare is a real possibility.

As concerns rose in the marketplace last week, guidance on minimizing the impact on businesses has also been published. In this blog, I will cover what Dustman is, security best practices, how you can continue to stay informed, and what you can do today.

What is Dustman?

Dustman is designed to delete data from infected computers. The malware was named after the filename and a string embedded in the malware. Dustman appears to be a new variant of ZeroCleare, as its raw disk driver shares the exact same digital fingerprint as the one used by ZeroCleare.

The attack on BAPCO was only partially successful, as it affected just one part of the company's extensive network. BAPCO detected and contained the malware immediately and continued normal services after the attack.

Both Dustman and ZeroCleare use the exact same skeleton, Turla Driver Loader (TDL), published on GitHub in March 2019. What is different in Dustman is that it has been optimized to deliver all drivers and payloads in a single executable file, as opposed to the two executable files required by ZeroCleare.

Knowing how you and your organization may be exposed or targeted during this time of increased tensions can help you better prepare. Should an incident occur, engage with partners and work with cyber or physical first responders to gain technical assistance.

Review your organization from an outside perspective and ask the tough questions. Where are vulnerabilities in your IT infrastructure and how can you fix them? Would your organization be a target of this malware based on your business model, customers, competitors, or what you stand for?

Iranian Threat Profile and Activity

According to CISA Insights, recent Iran-U.S. tensions have the potential for retaliatory aggression against the U.S. and its global interests. Iran and its proxies have a history of leveraging cyber tactics to pursue national interests, both regionally and here in the United States, such as:

  • Disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations, and an increased interest in industrial control systems and operational technology.
  • Cyber-enabled espionage and intellectual property theft targeting a variety of industries and organizations to enable a better understanding of our strategic direction and policymaking.

CISA strongly urges businesses to assess and strengthen basic cyber and physical defenses to protect against this potential threat.

Dustman Security Best Practices

Below are best practices from the Department of Homeland Security and other managed security service providers, like LightEdge:

Business IP Addresses

If your business does not require communication with Iranian IP addresses to perform critical business processes, we recommend geo-blocking Iran and countries affiliated with Iran at the firewall. If you do have business in Iran, it is important to know exactly which IPs you are required to communicate with and to restrict access at the firewall to those addresses only.

Consider geo-blocking nations affiliated with Iran, as well as other countries that are not in your business's target market. LightEdge's managed firewall clients can put in a request to have this configuration update made on the managed device.

Multi-Factor Authentication

If you or any of your team members are externally accessing any internal resources, multi-factor authentication should be enabled. Security services are concerned that compromised accounts would be used for system access.

At the very minimum, multi-factor authentication should be enabled for network access including:

  • Virtual Private Networks (VPNs) or other remote access systems
  • Firewalls
  • Network routers
  • Financial systems

Patching Updates

Current patching recommendations are to ensure that your business systems are at the current patch level for both operating systems and firmware. If your organization does not have patching programs in place, it is critical to begin implementing them immediately.

As of now, malware and ransomware are the top threats to be concerned about. Ransomware campaigns may include wipers for data destruction, where the main goal is destroying data rather than collecting a ransom. Other bad actors will still want the money involved with ransomware, but if the attack is politically motivated they will typically go for data destruction.

Ask yourself and your security team, have you implemented regular scans of the networks and systems? Do you have an automated patch management program? If the answer is no, it is time to consider both.

Monitoring and Logging

Monitoring and logging are an important part of the cybersecurity and recovery process. If your organization does not already have a Security Information and Event Management (SIEM) system implemented, you should consider doing so.

SIEM is a software solution that aggregates and analyzes activity from many different resources across your entire IT infrastructure. SIEM collects security data from network devices, servers, domain controllers, and more.

In addition to monitoring software, all log files should be retained and included in your backup strategy. Without a business continuity or disaster recovery plan in place, you are risking mission-critical systems, applications, and irreplaceable data.

Ensure your security team is monitoring key internal security capabilities and that they know how to identify anomalous behavior. Assess your access control protocols. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures for immediate response.

Maintain continuous operations with disaster recovery solutions deployed at multiple data center locations. Backup best practices recommend maintaining three copies of data on two types of storage with one in a remote location. With LightEdge managed backup services, there is no need to own or manage the second storage facility yourself.

PowerShell Restriction

PowerShell is a task automation and configuration management framework from Microsoft consisting of a command-line shell and an associated scripting language. It is typically an attacker's first choice on a compromised system, where keeping control of the network is the main goal; older methods using batch files are used when PowerShell is not available. Restricting PowerShell where it is not needed, and logging it where it is, limits that option.
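As an added example of what PowerShell restriction and logging look like in practice (this is not code from the post or from LightEdge, and it also serves the SIEM feed discussed under Monitoring and Logging): the script below enables script block and module logging, removes the legacy PowerShell 2.0 engine that predates that logging, and pulls the last day of script-block events for review. It assumes an elevated PowerShell 5.1+ session on Windows 10 / Server 2016 or later, that these values are not already managed by Group Policy (in a domain, set them in a GPO instead), and the list of suspicious patterns is a constructed starting set.

```powershell
# Added example (not LightEdge's or the post's own code). Assumes an elevated
# PowerShell 5.1+ session on Windows 10 / Server 2016 or later, and that the
# registry values below are not already enforced by Group Policy.

# 1. Script block logging: every script block PowerShell compiles is written
#    to Microsoft-Windows-PowerShell/Operational as event ID 4104.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Module logging for all modules (event ID 4103) so cmdlet invocations and
#    their parameters are recorded as well.
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Remove the PowerShell 2.0 engine, which predates script block logging and
#    would otherwise let scripts run without producing 4104 events.
Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart | Out-Null

# 4. Review the last 24 hours of 4104 events and flag script blocks containing
#    patterns commonly seen in post-compromise tooling (constructed starting
#    list; tune it for your environment). Forward $hits to the SIEM or review
#    them by hand.
$patterns = 'DownloadString', 'FromBase64String', 'Invoke-Expression', 'IEX', '-EncodedCommand'
$since = (Get-Date).AddHours(-24)
$hits = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    $text = $_.Properties[2].Value    # ScriptBlockText is the third property of a 4104 event
    $patterns | Where-Object { $text -match [regex]::Escape($_) }
} | Select-Object TimeCreated,
                 @{ n = 'User';        e = { $_.UserId } },
                 @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

$hits | Format-Table -AutoSize -Wrap
```

The registry values map to the same settings exposed in Group Policy under Administrative Templates > Windows Components > Windows PowerShell, so a domain-wide rollout uses the GPO rather than this script.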

Top Targets for Dustman Malware Attack

The Dustman malware is being targeted at specific sectors. The following industries are at a higher risk of breach and should take immediate action to secure their critical infrastructure:

  • Government Agencies
  • Infrastructure
  • Academic Institutions
  • Commercial
  • Any organization that shares joint ventures or third-party partnerships with the above

Iran has exercised increasingly sophisticated capabilities to suppress social and political perspectives deemed dangerous to its regime and to target regional and international adversaries.

Disaster Recovery Importance

In this heightened state of risk, there are things you and your organization can start doing today to reduce breach risks or recover faster.

Enact a Rapid Response Plan

Start to prepare your organization to issue a rapid response by adopting a state of heightened awareness. This includes reviewing your security and emergency preparedness plans, consuming relevant threat intelligence, minimizing coverage gaps in personnel availability, and making sure your emergency call tree is up to date.

It is also important that your security team knows how and when to report an incident. The welfare of your organization and cyber infrastructure depends on awareness of threat activity. Consider reporting your cyber incidents to CISA as part of an early warning system.

Conduct Regular Audits

It is important to test the effectiveness of your designed solutions. Regularly revisit all factors that went into developing your data protection plan and update any outdated information. These regular audits should evaluate your security practices and test whether your organization is following the policies and procedures outlined.

Without proper testing, you will never know if your data protection plan actually works or meets your recovery objectives until it is too late. The more you plan for a disaster or breach and practice how you will handle it, the more prepared you and your team will be. With adequate testing, your operations will run smoothly when you need them to.

What was a threat 10 years, 5 years, or even 1 year ago is not the same risk you will face today. Your plan should always be adapting to current scenarios. There are many things that can break a perfect plan, and the only way to find them is to test it when you can afford to fail.

Data Backup is Not Enough

Are your company’s primary servers located on the premises of your office building? What if a cyber or physical attack wiped them out? There goes all the company’s backed-up files and data. Sending a copy of data offsite for disaster recovery and business continuity purposes should be considered essential.

In fact, entrusting a data center colocation facility to house your critical infrastructure would remove the need to prepare for a data outage on your own premises. Colocation facilities are built with security and compliance as top-of-mind items. They are designed to withstand natural disasters and cybersecurity breaches, and many facilities also provide redundant backup options.

Data center redundancy should be designed to weather nearly any incident with minimal downtime. Data centers like LightEdge’s facilities use redundant power and cooling, geographically diverse central offices, and multiple data network carrier access.

The reliable availability of business IT is essential to the management and livelihood of every company, big or small. All elements hinge on the dependability of your technology to deliver important information when you need it.

Finding the right technology partner to help you keep your IT operations, critical applications, and data protected is a must.

When It Comes to Your Organization’s Security, Don’t Risk It

Cyber threats and actors are evolving and gaining intelligence every day. Leaving your business's security up to chance is not an option. Finding disaster recovery and managed security services is imperative to stay a step ahead of malicious incidents.

Protect your data from corruption or loss and quickly restore it as needed. Our solutions enable fast, reliable data backup and recovery environments, even at a granular level. You can choose from flexible deployment options based on your goals and budget. Our process allows companies to optimize their WAN bandwidth and encrypt backup data for additional security.

LightEdge also utilizes Vision Solutions’ MIMIX real-time replication tool designed specifically for IBM Power and IBM i OS, providing a unique backup and disaster recovery solution to the iSeries world.

LightEdge is well known for our ISO 20000 and ISO 27001-validated infrastructure and operations, and constant adherence to reference architecture. LightEdge services are third-party audited regularly to assure compliance with HIPAA, PCI DSS, SSAE 18, HITRUST, and more. Our highly trained experts are also knowledgeable about achieving compliance standards like NIST, FedRAMP, and FISMA. Partner with us to comply with archival and disaster recovery compliance standards.

Ready to put your data protection in the hands of LightEdge's highly trained engineers? Contact one of our data protection experts to get started or to schedule your private tour of any of our data center facilities. We have disaster recovery, colocation, and business continuity experts standing by to answer any questions.

If you would like to get more information on disaster preparedness and threat prevention, download our free Guide to Disaster Preparedness or our Cyberattack Threat and Prevention guide.

Robert Bennett

Rob Bennett has served in a variety of leadership positions focusing on Security Operations & Business Continuity since 1993. His roles included a 12-year stint as the Director of IT Operations for a global telecommunications company, implementing video and VOIP communications systems and ITIL-based processes. Rob has also spent 7 years in consulting roles with regulated companies seeking to attain specific compliance certifications.