Happy New Year 2018 – Let the Dumpster Fires Begin

Just three days into 2018,  two massive security warnings were issued for Meltdown and Spectre. About those names – for an industry that claims to hate FUD, we need to work on this. But all kidding aside, these are perhaps the biggest inherent vulnerabilities to be brought to light that I am aware of. For good reason. When almost every device we use in our online and connected lives contains the problem at hand, it’s a top-tier event. Rather than jump on the “sky is falling” bandwagon, I chose to wait things out and read all that I could. There are far more experienced and knowledgeable people who have been weighing in on this from the start, and I will share links to their excellent insights and explanations. Also, as dust settles we can seee things more clearly, which is very relevant when dealing with a situation as massive and impactful as this. More details come available; facts are verified; information about what to do is tested and shared. Worth waiting for given that there was no immediate fix and panic is never a solution.

Here is the simplest breakdown of what both are by Daniel Miessler.  What everyone is worried about is that both of these enable attackers to access information and processes that we had all thought were inherently secured, like privacy keys we use to protect our data. Daniel lays it all out here:

Both Meltdown and Spectre allow low-privilege users who execute code on your system to read sensitive information from memory via Speculative Execution.  The basic concept for these two attacks is that you should consider secrets to be attackable any place you’re allowing someone else’s code to run on an affected system.

In Meltdown that means “any secret a computer is protecting (even in the kernel) is available to any user able to execute code on the system.” (Miessler) Spectre is worse in that it “works by tricking processors into executing instructions they should not have been able to, granting access to sensitive information in other applications’ memory space.” (Miessler)    

What I have been listening for is how this may impact Cloud computing, which we only think we understand, and we need to remember is just somebody else’s server.  Jerry Bell has written a piece on his blog, “Thoughts on Cloud Computing in the Wake of Meltdown”. He happens to be one of my go-to sources as part of the Dynamic Duo on the Defensive Security Podcast. First, the good news.  As managed service providers running largely out of datacenters, these operations will have likely been told to patch ahead of most, and done so in the best interests of running their business. As well, since datacenters are large organizations managing many clients, they will be using automation to help the patching process. And patching is complicated, especially when it comes to these critical issues.

And that brings us to the not so good news. Patching virtual machines isn’t always straightforward or successful.

spec2spec1

As Jerry presents:

Meltdown provided an apparent possibility for a guest in one virtual machine to read the memory of a different virtual machine running on the same physical server.  This is a threat that doesn’t exist on private servers, or is much less concerning for private cloud.  This vulnerability existed for many years

And then there are performance issues. Interestingly, as Jerry points out, not as hard to mitigate on cloud as they would be for physical servers.

One of the big downsides to cloud therefore, seems to the risk of a sudden change in the operating environment that results in higher cloud service costs.  As problematic as that might be, firing an API to increase the execution cap or add CPUs to a cloud server is logistically much simpler than private physical servers experiencing the same performance hit and needing to be replaced, which requires the arduous process of obtaining approval for a new server, placing the order, waiting, racking, cabling, set up, and so on.

Based on this, and what has been occurring across 2016 and 2017, I predict we will see more of these events where something we did in the past comes back to “haunt” us, from a time when we did not have any idea of how technology would develop. We are now uncovering what lies beneath the surface of frameworks we rely on that others laid down before us. Simon Segars is CEO of ARM Holdings, which designs mobile chips. He warned at CES 2018 in Vegas last week that we need to expect more of these discoveries. He states one of my chief concerns here:

“The reality is there are probably other things out there like it that have been deemed safe for years.. Somebody whose mind is sufficiently warped toward think about security threats may find other ways to exploit systems which had otherwise been considered comletely safe.”

We don’t know what we don’t know unfortunately in this case, so we need to be prepared for similar discoveries. More importantly, we need to be ready to assess, then share the information in a controlled and constructive fashion while we mobilize immediate and long term responses to the event. My watchword now is “prudence”, both in terms of patching, and then in terms of vigilance as we watch over all our systems with new eyes and insights. Haste makes waste. Because as time has borne out, and is once again, patches can go sideways very badly. Whether you brick a device or you brick an enterprise, both outcomes are severe.

UPDATE ON PATCHES

Per Steve Ragan’s piece in CSO Online, Microsoft has suspended Windows security updates related to this issue on systems with older AMD CPUs, after a documentation mix-up led to the systems being unable to boot after patches were applied.

In order to “prevent AMD customers from getting into an unbootable state,” Microsoft  has temporarily paused sending the following Windows updates to devices with impacted AMD processors:

  • January 3, 2018—KB4056897 (Security-only update)
  • January 9, 2018—KB4056894 (Monthly Rollup)
  • January 3, 2018—KB4056888 (OS Build 10586.1356)
  • January 3, 2018—KB4056892 (OS Build 16299.192)
  • January 3, 2018—KB4056891 (OS Build 15063.850)
  • January 3, 2018—KB4056890 (OS Build 14393.2007)
  • January 3, 2018—KB4056898 (Security-only update)
  • January 3, 2018—KB4056893 (OS Build 10240.17735)
  • January 9, 2018—KB4056895 (Monthly Rollup)

 

There are some excellent writeups out there. Here are some suggestions:

https://www.csoonline.com/article/3245770/security/spectre-and-meltdown-what-you-need-to-know-going-forward.html

https://blog.malwarebytes.com/security-world/2018/01/meltdown-and-spectre-what-you-need-to-know/

https://www.renditioninfosec.com/2018/01/meltdown-and-spectre-vulnerability-slides/

https://infosec.engineering/thoughts-on-cloud-computing-in-the-wake-of-meltdown/

Advertisements

Quickhits: Monday Dec 18 2018

New attack on Apache Struts: We’ve seen patches issued in March, May and agin this fall for exploits against vulnerabilities in this widespread open source web development  framework used to build JAVA web applications. In this report by F5 labs,  a sophisticated new campaign, “Zealot”, is leveraging ShadowBroker exploits EternalBlue and EternalSynergy.  Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes Powershell in Windows attacks, and Python in Linux attacks. Zealot mines the cryptocurrency Moneris, popular amongst cybercriminals.

Potential for Uptick in Iranian-based attacks:  The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.

Banking Trojan Emotet:  There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year.  A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here. 

VirusBulletin and Critical Flaws:  VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are unpatched critical flaws that have yet to be remediated and that VirusBulletin has been advised.

 

 

 

 

 

Quickhits: Thursday Dec 14 2018

Attacks on ICS:  FireEye has identified a new targeted attack on ICS. “Triton” is designed to cause physically damage and harm operations. Thanksfully, this latest attack failed, but the lessons and warning are huge. Consider the implications of this against water ppurification plants; nublear power plants; major processing plants that cannot sustain downtime. Triton goes after the SIS or safety implemented system controllers. The FIreEye report describes the malware as follows:

TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. TRITON is consistent with these attacks, in that it could prevent safety mechanisms from executing their intended function, resulting in a physical consequence.

 

While FireEye cannot attribute the actor, they suggest with some certainty this is the act of a nationstate, they back it up with this statement:

The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.

New Banking APT:  The discovery of a new long term attack on banks was revealed this week.  Dubbed “MoneyTaker”, a report issued by Group-IB Security  details how the group has taken over $11 million across 18 months from over 20 targets in the UK, Russia and US, including banks and legal firms. Dmitry Volkov, co-founder of Group-IB and head of intelligence, stated:

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” says. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future.”

The twist here is that MoneyTaker is leveraging pentesting tools like Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire. They used PSExec to propogate across the network, per The Hackernews.   The article reports they are also using Citadel and Kronos banking trojans to deliver a specific point of sale or POS malware known as ScanPOS.

The group has been targetting card processing systems, like the Russian Interbank System AWS CBR and SWIFT which prompted Group-IB to warn that Latin America is a tempting target because of their broad use of STAR. I’ll be writing more about this as a separate piece. Stay tuned.

Avast AV & CCleaner Massive Malware Download: How to Help the End users

ccleaner

Screenshot of CCleaner from Talos Blog

Computers are hard. Ask the average user. They expect technology to serve their needs, not the other way around. Computers are supposed to be instant gratification, entertainment, making life easier, solving problems. They are not supposed to require much more effort than pressing the “on” key and typing. Anything else is our problem – we we were supposed to build security in, right?

We talk increasingly about “the human condition” in tech and security, because more often than not, it is that path of least resistance. Attackers know how we succumb – hence phishing. We opt for free – but you really do only get what you pay for, and buyer beware. Convenience, immediacy, lowest price – these drive the standard of quality in our connected world. It explains the current abysmal state of the IoT. And as we know, we cannot keep doing what we have been doing because – say it with me – it just doesn’t work anymore.

So when things go wrong, which they have been on an almost daily basis it seems, we who are tech reach out to the end users and let them know that they have to do more: remove software, delete files, check for files, run scans. As anyone who has ever worked helpdesk or worked with end users knows, this is not an easy ask. Most people struggle with just setting up their ISP modem/routers. Never mind removing default passwords or enabling controls. People tend to be afraid of technology, because as humans, we are afraid of what we don’t know. So we are afraid of breaking things, just as we are afraid to ask for help. And face it, tech support has earned its reputation for good reason.  People know when they are being made fun of, talked down to. We don’t make it easy for people to ask for help.

It doesn’t help that mega breaches and global ransomware outbreaks have been consistently in the headlines this past year. It’s enough to give anyone breach fatigue. And that’s what brings me to this. The talented team at Cisco Talos have issued a warning in their blog about a massive malware infection being spread by a tool, CCleaner 5.33, that has been shipping with a popular, often free, antivirus product, Avast. This is the statement according to Piriform, who owns CCleaner:

“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.”

There are excellent technical write ups on this latest event and mine is not one of them. Initially, I saw the threat of securing third parties – we all know the perils of supply chain. But then, as I read through it, I realized I could read through it only after months of immersing myself, by choice, in infosec. Choosing to look up and learn what I did not already know (which is still a lot). The average user – that ain’t happening. They may read some of the articles that are more mainstream, but don’t bank on that either. Increasingly, end users are hitting the bar. Some are defeatist, saying they don’t care anymore, it’s pointless, what can they do anyway. Others believe in the power of the megacorps to protect them, so they follow whatever advice is given, like buying credit monitoring. Because that is easier than having to piece together a solution themselves on something they really know nothing about. And others prefer the head in the sand approach – Hear no evil, see no evil. I kid you not.

Some are lucky enough to have the money to pay a tech to fix the problem. Some have tech friends/family who can fix it for them. Most, however, are cast adrift on a sea of increasing peril, without life preservers. And even if we threw them a lifeline, we can’t expect they would be willing to take it. Trust goes both ways.

Before you make fun of the folks who chose Avast because it was free, here’s how I rationalized it years ago, before I arrived in InfoSec. I knew I needed to do something to secure my computer, and a free AV was better then nothing at all. Plus I could use it. And understand enough to use it, to scan. To pay attention if it alerted me. Maybe I even read a bit more to see that it suggested things I could do to clean up my computer and be safer. So, I would have downloaded CCleaner, which I have seen recommended in other places as a safe and free solution to optimizing my performance. And here’s the thing – I would have expected a known AV product, like Avast, would not be endorsing something harmful. Hence, I could trust CCleaner because I could trust Avast.

certsAnd Avast trusted CCleaner enough to promote and bundle them. To download them. So let’s look at that breakdown of trust. The researchers at Cisco Talos flagged a malicious executable file while doing some beta testing for their new product. That file happened to be the installer file for CCleaner v5.33. Now, that file was being delivered as downloads in good faith by legit CCleaner servers to millions of customers. It was legit because the appropriate digital certification was issued and signed to the main company, Piriform.

Enter the attackers. They had managed to intrude this trust worthy process and include a free, unwelcome gift with download.  This was malware, a malicious payload containing the ability to call back to the attackers command and control server, as well as being equipped with a DGA or Domain Generating Algorithm – definitely not a good thing. Obfuscation is a thing. If you can’t find someone was there, how do you know? And, without evidence or proof, trying to analyze this after the fact is problematic. The good news is there was a short window of release between August 15 til the latest version, 5.34 was issued on September 12. In previous attacks I’ve seen, manipulation of digital certificates is often an indicator that compromise is deep, systemic even, and trust in the signing authority may have been misplaced. In this case, Cisco cites:

 “the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code”

Looking through the malware, Cisco found clues that the attacker tried to cover their tracks. Once the infection was in place, the program worked to erase its source data and the memory regions it inhabited. With the legit program now installed, the attacker has the ability to do as they wish in the machine they now occupy. Which means they can gather system information on the machine and send it back to their command + control server. With this link established, other malware could be sent to infect the compromised machines. Here is a high level view of what happens, as written by the Talos crew:talos pic2

As for the DGA, if the key C+C server for the malware failed to respond, the program had a failback to generate some other IP addresses using the DGA and dns lookups. Here’s the good news. Talos used the algorithm and found that the domains it generated had not been registered. Moving on it,  they registered them instead and sinkholed them to keep the attackers out. As well, the malicious version of CCleaner had been removed from the download servers.

talos pic3

What is of concern is how many people around the world apparently use CCleaner.  As of today, Piriform is somewhat ambivalent in its claims of the number of users affected. Are they limited to only 32 bit windows machines? If you go back to Aug 15, would almost 4 million users have downloaded the malware?

cleaner

Talos advises that users need to either rollback to the previous version or install the new one. Which brings me to my earlier point about the human condition:

“according to the CCleaner download page, the free version of CCleaner does not provide automated updates, so this might be a manual process for affected users.”

The team at Talos is seeing a lot of DNS activity around machines trying to connnect with those suspect domains that are no longer available. And the only reason can be those machines are being controlled by malware. Worse, the malware is not being detected using current methods. So far as fixing things goes: if you currently are a Cisco customer then you are covered. As for the rest of us, sigh. We have work to do. Uninstalling will not remove the malware. That is left to you.  If you have a full backup of your system, (and in this age of ransomware you really, really need one)  you can restore from that. Otherwise, I suggest using Malwarebytes.

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html

https://techcrunch.com/2017/09/18/avast-reckons-ccleaner-malware-infected-2-27m-users/

Petnya Post-Mortem: Wiper, not Ransom

This wasn’t just another ransomware attack. It marks a pivot. Because these are the games nationstates play. With collateral damage and no impunity because attribution is hard. We left brick and mortar behind some time ago, when the battlefield moved to cyberspace, where there are no boundaries. Moreover, whatever previous rules of battle we followed do not apply.

There was a one-two punch, with the events out of the Ukraine Thursday morning.  Absolutely things were connected and we need to remember that going forward. Bigger picture. Because a lot is at play right now. From my vantage point, as a Poli Sci grad, cyber security is intrinsically tied to whatever is going on in the larger arena. National security. Global security. The whims of the powers that be dictate their machinations of technology, which has become their new and shiny arsenal. They’ve been at it for a while now, but unlike conventional physical battlefields, we don’t witness what plays out until we’re impacted.

What’s critical to me is that this attack was presented as ransomware to throw us off. As described by The Grugq:

This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”

This was actually a targeted attack against Ukraine, using malware that was highly destructive. This attack was never about making money. It was all about taking down systems and taking away access to essential service, as per this illustration from the blog post by The Grugq :

 

 

 

 

 

 

 

 

 

Think CIA – confidentiality, integrity, accessibility. Ransomware and wiperware go after accessibility. And in our world, downtime can equal death, figuratively as well as literally (think hospitals and critical infrastructure).  As Leslie Carhart says:

Blood is in the Water -Not only have criminals found that ransomware is a great money-making scheme, but nation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective weapon. A weapon that can cause collateral damage, globally.

 

 

 

 

 

 

There have been some excellent reviews of what this attack was about, and how the Eternal Blue exploit released via ShadowBrokers was yet again leveraged against unpatched systems. Key takeaways were:

  • Unpatched systems will continue to be our undoing and exploited. We’re more at risk now because of that cache of exploits being lobbed at us monthly via the ShadowBrokers.
  • Lateral movement within networks works for attackers and infection spread. Segment. Segregate. Flat networks are an attacker’s dream.
  • Multiple infection vectors. There were as many as 4 ways for the target to be compromised.
  • Backup and test how those restore. Don’t assume anything. And keep backups off the main network
  • Windows.  Everyone uses it. Powershell. Sysinternals. AD. PSExec. Let’s keep learning about these because the attackers sure as heck know what they can do with them.

We know what er are not doing well. It’s catching up with us. Let me end with these words of wisdom by Leslie:

Defense in depth, including human threat hunting and effective detection and prevention at many points, is key. This will involve policy and financial buy-in from many lagging organizations at a new level.

And this sums it up:

 

 

 

 

 

 

These blog posts say everything I could ever want you to know, only better. Please read them:

The Grugq: Pnetya: Yet Another Ransomware Outbreak  .

Leslie Carhart @hacksforpancakes:  Why NotPetya Kep Me Awake (And You Should Worry Too)

Cisco Talos Blog: New Ransomware Variant Netnya Compromises Systems Worldwide

Learning: Reversing Malware

Have you ever wanted to learn about reversing malware? There is no better way to understand exploits and infections. It’s essential as attacks evolve and we need to understand what’s being leveraged, how and why. It’s fascinating, and yes – you can do this. Dream big! Aim high!

@MalwareUnicorn (Twitter) is one of the best there is at this and she shares her wisdom and knowledge online. I’ll make you a deal – let’s start learning this together. I promise regular progress updates.

Here is her site. Let’s get going!

https://securedorg.github.io/RE101/

The ABC’s of APTs: Shamoon

sham35Welcome to the grey zone where politics and cyber meet. APTs or advanced persistent threats, are one of my favourite acronyms (but then you know how I am intrigued by Stuxnet and cartels), and essentially are how nation states get their digital digs at each other. Usually the intention is to get information, because knowledge is power. Cyberespionage can give a competing nation a real competitive advantage in the world economy, among other things. But sometimes, there is a need to control more, and that is where weaponizing code takes on a whole new nasty.

The keyword here is “persistence.”  First, attackers must find their way into the networks of the target. Usually, they employ targeted spear phishing, painstakingly staking out the right victim to receive that loaded email.  The investment of time and money at this point is essential, so as not to tip anyone off. And the emails are crafted so carefully, picking up on points tailored to that recipient so that they will open it, and launch the attachment that will create an entry point for the attacker. There is a reason why phishing is at the heart of so many breaches.

Now, imagine a video game, where you must progressively meet the challenges of each level to go higher. That is the attacker moving through the network, acquiring credentials to gain access to the crown jewels. The strategy is to find someone lower level, then work your way up. Hence, persistence, because this is an investment of both time and patience. Expect the key executives or decision makers to be well-guarded, with access and authorization controls in place. Not the case for someone lower on the food chain. All an attacker needs is to gain access. As proven repeatedly, once in, they can take all the time they need to find what they want. Case in point: the attack on the Ukraine power grid in December 2016.  The attackers were in that system for over nine months, collecting what they needed, notably credentials for the Virtual Private Network, that enabled them to jump the security gap onto the restricted side. As Stuxnet taught us, there is no such thing as air-gapped security.

shamoonattackgraphic

We know the Russians hacked the US; we know China hacked the US and Canada; and yes, the US has hacked someone too. These are the games nations play. The trick, of course, is not to get caught before you have the prize. And when you do get caught?  Well, as we’ve seen play out, nothing really bad happens. Just expect that your victim will be in your systems. Unless information isn’t the endgame and control is. Then, be prepared for something to go bump in the night.

Shamoon is devastating wiper malware that took out a massive swath of Saudi Aramco when it first debuted in 2012.  Linked to Iran, and an ongoing feud in the region between key players, it was a targeted attack against the oil giant, damaging or destroying 35,000 computers. Sec Def at the time, Leon Panetta, described it as “probably the most destructive cyber attack on a business.”

Wiper malware was used against business targets in  December 2014 destroying the systems in a Vegas casino, The Sands, after owner Sheldon Adelson advocated using nuclear weapons against Iran. The US “publicly cited Iran as the culprit”.   Then Disstrack was used again in December 2015, in the attack that brought Sony to its knees.  These aren’t gangs using cybercrime for monetary gain. These are the equivalent of acts of war, given the level of damage done.

Fast forward to late 2016. Two major attacks happened in Saudi: November 17 taking out systems at the airport and other Saudi government agencies, and then again on November 29. Then, on January 23 there was another attack. The malware used was almost identical to the original Shamoon, aka Disstrack.  Except there were a few key enhancements.  According to Andrew Plato, CEO of Anitian Enterprise Security

 “What is really worrisome about this is it’s just outright destructive. It isn’t really trying to steal anything. It’s the closest things we’re going to get to a cyber bomb”.

The new version, dubbed Shamoon 2, spread through the local network using legitimate counts belonging to users and administrators, with complex passwords likely obtained from an earlier attack. Remember what I said about persistence?  This new version, however went on to attack VDIs, or Virtual Desktops, which previously could have offered some protection because of their ability to load snapshots of systems that were wiped. Now Shamoon had migrated from just Windows-based systems to Linux in the attacks on VDIs.

cyberwar1-1024x482

Now, I don’t want to be alarmist and spread FUD everywhere. Yes, this is serious and destructive. Like Stuxnet, it broke things. And that’s the differentiator. So far, the line hasn’t been crossed where breaking things was deliberately done to harm people. Because as Archer would say: You want cyberwar? Because that’s how you get cyberwar.

While the expectation is that Iran is once again behind the attacks, Symantec has revealed there are multiple parties involved. More than one entity, so collaboration and cooperation.  The report is that an entity known as Greenbug may have assisted in getting the credentials needed for access.  Palo Alto reported on a campaign known as Magic Hound which targeted energy, technology and government with ties or locations in Saudi.  There were links between Magic Hound and two other actors with Iranian ties: Charming Kitten and Rocket Kitten. Finally, putting all this together was the group Timberworm or Cobalt Gypsy.  Per Symantec, Timberworm was behind the January 23 attacks.

Here’s the play by play. First, Timberworm used spear phishing emails with weaponized documents (we warned you about those Office Macros!) to gain initial access into the network. Once there, they used custom malware, along with leveraging existing sysadmin tools to avoid detection, and help them achieve persistent remote access. Quick FYI: custom malware is a hallmark of major organized cybercrime groups or nation state attacks because it costs a lot of time and money to craft, and the stakes are going to be very high.

Apparently Greenbug and Timberworm have been active, penetrating organizations beyond Saudi. Note that Shamoon, however, was only used against the Saudi target. Timberworm is a large operation, as is Greenbug, with targets in a range of areas. We know who they are now, what they can do, and that they have a shared interest. What we don’t know: the endgame. I’m waiting for that other shoe to drop.

http://www.zerohedge.com/news/2016-12-01/another-false-flag-destructive-iranian-hackers-allegedly-wreak-havoc-saudi-computer-

http://www.securityweek.com/shamoon-2-variant-targets-virtualization-products

http://www.securityweek.com/multiple-groups-cooperated-shamoon-attacks-Symantec

http://www.archersecuritygroup.com/second-wave-bomb-malware-hits-saudi-arabia/