
Why UAE firms need deny-by-default security

by CXO Staff
May 1, 2026
in Feature, Middle East, News, Region

Danny Jenkins, CEO and Co-Founder, ThreatLocker, explains why rising wiper threats are pushing organisations toward Zero Trust and stronger cyber resilience

The UAE Cyber Security Council has flagged wiper malware as a growing threat. From your perspective, why is this the right moment to be having this conversation?

The UAE is being targeted by a rapidly increasing volume of cyberattacks linked to the Iran conflict, which makes this exactly the moment to be talking about wiper malware.

According to Mohammed Al Kuwaiti, the UAE’s Head of Cyber Security, attack attempts on national infrastructure have jumped from roughly 200,000 to 800,000 daily since the start of the Iran war. As modern conflicts continue to play out in the digital world, companies are now viewed as legitimate targets, and wiper activity is likely driving a large portion of the recent spike.

What makes wiper attacks so uniquely destructive compared to other forms of cyberattack?

The key difference comes down to the attacker’s objective and the resulting impact. Ransomware is typically designed to generate profit rather than destruction. As a result, demands are often set at amounts the victim can realistically pay, and attackers usually give back access once paid.   

On the other hand, wiper attacks are built to destroy. They erase data, eliminate backups, and may even trigger endpoints to reset to factory settings. The intent is not negotiation, but maximum disruption. 

What makes wipers especially dangerous is that they offer no built-in path to recovery.

Wipers don’t just delete files — they target backups, boot records, and recovery systems. How do attackers typically get that level of access in the first place?

Typically, attackers start with a relatively simple foothold like a compromised account or access to an exposed system. In environments with weak controls or excessive privileges, attackers can escalate access quickly, often reaching administrative or domain-level control. 

From there, hackers use poor network segmentation and limited internal restrictions to move laterally, reaching critical systems like backup servers and recovery infrastructure. If these systems aren’t properly isolated, attackers can tamper with them while launching the wiper malware.  

Ultimately, it’s not a single failure. It’s the combination of initial access, privilege escalation, and lack of internal controls that hackers maliciously use to gain access.

What are the most common vulnerabilities organisations leave exposed that make a wiper deployment possible?

The vulnerabilities that enable a wiper attack are rarely unique. Wiper attacks use the same entry points as any other cyberattack. Weak or reused credentials, lack of hardware verification to supplement MFA, and excessive user privileges are some of the most common entry points. Unpatched systems and overlooked vulnerabilities in internet-facing services also provide attackers with an easy foothold.

Once inside, limited network segmentation and poor visibility allow attackers to move laterally and escalate access without detection. In most cases, it’s not a single flaw but a combination of these weaknesses that makes a wiper deployment possible. Deploying proactive defences like Zero Trust significantly reduces the risk of wipers and other attacks.

You advocate for a deny-by-default security model. Can you explain what that means in practice and why it matters specifically in the context of wiper attacks?

Adopting a deny-by-default posture, also known as Zero Trust cybersecurity, is essential to protect against wiper attacks. Unlike traditional EDR defences that react once an attacker is in the system, deny-by-default is preventative. Solutions like Allowlisting enforce this by preventing any unapproved code from running, regardless of whether it leverages a known vulnerability or a zero-day exploit. If it isn’t recognised and approved, it simply doesn’t execute.

Application containment is also becoming more important. Trusted applications should only have access to the specific resources they need to function. For example, limiting the ability of programs to interact with PowerShell or communicate with unapproved websites. Containing applications helps organisations reduce the risk of legitimate software being abused as an attack vector, which is now even more important given the renewed attention to AI-identified exploits.

The growing effectiveness of adversary-in-the-middle phishing attacks that steal both passwords and MFA codes means that network and cloud access should also be denied by default even if an MFA access code verifies identity. Requests should only be approved if they originate from authorised networks and hardware-verified devices, ensuring that even if credentials are compromised, they cannot be used without access to a trusted environment.

Many organisations in the UAE still operate on allow-by-default principles. What is the real-world risk of that approach today?

Many organisations in the UAE still operate on an allow-by-default approach, where applications and processes are generally permitted to run unless they are specifically blocked.

This model relies on identifying and blocking known threats, which can leave gaps when something new or unexpected appears. That’s becoming more relevant as AI is increasingly used to create new malware and exploits.

The other challenge is what happens after initial access. In an allow-by-default environment, there are fewer controls over what is allowed to execute once an attacker is inside the system. As a result, even a limited foothold can expand more easily, with fewer restrictions on what can run or interact with systems and data.

That’s why many organisations are starting to move toward a deny-by-default approach. Instead of allowing everything unless it’s known bad or blocked, only approved applications and behaviours are permitted to run, which helps limit what can happen even if an attacker gains access.

For a business that wants to start moving toward a stronger security posture right now, where should it begin?  

For organisations looking to strengthen their security posture, the starting point should be shifting from reactive to preventative controls. This means moving away from a model that assumes that everything is good until proven otherwise to one that limits what can run, access systems, and move across the environment in the first place.

The recent recommendations from the UAE Cybersecurity Council are a good first step. Their advice included making sure systems are properly updated, implementing robust isolated backups, and restricting access privileges. These measures address common weaknesses that attackers rely on and help organisations recover more effectively if an incident occurs.

From there, the next step is to build on that foundation with a deny-by-default approach. Companies should implement Zero Trust solutions such as Allowlisting, Zero Trust Network Access, and Zero Trust Cloud Access to defend against malware and credential theft. 

Taken together, these steps move organisations toward a more proactive, layered security model that is better equipped to defend against modern threats, including malware and credential-based attacks. 
