Destructive data wipers and worms targeting Ukrainian organizations

For a detailed advisory, download the pdf file here

Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly released an advisory and warned of an ongoing cyber attack using destructive malware targeting organizations in Ukraine that allows attackers to take complete access of the systems and make them inoperable.

Several cybersecurity researchers reported from across the globe and disclosed a highly catastrophic malware known as HermeticWiper which was targeting several organizations in Ukraine. The malware targets Windows devices’ master boot record and manipulates to cause the boot failure. To infiltrate the network, lateral movement, and malware distribution, attackers used tools like Impacket and RemCom as remote access software. Microsoft tracks this malware as Foxblade wiper.

A worm HermeticWizard uses WMI and SMB to spread through network and deploy wiper to local computer. Successful exploitation may directly impact the daily operations of any organization and cause the unavailability of critical assets and data. Another wiper named Isaacwiper is now targeting the organizations which are not affected by Hermeticwiper. On the other hand, they do not have the same code. Along with the wiper, a ransomware HermeticRansom was also used potentially to hide the wiper’s action.

A fourth wiper dubbed as CaddyWiper is targeting Ukraine as of March second week. The wiper is deployed using Group Policy Objects and further avoids deleting data on domain controllers in order to keep access to the target organization while yet disrupting operations. In addition to this, it determines whether a device is a domain controller by calling the DsRoleGetPrimaryDomainInformation() method. This is most likely a method employed by attackers to keep access to the infiltrated networks of the businesses they target while causing significant disruption to operations by deleting other vital devices.

The Mitre TTPs used by the malwares in the current attack are:

TA0001: Initial AccessTA0007: DiscoveryTA0040: ImpactTA0042: Resource DevelopmentTA0002: ExecutionTA0008: Lateral MovementT1588: Obtain CapabilitiesT1588.002: Obtain Capabilities: ToolT1588.003: Obtain Capabilities: Code Signing CertificatesT1078: Valid AccountsT1078.002: Valid Accounts: Domain AccountsT1059: Command and Scripting InterpreterT1059.003: Command and Scripting Interpreter: Windows Command ShellT1106: Native APIT1569: System ServicesT1569.002: System Services: Service ExecutionT1047: Windows Management InstrumentationT1018: Remote System DiscoveryT1021: Remote ServicesT1021.002: Remote Services: SMB/Windows Admin SharesT1021.003: Remote Services: Distributed Component Object ModelT1561: Disk WipeT1561.002: Disk Wipe: Disk Structure WipeT1561.001: Disk Wipe: Disk Content WipeT1485: Data DestructionT1499.002: Endpoint Denial of ServiceT1499.002: Endpoint Denial of Service: Service Exhaustion Flood

Indicators of Compromise (IoCs)

References