UPDATE 3.4.2022 In the nine days since Russia’s invasion of Ukraine began, there has been a noted escalation of cyber threats attributable to the conflict. Four new threats have been observed: HermeticWizard, HermeticRansom, and IsaacWiper, and a spear-phishing campaign dubbed Asylum Ambuscade.
2.24.2022 Timely reports of cyber threats associated with Russian actors are surfacing with the news of the Ukraine invasion. Cyberattacks are thought to be a first wave tool in Russia’s adversarial footing with NATO. This advisory is quick rundown of the different threats we’re aware of at this time. The entire security community is monitoring the situation very closely.
Expect more in-depth advisories as new threats are discovered.
Cyclops Blink malware
Sandworm, also known as Voodoo Bear, is a threat group with known ties to a Russian special technologies military unit. They’re credited with authoring and deploying a persistent Linux executable malware dubbed Cyclops Blink which targets small/home office networking devices such as firewalls and routers. It appears to be a replacement framework for a previous malware called VPNFilter.
The behavior of the malware is a persistent resident executable which connects to well-obscured C2 hosts, leading analysts to believe the purpose is a widespread botnet capable of espionage or coordinated DDoS.
Thus far Cyclops Blink has only been discovered in Watchguard devices sold since 2019, but the architecture of the Linux malware is such that it can be easily compiled and packaged to target any small Linux based networking device, which most products in the SOHO (small office/home office) category are, including firewalls, routers, and NAS units.
In a joint advisory from CISA, the FBI, and NSA, comprehensive analysis of the malware’s design and behavior are documented, as well as techniques for detection.
How to mitigate Cyclops Blink?
Watchguard has prepared a knowledge base article for Cyclops Blink Diagnosis and Remediation of their Firebox device. At this point in time, only Watchguard devices are affected but as mentioned above, the malware could easily be adapted for other devices in this category.
The basic approach to mitigation is to determine if the device has been infected, and if it has, remediate through a process that is performed with physical access to the device. Afterward, upgrade firmware to the latest version to prevent future infection from the botnet.
If a device is infected with Cyclops Blink, assume that any passwords present on the device have been compromised and should be changed ASAP. Additional forensic investigation may be necessary.
HermeticWiper (aka DriveSlayer)
UPDATE CISA has posted an extensive guidance on dealing with HermeticWiper.
A newly discovered malware dubbed HermeticWiper has been observed circulating in Ukrainian organizations. Sentinel Labs reports the malware is delivered using a signed Windows hardware driver and after execution subsequently alters the master boot record of the system volume resulting in boot failure.
The malware is named for the company on the driver’s certificate: “Hermetica Digital Ltd.” It co-opts a seemingly benign partition management driver by EaseUS named empntdrv.sys. According to Sentinel Labs this adds to the difficulty of analyzing HermeticWiper, much of the functionality is deferred to DeviceIoControl calls with specific I/O control codes.
How to mitigate HermeticWiper?
Mitigation of this one is difficult at this time. The vector for introduction of the signed driver is not well known. Searching for IOCs post-infection may not be possible as the malware does its damage quickly after execution.
Currently known IOCs from @EsetResearch:
912342F1C840A42F6B74132F8A7C4FFE7D40FB77 61B25D11392172E587D8DA3045812A66C3385451 Win32/KillDisk.NCV trojan 6/n
MD5: 3f4a16b29f2f0532b7ce3e7656799125
SHA: 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
3.4.2022 IOCs posted at CISA:
| Name | File Category | File Hash | Source |
|---|---|---|---|
| Win32/KillDisk.NCV | Trojan | 912342F1C840A42F6B74132F8A7C4FFE7D40FB77 61B25D11392172E587D8DA3045812A66C3385451 | ESET research |
| HermeticWiper | Win32 EXE | 912342f1c840a42f6b74132f8a7c4ffe7d40fb77 | SentinelLabs |
| HermeticWiper | Win32 EXE | 61b25d11392172e587d8da3045812a66c3385451 | SentinelLabs |
| RCDATA_DRV_X64 | ms-compressed | a952e288a1ead66490b3275a807f52e5 | SentinelLabs |
| RCDATA_DRV_X86 | ms-compressed | 231b3385ac17e41c5bb1b1fcb59599c4 | SentinelLabs |
| RCDATA_DRV_XP_X64 | ms-compressed | 095a1678021b034903c85dd5acb447ad | SentinelLabs |
| RCDATA_DRV_XP_X86 | ms-compressed | eb845b7a16ed82bd248e395d9852f467 | SentinelLabs |
| Trojan.Killdisk | Trojan.Killdisk | 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 | Symantec Threat Hunter Team |
| Trojan.Killdisk | Trojan.Killdisk | 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da | Symantec Threat Hunter Team |
| Trojan.Killdisk | Trojan.Killdisk | a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e | Symantec Threat Hunter Team |
| Ransomware | Trojan.Killdisk | 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 | Symantec Threat Hunter Team |
HermeticWizard
NEW Over the course of their research into the HermeticWiper malware, security researchers were further able to discover the use of HermeticWizard, a computer worm assessed to be used for Lateral Movement across networks. While precise details are still sparse on how exactly HermeticWizard was introduced to victim networks, it is known to utilize WMI and SMB to traverse networks.
How to mitigate HermeticWizard
When HermeticWizard finds a reachable machine, it will drop a WMI spreader onto the disk and create a new process. At this time, HermeticWizard is still using the same signed certificate as HermeticWiper, making some of the detection for this less complicated. In addition, the use of the following commands, while not inherently suspicious, may be able to better discern anomalous activity on the network associated with HermeticWizard.
| DNSGetCacheDataTable | GetIpNetTable | WNetOpenEnumW(RESOURCE_GLOBALNET,RESOURCETYPE_ANY) |
| NetServerEnum | GetTcpTable | GetAdaptersAddresses |
Additionally, while HermeticWizard scans in a random pattern to prevent fingerprinting via that method, it is known to attempt connection with potential victims via the following ports. For SMB, it will utilize port 445 and attempt to connect to the following pipes.
| Port | SMB Pipe |
| 20: ftp | samr |
| 21: ftp | browser |
| 22: ssh | netlogon |
| 80: http | lsarpc |
| 135: rpc | ntsvcs |
| 137: netbios | svcctl |
| 139: smb | |
| 443: https | |
| 445: smb |
Known Indicators of Compromise 3.4.2022
| 6B5958BFABFE7C731193ADB96880B225C8505B73 |
| AC5B6F16FC5115F0E2327A589246BA00B41439C2 |
| 3C54C9A49A8DDCA02189FE15FEA52FE24F41A86F |
HermeticRansom (aka PartyTicket Ransomware)
NEW While deployed in far fewer numbers than the mainline HermeticWiper, HermeticRansom was discovered on at least some Ukrainian machines at the same time as the wiper malware. Assessed to likely be a distraction from the main offensive, HermeticRansom shows several indicators of being rushed in development. Specifically, due to errors in the precise mechanisms of encryption, it is possible to reverse the encryption, with Avast providing a free decryptor. In addition, it bears several political references to the sitting US president and administration, but the implications of this are unknown.
How to mitigate HermeticRansom?
While again the precise delivery method is unknown, HermeticRansom is ultimately the same as many ransomware payloads. To that end, it utilizes the “.encryptedJB” file extension, and while it does encrypt the first 9.44MB of every file, the flaws in its methodology mean that decryptors already exist. This sort of relatively sloppy activity is further reflected in the way several other portions of the malware operate, effectively reducing the potential damage that this payload could cause.
Known Indicators of Compromise 3.4.2022
| 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 |
| F32D791EC9E6385A91B45942C230F52AFF1626DF |
WhisperGate
Another malware attack almost identical in nature to HermeticWiper was identified and published by the Microsoft Threat Intelligence Center in mid January. Dubbed WhisperGate, it masquerades as ransomware but does not actually have a recovery mechanism. Similar to HermeticWiper, it overwrites the MBR upon system shutdown, destroying data. This is atypical of criminal ransomware which are intended to be profitable for the actors. Instead, these destructive malware types are thought to be primarily intended to disrupt and degrade capabilities.
Microsoft recommends the following actions for customers or administrators of Windows systems to mitigate WhisperGate:
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity. NOTE: Microsoft strongly encourages all customers download and use password-less solutions like Microsoft Authenticator to secure accounts.
- Enable Controlled folder Access (CFA) in Microsoft Defender for Endpoint to prevent MBR/VBR modification.
IOCS:
| Indicator | Type | Description |
| a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 | SHA-256 | Hash of destructive malware stage1.exe |
| dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 | SHA-256 | Hash of stage2.exe |
| cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\__[TIMESTAMP] 2>&1 | Command line | Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions. |
IsaacWiper
NEW ESET researchers discovered the use of another variant of wiper malware against an unspecified Ukranian government network. Dubbed IsaacWiper, details are unfortunately rather sparse, other than to say that it is unlike any other known malware samples at the time of analysis (25 February).
How to Mitigate IsaacWiper
While the initial access vector is still not known, ESET suggests that attacker utilized Impacket for lateral movement. In a few other cases, they observed the use of RemCom, a remote access tool, being deployed at the same time as IsaacWiper.
Known Indicators of Compromise 3.4.2022
| 0E84AFF18D42FC691CB1104018F44403C325AD21 |
| 379FF9236F0F72963920232F4A0782911A6BD7F7 |
| 87BD9404A68035F8D70804A5159A37D1EB0A3568 |
| B33DD3EE12F9E6C150C964EA21147BF6B7F7AFA9 |
| AD602039C6F0237D4A997D5640E92CE5E2B3BBA3 |
| 736A4CFAD1ED83A6A0B75B0474D5E01A3A36F950 |
| E9B96E9B86FAD28D950CA428879168E0894D854F |
Asylum Ambuscade Spear-Phishing Campaign
NEW Leading email security firm Proofpoint has identified a spear-phishing campaign that utilizes the compromised account of a Ukrainian service member and targets European officials involved with the logistics of assisting refugees fleeing Ukraine.
The “Asylum Ambuscade” campaign email includes a malicious macro attachment which attempts to download a Lua-based malware dubbed “SunSeed.”
The email utilized the subject “IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022” and included a macro enabled XLS file titled “list of persons.xlsx,” which was later determined to deliver SunSeed malware. The social engineering lure utilized in this phishing campaign were very timely, following a NATO Security Council meeting on February 23, 2022 and a news story about a Russian government “kill list” targeting Ukrainians that began circulating in Western media outlets on February 21, 2022.
Proofpoint researchers
More details on the delivery and payload of the malware-laden phishing campaign as well as filter key terms can be found in the Proofpoint blog post.
Looking forward
The threat landscape as it relates to increased activity by Russian operators is evolving rapidly. The currently known threats appear intended to disrupt and degrade Ukrainian services and capabilities. Cybersecurity intelligence analysts anticipate continued escalating activity as a part of invasion tactics and potentially actions against NATO member nations.
CISA has compiled a comprehensive guide on Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure that should be required reading for security practitioners at this time.
Innovate Cybersecurity is on heightened awareness for new intel and will compile and report it as it arrives. Users and administrators should exercise additional prudence and vigilance with cybersecurity best practices and monitoring of network activity.
Resources
- MSTIC WhisperGate KB article
https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - Sentinel Labs HermeticWiper analysis
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ - CISA/FBI/NSA Joint Cybersecurity Advisory on Sandworm/CyclopsBlink
https://www.cisa.gov/uscert/ncas/alerts/aa22-054a - Watchguard CyclopsBlink Technical guidance
https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA16S000000SNyiSAG&lang=en_US - Avertium FLASH NOTICE: HermeticWizard, HermeticRansom, and IsaacWiper Target Ukraine
https://www.avertium.com/blog/hermeticwizard-hermeticransom-isaacwiper-target-ukraine - IsaacWiper and HermeticWizard: New Wiper and Worm Target Ukraine
https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ - Help for Ukraine: Free Decryptor for HermeticRansom Ransomware
https://decoded.avast.io/threatresearch/help-for-ukraine-free-decryptor-for-hermeticransom-ransomware/ - Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities
https://www.crowdstrike.com/blog/how-to-decrypt-the-partyticket-ransomware-targeting-ukraine/ - ESET Research: Ukraine Hit by Destructive Attacks Before and During the Russian Invasion with HermeticWiper and IsaacWiper
https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-ukraine-hit-by-destructive-attacks-before-and-during-the-russian-invasion-with-hermet/ - Proofpoint blog post on Asylum Ambuscade
https://www.proofpoint.com/us/blog/threat-insight/asylum-ambuscade-state-actor-uses-compromised-private-ukrainian-military-emails
