Destructive data wipers and worm targeting Ukranian organizations

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have jointly released an advisory and warned of an ongoing cyber attack using destructive malware targeting organizations in Ukraine that allows attackers to take complete access of the systems and make them inoperable.

Several cybersecurity researchers reported from across the globe and disclosed a highly catastrophic malware known as HermeticWiper which was targeting several organizations in Ukraine. The malware targets Windows devices’ master boot record and manipulates to cause the boot failure. To infiltrate the network, lateral movement, and malware distribution, attackers used tools like Impacket and RemCom as remote access software. Microsoft tracks this malware as Foxblade wiper.

A worm HermeticWizard uses WMI and SMB to spread through network and deploy wiper to local computer. Successful exploitation may directly impact the daily operations of any organization and cause the unavailability of critical assets and data. Another wiper named Isaacwiper is now targeting the organizations which are not affected by Hermeticwiper. On the other hand, they do not have the same code. Along with the wiper, a ransomware HermeticRansom was also used potentially to hide the wiper’s action.

A fourth wiper dubbed as CaddyWiper is targeting Ukraine as of March second week. The wiper is deployed using Group Policy Objects and further avoids deleting data on domain controllers in order to keep access to the target organization while yet disrupting operations. In addition to this, it determines whether a device is a domain controller by calling the DsRoleGetPrimaryDomainInformation() method. This is most likely a method employed by attackers to keep access to the infiltrated networks of the businesses they target while causing significant disruption to operations by deleting other vital devices.

The Mitre TTPs used by the malwares in the current attack are:

TA0001: Initial Access
TA0007: Discovery
TA0040: Impact
TA0042: Resource Development
TA0002: Execution
TA0008: Lateral Movement
T1588: Obtain Capabilities
T1588.002: Obtain Capabilities: Tool
T1588.003: Obtain Capabilities: Code Signing Certificates
T1078: Valid Accounts
T1078.002: Valid Accounts: Domain Accounts
T1059: Command and Scripting Interpreter
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1106: Native API
T1569: System Services
T1569.002: System Services: Service Execution
T1047: Windows Management Instrumentation
T1018: Remote System Discovery
T1021: Remote Services
T1021.002: Remote Services: SMB/Windows Admin Shares
T1021.003: Remote Services: Distributed Component Object Model
T1561: Disk Wipe
T1561.002: Disk Wipe: Disk Structure Wipe
T1561.001: Disk Wipe: Disk Content Wipe
T1485: Data Destruction
T1499.002: Endpoint Denial of Service
T1499.002: Endpoint Denial of Service: Service Exhaustion Flood