CyFlare System Status Page
Monitoring - Posted Date: 04/01/2022
Published Date: 04/01/2022
Source: Known reputed Security Agencies/Reports/Articles
Sector: All – including Government agencies
Reported by: CyberKendra Security blog post
CVE: CVE-2022-22965, CVE-2022-22963, and CVE-2022-22950
DATE(S) ISSUED: 03/31/2021
SUBJECT: Known IOCs and facts about Spring4Shell zero-day vulnerability

OVERVIEW:
As the world's most popular Java lightweight open-source framework, Spring allows developers to focus on business logic and simplifies the development cycle of Java enterprise applications.
Spring has released a security advisory explaining that the vulnerability is now tracked as CVE-2022-22965 and impacts Spring MVC and Spring WebFlux applications on JDK 9. The exploitation of the vulnerability also requires Apache Tomcat, an application packaged as a WAR, and the spring-webmvc or spring-webflux dependencies.

THREAT INTELLIGENCE: Per recent updates on Bleeping Computer, the vulnerability is actively being exploited in attacks – targets are unknown now.

SYSTEMS AFFECTED:
• JDK version 9 and beyond
• Apache Tomcat as the Servlet container
• Packaged as WAR
• spring-webmvc and spring-webflux dependency
• Spring Cloud function versions 3.1.6, 3.2.2
• Spring Framework
o 5.3.0 to 5.3.17
o 5.2.0 to 5.2.19
o Older, unsupported versions are also affected

RISK:
Government and their entities: High Impact
Businesses and their entities: High Impact

TECHNICAL SUMMARY:
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Unfortunately, two other Spring CVEs were released simultaneously as SpringShell (CVE-2022-22965), which caused a lot of confusion.
These two additional CVEs are not related to SpringShell, and each of them should be handled separately from SpringShell.

• CVE-2022-22963 is a critical-severity RCE issue (reported initially as a medium-severity issue) in Spring Cloud Function. This is a very severe issue, but Spring Cloud Function is less widespread than Spring Framework.
• CVE-2022-22950 is a medium-severity DoS issue in Spring Framework.

CyFlare is continuously monitoring and updating the known IOCs in order to fetch updated information on the threat and any potential mitigation techniques.

RECOMMENDATIONS:
We recommend the following actions be taken:
• Users of affected versions should apply the following mitigation: 5.3.x users should upgrade to 5.3.18+, 5.2.x users should upgrade to 5.2.20+. No other steps are necessary. There are other mitigation steps for applications that cannot upgrade to the above versions. Those are described in the early announcement blog post, listed under the Resources section. Releases that have fixed this issue include:
o Spring Framework
 5.3.18+
 5.2.20+
• Potential IOCs:
o HTTP POST request with exploit code as payload in the data section.
o The following filenames would store the web shell contents on the server in the event of successful exploitation:
 0xd0m7.jsp
 myshell.jsp
 shell.jsp (far too general – not very conclusive)
 tomcatwar.jsp
 wpz.jsp

REFERENCES:
https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html
https://portswigger.net/daily-swig/spring4shell-spring-users-face-new-zero-day-vulnerability
https://www.bleepingcomputer.com/news/security/new-spring-java-framework-zero-day-allows-remote-code-execution/
Apr 1, 18:06 EDT
Monitoring - Source(s): Microsoft Threat Intelligence Center, SentinelLabs, Symantec
Sector: Security Vulnerability
Reported by: Microsoft Threat Intelligence Center (MTIC), SentinelLabs

Subject: Emerging threats: WhisperGate, HermeticWiper, and Party ticket which were used by threat actors leading up to the recent Russia Ukraine conflict

OVERVIEW
Leading up to the current Russia-Ukraine conflict, threat actors deployed the following malware that was designated to target and destroy computer systems in Ukraine: WhisperGate, HermeticWiper, and PartyTicket.

SYSTEMS AFFECTED:
• Windows Operating System (all versions)
• Windows Server (all versions)

RISK:
Sectors targeted so far: Financial, defense, aviation, and IT services

THREAT SUMMARY:
Conti Ransomware group:
Conti, a Russian tied ransomware-as-a-service, pledged their support to the Russian government. This group announced that any cyberattack or war activities against Russia would result in a counterattack at any critical infrastructures of an enemy. However, after making this statement an external or internal actor to the group leaked information regarding the organization's internal activities including the source code of their locker software. This leaked source code could be used by less experienced criminals to create their own ransomware. This situation is ongoing and any relevant indicators of compromise from the analysis of the source code will be updated in our tools***

Mitigations****:
Mitigations
CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks.
Use multi-factor authentication.
• Require multi-factor authentication to remotely access networks from external sources. Implement network segmentation and filter traffic.
• Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
• Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
• Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.
• Implement a URL blocklist and/or allow the list to prevent users from accessing malicious websites. Scan for vulnerabilities and keep software updated.
• Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.
• Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system. Remove unnecessary applications and apply controls.
• Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications- such as remote monitoring and management software and remote desktop software applications to aid in the malicious exploitation of an organization's enterprise.
• Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
• Implement application allow listing, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs.
• Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
• See the joint Alert, Publicly Available Tools Seen in Cyber Incidents Worldwide developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom for guidance on detection and protection against malicious use of publicly available tools.
- Implement endpoint and detection response tools.
• Endpoint and detection response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
- Limit access to resources over the network, especially by restricting RDP.
• After assessing risks, if ROP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Secure user accounts.
• Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
• Regularly audit logs to ensure new accounts are legitimate users.

Whisper Gate:
On January 15, 2022, Microsoft Threat Intelligence Center announced the identification of this malware operation used to target Ukrainian organizations. This malware has two stages, The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note. This ransom note will contain a Bitcoin wallet and Tox ID. The malware will execute when the device is powered down. It overwrites the MBR of the system, rendering it inoperable. Whether the ransom is paid or not, the malware will execute and overwrite the MBR.

Indicators of Compromise:
Indicator #1: a196c6b8ffcb97ffb276d04f354696e2391311 db3841ae16c8c9f56f36a38e92
Indicator #1 Type: SHA-256
Indicator #1 Description: Hash of destructive malware stage1.exe

Indicator #2: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Indicator #2 Type: SHA-256
Indicator #2 Description: Hash of stage2.exe

Indicator #3: cmd.exe /Q /c start c:\stage1.exe 1 > \\ 127.0.0.1\ADMIN$\_[TIMESTAMP] 2>&1
Indicator #3 Type: Command line
Indicator #3 Description: Example lmpacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.

Hermetic Wiper:
February 23, 2022, researchers disclosed this was being used against Ukraine organizations. This malware is named after the digital certificate used to sign the sample ‘Hermetica Digital Ltd’. This malware contains 32 and 64-bit driver files compressed by Lempel-Ziv algorithm. Driver file names are generated using the Process ID of the wiper. The driver is loaded into the wiper’s process memory space, decompressed, and written to disk at “C:\Windows\System32\drivers\.sys” Once run this is like the WhisperGate malware in the sense that it damages the Master Boot Record (MBR). HermeticWiper enumerates a range of Physical Drives multiple times, from 0-100. For each Physical Drive, the \\.\EPMNTDRV\ device is called for a device number. The malware focuses on corrupting the first 512 bytes of the Master Boot Record for every Physical Drive.

Indicators of Compromise:

Indicator #1 Name: Win32/Ki11Disk.NCV
Indicator #1 File Category: Trojan
Indicator #1 File Hash: 912342F1C840A42F6B74132FSA7C4FFE7D40FB77
61B25D11392172E587D8DA3045812A66C3385451
Indicator #1 Source: ESET research

Indicator #2 Name: HermeticWiper
Indicator #2 File Category: Win32EXE
Indicator #2 File Hash: 912342fle 840a42f6b7413218a7c4fie7d40fb77
Indicator #2 Source: ISentinelLabs

Indicator #3 Name: HermeticWiper
Indicator #3 File Category: Win32EXE
Indicator #3 File Hash: 61b25d11392172e587d8daJ045812a66c3385451
Indicator #3 Source: ISentinelLabs

Indicator #4 Name: RCDATA_DRV_X64
Indicator #4 File Category: ms-compressed
Indicator #4 File Hash: a952e288alead66490b3275a807f52e5
Indicator #4 Source: ISentinellabs

Indicator #5 Name: IRCDATA_DRV_xs6
Indicator #5 File Category: lms- compressed
Indicator #5 File Hash: 231b3385acl 7e41c5bblblfcb59599c4
Indicator #5 Source:ISentinellabs

Indicator #6 Name: IRCDATA_DRV_XP_X64
Indicator #6 File Category: lms-compressed
Indicator #6 File Hash: 095al 678021b034903c85dd5acb447ad
Indicator #6 Source:ISentinellabs

Indicator #7 Name: RCDATA_DRV_XP_X86
Indicator #7 File Category: ms-compressed
Indicator #7 File Hash: eb845b7a16ed82bd248e395d9852f467
Indicator #7 Source:ISentinellabs

Indicator #8 Name: Trojan.Killdisk
Indicator #8 File Category: Trojan.Killdisk
Indicator #8 File Hash: lbc44-eef75779e3caleefb8ff5a64807dbc942ble4a2672d77b9f6928d292591
Indicator #8 Source: lsymantec threat, Hunter treama

Indicator #9 Name: Trojan.Killdisk
Indicator #9 File Category: Trojan.Killdisk
Indicator #9 File Hash: 0385eea b00e946a302 b24a91dea4187cl210597b8e17cd9e2230450f5ece21da
Indicator #9 Source: !Symantec threat, Hunter treama

Indicator #10 Name: Trojan.Killdisk
Indicator #10 File Category: Trojan.Killdisk
Indicator #10 File Hash: a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e
Indicator #10 Source: !Symantec trhreat Hunter treama

Indicator #11 Name: Ransomware
Indicator #11 File Category: Trojan.Killdisk
Indicator #11 File Hash: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
Indicator #11 Source: !Symantec threat Hunter

PartyTicket:
Discovered by Symantec researchers on February 24th. This is decoy ransomware used alongside the deployment of HermeticWiper. Function naming convention and ransom note after the execution of this ransomware shows intent for taunting the US government. File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe. It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.

Indicators of Compromise:

Indicator #1 Name: PartyTicket SHA-1
Indicator #2 Name: Win32 EXE f32d'791ec9e6385a91b45942c230f52aff1 626df

CyFlare Actions Taken:
• XDRaaS: Request submitted to the vendor to update the ‘Emerging Threat’ security detection by adding provided Yara rules to the tool’s IDS Engine to trigger on recent related activity observed, if not preemptively added/updated already. The Machine Learning-IDS engine, as well as built-in threat intelligence, is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community.
https://github.com/SentineLabs/yara/blob/main/APT_ZZ_Unknown_HermeticWiper.yar
• SentinelOne: SentinelLabs provided a list of Yara detection rules, as well as ‘Deep Visibility’ queries that the SOC will leverage to search for related indicators of compromise across customers’ SentinelOne environments.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange or OTX has been updated with ‘OTX Pulses’ or information available on related indicators observed from both vendor and community. Any OTX indicators, such as those related to emerging Russian Cyber-attacks will trigger security alarms if observed in any customer’s environment. https://otx.alienvault.com/pulse/621802d015d213ff12c78818
• Sophos: Sophos released recent news articles & blog posts highlighting the emerging activity related to Russia’s invasion of Ukraine, as well as general best-practice cyber security tips. Moreover, the Austrian IT-Security testing lab – “AV-Comparatives” has tested the protection of recently-emerged Hermetic Wiper malware across multiple vendors. Sophos was one enterprise endpoint security vendor tested and identified as having full detection for Hermetic Wiper malware variants and was able to protect systems effectively against its multiple variants.

Developing Situation:
With a full-scale invasion now underway in Ukraine, the likelihood of further cyberattacks from Russia remains high. The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.


Reference Links:
https://www.cisa.gov/uscert/ncas/alerts/aa21-265a
https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
https://www.securityweek.com/conti-ransomware-source-code-leaked
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
https://cluster25.io/2022/02/24/ukraine-analysis-of-the-new-disk-wiping-malware/
https://github.com/SentineLabs/yara/blob/main/APT_ZZ_Unknown_HermeticWiper.yar
https://medium.com/@andreabocchetti88/thehermeticwiper-new-data-wiping-malware-hits-ukraine-3f8383f43792
https://news.sophos.com/en-us/2022/02/22/cyberthreats-during-russian-ukrainian-tensions-what-can-we-learn-from-history-to-be-prepared/
https://www.darkreading.com/threat-intelligence/7-steps-to-take-right-now-to-prepare-for-cyberattacks-by-russia
https://www.av-comparatives.org/av-comparatives-tests-anti-virus-software-protection-against-the-hermetic-wiper-malware/

Should you have any questions or concerns please place a ticket with the SOC using socir@cyflare.com or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC
Mar 8, 21:36 EST
Update - We are continuing to monitor for any further issues.
Mar 16, 12:33 EDT
Monitoring - To our valued partners and customers,

As part of our ongoing commitment to providing exceptional customer service, we are modifying our processes further to protect your endpoints through our MDR-SentinelOne service offering. Customers and partners will now be auto-enrolled into a quarterly SentinelOne agent upgrade. Every quarter, CyFlare will upgrade you to the best version for each operating system recommended by SentinelOne, if one is available. The first quarterly upgrade will take place in Q2 2022.

CyFlare will send a Trust Post thirty days before we intend to upgrade. The post will include the upgrade version, any relevant release information from the vendor, and the upgrade's date and time. Endpoints not connected during the upgrade time will be upgraded during the next connection.

You may opt-out of this automatic upgrade. If you choose NOT to take advantage of the automatic upgrades, please open a ticket through our ticketing portal with the following subject line: Customer Name – Upgrade Process: Opt Out. We will mark your account for manual upgrades. If you opt-out, you can continue to see CyFlare's recommended upgrades via our Trust Posts. However, you will be responsible for ensuring a consistent upgrade schedule to protect your endpoints best.

CyFlare continually evaluates our services to serve our customers and our partners better. Ensuring our customers have the latest recommended SentinelOne versions means more features and increased security.

We appreciate your business.

Thank you,
CyFlare TechOps Team
Mar 1, 16:32 EST
Breach Detection Service ? Operational
90 days ago
100.0 % uptime
Today
Rochester SOC Internet & Phones Operational
90 days ago
100.0 % uptime
Today
CyFlare Support Desk Platform ? Operational
90 days ago
100.0 % uptime
Today
Operational
Degraded Performance
Partial Outage
Major Outage
Maintenance
Major outage
Partial outage
No downtime recorded on this day.
No data exists for this day.
had a major outage.
had a partial outage.
Past Incidents
May 17, 2022

No incidents reported today.

May 16, 2022

No incidents reported.

May 15, 2022

No incidents reported.

May 14, 2022

No incidents reported.

May 13, 2022

No incidents reported.

May 12, 2022

No incidents reported.

May 11, 2022

No incidents reported.

May 10, 2022

No incidents reported.

May 9, 2022

No incidents reported.

May 8, 2022

No incidents reported.

May 7, 2022

No incidents reported.

May 6, 2022

No incidents reported.

May 5, 2022

No incidents reported.

May 4, 2022

No incidents reported.

May 3, 2022
Completed - The scheduled maintenance has been completed.
May 3, 17:30 EDT
In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
May 3, 16:00 EDT
Scheduled - As part of our ongoing commitment to provide excellent customer service to our partners and customers, we continue to bring enhancements and improvements to our XDRaaS platform through an upgrade to version 4.3.1.

Upgrade will start at 4:00 PM Eastern Time on Tuesday, May 3, 2022.

Downtime to the system will be less than one hour and require nothing to be done from our customers or partners, as sensors will continue to collect and buffer information until the upgrade is completed.

Highlights
• Introduced new connectors for integration with Cynet EDR, GuardDuty, Proofpoint on Demand, HandreamNet, Barracuda Email, and Cybereason.
• Introduced new log parsers and many improvements in existing log parsers.
• Introduced alerts based OneLogin activities.

Connector Enhancements
• Introduced response integration with Cynet EDR , supporting both Contain Host and Shutdown Host actions.
• Enhanced the SentinelOne connector to use an API key for authentication instead of username and password.
• Introduced a new GuardDuty connector that integrates with AWS GuardDuty using direct APIs.
• Introduced response integration with HandreamNet, supporting Block an IP actions.
• Introduced a new Proofpoint on Demand connector to ingest logs.
• Enhanced the Office 365 connector with improved statistics and error reporting.
• Introduced a new Barracuda Email connector that allows administrators to create a Barracuda incident directly from ingested Barracuda Email logs.
• Introduced a new Cybereason connector that collects syslogs and supports the Isolate a Machine (Contain Host) response action.
• Enhanced the Azure Event Hub connector to include SQLServer AuditEvents.
• Updated the TrendMicro Cloud One Workload Security connector to use API URL.

Parser Enhancements
• Introduced support for Cribl logs with the Syslog JSON parser.
• Introduced a new parser for OPNSense Zenarmor plugin logs on ingestion port 5604.
• Introduced a new parser for Lepide logs on ingestion port 5606.
• Introduced a new parser for NXlog on ingestion port 5601.
• Introduced a new parser for Android syslogs on ingestion port 5605.
• Introduced a new parser for the Airgap Ransomware Kill Switch log on ingestion port 5602.
• Introduced support for multi-tenant log ingestion for one sensor to be shared across multiple tenants.
• Added support for both Cisco ASA and Cisco Firepower log parsing on port 5168.
• Updated the CEF log parser to support ZScaler syslogs.
May 2, 10:36 EDT