CyFlare SOC Advisory - Russian Cyber Attacks
Incident Report for CyFlare
Source(s): Microsoft Threat Intelligence Center, SentinelLabs, Symantec
Sector: Security Vulnerability
Reported by: Microsoft Threat Intelligence Center (MTIC), SentinelLabs

Subject: Emerging threats: WhisperGate, HermeticWiper, and PartyTicket, which were used by threat actors leading up to the recent Russia-Ukraine conflict

Leading up to the current Russia-Ukraine conflict, threat actors deployed the following malware, designed to target and destroy computer systems in Ukraine: WhisperGate, HermeticWiper, and PartyTicket.

Affected systems:
• Windows Operating System (all versions)
• Windows Server (all versions)

Sectors targeted so far: Financial, defense, aviation, and IT services

Conti Ransomware group:
Conti, a Russian-tied ransomware-as-a-service group, pledged its support to the Russian government. The group announced that any cyberattack or war activity against Russia would be met with a counterattack on the critical infrastructure of the enemy. However, after this statement was made, an actor internal or external to the group leaked information about the organization's internal activities, including the source code of its locker software. This leaked source code could be used by less experienced criminals to create their own ransomware. This situation is ongoing, and any relevant indicators of compromise from analysis of the source code will be added to our tools.

CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks.
- Use multi-factor authentication.
• Require multi-factor authentication to remotely access networks from external sources.
- Implement network segmentation and filter traffic.
• Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
• Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
• Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.
• Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
- Scan for vulnerabilities and keep software updated.
• Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.
• Upgrade software and operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system.
- Remove unnecessary applications and apply controls.
• Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications, such as remote monitoring and management software and remote desktop software, to aid in the malicious exploitation of an organization's enterprise.
• Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
• Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs.
• Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
• See the joint Alert, Publicly Available Tools Seen in Cyber Incidents Worldwide, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom, for guidance on detection and protection against malicious use of publicly available tools.
- Implement endpoint detection and response tools.
• Endpoint detection and response tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
- Limit access to resources over the network, especially by restricting RDP.
• After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Secure user accounts.
• Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
• Regularly audit logs to ensure new accounts are legitimate users.

WhisperGate:
On January 15, 2022, the Microsoft Threat Intelligence Center announced the identification of this malware operation used to target Ukrainian organizations. The two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note containing a Bitcoin wallet and a Tox ID. The malware executes when the device is powered down, overwriting the MBR of the system and rendering it inoperable. Whether or not the ransom is paid, the malware will execute and overwrite the MBR.

Indicators of Compromise:
Indicator #1: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Indicator #1 Type: SHA-256
Indicator #1 Description: Hash of destructive malware stage1.exe

Indicator #2: dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
Indicator #2 Type: SHA-256
Indicator #2 Description: Hash of stage2.exe

Indicator #3: cmd.exe /Q /c start c:\stage1.exe 1 > \\\ADMIN$\_[TIMESTAMP] 2>&1
Indicator #3 Type: Command line
Indicator #3 Description: Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.

HermeticWiper:
On February 23, 2022, researchers disclosed that this malware was being used against Ukrainian organizations. It is named after the digital certificate used to sign the sample, ‘Hermetica Digital Ltd’. The malware contains 32- and 64-bit driver files compressed with the Lempel-Ziv algorithm. Driver file names are generated using the Process ID of the wiper. The driver is loaded into the wiper’s process memory space, decompressed, and written to disk at “C:\Windows\System32\drivers\.sys”. Once run, it resembles WhisperGate in that it damages the Master Boot Record (MBR). HermeticWiper enumerates a range of Physical Drives multiple times, from 0 to 100. For each Physical Drive, the \\.\EPMNTDRV\ device is called for a device number. The malware focuses on corrupting the first 512 bytes, the Master Boot Record, of every Physical Drive.
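Both wipers described above end up overwriting the first 512 bytes of the disk, so a useful check during triage or recovery is whether a captured boot sector still looks like an MBR and whether it matches a known-good baseline. The following is an added example, not CyFlare's or any vendor's code; the sample sectors, the verdict names and the baseline-hash handling are constructed assumptions.

```python
import hashlib

SECTOR_SIZE = 512               # the wipers above corrupt exactly the first 512 bytes
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510-511 of an intact MBR
PARTITION_TABLE_OFFSET = 446    # four 16-byte partition entries precede the signature

def inspect_mbr(sector: bytes, baseline_sha256: str = "") -> dict:
    """Classify one 512-byte sector image as intact, modified or wiped.

    baseline_sha256, if given, is the SHA-256 of the same sector captured earlier
    (e.g. by a backup or asset-inventory job), so silent changes are caught too.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    sha = hashlib.sha256(sector).hexdigest()
    signature_ok = sector[510:512] == BOOT_SIGNATURE
    table = sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + 64]
    table_empty = not any(table)
    filler = len(set(sector)) == 1            # one repeated byte: zeroed or pattern-filled
    baseline_changed = bool(baseline_sha256) and sha != baseline_sha256.lower()
    if filler or (not signature_ok and table_empty):
        verdict = "wiped"                     # nothing bootable left at all
    elif not signature_ok or table_empty or baseline_changed:
        verdict = "modified"                  # e.g. a ransom-note MBR: 0x55AA kept, no partitions
    else:
        verdict = "intact"
    return {"sha256": sha, "signature_ok": signature_ok, "partition_table_empty": table_empty,
            "baseline_changed": baseline_changed, "verdict": verdict}

def make_sample_mbr() -> bytes:
    """Constructed intact MBR: placeholder boot code, one NTFS partition entry, valid signature."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x90" * 443               # jump + NOP padding
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])     # bootable, type 0x07
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))  # LBA start, size
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE

def make_ransom_note_mbr() -> bytes:
    """Constructed WhisperGate-style overwrite: note text where boot code was, empty table."""
    return b"CONSTRUCTED RANSOM NOTE TEXT".ljust(446, b"\x00") + b"\x00" * 64 + BOOT_SIGNATURE
```

On a live Windows host the sector would be the first 512 bytes read from \\.\PhysicalDriveN with administrative rights; the function only looks at bytes, so a sector copied out of a forensic image works the same way.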

Indicators of Compromise:

Indicator #1 Name: Win32/KillDisk.NCV
Indicator #1 File Category: Trojan
Indicator #1 File Hash: 912342F1C840A42F6B74132FSA7C4FFE7D40FB77
Indicator #1 Source: ESET research

Indicator #2 Name: HermeticWiper
Indicator #2 File Category: Win32 EXE
Indicator #2 File Hash: 912342fle 840a42f6b7413218a7c4fie7d40fb77
Indicator #2 Source: SentinelLabs

Indicator #3 Name: HermeticWiper
Indicator #3 File Category: Win32 EXE
Indicator #3 File Hash: 61b25d11392172e587d8daJ045812a66c3385451
Indicator #3 Source: SentinelLabs

Indicator #4 Name: RCDATA_DRV_X64
Indicator #4 File Category: ms-compressed
Indicator #4 File Hash: a952e288alead66490b3275a807f52e5
Indicator #4 Source: SentinelLabs

Indicator #5 Name: RCDATA_DRV_X86
Indicator #5 File Category: ms-compressed
Indicator #5 File Hash: 231b3385acl 7e41c5bblblfcb59599c4
Indicator #5 Source: SentinelLabs

Indicator #6 Name: RCDATA_DRV_XP_X64
Indicator #6 File Category: ms-compressed
Indicator #6 File Hash: 095al 678021b034903c85dd5acb447ad
Indicator #6 Source: SentinelLabs

Indicator #7 Name: RCDATA_DRV_XP_X86
Indicator #7 File Category: ms-compressed
Indicator #7 File Hash: eb845b7a16ed82bd248e395d9852f467
Indicator #7 Source: SentinelLabs

Indicator #8 Name: Trojan.Killdisk
Indicator #8 File Category: Trojan.Killdisk
Indicator #8 File Hash: lbc44-eef75779e3caleefb8ff5a64807dbc942ble4a2672d77b9f6928d292591
Indicator #8 Source: Symantec Threat Hunter Team

Indicator #9 Name: Trojan.Killdisk
Indicator #9 File Category: Trojan.Killdisk
Indicator #9 File Hash: 0385eea b00e946a302 b24a91dea4187cl210597b8e17cd9e2230450f5ece21da
Indicator #9 Source: Symantec Threat Hunter Team

Indicator #10 Name: Trojan.Killdisk
Indicator #10 File Category: Trojan.Killdisk
Indicator #10 File Hash: a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e
Indicator #10 Source: Symantec Threat Hunter Team

Indicator #11 Name: Ransomware
Indicator #11 File Category: Trojan.Killdisk
Indicator #11 File Hash: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
Indicator #11 Source: Symantec Threat Hunter Team
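To hunt for the WhisperGate and HermeticWiper behaviours described above in endpoint telemetry, here is an added example (not CyFlare's or any vendor's code) that applies the advisory's indicators to constructed process-creation, file-open and file-write events. The event schema and field names, the `HOST` share path, the `wiper_sample.exe` process name, the dropped driver name and the trusted-installer exclusion are all assumptions; only the two WhisperGate SHA-256 values come from the advisory.

```python
import re

# SHA-256 values quoted in this advisory for WhisperGate stage1.exe and stage2.exe
KNOWN_SHA256 = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92": "WhisperGate stage1.exe",
    "dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78": "WhisperGate stage2.exe",
}
# Impacket-style remote execution: cmd.exe /Q /c start <exe> ... > \\<host>\ADMIN$\<name> 2>&1
IMPACKET_RE = re.compile(r"cmd\.exe\s+/Q\s+/c\s+start\b.*ADMIN\$\\", re.IGNORECASE)
# Raw disk handles HermeticWiper opens to reach the MBR of each physical drive
RAW_DEVICE_RE = re.compile(r"\\\\\.\\(EPMNTDRV|PhysicalDrive\d+)", re.IGNORECASE)
# A driver written into System32\drivers (HermeticWiper derives the name from its own PID)
DRIVER_DROP_RE = re.compile(r"^C:\\Windows\\System32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
# Assumption: these installers legitimately write drivers and are excluded from that rule
TRUSTED_DRIVER_WRITERS = {"trustedinstaller.exe", "msiexec.exe"}

def classify(event: dict) -> list:
    """Return the names of the detections an event matches (empty list = no hit)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        if IMPACKET_RE.search(event.get("cmdline", "")):
            hits.append("impacket_admin_share_exec")
        label = KNOWN_SHA256.get(event.get("sha256", "").lower())
        if label:
            hits.append("known_hash:" + label)
    elif kind == "file_open" and RAW_DEVICE_RE.search(event.get("path", "")):
        hits.append("raw_physical_drive_access")
    elif (kind == "file_write" and DRIVER_DROP_RE.search(event.get("path", ""))
          and event.get("process", "").lower() not in TRUSTED_DRIVER_WRITERS):
        hits.append("driver_dropped_to_system32")
    return hits

def hunt(events: list) -> dict:
    """Map event id -> matched detections, keeping only events with at least one hit."""
    return {e["id"]: h for e in events if (h := classify(e))}

# Constructed sample telemetry; only the stage1.exe hash is taken from the advisory
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "process": "cmd.exe", "sha256": "0" * 64,
     "cmdline": r"cmd.exe /Q /c start c:\stage1.exe 1> \\HOST\ADMIN$\__1645600000 2>&1"},
    {"id": 2, "type": "process_create", "process": "stage1.exe", "cmdline": r"c:\stage1.exe",
     "sha256": "A196C6B8FFCB97FFB276D04F354696E2391311DB3841AE16C8C9F56F36A38E92"},
    {"id": 3, "type": "file_open", "process": "wiper_sample.exe", "path": r"\\.\PhysicalDrive0"},
    {"id": 4, "type": "file_write", "process": "wiper_sample.exe",
     "path": r"C:\Windows\System32\drivers\zedr.sys"},
    {"id": 5, "type": "process_create", "process": "notepad.exe", "cmdline": "notepad.exe",
     "sha256": "1" * 64},
]
```

Calling hunt(SAMPLE_EVENTS) flags events 1 to 4 with one detection each and drops the benign event 5; in a real deployment the events would come from the EDR or SIEM export rather than the inline list.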

PartyTicket:
Discovered by Symantec researchers on February 24th, this is decoy ransomware used alongside the deployment of HermeticWiper. The function naming convention and the ransom note shown after execution indicate an intent to taunt the US government. File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe. It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.

Indicators of Compromise:

Indicator #1 Name: PartyTicket
Indicator #1 File Category: Win32 EXE
Indicator #1 File Hash (SHA-1): f32d791ec9e6385a91b45942c230f52aff1626df

CyFlare Actions Taken:
• XDRaaS: Request submitted to the vendor to update the ‘Emerging Threat’ security detection by adding provided Yara rules to the tool’s IDS Engine to trigger on recent related activity observed, if not preemptively added/updated already. The Machine Learning-IDS engine, as well as built-in threat intelligence, is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community.
• SentinelOne: SentinelLabs provided a list of Yara detection rules, as well as ‘Deep Visibility’ queries that the SOC will leverage to search for related indicators of compromise across customers’ SentinelOne environments.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with ‘OTX Pulses’, i.e. information on related indicators observed by both vendors and the community. Any OTX indicators, such as those related to the emerging Russian cyberattacks, will trigger security alarms if observed in any customer’s environment.
• Sophos: Sophos released recent news articles and blog posts highlighting the emerging activity related to Russia’s invasion of Ukraine, as well as general best-practice cyber security tips. Moreover, the Austrian IT security testing lab AV-Comparatives has tested multiple vendors’ protection against the recently emerged HermeticWiper malware. Sophos was one of the enterprise endpoint security vendors tested and was identified as having full detection for HermeticWiper variants, protecting systems effectively against them.

Developing Situation:
With a full-scale invasion now underway in Ukraine, the likelihood of further cyberattacks from Russia remains high. The SOC will continue to research emerging related threats in the wild or from the cyber community. Furthermore, the SOC will hunt related indicators of compromise, as well as scan for the vulnerabilities within our clients that have the Vulnerability Management Service.

Should you have any questions or concerns please place a ticket with the SOC using or by calling 877.729.3527 extension 2.

Thank you,
Your CyFlare SOC
Posted Mar 08, 2022 - 21:36 EST
This incident affects: Breach Detection Service.