Source(s): Microsoft Threat Intelligence Center, SentinelLabs, Symantec
Sector: Security Vulnerability
Reported by: Microsoft Threat Intelligence Center (MSTIC), SentinelLabs
Subject: Emerging threats: WhisperGate, HermeticWiper, and PartyTicket, which were used by threat actors leading up to the recent Russia-Ukraine conflict
OVERVIEW: Leading up to the current Russia-Ukraine conflict, threat actors deployed the following malware, designed to target and destroy computer systems in Ukraine: WhisperGate, HermeticWiper, and PartyTicket.
SYSTEMS AFFECTED:
• Windows Operating System (all versions)
• Windows Server (all versions)
RISK: Sectors targeted so far: financial, defense, aviation, and IT services.
THREAT SUMMARY:
Conti ransomware group: Conti, a Russian-tied ransomware-as-a-service operation, pledged its support to the Russian government. The group announced that any cyberattack or war activity against Russia would result in a counterattack on the critical infrastructure of the adversary. However, after making this statement, an actor either inside or outside the group leaked information about the organization's internal activities, including the source code of its locker software. This leaked source code could be used by less experienced criminals to create their own ransomware. This situation is ongoing, and any relevant indicators of compromise from analysis of the source code will be added to our tools.
Mitigations: CISA, FBI, and NSA recommend that network defenders apply the following mitigations to reduce the risk of compromise by Conti ransomware attacks.
Use multi-factor authentication.
• Require multi-factor authentication to remotely access networks from external sources.
Implement network segmentation and filter traffic.
• Implement and ensure robust network segmentation between networks and functions to reduce the spread of ransomware. Define a demilitarized zone that eliminates unregulated communication between networks.
• Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses.
• Enable strong spam filters to prevent phishing emails from reaching end users. Implement a user training program to discourage users from visiting malicious websites or opening malicious attachments. Filter emails containing executable files to prevent them from reaching end users.
• Implement a URL blocklist and/or allowlist to prevent users from accessing malicious websites.
Scan for vulnerabilities and keep software updated.
• Set antivirus/antimalware programs to conduct regular scans of network assets using up-to-date signatures.
• Upgrade software, operating systems, applications, and firmware on network assets in a timely manner. Consider using a centralized patch management system.
Remove unnecessary applications and apply controls.
• Remove any application not deemed necessary for day-to-day operations. Conti threat actors leverage legitimate applications, such as remote monitoring and management software and remote desktop software, to aid in the malicious exploitation of an organization's enterprise.
• Investigate any unauthorized software, particularly remote desktop or remote monitoring and management software.
• Implement application allowlisting, which only allows systems to execute programs known and permitted by the organization's security policy. Implement software restriction policies (SRPs) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs.
• Implement execution prevention by disabling macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Microsoft Office suite applications.
• See the joint Alert, Publicly Available Tools Seen in Cyber Incidents Worldwide, developed by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom, for guidance on detection and protection against malicious use of publicly available tools.
Implement endpoint detection and response tools.
• Endpoint detection and response (EDR) tools allow a high degree of visibility into the security status of endpoints and can help effectively protect against malicious cyber actors.
Limit access to resources over the network, especially by restricting RDP.
• After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
Secure user accounts.
• Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties.
• Regularly audit logs to ensure new accounts are legitimate users.
WhisperGate: On January 15, 2022, the Microsoft Threat Intelligence Center announced the identification of this malware operation, used to target Ukrainian organizations. The malware has two stages: the two-stage malware overwrites the Master Boot Record (MBR) on victim systems with a ransom note containing a Bitcoin wallet address and a Tox ID. The malware executes when the device is powered down, overwriting the MBR of the system and rendering it inoperable. Whether or not the ransom is paid, the malware will execute and overwrite the MBR.
Indicators of Compromise:
Indicator #1: a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Indicator #1 Type: SHA-256
Indicator #1 Description: Hash of destructive malware stage1.exe
Indicator #3: cmd.exe /Q /c start c:\stage1.exe 1> \\127.0.0.1\ADMIN$\_[TIMESTAMP] 2>&1
Indicator #3 Type: Command line
Indicator #3 Description: Example Impacket command line showing the execution of the destructive malware. The working directory has varied in observed intrusions.
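The command line in Indicator #3 is a useful hunting pattern on its own, independent of the stage1.exe file name: a quiet "cmd.exe /Q /c" shell whose standard output and error are redirected into the ADMIN$ share on the loopback address, which is how Impacket's wmiexec collects command output. The Python script below is an added example, not part of this advisory or of any vendor's tooling. It scans process-creation log lines for that pattern and reports the host, user, and executed command for each hit; the key=value line layout and the four sample events are constructed assumptions for the demonstration.

```python
import re

# Assumed pattern: Impacket's wmiexec runs a command through "cmd.exe /Q /c" and
# redirects its output to \\127.0.0.1\ADMIN$\_<name>, as shown in Indicator #3.
IMPACKET_REDIRECT = re.compile(
    r"cmd\.exe\s+/Q\s+/c\s+(?P<cmd>.+?)\s+"      # quiet one-shot cmd shell + command
    r"\d?>\s*\\\\127\.0\.0\.1\\ADMIN\$\\_\S*"    # stdout written to loopback ADMIN$
    r"\s+2>&1",                                  # stderr merged into stdout
    re.IGNORECASE,
)

# Constructed process-creation events (not real telemetry); the key=value layout
# with a trailing free-form cmdline field is an assumption of this example.
SAMPLE_EVENTS = [
    "2022-01-13T20:31:02Z host=WS01 user=svc_backup cmdline=cmd.exe /Q /c start c:\\stage1.exe 1> \\\\127.0.0.1\\ADMIN$\\__1642105862.77 2>&1",
    "2022-01-13T20:31:09Z host=WS01 user=jdoe cmdline=cmd.exe /Q /c dir C:\\Users",
    "2022-01-13T20:32:40Z host=FS02 user=svc_backup cmdline=cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1642105960.01 2>&1",
    "2022-01-13T20:33:15Z host=FS02 user=jdoe cmdline=powershell.exe -File backup.ps1 > C:\\logs\\out.txt 2>&1",
]


def parse_event(line):
    """Split one constructed event line into a dict; cmdline keeps its spaces."""
    head, _, cmdline = line.partition(" cmdline=")
    parts = head.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["timestamp"] = parts[0]
    fields["cmdline"] = cmdline
    return fields


def impacket_exec_match(cmdline):
    """Return the remotely executed command if cmdline matches the pattern, else None."""
    m = IMPACKET_REDIRECT.search(cmdline)
    return m.group("cmd") if m else None


def hunt(lines):
    """Return (host, user, command) for every event whose cmdline matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = impacket_exec_match(ev["cmdline"])
        if cmd:
            hits.append((ev["host"], ev["user"], cmd))
    return hits


if __name__ == "__main__":
    for host, user, cmd in hunt(SAMPLE_EVENTS):
        print("possible Impacket remote execution: host=%s user=%s cmd=%r" % (host, user, cmd))
```

The match is anchored on the redirection target rather than on the executable name, so it also surfaces the whoami event on FS02, which is the kind of reconnaissance step that typically precedes the stage1.exe launch; a hit on a service account such as svc_backup is worth a closer look regardless of the command run.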
HermeticWiper: On February 23, 2022, researchers disclosed that this malware was being used against Ukrainian organizations. It is named after the digital certificate used to sign the sample, issued to "Hermetica Digital Ltd". The malware contains 32- and 64-bit driver files compressed with the Lempel-Ziv algorithm. Driver file names are generated using the Process ID of the wiper. The driver is loaded into the wiper's process memory space, decompressed, and written to disk at "C:\Windows\System32\drivers\.sys". Once running, it resembles WhisperGate in that it damages the Master Boot Record (MBR). HermeticWiper enumerates a range of Physical Drives, 0 to 100, multiple times. For each Physical Drive, the \\.\EPMNTDRV\ device is called for a device number. The malware focuses on corrupting the first 512 bytes (the MBR) of every Physical Drive.
Indicators of Compromise:
Indicator #1 Name: Win32/KillDisk.NCV
Indicator #1 File Category: Trojan
Indicator #1 File Hash (SHA-1): 912342F1C840A42F6B74132F8A7C4FFE7D40FB77
Indicator #1 File Hash (SHA-1): 61B25D11392172E587D8DA3045812A66C3385451
Indicator #1 Source: ESET research
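The hashes in the WhisperGate and HermeticWiper indicator lists above are only useful if they are matched consistently (the advisory mixes SHA-256 and SHA-1, and vendors publish them in mixed case), and a hash alone misses any repacked sample; the HermeticWiper description also gives two strings worth checking during triage, the \\.\EPMNTDRV\ device path and the "Hermetica Digital Ltd" signer name. The Python below is an added example, not code from this advisory or from any vendor: it hashes a byte buffer with both SHA-1 and SHA-256, looks the digests up in the indicator table after normalising case, and scans the buffer for the two strings in both ASCII and UTF-16LE. The two sample buffers are constructed for the demonstration and are not real binaries.

```python
import hashlib

# Hashes copied from the indicator lists in this advisory, normalised to lowercase hex.
IOC_HASHES = {
    "a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92":
        "WhisperGate stage1.exe (SHA-256)",
    "912342f1c840a42f6b74132f8a7c4ffe7d40fb77":
        "HermeticWiper, ESET Win32/KillDisk.NCV (SHA-1)",
    "61b25d11392172e587d8da3045812a66c3385451":
        "HermeticWiper, ESET Win32/KillDisk.NCV (SHA-1)",
}

# Strings taken from the HermeticWiper description above. A string hit is
# triage evidence that justifies a closer look, not proof of infection.
IOC_STRINGS = {
    "\\\\.\\EPMNTDRV\\": "EPMNTDRV device path used to address physical drives",
    "Hermetica Digital Ltd": "subject name of the certificate used to sign the wiper",
}


def match_iocs(data, hashes=None, strings=None):
    """Return [(indicator, description), ...] for every hash or string hit in data."""
    table = {k.lower(): v for k, v in (IOC_HASHES if hashes is None else hashes).items()}
    needles = IOC_STRINGS if strings is None else strings
    hits = []
    # Both digests are computed because the advisory lists SHA-256 and SHA-1 indicators.
    for algo in ("sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in table:
            hits.append((digest, table[digest]))
    for text, desc in needles.items():
        if text.encode("ascii") in data:
            hits.append((text, desc))
        elif text.encode("utf-16-le") in data:   # wide strings are common in Windows binaries
            hits.append((text + " (UTF-16LE)", desc))
    return hits


def scan_file(path, **kwargs):
    """Read a file from disk and match it against the indicator tables."""
    with open(path, "rb") as fh:
        return match_iocs(fh.read(), **kwargs)


# Constructed sample buffers for the demonstration; neither is a real executable.
BENIGN_SAMPLE = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
SUSPECT_SAMPLE = (b"MZ" + b"\x00" * 62
                  + "\\\\.\\EPMNTDRV\\".encode("utf-16-le") + b"\x00" * 16)


def demo():
    """Run the matcher over the constructed samples and return the results by name."""
    # A constructed hash table proves the hash path works without a real malicious file.
    constructed = {hashlib.sha256(BENIGN_SAMPLE).hexdigest(): "constructed test hash"}
    return {
        "benign": match_iocs(BENIGN_SAMPLE),
        "suspect": match_iocs(SUSPECT_SAMPLE),
        "hash_hit": match_iocs(BENIGN_SAMPLE, hashes=constructed),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits or "no indicators matched")
```

scan_file applies the same matcher to a file on disk; in practice it would be run over collected samples or suspicious drops from the paths named in the PartyTicket section, with any hit escalated to the SOC rather than acted on automatically, since the string indicators are weaker evidence than a hash match.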
PartyTicket: Discovered by Symantec researchers on February 24th, this is decoy ransomware deployed alongside HermeticWiper. The function-naming convention and the ransom note left after execution show an intent to taunt the US government. File names used by the ransomware included client.exe, cdir.exe, cname.exe, connh.exe, and intpub.exe. It appears likely that the ransomware was used as a decoy or distraction from the wiper attacks.
CyFlare Actions Taken:
• XDRaaS: A request was submitted to the vendor to update the 'Emerging Threat' security detection by adding the provided YARA rules to the tool's IDS engine so that it triggers on the recently observed related activity, if they were not already added or updated preemptively. The machine-learning IDS engine, as well as the built-in threat intelligence, is also consistently updated with the latest threats identified by the open-source cyber threat intelligence community. https://github.com/SentineLabs/yara/blob/main/APT_ZZ_Unknown_HermeticWiper.yar
• SentinelOne: SentinelLabs provided a list of YARA detection rules, as well as 'Deep Visibility' queries that the SOC will leverage to search for related indicators of compromise across customers' SentinelOne environments.
• AlienVault USM Anywhere: AlienVault Open Threat Exchange (OTX) has been updated with 'OTX Pulses', the available information on related indicators observed by both the vendor and the community. Any OTX indicators, such as those related to emerging Russian cyberattacks, will trigger security alarms if observed in any customer's environment. https://otx.alienvault.com/pulse/621802d015d213ff12c78818
• Sophos: Sophos released recent news articles and blog posts highlighting the emerging activity related to Russia's invasion of Ukraine, as well as general best-practice cyber security tips. Moreover, the Austrian IT-security testing lab AV-Comparatives has tested the protection of multiple vendors against the recently emerged HermeticWiper malware. Sophos was one of the enterprise endpoint security vendors tested and was identified as having full detection for HermeticWiper malware variants, protecting systems effectively against its multiple variants.
Developing Situation: With a full-scale invasion now underway in Ukraine, the likelihood of further cyberattacks from Russia remains high. The SOC will continue to research emerging related threats, both in the wild and from the cyber community. Furthermore, the SOC will hunt for related indicators of compromise and scan for the relevant vulnerabilities within clients that have the Vulnerability Management Service.