
Russia - Ukraine Cyberwar
The day before the invasion of Ukraine by Russian forces, a new wiper malware sample spreading across Ukrainian companies was observed. An hour before the invasion, an IsaacWiper attack against government websites was recorded. Cyber-attacks continued in March with the CaddyWiper malware, which infiltrated the systems of several Ukrainian organizations in both the government and financial sectors.
Indicators of Compromise
Domains (1233)
rainbowt.site
verusa.ru
rhinoderma.xyz
wakatteru.ru
turgescere.online
voranfi.ru
shermano.ru
ranar.xyz
usherfat.ru
puppis.online
solerat.ru
oyamawo.ru
potrosiha.ru
willder.xyz
plortac.ru
zqt2578.com
plaicer.online
papayana.xyz
robostetics.com
project2.top
+1213 more

Hashes (4)
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382
a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e

IPv4 (6446)
87.251.166.7091.239.190.1993.86.83.19093.185.166.19788.246.163.24594.187.179.8895.105.123.4891.105.123.23788.130.24.1693.186.209.15894.131.217.20292.148.37.17089.108.115.23595.79.96.23691.240.65.588.130.25.18787.97.116.16595.215.205.15895.170.113.7493.72.212.38
+6426 more

APT Groups
ELECTRUM
Mitigation
Mitigation for HermeticWiper:
- Make sure you have patched all critical vulnerabilities and closed all critical exposed ports discovered by the SOCRadar AttackMapper module.
- If you use anti-malware products from vendors like SentinelOne or Symantec, their scanners can detect HermeticWiper. Make sure your definitions are up to date.
- YARA rules are also available at https://github.com/Cluster25/detection/tree/main/yara/hermeticwiper if you would like to double-check your network.
- IoCs published by SOCRadar can be fed to security devices such as firewalls, IPSs, or SOAR solutions.
- Be extra careful about the usual malware delivery methods, such as phishing.
- Webshell detection plays a critical role in HermeticWiper mitigation strategies. See the details here: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

Mitigation for Cyclops Blink:
- Make sure you have patched all critical vulnerabilities and closed all critical exposed ports discovered by the SOCRadar AttackMapper module.
- If you have a WatchGuard device, follow the directions from WatchGuard, which can be found here: https://detection.watchguard.com
- The NCSC has also published its own analysis, which can be found here: https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf
- IoCs published by SOCRadar can be fed to security devices such as firewalls, IPSs, or SOAR solutions.
- Be extra careful about the usual malware delivery methods, such as phishing.

Mitigation for Katana:
- ISP-level filtering of all traffic originating from abroad, except for foreign traffic that it makes no sense to block (search engine traffic, etc.).
- The level of attacks from within the country is generally low. Potential amplifier IP addresses that can be used for large-scale DDoS attacks should be loaded into firewall / IPS systems as a list and enabled in monitoring mode.
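The mitigation lists above say to feed the published IoCs into firewalls, IPSs or SOAR tooling. Before pushing a feed to blocking devices, it is worth running it over existing logs to see whether anything already matched. The script below is an added example, not SOCRadar's code: it loads a subset of the domains, the four SHA-256 hashes and two IPv4 addresses from this page's IoC list, then scans constructed DNS, proxy, EDR and firewall log lines (the log lines are made up for this example). It matches domains on label boundaries, so a subdomain of an indicator hits but a lookalike that merely ends with the same string does not, normalizes hash case, and only counts a full IPv4 address, so 193.72.212.38 is not confused with 93.72.212.38.

```python
"""IoC matching over log lines (added example; indicators copied from this
page's IoC list, log lines constructed for the example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Subset of the indicators listed on this page (the full feed has 1233
# domains, 4 hashes and 6446 IPv4 addresses).
IOC_DOMAINS = {
    "rainbowt.site", "verusa.ru", "rhinoderma.xyz", "wakatteru.ru",
    "turgescere.online", "voranfi.ru", "shermano.ru", "ranar.xyz",
}
IOC_SHA256 = {
    "0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da",
    "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591",
    "4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382",
    "a64c3e0522fad787b95bfb6a30c3aed1b5786e69e88e023c062ec7e5cebf4d3e",
}
IOC_IPV4 = {"87.251.166.70", "93.72.212.38"}

# Constructed sample log lines: resolver, proxy, EDR file event, firewall.
SAMPLE_LOGS = [
    "2022-02-23T21:14:02Z dns client=10.0.5.17 query=cdn.rainbowt.site type=A",
    "2022-02-23T21:15:40Z proxy src=10.0.5.17 url=https://update.example.com/patch.msi status=200",
    r"2022-02-23T21:16:11Z edr host=WS-0042 file=C:\Temp\cdrv.exe "
    "sha256=0385EEAB00E946A302B24A91DEA4187C1210597B8E17CD9E2230450F5ECE21DA",
    "2022-02-23T21:17:55Z fw action=allow src=10.0.5.17 dst=93.72.212.38 dport=443",
    "2022-02-23T21:18:03Z dns client=10.0.5.18 query=notverusa.ru type=A",
    "2022-02-23T21:19:30Z fw action=allow src=10.0.5.18 dst=193.72.212.38 dport=80",
]

# Candidate extractors; the domain pattern requires an alphabetic last label
# so dotted IPv4 addresses never masquerade as hostnames.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def domain_matches(fqdn: str) -> Optional[str]:
    """Return the IoC domain that fqdn equals or is a subdomain of, else None.

    Walks label boundaries, so 'cdn.rainbowt.site' matches 'rainbowt.site'
    while 'notverusa.ru' does not match 'verusa.ru'.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (ioc_type, ioc_value) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    for fqdn in DOMAIN_RE.findall(line.lower()):
        matched = domain_matches(fqdn)
        if matched:
            hits.append(("domain", matched))
    for ip in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)             # drop e.g. 300.1.1.1
        except ValueError:
            continue
        if ip in IOC_IPV4:
            hits.append(("ipv4", ip))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_SHA256:          # feeds differ in hash case
            hits.append(("sha256", digest.lower()))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc_type, ioc_value) for every hit, 1-indexed."""
    return [(n, t, v) for n, line in enumerate(lines, 1) for t, v in scan_line(line)]


if __name__ == "__main__":
    for line_no, ioc_type, value in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {ioc_type} IoC {value}")
```

The same scan can be pointed at a SIEM export before the feed goes live in blocking mode; the two non-matching lines (the lookalike domain and the longer IP) are the false positives a naive substring match would have produced.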