HermeticWiper: A New Data Wiper Malware Targeting Ukraine Systems
Written by: Vikram Navali – Senior Technical Product Manager
As the Ukraine-Russia conflict gathers worldwide attention, a massive data-wiping malware called HermeticWiper has hit multiple organizations in Ukraine. According to ESET researchers, the threat actors had been preparing for a couple of months before launching a full-fledged attack.
Background of the HermeticWiper Malware Attack
According to Cisco’s threat advisory, deployment of the destructive HermeticWiper malware began on Feb. 23, 2022. HermeticWiper is a wiper: malware that erases all the data from a victim’s system. The research also revealed that the wiper abuses legitimate drivers from the EaseUS Partition Master software to corrupt data. The wiper binary is signed with a code-signing certificate issued to Hermetica Digital Ltd.
How Impactful is the HermeticWiper Malware?
This malware is highly impactful and differs from other malware types: it destroys the data recovery tools as well, without leaving any traces of the attack.
The malware has two components designed for destruction: one that targets the Master Boot Record (MBR) and another targeting partitions.
The wiper process begins by gaining SeShutDownPrivilege (to shut down the endpoint once it’s wiped the drives) and SeBackupPrivilege (to retrieve file contents for files whose security descriptor does not grant such access).
The wiper corrupts the MBR for every physical drive, enumerates individual partitions, and corrupts the partition data after destroying the Volume Shadow Copy Service (VSS) and corrupting other files necessary for file system operations. It then initiates a reboot to complete the wipe.
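The chain described above (privilege acquisition, VSS destruction, raw writes to every physical drive, then a reboot) is what a defender can correlate in endpoint telemetry. The following is an added illustration, not code from Attivo Networks, ESET or Cisco Talos: it walks a handful of constructed, simplified telemetry records (dicts standing in for the privilege-adjustment, service, raw-device and shutdown events an EDR or Sysmon pipeline would emit) and reports only processes that complete the sequence in that order, so a backup agent that also holds SeBackupPrivilege and rotates shadow copies is not flagged. Event kinds, field names, paths and pids are assumptions chosen for the demo, not a vendor schema.

```python
"""Correlating the HermeticWiper behaviour chain in endpoint telemetry.

Added illustration, not code from Attivo Networks, ESET or Cisco Talos.
Event kinds and field names are assumptions for the demo, not a vendor
schema; the sample records below are constructed.
"""
from dataclasses import dataclass, field

# Privileges the wiper acquires before touching the disks (from the write-up).
WIPER_PRIVILEGES = {"SeBackupPrivilege", "SeShutdownPrivilege"}

# Stages of the chain, in the order the write-up reports them.
STAGE_ORDER = ["privileges", "vss_destroyed", "raw_disk_write", "reboot"]

# Constructed sample telemetry: a benign backup agent (pid 4100) that also
# holds SeBackupPrivilege and rotates old shadow copies, and a wiper-like
# process (pid 5244). Paths and pids are made up.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 4100, "image": r"C:\Program Files\BackupAgent\agent.exe",
     "event": "privilege_adjusted", "privilege": "SeBackupPrivilege"},
    {"ts": 5, "pid": 4100, "image": r"C:\Program Files\BackupAgent\agent.exe",
     "event": "vss_shadow_deleted"},
    {"ts": 10, "pid": 5244, "image": r"C:\Users\Public\sample.exe",
     "event": "privilege_adjusted", "privilege": "SeBackupPrivilege"},
    {"ts": 11, "pid": 5244, "image": r"C:\Users\Public\sample.exe",
     "event": "privilege_adjusted", "privilege": "SeShutdownPrivilege"},
    {"ts": 12, "pid": 5244, "image": r"C:\Users\Public\sample.exe",
     "event": "service_stop", "service": "VSS"},
    {"ts": 13, "pid": 5244, "image": r"C:\Users\Public\sample.exe",
     "event": "raw_device_write", "target": r"\\.\PhysicalDrive0"},
    {"ts": 14, "pid": 5244, "image": r"C:\Users\Public\sample.exe",
     "event": "raw_device_write", "target": r"\\.\PhysicalDrive1"},
    {"ts": 20, "pid": 5244, "image": r"C:\Users\Public\sample.exe",
     "event": "shutdown_initiated"},
]


@dataclass
class ProcessTrace:
    """What one process has done so far: privileges held and stage first-seen times."""
    image: str
    privileges: set = field(default_factory=set)
    stages: dict = field(default_factory=dict)


def classify(event):
    """Map one telemetry record to a stage of the wiper chain, or None."""
    kind = event["event"]
    if kind == "vss_shadow_deleted":
        return "vss_destroyed"
    if kind == "service_stop" and event.get("service", "").upper() == "VSS":
        return "vss_destroyed"
    if kind == "raw_device_write" and \
            event.get("target", "").upper().startswith(r"\\.\PHYSICALDRIVE"):
        return "raw_disk_write"
    if kind == "shutdown_initiated":
        return "reboot"
    return None


def correlate(events, min_stages=3):
    """Return processes whose behaviour matches the chain.

    A process is reported when it completed at least ``min_stages`` of
    STAGE_ORDER, both privileges were acquired, and the privilege stage
    came first. Holding SeBackupPrivilege alone, or deleting shadow copies
    alone, is normal for backup software and is not enough.
    """
    traces = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        trace = traces.setdefault(ev["pid"], ProcessTrace(ev["image"]))
        if ev["event"] == "privilege_adjusted":
            trace.privileges.add(ev["privilege"])
            if WIPER_PRIVILEGES <= trace.privileges:
                trace.stages.setdefault("privileges", ev["ts"])
            continue
        stage = classify(ev)
        if stage is not None:
            trace.stages.setdefault(stage, ev["ts"])

    findings = []
    for pid, trace in traces.items():
        seen = [s for s in STAGE_ORDER if s in trace.stages]
        if "privileges" not in trace.stages or len(seen) < min_stages:
            continue
        first_ts = min(trace.stages[s] for s in seen)
        if trace.stages["privileges"] == first_ts:
            findings.append({"pid": pid, "image": trace.image, "stages": seen})
    return findings


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(f"wiper-like chain: pid={hit['pid']} image={hit['image']} "
              f"stages={' -> '.join(hit['stages'])}")
```

The ordering check matters more than any single indicator: raw writes to `\\.\PhysicalDrive` and shadow-copy deletion each have legitimate sources, but a process that acquires both privileges and then does both before initiating a shutdown has little benign explanation, which is why the rule keys on the sequence rather than on any one event.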
The research also found that the threat actors had already compromised the Active Directory (AD) infrastructure of one of the targeted Ukrainian organizations and dropped the wiper via a default Group Policy Object (GPO). They had gathered information on Group Policy settings and identified paths for privilege escalation.
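Delivery through a default GPO leaves a trail in the directory itself: the GPO container object is modified, and a client-side extension that can run something on members has to be registered on it. The following is an added illustration, not code from Attivo Networks or ESET, of reviewing such changes. It walks constructed records shaped like Windows Security event 5136 ("A directory service object was modified") and flags edits to the two default GPOs, edits that attach an execution-capable client-side extension (CSE), and edits made by accounts outside an approved list. The default GPO GUIDs and the two CSE GUIDs are the well-known Windows values; the event records, field names, the third GPO's GUID and the account names are constructed for the demo.

```python
"""Reviewing directory changes to Group Policy Objects.

Added illustration, not code from Attivo Networks or ESET. The records
below are constructed in the shape of Windows Security event 5136; field
names are a simplification, not the exact event schema.
"""
import re

# GUIDs of the GPOs every domain is created with (well-known values).
DEFAULT_GPO_GUIDS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "Default Domain Policy",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "Default Domain Controllers Policy",
}

# CSEs that make a GPO run something on the client: scheduled/immediate
# tasks and startup/shutdown scripts (well-known CSE GUIDs).
EXECUTION_CSE_GUIDS = {
    "{AADCED64-746C-4633-A97C-D61349046527}": "Scheduled Tasks",
    "{42B5FAAE-6536-11D2-AE5A-0000F87571E3}": "Scripts (Startup/Shutdown)",
}

# Accounts expected to edit GPOs (constructed for the demo).
APPROVED_GPO_ADMINS = {"CORP\\gpo-admin", "CORP\\it-ops"}

# GPO containers live under CN=Policies,CN=System and are named by GUID.
GPO_DN_RE = re.compile(r"^CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.IGNORECASE)

# Constructed 5136-style records: a routine versionNumber bump by an admin,
# an unapproved service account attaching the Scheduled Tasks CSE to the
# Default Domain Policy, an admin adding the Scripts CSE to an ordinary GPO,
# and an unrelated user-object edit.
SAMPLE_5136_EVENTS = [
    {"ts": "2022-02-23T09:12:00Z", "subject": "CORP\\gpo-admin",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "versionNumber", "value": "57"},
    {"ts": "2022-02-23T11:40:31Z", "subject": "CORP\\svc-print",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCMachineExtensionNames",
     "value": "[{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]"},
    {"ts": "2022-02-23T12:05:10Z", "subject": "CORP\\it-ops",
     "object_class": "groupPolicyContainer",
     "object_dn": "CN={0F1E2D3C-4B5A-4697-8877-665544332211},CN=Policies,CN=System,DC=corp,DC=example",
     "attribute": "gPCMachineExtensionNames",
     "value": "[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]"},
    {"ts": "2022-02-23T12:06:00Z", "subject": "CORP\\it-ops",
     "object_class": "user",
     "object_dn": "CN=jdoe,OU=Staff,DC=corp,DC=example",
     "attribute": "description", "value": "Desk 4"},
]


def review_gpo_changes(events, approved_subjects):
    """Return one finding per GPO-container modification, with reasons and severity."""
    findings = []
    for ev in events:
        if ev.get("object_class") != "groupPolicyContainer":
            continue
        match = GPO_DN_RE.match(ev["object_dn"])
        if not match:
            continue
        guid = match.group(1).upper()
        reasons = []
        if guid in DEFAULT_GPO_GUIDS:
            reasons.append("default_gpo_modified")
        if ev["attribute"].lower() == "gpcmachineextensionnames":
            for cse_guid, name in EXECUTION_CSE_GUIDS.items():
                if cse_guid in ev["value"].upper():
                    reasons.append(f"execution_cse_added:{name}")
        if ev["subject"] not in approved_subjects:
            reasons.append("unapproved_subject")
        # A default GPO edited for any additional suspicious reason is the
        # worst case; any single reason on its own still deserves a look.
        if "default_gpo_modified" in reasons and len(reasons) > 1:
            severity = "critical"
        elif reasons:
            severity = "high"
        else:
            severity = "info"
        findings.append({"ts": ev["ts"], "subject": ev["subject"],
                         "gpo": DEFAULT_GPO_GUIDS.get(guid, guid),
                         "attribute": ev["attribute"],
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in review_gpo_changes(SAMPLE_5136_EVENTS, APPROVED_GPO_ADMINS):
        print(f"{f['severity']:8} {f['ts']} {f['subject']} -> {f['gpo']} "
              f"[{f['attribute']}] {', '.join(f['reasons']) or 'routine'}")
```

Producing 5136 events requires an auditing policy for Directory Service Changes and a SACL on the Policies container; without both, the only trace of a GPO edit is the versionNumber change visible in replication metadata, which is why an assessment of the current AD audit configuration usually precedes any rule like this one.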
How Can Attivo Networks Solution Help?
Attivo Networks solutions offer advanced protection for Active Directory, identifying specific domain, computer, and user-level risks and detecting live attacks. The ADSecure solution prevents Active Directory compromise by concealing objects in AD and stopping attacks that target them. The ADAssessor solution helps identify vulnerabilities in Active Directory Group Policy Preferences and permissions that allow threat actors to perform privilege escalation. Additionally, the solution can deploy deceptive SYSVOL Group Policy Objects in the production AD infrastructure. The solution detects and raises high-fidelity alerts when an attacker collects GPO information to determine a potential attack path.
The EDN capabilities detect Indicators of Compromise (IoCs) such as file deletion and shadow volume deletion, and prevent the malware from deleting backup files created by the Windows Volume Shadow Copy Service (VSS).
Additionally, Attivo Networks provides simple and flexible deployment solutions to identify threats and remediate them quickly. For more information, please visit https://www.attivonetworks.com/solutions/threat-detection/active-directory-protection/.
Sign up for free trial offers on Active Directory security assessments and continuous visibility to AD vulnerabilities.
In the current situation of the Ukraine crisis, it is crucial to understand how cyber security can play a more significant role in safeguarding digital information against malicious or accidental threats. Organizations must implement a defense-in-depth strategy and deploy cyber security solutions across several barriers to prevent malicious activity.