DDoS attack on Ukrainian government sites, and new malware found deleting data on hundreds of Ukrainian machines
ESET Research Labs, HermeticWiper: New data-wiping malware hits Ukraine | WeLiveSecurity
https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/
Ukraine: Disk-wiping Attacks Precede Russian Invasion
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
Ukrainian gov't sites disrupted by DDoS, wiper malware discovered | ZDNet
https://www.zdnet.com/article/ukrainian-govt-sites-banks-disrupted-by-ddos-amid-invasion-fears/
HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine | SentinelOne
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
New data-wiping malware used in destructive attacks on Ukraine
https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/
On February 24, 2022 local time, the Ukrainian Special Communications and Information Protection Agency announced that the country's government websites and banks were under heavy DDoS attacks.
NetBlocks, an organization that monitors cybersecurity and internet governance, said: 'Websites of the Ukrainian Ministry of Foreign Affairs, Defense, Interior, Security Bureau and Ministerial Conference have just been affected by a network disruption. This event has just been seen on Ukrainian government sites. It seems to be consistent with the DDoS attack in Ukraine', and it has been confirmed that many websites have been shut down by the DDoS attack.
⚠️ Confirmed: #Ukraine's Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, the Security Service of Ukraine and Cabinet of Ministers websites have just been impacted by network disruptions; the incident appears consistent with recent DDOS attacks pic.twitter.com/EVyy7mzZRr
— NetBlocks (@netblocks) February 23, 2022
Cloudflare, which also provides Internet security services, said of the DDoS attacks detected in Ukraine: 'This week we have detected more DDoS attacks than last week, but the activity period is less than a month. Still, attacks on individual Ukrainian websites have been devastating. So far, it's a modest attack compared to the large-scale DDoS attacks we've dealt with in the past.'
A week earlier, a separate DDoS attack targeting Ukrainian websites had been detected. Regarding that attack, the United Kingdom's Foreign, Commonwealth and Development Ministry pointed out that 'GRU, the intelligence agency of the Russian government, is involved in the attack.'
After the Special Communications and Information Protection Agency reported the new DDoS attack, ESET Research Labs reported that it had detected a new data-wiping malware, 'Hermetic Wiper', in use in Ukraine. According to ESET Research Labs, Hermetic Wiper has already been installed on hundreds of machines in Ukraine, and it describes the wiper as 'a cyberattack following the DDoS attacks detected on websites related to the Ukrainian government.'
Breaking. #ESETResearch discovered a new data wiper malware used in Ukraine today. ESET telemetry shows that it was installed on hundreds of machines in the country. This follows the DDoS attacks against several Ukrainian websites earlier today 1 / n
— ESET research (@ESETresearch) February 23, 2022
The first attack was observed at 16:52 local time. The compile-time timestamp of one of the samples is December 28, 2021, which suggests that the attack using Hermetic Wiper may have been in preparation for about two months.
Hermetic Wiper appears to be signed with a code signing certificate issued to a company called Hermetica Digital.
The Wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd 3 / n pic.twitter.com/sGCl3Lbqc1
— ESET research (@ESETresearch) February 23, 2022
Hermetic Wiper abuses a legitimate driver used by the EaseUS Partition Master software to corrupt data on the infected device, and as a final step the malware reboots the infected machine.
The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step the wiper reboots the computer 4 / n pic.twitter.com/JsAT11S8lK
— ESET research (@ESETresearch) February 23, 2022
One of the targeted organizations has revealed that Hermetic Wiper was dropped via the default (domain policy) GPO. 'This means that the attacker had likely taken control of Active Directory,' explains ESET Research Labs.
In one of the targeted organizations, the wiper was dropped via the default (domain policy) GPO meaning that attackers had likely taken control of the Active Directory server. 5 / n
— ESET research (@ESETresearch) February 23, 2022
The Hermetic Wiper attack began around 16:00 local time, when the Ukrainian Parliament began discussing a state of emergency.
In addition, Ukrainian journalists have found that the country's parliamentary chairman, Ruslan Stefanchuk, and his family have been repeatedly targeted by cyberattacks. According to another reporter, the cyberattacks in Ukraine include attempts to break into targeted email accounts and to block access to bank accounts.
Separately, Avast Threat Labs, the research arm of the cybersecurity company Avast, reported new Go-language-based ransomware circulating in Ukraine, in addition to the Hermetic Wiper detected by ESET.
On top of the #HermeticWiper ( https://t.co/tTqE4HNgua ) there is also a new golang -based ransomware roaming in #Ukraine waters.
— Avast Threat Labs (@AvastThreatLabs) February 24, 2022