DDoS attacks on Ukrainian government sites, and new malware found wiping data on hundreds of Ukrainian machines

ESET Research Labs, the research division of security software vendor ESET, has revealed that government sites in Ukraine, which is under invasion by Russian troops, are being attacked with malware.

HermeticWiper: New data-wiping malware hits Ukraine | WeLiveSecurity
https://www.welivesecurity.com/2022/02/24/hermeticwiper-new-data-wiping-malware-hits-ukraine/

Ukraine: Disk-wiping Attacks Precede Russian Invasion
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia

Ukrainian gov't sites disrupted by DDoS, wiper malware discovered | ZDNet
https://www.zdnet.com/article/ukrainian-govt-sites-banks-disrupted-by-ddos-amid-invasion-fears/

HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine | SentinelOne
https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/

New data-wiping malware used in destructive attacks on Ukraine
https://www.bleepingcomputer.com/news/security/new-data-wiping-malware-used-in-destructive-attacks-on-ukraine/

On February 24, 2022 local time, Ukraine's State Service of Special Communications and Information Protection announced that the country's government websites and banks were under heavy DDoS attacks.

NetBlocks, which monitors cybersecurity and internet governance, said: 'Websites of the Ukrainian Ministry of Foreign Affairs, Ministry of Defense, Ministry of Internal Affairs, Security Service and Cabinet of Ministers have just been affected by a network disruption. The incident, which hit Ukrainian government sites, appears consistent with the DDoS attacks in Ukraine.' It has been confirmed that many websites were taken offline by the DDoS attack.

Cloudflare, which also provides Internet security services, said of the DDoS attacks detected in Ukraine: 'This week we have detected more DDoS attacks than last week, though the period of activity has been less than a month. Still, attacks on individual Ukrainian websites have been devastating. So far, these are modest attacks compared with the large-scale DDoS attacks we have dealt with in the past.'

A week before these DDoS attacks were detected, another DDoS attack targeting Ukrainian websites had been detected. Regarding that attack, the United Kingdom's Foreign, Commonwealth and Development Office pointed out that 'the GRU, the Russian government's intelligence agency, is involved in the attack.'

After the State Service of Special Communications and Information Protection reported the new DDoS attacks, ESET Research Labs reported that it had detected new data-wiping malware, 'HermeticWiper', being used in Ukraine. According to ESET Research Labs, HermeticWiper has already infected hundreds of machines in Ukraine, and ESET describes it as 'a cyberattack following the DDoS attacks detected on websites related to the Ukrainian government.'

The first attack was observed at 16:52 local time. The compile-time timestamp of one of the samples is 'December 28, 2021', which suggests that the attack using HermeticWiper may have been in preparation for about two months.
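The 'compile-time timestamp' referred to above is the TimeDateStamp field of the PE/COFF file header, which analysts read to estimate how long before first sighting a sample was built. The following is an added example, not code from the page or from ESET: it constructs a stub PE header (constructed test data, not a real HermeticWiper sample), reads the timestamp back, and computes the lead time against an assumed first-sighting time of 16:52 Kyiv time (UTC+2) on an assumed date of February 23, 2022. The timestamp can be set to anything by the author of the binary, so a result is a triage hint rather than proof; a negative lead time is the usual sign of a forged stamp.

```python
import struct
from datetime import datetime, timezone

# Offsets from the PE/COFF specification: e_lfanew lives at 0x3C in the DOS
# header; the COFF TimeDateStamp sits 8 bytes past the "PE\0\0" signature.
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\0\0"
TIMESTAMP_OFFSET_FROM_SIGNATURE = 8


def build_stub_pe(timestamp: int) -> bytes:
    """Build a minimal PE-shaped byte string for demonstration.

    Constructed test data, not a real sample: only the DOS header, the PE
    signature and the 20-byte COFF file header are present.
    """
    e_lfanew = 0x40
    dos_header = bytearray(e_lfanew)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, E_LFANEW_OFFSET, e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0xF0, 0x0022)
    return bytes(dos_header) + PE_SIGNATURE + coff_header


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + TIMESTAMP_OFFSET_FROM_SIGNATURE)
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def preparation_days(compile_time: datetime, first_seen: datetime) -> int:
    """Whole days between the compile timestamp and the first observation.

    A negative value (compiled 'after' it was first seen) is a strong sign the
    timestamp was forged; any value is a triage hint, not proof.
    """
    return (first_seen - compile_time).days


# Constructed sample: a stub whose TimeDateStamp is 2021-12-28T00:00:00Z.
STUB_SAMPLE = build_stub_pe(1640649600)
# Assumed first sighting: 16:52 Kyiv time (UTC+2) on 2022-02-23, i.e. 14:52 UTC.
FIRST_SEEN = datetime(2022, 2, 23, 14, 52, tzinfo=timezone.utc)

if __name__ == "__main__":
    compiled = pe_compile_time(STUB_SAMPLE)
    print(f"compile timestamp: {compiled.isoformat()}")
    print(f"days between compile and first sighting: {preparation_days(compiled, FIRST_SEEN)}")
```

Run against a real file by passing its bytes to pe_compile_time(); for 64-bit images the Machine value 0x8664 used in the stub is the only thing the parser does not check, since the timestamp offset is the same for every PE.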

HermeticWiper appears to be signed with a code-signing certificate issued in the name of a company called Hermetica Digital.

HermeticWiper abuses a legitimate driver belonging to the EaseUS Partition Master software to corrupt the data on the infected device; as a final step, the malware reboots the infected device.

One of the targeted organizations has revealed that HermeticWiper was deployed through the default GPO (Group Policy Object). 'This means the attackers likely had control of Active Directory,' explains ESET Research Labs.

The HermeticWiper attack began around 16:00 local time, when the Ukrainian Parliament began debating a state of emergency.

Ukrainian journalists have also found that the chairman of the country's parliament, Ruslan Stefanchuk, and his family have been repeatedly targeted by cyberattacks. According to another reporter, the cyberattacks on Ukraine are attempting to break into targeted email accounts and to block access to bank accounts.

In addition, Avast Threat Labs, the research arm of another cybersecurity company, Avast, points to new Go-based ransomware in Ukraine, alongside the HermeticWiper detected by ESET.

in Software, Security, Posted by logu_ii