VMware is closely monitoring the evolving situation in Ukraine, and in addition to the safety and wellbeing of our employees in the region, we are focused on protecting customer business continuity and mitigating risk from cyber threats. You can view our public statement here.
The VMware Threat Analysis Unit (TAU) is actively monitoring malicious activity associated with the situation in Ukraine and providing customers with the latest intelligence on potential threats. Our VMware Carbon Black customers are urged to tap into the User Exchange for real-time intelligence notifications, such as details on the targeted destructive malware dubbed HermeticWiper, which began executing against Ukrainian targets late last week.
As a founding member of the Joint Cyber Defense Collaborative (JCDC) convened by the U.S. Cyber and Infrastructure Security Agency (CISA), VMware is also actively aligned with a global network of industry and public sector organizations focused on early warning and rapid response efforts to protect critical infrastructure.
Based on observations of cyberattacks already underway in Ukraine, VMware recommends that organizations operate under the assumption that they will be impacted by destructive cyberattacks, either directly or indirectly, and that adversary behavior will be punitive. In particular, we recommend that critical industries and infrastructure, as well as their supply chains, heighten their security posture and prepare for the manifestation of integrity attacks.
CISA’s Shields Up guidance, developed with input from security experts in the JCDC partnership, provides concrete steps organizations can take to make near-term progress on improving their resilience to the most likely threat tactics observed by a broad network of cybersecurity experts. Here are some steps we suggest organizations prioritize immediately:
- Validate that all remote access to the network and privileged or administrative access requires multi-factor authentication.
- Apply software patches immediately to address known exploited vulnerabilities.
- Confirm all ports and protocols that are not essential for business purposes have been disabled.
- Identify and assess any unexpected or unusual network behavior.
- Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack.
- Expand threat hunting to include O365 and Active Directory to assess for behavioral anomalies.
- If using industrial control systems or operational technology, conduct a test of manual controls, processes or other workarounds, to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
- Empower CISOs by including them in the decision-making process for risk to the company.
Regional organizations should also review guidance from CISA’s partner agencies in Australia, Canada, New Zealand, and the UK.
Threat Intelligence on HermeticWiper
On February 24, 2022, we saw one of the largest targeted attacks in history that focused solely on the destruction of critical information and resources. This attack employed the use of a new type of destructive malware that began executing against Ukrainian targets shortly before Russia’s physical military invasion of the country.
The malware used in this attack has been dubbed HermeticWiper because its binaries are signed with a code-signing certificate issued to Hermetica Digital Ltd. The malware abuses legitimate, signed EaseUS Partition Master drivers to gain raw access to the victim's disk, and uses that access to target the Master Boot Record (MBR). The MBR holds the partition data a computer needs in order to boot into an operating system; by targeting it, the malware achieves its goal of destroying the data on disk, which is then difficult and time-consuming to recover. VMware's Global Incident Response Threat Report highlighted a steep 51% increase in the use of destructive malware in targeted attacks.
Initial evidence suggests that these attacks are highly targeted and have been in development for some time, as the original executables were compiled on December 28, 2021. Newer samples dated February 23, 2022, have since emerged, which highlights this adversary's ability to adapt and evolve quickly in pursuit of its goal.
During execution, the attacker first escalates privileges and then targets the Domain Controller. Once the Domain Controller is compromised, the attacker uses Active Directory to move laterally and to deploy and execute the malware on additional systems. The Domain Controller itself is left intact so that it can continue distributing the malware across the victim network.
There have been reported instances of ransomware being deployed alongside the wiper and dropping a ransom note on the system; the ransomware is then used to drop and execute the wiper in the environment. Additional technical analysis of HermeticWiper, including IoCs, can be accessed in the VMware Carbon Black User Exchange.
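As an added detection example (not VMware or TAU code, and not derived from the User Exchange IoCs), the following Python applies three rules to constructed endpoint telemetry that mirrors the behaviours described above: a kernel driver signed by Hermetica Digital Ltd, an EaseUS partition-manager driver loading on a host that has no such product installed, and a raw write into the first sector of a physical disk. Host names, file paths, the exact signer strings and the software inventory set are all assumptions made for this example.

```python
import json
from collections import defaultdict

# Constructed sample telemetry, loosely shaped like EDR driver-load and raw-disk
# write events. It is not real HermeticWiper output; host names, file paths and
# the exact signer strings are assumptions made for this example.
SAMPLE_EVENTS = [
    r'{"host":"ws-01","event":"driver_load","signer":"Microsoft Windows","image":"C:\\Windows\\System32\\drivers\\disk.sys"}',
    r'{"host":"ws-01","event":"driver_load","signer":"Hermetica Digital Ltd","image":"C:\\Windows\\System32\\drivers\\drv_a.sys"}',
    r'{"host":"ws-02","event":"driver_load","signer":"EaseUS","image":"C:\\Windows\\System32\\drivers\\drv_b.sys"}',
    r'{"host":"ws-03","event":"driver_load","signer":"EaseUS","image":"C:\\Windows\\System32\\drivers\\drv_b.sys"}',
    r'{"host":"ws-02","event":"raw_disk_write","process":"C:\\Users\\u\\svc.exe","device":"\\\\.\\PhysicalDrive0","offset":0,"length":512}',
    r'{"host":"ws-03","event":"raw_disk_write","process":"C:\\Program Files\\EaseUS\\epm.exe","device":"\\\\.\\PhysicalDrive0","offset":1048576,"length":4096}',
]

WATCHLISTED_SIGNERS = {"Hermetica Digital Ltd"}  # signer named in the post
PARTITION_TOOL_SIGNERS = {"EaseUS"}  # vendor of the abused partition-manager driver
HOSTS_WITH_PARTITION_TOOL = {"ws-03"}  # assumed inventory: hosts that really run it
MBR_SIZE = 512  # the MBR occupies the first sector of the disk


def detect(lines, tool_hosts=HOSTS_WITH_PARTITION_TOOL):
    """Return (host, rule, detail) alerts for the three behaviours above."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        host, kind = ev["host"], ev["event"]
        if kind == "driver_load":
            if ev["signer"] in WATCHLISTED_SIGNERS:
                alerts.append((host, "watchlisted_signer", ev["image"]))
            elif ev["signer"] in PARTITION_TOOL_SIGNERS and host not in tool_hosts:
                # Legitimate driver, but this host has no reason to load it.
                alerts.append((host, "partition_driver_unexpected_host", ev["image"]))
        elif kind == "raw_disk_write":
            # Any write that overlaps sector 0 of a physical drive touches the MBR.
            if ev["device"].startswith("\\\\.\\PhysicalDrive") and ev["offset"] < MBR_SIZE:
                alerts.append((host, "mbr_overwrite", ev["process"]))
    return alerts


def wiper_pattern_hosts(alerts):
    """Hosts that show both a suspicious driver load and an MBR write."""
    rules = defaultdict(set)
    for host, rule, _ in alerts:
        rules[host].add(rule)
    return {h for h, r in rules.items() if "mbr_overwrite" in r and len(r) > 1}
```

Run against the sample, `detect` raises one alert for each of ws-01 (watchlisted signer) and two for ws-02 (unexpected partition driver plus MBR write), and `wiper_pattern_hosts` narrows the result to ws-02; ws-03, where the tool is inventoried and the write lands well past the MBR, stays quiet.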
Additional Threat Intelligence Resources
- Iron Rain threat research details the motives of APT actors and explores the TTPs of these groups as their operations have evolved over the years. It brings together research and analysis from the VMware Howlers, VMware TAU, and the security industry regarding threat actors such as Turla, Sandworm, APT28, and APT29 – as well as best practices for countering APTs.
- The NCSC, CISA, FBI and NSA have released a joint advisory detailing Linux ELF malware called Cyclops Blink that targets network devices. Our latest VMware TAU threat report details how to fight back against malware targeting Linux-based systems with a combination of approaches, policies, and mechanisms.
- Included in CISA’s list of free cybersecurity services and tools for U.S. critical infrastructure, VMware Carbon Black TAU Excel 4 Macro analysis tool tests endpoint security solutions against Excel 4.0 macro techniques.
- There are reports of ransomware being used as a decoy in recent data-wiping cyberattacks. Review our Defense in Depth resource to help protect, detect, and respond to ransomware attacks.
- VMware Carbon Black customers automatically receive high-fidelity detections from VMware TAU within the VMware Carbon Black Cloud dashboard. There is no interaction needed from customers to receive this shared intelligence. This video demonstrates how to find the latest threat intelligence within the dashboard.