
Shields Up: Prepare for Destructive Cyberattacks

UPDATED March 10, 2022: This blog post was updated to provide the latest information on VMware’s response regarding Ukraine.

How we’re prioritizing security and resiliency for VMware customers

VMware is suspending all business operations in Russia and Belarus. We stand with Ukraine, and we commend the bravery of the Ukrainian people. You can view our public statement here.

VMware maintains a proactive security posture, and we are doing all we can to protect customers in Ukraine from cyberattacks and loss of continuity. For example, we are working with customers and partners in Ukraine — including large financial entities — to help migrate data center applications and workloads out of the country to other European data centers. And we’re providing 90 days of free services to support that effort.

On a global scale, we have deployed our considerable security capabilities to protect VMware customers, partners and products from relevant threats. This critical work includes monitoring the landscape, openly sharing our threat intelligence, and proactive threat hunting.

VMware is also a founding member of the Joint Cyber Defense Collaborative where industry and U.S. government agencies collaborate on early warning and rapid response efforts to protect critical infrastructure. In turn, this collaboration empowers our own security capabilities like Carbon Black and NSX.

The VMware Threat Analysis Unit (TAU) is actively monitoring malicious activity associated with the invasion of Ukraine and providing customers with the latest intelligence on potential threats. Our VMware Carbon Black customers are urged to tap into the User Exchange for real-time intelligence notifications, such as details on targeted destructive malware coined HermeticWiper that began executing against Ukrainian targets late last week.

Based on observations of cyberattacks already underway in Ukraine, VMware recommends that organizations operate under the assumption that they will be impacted by destructive cyberattacks, either directly or indirectly, and that adversary behavior will be punitive. In particular, we recommend that critical industries and infrastructure, as well as their supply chains, heighten their security posture and prepare for the manifestation of integrity attacks.

CISA’s Shields Up guidance, developed with input from security experts in the JCDC partnership, provides concrete steps organizations can take to make near-term progress on improving their resilience to the most likely threat tactics observed by a broad network of cybersecurity experts. Here are some steps we suggest organizations prioritize immediately:

  • Validate that all remote access to the network and privileged or administrative access requires multi-factor authentication.
  • Apply software patches immediately to address known exploited vulnerabilities.
  • Confirm all ports and protocols that are not essential for business purposes have been disabled.
  • Identify and assess any unexpected or unusual network behavior.
  • Test backup procedures to ensure that critical data can be rapidly restored if the organization is impacted by ransomware or a destructive cyberattack.
  • Expand threat hunting to include O365 and Active Directory to assess for behavioral anomalies.
  • If using industrial control systems or operational technology, conduct a test of manual controls, processes or other workarounds, to ensure that critical functions remain operable if the organization’s network is unavailable or untrusted.
  • Empower CISOs by including them in the decision-making process for risk to the company.

Regional organizations should also review guidance from CISA’s partner agencies in Australia, Canada, New Zealand, and the UK.

Threat Intelligence on HermeticWiper

On February 24, 2022, we saw one of the largest targeted attacks in history that focused solely on the destruction of critical information and resources. This attack employed a new type of destructive malware that began executing against Ukrainian targets shortly before Russia’s physical military invasion of the country.

The malware used in this attack has been coined HermeticWiper, as the binaries are signed using a certificate issued to Hermetica Digital Ltd. The malware leverages legitimate EaseUS Partition Master drivers to gain raw access to the victim computer’s disk, and uses that access to overwrite the Master Boot Record (MBR). The MBR holds the partition data a computer needs to boot into an operating system. By targeting the MBR, the malware achieves its intended goal of destroying the data on disk, which is then difficult and time-consuming to recover. VMware’s Global Incident Response Threat Report highlighted the steep 51% increase in the use of destructive malware in targeted attacks.
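As an added defensive example (not VMware or TAU code), the following Python parses a disk's first sector and flags the kind of damage described above: a missing 0x55AA boot signature or an emptied partition table, compared against a baseline recorded while the system was healthy. The intact sample sector and the zeroed "wiped" sector are both constructed inline.

```python
"""Forensic check of a 512-byte MBR against a recorded baseline (added example)."""
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
ENTRY_FMT = "<B3xB3xII"              # boot flag, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return the boot signature state, a hash of the boot code and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):                                    # four 16-byte entries start at offset 446
        boot_flag, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype != 0:                                    # type 0 means the slot is unused
            partitions.append({"index": i, "bootable": boot_flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == MBR_SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}


def assess_mbr(sector: bytes, baseline: Optional[dict] = None) -> list:
    """Return human-readable findings; an empty list means the MBR looks intact."""
    parsed = parse_mbr(sector)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if not parsed["partitions"]:
        findings.append("partition table is empty")
    if baseline is not None:
        if parsed["boot_code_sha256"] != baseline["boot_code_sha256"]:
            findings.append("boot code differs from baseline")
        if parsed["partitions"] != baseline["partitions"]:
            findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy sector: one bootable NTFS (0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"     # constructed stand-in for boot code
    struct.pack_into(ENTRY_FMT, sector, 446, 0x80, 0x07, 2048, 409600)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = parse_mbr(healthy)                         # what a pre-incident baseline would store
    print("healthy:", assess_mbr(healthy, baseline))
    print("wiped:  ", assess_mbr(b"\x00" * SECTOR_SIZE, baseline))  # constructed zeroed sector
```

In practice the sector would be read from a disk image captured during response, and the baseline stored before an incident; a wiped sector produces all four findings at once.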

Initial evidence suggests that these attacks are highly targeted and have been in development for some time, as the original executables were compiled on December 28, 2021. Newer samples from February 23, 2022, have recently emerged, highlighting this adversary’s ability to adapt and evolve quickly to execute their goal.

During execution, the attacker first escalates privileges and then targets the Domain Controller. Once access to the Domain Controller is achieved, the attacker uses Active Directory to move laterally and to deploy and execute the malware on additional systems. The Domain Controller itself is left intact to allow for widespread malware distribution within the victim network.

There have been reported instances of ransomware being deployed concurrently with the wiper, dropping a ransom note on the system. The ransomware is then utilized to drop and execute the wiper in the environment. Additional technical analysis on HermeticWiper, including IoCs, can be accessed in the VMware Carbon Black User Exchange.

Additional Threat Intelligence Resources

  • Iron Rain threat research details the motives of APT actors and explores the TTPs of these groups as their operations have evolved over the years. It brings together research and analysis from the VMware Howlers, VMware TAU, and the security industry regarding threat actors such as Turla, Sandworm, APT28, and APT29 – as well as best practices for countering APTs.
  • The NCSC, CISA, FBI and NSA have released a joint advisory detailing malicious Linux ELF malware called Cyclops Blink targeting network devices. Our latest VMware TAU threat report details how to fight back against malware targeting Linux-based systems with a combination of approaches, policies, and mechanisms.
  • Included in CISA’s list of free cybersecurity services and tools for U.S. critical infrastructure, VMware Carbon Black TAU Excel 4 Macro analysis tool tests endpoint security solutions against Excel 4.0 macro techniques.
  • There are reports of ransomware being used as a decoy in recent data-wiping cyberattacks. Review our Defense in Depth resource to help protect, detect, and respond to ransomware attacks.
  • VMware Carbon Black customers automatically receive high-fidelity detections from VMware TAU within the VMware Carbon Black Cloud dashboard. There is no interaction needed from customers to receive this shared intelligence. This video demonstrates how to find the latest threat intelligence within the dashboard.