Lucene search

K
hiveproHive ProHIVEPRO:117C06FAB305E3556D7D341CD4305EA7
HistoryJan 17, 2022 - 2:38 p.m.

Ukraine government entities targeted by a destructive malware “Whispergate”

2022-01-1714:38:43
Hive Pro
www.hivepro.com
11

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. A malware attack was carried out on Ukraine government, non-profit, and IT entities with a wiper disguised as ransomware. The threat actor, DEV-0586 targeted government bodies that provide critical executive branch or emergency response functions. The attack using the malware “Whispergate” was preformed in two stages: Stage 1: The malware overwrites the Master Boot Record to display a faked ransom note that requests the payment of a $10,000 ransomware in bitcoin. Stage 2: Stage2.exe is a downloader for second stage malware that corrupts files and is hosted on a Discord channel. After that, the corrupter virus searches for files with hundreds of various extensions, overwrites their contents with a predetermined quantity of 0xCC bytes, and renames each file with an apparently random four-byte extension. This attack is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom. Previously on 13th of January an attack by UNC1151 targeted at least 15 websites belonging to various Ukrainian public institutions were compromised, defaced, and subsequently taken offline. The attackers carried out a supply chain attack by using the vulnerability CVE-2021-32648 in October CMS which is a free content management system. Exploiting this vulnerability, the hackers could send a password reset request for an account in this system and then gain access to it. The attacks are not linked currently but there is a huge possibility that they are carried simultaneously. To mitigate the risk organizations are advised to update October CMS to the latest version and also to monitor the hashes in their system. Actor Details Vulnerability Details Indicators of Compromise (IoCs) Patch Link https://github.com/octobercms/october/security/advisories/GHSA-mxr5-mc97-63rc References https://cert.gov.ua/article/17899 https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ https://securityaffairs.co/wordpress/126782/apt/destructive-malware-campaign-targets-ukraine.html?utm_source=rss&utm_medium=rss&utm_campaign=destructive-malware-campaign-targets-ukraine https://ain.ua/en/2022/01/14/hackers-attack-some-ukrainian-government-websites/

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

6.4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:P/A:N

Related for HIVEPRO:117C06FAB305E3556D7D341CD4305EA7