Second data-wiping malware found in Ukraine, says ESET

While Apple halts all sales in Russia, Visa and Mastercard block banks

The disk-wiping malware that tore through at least hundreds of Ukrainian Windows systems at the start of Russia's occupation wasn't alone. Slovakian infosec firm ESET has found a second similar strain in Ukraine.

"Malware artefacts suggest that the attacks had been planned for several months," said the biz. Last week, as the Russian armed forces invaded Ukraine, ESET published details of one wiper – malware that destroys data on whatever computer or device it has infected.

Threat research chief Jean-Ian Boutin added in a statement today that ESET had uncovered a similar Windows software nasty it nicknamed IsaacWiper, first observed on the day of the Russian invasion, February 24.

The initial strain, code-named HermeticWiper by ESET, has a Portable Executable (PE) compilation date of December 28, 2021 – which aligns with Russia preparing the cyber part of its attack on Ukraine months in advance. This also gels with military mobilizations from late last year, including the transit of Russian amphibious assault ships from northern Russia into the Black Sea via north-west Europe.

"With regard to IsaacWiper, we are currently assessing its links, if any, with HermeticWiper," continued ESET. "It is important to note that it was seen in a Ukrainian governmental organization that was not affected by HermeticWiper."

The firm added that IsaacWiper's PE compilation timestamp of October 19, 2021 suggested it might have been used in other attacks before Russia's Ukraine invasion. While IsaacWiper is not code-signed, HermeticWiper was signed with a certificate in the name of a Cypriot company, Hermetica Digital, apparently fraudulently obtained from DigiCert.
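The December 28 and October 19 dates above are the COFF TimeDateStamp field in each binary's PE header. As an added triage example (not ESET's code), this Python reads that field from a PE image and works out how far ahead of first sighting the build date sits; the PE-like blob it parses is constructed inline and inert, and since the field is linker-written and trivially editable it is a hint about planning, not proof.

```python
import struct
from datetime import datetime, timezone

DAY = 86400

def utc_stamp(year: int, month: int, day: int) -> int:
    """Epoch seconds for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime.

    Layout: DOS header (e_lfanew at offset 0x3C) -> "PE\\0\\0" signature ->
    20-byte COFF file header whose TimeDateStamp is at signature + 8.
    The value is written by the linker and easily altered, so treat it as a
    triage hint rather than proof of when the binary was built.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def lead_time_days(data: bytes, first_seen_stamp: int) -> int:
    """Whole days between the embedded build time and the first sighting."""
    compiled = int(pe_compile_time(data).timestamp())
    return (first_seen_stamp - compiled) // DAY

def build_stub_pe(stamp: int) -> bytes:
    """Constructed, inert PE-like blob carrying the given TimeDateStamp (test input only)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, stamp, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    sample = build_stub_pe(utc_stamp(2021, 12, 28))  # HermeticWiper's reported build date
    print(pe_compile_time(sample).isoformat())
    print(lead_time_days(sample, utc_stamp(2022, 2, 24)), "days before first sighting")
```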

A different breed

Once deployed, HermeticWiper allows its operators to move laterally through a target's network before overwriting the whole of a host disk. ESET said it had seen a Windows Active Directory server compromised and a custom worm used to spread the wiper from there.

IsaacWiper, in contrast, appears to use RemCom, a "remote shell/telnet replacement" utility, and SecureAuth's Impacket Python tools, as published on GitHub.

"ESET Research has not yet attributed these attacks to a known threat actor due to the lack of any significant code similarity with other samples in the ESET malware collection," concluded the security shop.

Reports are reaching channels in the West about Russian and Belarusian cyber attacks on Ukraine, but they are of a much lower volume than many had expected. Some have speculated that this may change as Russia's war continues to go badly.

Rumors in the media hint that significant numbers of Russian soldiers are deserting and abandoning their vehicles, and that the Ukrainian Air Force – contrary to all expectations – is still able to fly and fight. The resistance from the Ukrainian population also appears to be proving surprisingly effective in the face of a nominal superpower.

However, if President Putin changes his mind from waging a war of occupation against Ukraine to a war of destruction, we may no longer be reading about wiper malware samples. Instead we may see widespread blackouts, outages, or the complete devastation of Ukrainian cities. ®

Speaking of the invasion... Amid fresh sanctions against Russia, Apple has stopped all sales of its products in the nation. The iGiant added in a statement: "Apple Pay and other services have been limited. RT News and Sputnik News are no longer available for download from the App Store outside Russia. And we have disabled both traffic and live incidents in Apple Maps in Ukraine as a safety and precautionary measure for Ukrainian citizens."

Meanwhile, Visa and Mastercard, which handle the vast majority of debit and credit card payments outside of China, have blocked various Russian banks from using their networks, as a result of US sanctions.
