{"id":7431,"date":"2022-03-16T15:45:45","date_gmt":"2022-03-16T22:45:45","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7431"},"modified":"2023-04-05T12:34:58","modified_gmt":"2023-04-05T19:34:58","slug":"cyberwar-bulletin-2-are-you-ready-for-this-cyberwar","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/cyberwar-bulletin-2-are-you-ready-for-this-cyberwar\/","title":{"rendered":"Cyberwar Bulletin 2: Are you ready for this cyberwar?"},"content":{"rendered":"

As the conflict in Ukraine continues, cyberwar<\/a> continues to be a critical part of the narrative on a global scale.\u00a0<\/strong><\/p>\n

 <\/p>\n

The necessity for organizations to understand their own attack surface more intimately has emerged as absolutely essential in order for organizations to remain vigilant in protecting business operations.<\/p>\n

 <\/p>\n

Cyber Security Works is committed to sharing the intelligence and the insights around the trends, patterns and signals that are meaningful to understand for any security practitioner today. This comes from vulnerability assessments and scans that CSW executes in order to identify areas where vulnerabilities emerge from malware and ransomware strains that might be immediately evident with other scans of data sets.<\/p>\n

In this bulletin, we share with you our research on the current threats posed by malware and ransomware spawning out of the conflict in Ukraine. It also poses a very important question to organizations in Europe, the UK, and the US:<\/p>\n

 <\/p>\n

\n

How prepared are you to tackle the threat posed by unidentified, undetected and yet-to-be-exploited Ransomware threats or dangerous malware such as WhisperGate?<\/p>\n<\/blockquote>\n

 <\/p>\n

This blog\u00a0leverages our vulnerability research expertise\u00a0as we delve deep into ransomware and malware threats that have become noticeably more present and active in this cyberwar.<\/p>\n

 <\/p>\n

Note:<\/strong> This is a developing story. CSW experts will continue their research and publish their analysis as and when new threat groups emerge.<\/em><\/p>\n

\"\"<\/p>\n

Conti Ransomware<\/h2>\n

One of the most disastrous ransomware groups in recent times, the Conti ransomware<\/a> has not missed out on any opportunity to capitalize on high-profile cyber events and vulnerable weaknesses. While this was one of the first mature ransomware groups to act on the Apache Log4j vulnerability, the Conti group has marked its presence in this cyber war by initially declaring its support to Russia, which it later retracted. (Probably because Ukrainian researchers got back at the group by leaking their internal chats and source code, putting them in a tight spot.)<\/p>\n

 <\/p>\n

The Conti group is associated with the Russian threat actor Wizard Spider and has of late been on a weaponry acquisition spree, adding the most dangerous vulnerabilities like ProxyShell, ProxyLogon, Log4j, alongside trickbot malware, SEO poisoning methods, and a revived emotet botnet.<\/p>\n

 <\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0Conti<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a017<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a03+<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical \u00a0 \u00a0 – \u00a0 7<\/p>\n

\u00a0High \u00a0 \u00a0 \u00a0 \u00a0 – \u00a0 9<\/p>\n

\u00a0Medium\u00a0 \u00a0 – \u00a0 1<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2021-34527, CVE-2017-0144, CVE-2020-1472,<\/p>\n

\u00a0CVE-2017-0143, CVE-2017-0148, CVE-2020-0796,<\/p>\n

\u00a0CVE-2021-44228, CVE-2017-0145, CVE-2017-0146,<\/p>\n

\u00a0CVE-2017-0147, CVE-2018-13374,\u00a0CVE-2018-13379,<\/p>\n

\u00a0CVE-2021-1675, CVE-2021-31207, CVE-2021-34473,<\/p>\n

\u00a0CVE-2021-34523<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/p>\n

<\/h2>\n

LockBit Ransomware<\/h2>\n

The LockBit ransomware group, while not as ravenous as Conti or Revil, has silently climbed up the ranks to be one of the top ransomware contenders in 2021. With a revamped 2.0 version with a new information-stealing trojan, LockBit <\/a>was responsible for many attacks on Accenture, Bangkok airways, IT companies, and the industrial sector.<\/p>\n

 <\/p>\n

LockBit is known for its double extortion technique, encrypting victims\u2019 data while also threatening to leak or sell them. They exploit public-facing applications, external remote services, valid accounts and use phishing as a means to gain initial access into vulnerable networks.<\/p>\n

 <\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0Lockbit<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a02<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a02<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical \u00a0 \u00a0 –\u00a0 2<\/p>\n

\u00a0High \u00a0 \u00a0 \u00a0 \u00a0 –\u00a0 0<\/p>\n

\u00a0Medium\u00a0 \u00a0 –\u00a0 0<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2021-22986, CVE-2018-13379<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/p>\n

WhisperGate<\/h2>\n

WhisperGate is a new malicious malware that was unleashed in January 2022 to target Ukraine\u2019s organizations. The malware is capable of wiping files, corrupting disks, and can prevent the operating system from loading. It was also responsible for defacing several websites associated with the Ukrainian government.<\/p>\n

 <\/p>\n

On February 14, 2021, a massive DDoS attack wreaked havoc across Ukraine, crashing major government websites. Although the impact was minimal, the ramifications were not. The Armed Forces of Ukraine, the Ministry of Defense, Oschadbank (the State Savings Bank), and Privatbank, the country’s largest commercial bank with approximately 20 million clients, were all targeted.<\/p>\n

 <\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0WhisperGate<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a013<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a08+<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical \u00a0 \u00a0 –\u00a0 \u00a0 3<\/p>\n

\u00a0High \u00a0 \u00a0 \u00a0 \u00a0 –\u00a0 \u00a0 3<\/p>\n

\u00a0Medium\u00a0 \u00a0 –\u00a0 \u00a0 6<\/p>\n

\u00a0Note: 1 CVE does not have a CVSS score<\/span><\/em><\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2021-44228, CVE-2021-32648, CVE-2022-0215<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/p>\n

 <\/p>\n

HermeticWiper<\/h2>\n

The HermeticWiper, believed to be the same as the brand new Foxblade malware<\/a>, has now been identified as responsible for a round of calamitous cyberattacks against Ukraine\u2019s digital landscape, hours before the missile strike began on March 02, 2021. This malware is capable of causing Distributed Denial-of-Service (DDoS) attacks unknown to users, to the extent of rendering victims\u2019 systems useless.<\/p>\n

 <\/p>\n

The data wiper malware, as it is popularly addressed, does not need any network communication controls, thus making it difficult to detect, unless downloaded. This sophisticated malware strain targets drivers of disk management software and the word is that hundreds of computers in Ukraine have fallen victim to the strain. The latest is that the malware contains three components – HermeticWiper for data corruption, Hermetic Wizard for penetration, and Hermetic Ransom, a ransomware module that is believed to be a deception tactic. A decryptor<\/a> is now available for Hermetic ransomware.<\/p>\n

 <\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0Hermetic Wiper<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a06<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a02<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical \u00a0 \u00a0 – \u00a0 3<\/p>\n

\u00a0High \u00a0 \u00a0 \u00a0 \u00a0 – \u00a0 3<\/p>\n

\u00a0Medium\u00a0 \u00a0 – \u00a0 0<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2021-26855, CVE-2021-34523, CVE-2021-34473,<\/p>\n

\u00a0CVE-2021-31207, CVE-2021-1636, CVE-2022-23181<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/p>\n

<\/h2>\n

IsaacWiper<\/h2>\n

IsaacWiper is the latest addition to the list of threats against Ukraine, and the second data wiper malware after Hermetic Wiper. The wiper was found waging attacks against a government network on March 03, 2021, and is believed to be part of a completely different campaign from its Hermetic counterpart.<\/p>\n

 <\/p>\n

A prominent component of the IsaacWiper<\/a> is the enumeration of all physical and logical drives before the file clean operation. This could be an indication that attackers are looking to understand some unpredicted behavior from previously targeted machines, researchers hint.<\/p>\n

 <\/p>\n\n\n\n<\/colgroup>\n\n\n\n\n\n\n\n
\n

\u00a0Isaac Wiper<\/p>\n<\/th>\n<\/tr>\n<\/thead>\n

\n

\u00a0Vulnerabilities Associated<\/p>\n<\/td>\n

\n

\u00a03<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Vendors Affected<\/p>\n<\/td>\n

\n

\u00a02<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0CVSS Severity<\/p>\n<\/td>\n

\n

\u00a0Critical \u00a0 \u00a0 –\u00a0 1<\/p>\n

\u00a0High \u00a0 \u00a0 \u00a0 \u00a0 –\u00a0 2<\/p>\n

\u00a0Medium\u00a0 \u00a0 –\u00a0 0<\/p>\n<\/td>\n<\/tr>\n

\n

\u00a0Public Exploits Available<\/p>\n<\/td>\n

\n

\u00a0CVE-2020-0688, CVE-2020-17144, CVE-2018-13379<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

\"\"<\/p>\n

 <\/p>\n

Vulnerabilities associated with the Russian Threats<\/h2>\n