Pierluigi Paganini
January 19, 2022
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an “insights” document that warned organizations about “potential critical threats” following the recent cyberattacks aimed at Ukraine.
The document starts from most recent attacks targeting public and private entities in Ukraine, including website defacement and destructive malware-based attacks on local systems that could have severe impact on critical functions.
“The identification of destructive malware is particularly alarming given that similar malware has been deployed in the past—e.g., NotPetya and WannaCry ransomware—to cause significant, widespread damage to critical infrastructure.” reads the insights” document. “This CISA Insights is intended to ensure that senior leaders at every organization in the United States are aware of critical cyber risks and take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise. All organizations, regardless of sector or size, should immediately implement the steps outlined below.”
Microsoft spotted a destructive malware, tracked as WhisperGate, that targeted government, non-profit, and IT entities in Ukraine with a wiper disguised as ransomware.
The attackers were discovered by Microsoft on January 13, the experts attributed the attack to an emerging threat cluster tracked as “DEV-0586.” The experts pointed out that the operation has not overlapped with TTPs associated with past campaigns.
“MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.” reads the post published by the Microsoft Threat Intelligence Center.
“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues.”
However, Reuters in exclusive reported that the attacks were launched by the Belarus-linked APT group tracked as UNC1151 (aka Ghostwriter).
The CISA document provides recommendations to reduce the likelihood of a damaging cyber intrusion and increase the resilience of the infrastructure.
According to Symantec, the WhisperGate wiper may have been employed in attacks against unknown victims since at least October 2021.
THREAD: Latest on #WhisperGate wiper attacks. Thanks to cooperation with the community, we can confirm related samples were being built by actors and possibly deployed to unknown victims as early as October 2021. Other unconfirmed samples may date even earlier. [1/4}
— Threat Intelligence (@threatintel) January 18, 2022
In recent attacks against Ukraine, threat actors compromised Ukrainian government networks through a supply chain attack that involved the third-party software supplier Kitsoft.
“As we noted earlier, the diagnostics showed the scale of the cyberattack, the platforms created by various companies were damaged.The complexity of the cyber attack is confirmed through an analysis using the Microsoft Threat Intelligence Center (MSTIC) that “has identified evidence of a major destructive malware operation targeting multiple organizations in Ukraine. This malware first appeared on systems in Ukraine on January 13, 2022. MSTIC has not found any notable associations between this observed activity, and other known activity groups” — the statement said. Kitsoft’s infrastructure was also damaged during the cyber attack.” reported Kitsoft. “Our specialists have identified this as one of the ways the attack was developed.”
According to Ukrainian cybersecurity agencies, threat actors exploited a vulnerability in the October CMS tracked as CVE-2021-32648, and the log4Shell vulnerability (CVE-2021-32648). Government authorities also reported DDoS attacks against their infrastructure.
The October CMS vulnerability was added by CISA this week to its Known Exploited Vulnerabilities Catalog.
Below are the recommendations provided by CISA in the insights document:
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, CISA)
[adrotate banner=”5″]
[adrotate banner=”13″]
