WhisperGate and HermeticWiper: Critical Public Aware Vulnerabilities
WhisperGate, a new malware, is being used to target organizations in Ukraine and companies with connections to the country.
WhisperGate Malware Is Targeting Ukraine
The Microsoft Threat Intelligence Center (MSTIC) has disclosed that malware known as WhisperGate is being used to target organizations in Ukraine and companies with connections to the country. According to Microsoft, WhisperGate is intended to be destructive and designed to render targeted devices inoperable.
Additionally, several cybersecurity researchers disclosed that malware known as HermeticWiper was being used against organizations in Ukraine. According to SentinelLabs, the malware targets Windows devices only, manipulating the master boot record, which results in subsequent boot failure.
These attacks are not intended to be used to extract a ransom, but to cause the maximum IT outage possible in an organization, by turning all devices into expensive door stops.
The National Cyber Security Centre in the UK are not aware of any current specific threats to UK organizations in relation to events in and around Ukraine, but there has been a historical pattern of cyberattacks on Ukraine with international consequences.
Threat actors have deployed destructive malware, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable.
A joint Cybersecurity Advisory (CSA) between the Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) provided information on WhisperGate and HermeticWiper malware as well as open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware.
This data has been provided to help secure the maximum number of organizations around the world.
The following payloads are used to both infect and launch the WhisperGate attack. These are files which have known file hashes.
Even if the file name has changed, Syxsense can still detect this threat and keep your endpoints secure. The infection comes in 2 parts: first a stage file is copied to the PC, which then launches stage 2, which causes the end result.
|Name||File Category||File Hash|
Any of the following payloads could be used to both infect and launch the HermeticWiper attack. These are files which have known file hashes; even if the file name has changed, Syxsense can still detect this threat.
Similar to WhisperGate, these files are delivered initially as a Trojan, which then downloads and launches the sophisticated attack.
|Name||File Category||File Hash|
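The hash-based detection described for both payload lists above, shown as an added example that is not Syxsense's code and not taken from the advisory: a directory sweep that matches files by content hash regardless of file name. SHA-256, the function names and the harmless sample bytes are assumptions constructed for illustration; the sample also shows that a renamed copy still matches while a copy altered by one byte does not.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path, iocs: dict[str, str]) -> list[tuple[str, str]]:
    """Return sorted (relative path, IOC label) pairs for files whose hash is in iocs."""
    hits = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            label = iocs.get(sha256_of(path))
        except OSError:
            continue  # unreadable or locked file: skip rather than abort the sweep
        if label:
            hits.append((path.relative_to(root).as_posix(), label))
    return sorted(hits)


def demo() -> list[tuple[str, str]]:
    """Constructed sample: harmless bytes stand in for a listed payload."""
    sample = b"CONSTRUCTED-SAMPLE-NOT-MALWARE"
    # Placeholder IOC list (assumption); in practice load the published hashes
    # from the CISA/FBI advisory instead of computing one from sample bytes.
    iocs = {hashlib.sha256(sample).hexdigest(): "sample-stage1 (constructed)"}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "users").mkdir()
        (root / "users" / "invoice.pdf.exe").write_bytes(sample)       # renamed copy
        (root / "users" / "repacked.exe").write_bytes(sample + b"\0")  # one byte appended
        (root / "notes.txt").write_bytes(b"benign")
        return scan_tree(root, iocs)


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"MATCH {rel_path}: {label}")
```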
Increase Your Endpoint Security with Syxsense
You may configure the actions to keep your environment safe, such as simply deleting the file or completely isolating the device from the network; this can stop a widespread attack in its tracks. You decide on the risk you are prepared to take!
The corresponding scripts can be found within the extensive library of security scripts under “WhisperGate” and “HermeticWiper.”