WhisperGate and HermeticWiper & CVE-2021-32648 v1.0.8

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine. On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

Author:
Cortex XSOAR
Support:
xsoar
URL:
https://www.paloaltonetworks.com/cortex
agentixxsiam
Case Management

README

This pack is part of the Rapid Breach Response pack.

On January 14th, 2022, reports began on a malware operation dubbed “WhisperGate” targeting multiple organizations in Ukraine.
CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

  • Collect related known indicators from Malware News blog.
  • Indicators hunting using PAN-OS and SIEM products.
  • Search for possible vulnerable servers using Xpanse.
  • Block indicators automatically or manually.

Mitigations:

  • October CMS security recommendations.
  • Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Microsoft Blog
CVE-2021-32648 NVD
October security recommendation

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

WhisperGate and HermeticWiper & CVE-2021-32648