WhisperGate and HermeticWiper & CVE-2021-32648

- On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine. - On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine. CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. **The playbook includes the following tasks:** - Collect related known indicators from Unit 42, CISA and Malware News blog. - Search for possible vulnerable servers using Xpanse. - Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. - Block indicators automatically or manually. **Mitigations:** * October CMS security recommendations * Deploy YARA detection Rules. More information: [UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict](https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/) [Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement](https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukraine-crisis/) [Microsoft Blog](https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/) [CVE-2021-32648 NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-32648#vulnCurrentDescriptionTitle) Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

WhisperGate and HermeticWiper & CVE-2021-32648 · 50 tasks · 7 inputs · 0 outputs

Inputs

  • PlaybookDescription — The playbook description for Rapid Breach Response layout.
  • BlockIndicatorsAutomatically — Whether to block the indicators automatically or not.
  • CollectedIndicatorsSeverity — The verdict of the collected indicators. Default is "Malicious". Other options can be "Suspicious" and "Unknown".
  • RelatedCVE — The WhisperGate malware related CVE.
  • RunXQLHuntingQueries — Whether to perform XQL hunting queries. Default is "False".
  • UserVerification — Possible values: True/False.\nWhether to provide user verification for blocking IPs. \n\nFalse - No prompt will be displayed to the user.\nTrue - The server will ask the user for blocking verification and will display the blocking list
  • AutoBlockIndicators — Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to True - no prompt will appear, and all provided indicators will be blocked automatically. If set to False - the user will be prompted to select which indicators to block.

Commands used

closeInvestigation createNewIndicator expanse-get-issues extractIndicators xdr-xql-generic-query

Flowchart

yes No Yes yes yes yes yes Start Start Collect Indicators Collect Indicators Collect indicators from Malware News - ParseHTMLIndicators Collect indicators from M... ParseHTMLIndicators Extract Indicators Extract Indicators Extract Indicators From Data Collected - extractIndicators Extract Indicators From D... extractIndicators Tag and Link Indicators Tag and Link Indicators Threat Hunting Threat Hunting Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Handle Rapid Breach Response Layout Handle Rapid Breach Respo... Remediation Remediation Block indicators automatically? Block indicators automati... Block indicators manually Block indicators manually Mitigation Mitigation October CMS security recommendations October CMS security reco... Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Patch Vulnerability and workarounds Patch Vulnerability and w... Deploy Detection Rules Deploy Detection Rules Tag File indicators - createNewIndicator Tag File indicators createNewIndicator Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator Download Yara Rules - http Download Yara Rules http Yara Rules Yara Rules Collect Detection Rules Collect Detection Rules Threat ID Hunting Threat ID Hunting Indicators Hunting Indicators Hunting Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Panorama query threat logs - Panorama Query Logs Panorama query threat logs Panorama Query Logs Tag URL indicators - createNewIndicator Tag URL indicators createNewIndicator Cortex XDR - XQL Hunting Queries Cortex XDR - XQL Hunting ... Should run XQL hunting queries? Should run XQL hunting qu... Search for WhisperGate use of InstallUtil (Wiper) - xdr-xql-generic-query Search for WhisperGate us... xdr-xql-generic-query Search for WhisperGate powershell sleep command - xdr-xql-generic-query Search for WhisperGate po... xdr-xql-generic-query Search for WhisperGate disable windows defender - xdr-xql-generic-query Search for WhisperGate di... xdr-xql-generic-query Check if Cortex XDR - XQL Query Engine is Enabled - IsIntegrationAvailable Check if Cortex XDR - XQL... IsIntegrationAvailable Hunting for WhisperGate in Your Network Hunting for WhisperGate i... Search for WhisperGate self-delete - xdr-xql-generic-query Search for WhisperGate se... xdr-xql-generic-query Xpanse Xpanse Is Xpanse enabled? Is Xpanse enabled? Search for possible vulnerable servers using Xpanse - expanse-get-issues Search for possible vulne... expanse-get-issues Review possible vulnerable servers Review possible vulnerabl... Found servers using Xpanse? Found servers using Xpanse? Collect HermeticWiper indicators from Unit 42 - ParseHTMLIndicators Collect HermeticWiper ind... ParseHTMLIndicators Collect indicators from CISA - ParseHTMLIndicators Collect indicators from CISA ParseHTMLIndicators Best practices by CISA Best practices by CISA Review and deploy CISA mitigation suggestions Review and deploy CISA mi... Collect Whispergate indicators from Unit 42 - ParseHTMLIndicators Collect Whispergate indic... ParseHTMLIndicators Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3