Skip to main content

WhisperGate and HermeticWiper & CVE-2021-32648

Download With Dependencies

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine. On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

This pack is part of the Rapid Breach Response pack.

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine.
CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

  • Collect related known indicators from Malware News blog.
  • Indicators hunting using PAN-OS and SIEM products.
  • Search for possible vulnerable servers using Xpanse.
  • Block indicators automatically or manually.

Mitigations:

  • October CMS security recommendations.
  • Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Microsoft Blog
CVE-2021-32648 NVD
October security recommendation

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

WhisperGate and HermeticWiper & CVE-2021-32648

This pack is part of the Rapid Breach Response pack.

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine.
CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

  • Collect related known indicators from Malware News blog.
  • Indicators hunting using PAN-OS and SIEM products.
  • Search for possible vulnerable servers using Xpanse.
  • Block indicators automatically or manually.

Mitigations:

  • October CMS security recommendations.
  • Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Microsoft Blog
CVE-2021-32648 NVD
October security recommendation

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

WhisperGate and HermeticWiper & CVE-2021-32648

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByCortex
CreatedJanuary 19, 2022
Last ReleaseDecember 2, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.