WhisperGate and HermeticWiper & CVE-2021-32648

Details
Content
Dependencies
Version History

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine. On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

This pack is part of the Rapid Breach Response pack.

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine.
CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

Collect related known indicators from Malware News blog.
Indicators hunting using PAN-OS and SIEM products.
Search for possible vulnerable servers using Xpanse.
Block indicators automatically or manually.

Mitigations:

October CMS security recommendations.
Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Microsoft Blog
CVE-2021-32648 NVD
October security recommendation

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

WhisperGate and HermeticWiper & CVE-2021-32648

This pack is part of the Rapid Breach Response pack.

The playbook includes the following tasks:

Collect related known indicators from Malware News blog.
Indicators hunting using PAN-OS and SIEM products.
Search for possible vulnerable servers using Xpanse.
Block indicators automatically or manually.

Mitigations:

October CMS security recommendations.
Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Microsoft Blog
CVE-2021-32648 NVD
October security recommendation

WhisperGate and HermeticWiper & CVE-2021-32648

Playbooks

Name	Description
WhisperGate and HermeticWiper & CVE-2021-32648	On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine. On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine. CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. The playbook includes the following tasks: Collect related known indicators from Unit 42, CISA and Malware News blog. Search for possible vulnerable servers using Xpanse. Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Block indicators automatically or manually. Mitigations: October CMS security recommendations Deploy YARA detection Rules. More information: UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement Microsoft Blog CVE-2021-32648 NVD Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

WhisperGate and HermeticWiper & CVE-2021-32648

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine.
On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

Collect related known indicators from Unit 42, CISA and Malware News blog.
Search for possible vulnerable servers using Xpanse.
Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
Block indicators automatically or manually.

Mitigations:

October CMS security recommendations
Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement
Microsoft Blog
CVE-2021-32648 NVD

Playbooks

Name	Description
WhisperGate and HermeticWiper & CVE-2021-32648	On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine. On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine. CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. The playbook includes the following tasks: Collect related known indicators from Unit 42, CISA and Malware News blog. Search for possible vulnerable servers using Xpanse. Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. Block indicators automatically or manually. Mitigations: October CMS security recommendations Deploy YARA detection Rules. More information: UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement Microsoft Blog CVE-2021-32648 NVD Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Name

Description

WhisperGate and HermeticWiper & CVE-2021-32648

On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine.
On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

The playbook includes the following tasks:

Collect related known indicators from Unit 42, CISA and Malware News blog.
Search for possible vulnerable servers using Xpanse.
Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
Block indicators automatically or manually.

Mitigations:

October CMS security recommendations
Deploy YARA detection Rules.

Required Content Packs (2)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (4)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Cortex XDR by Palo Alto Networks	By: Cortex XSOAR
Rapid Breach Response	By: Cortex XSOAR
PAN-OS by Palo Alto Networks	By: Cortex XSOAR

All level dependencies (4)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Base	By: Cortex XSOAR

1.0.8 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.0.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

1.0.6 - 4856079 (September 11, 2025)

Playbooks

WhisperGate and HermeticWiper & CVE-2021-32648

Updated the input description "AutoBlockIndicators".

Related pull requests:
- 41245

Download

1.0.5 - R3980324 (June 26, 2025)

WhisperGateCVE-2021-32648

Fixed an issue where images with special chars were not displyed properly in the pack README file.

Related pull requests:
- 31421

Download

1.0.4 - 5782177 (July 16, 2023)

Playbooks

WhisperGate and HermeticWiper & CVE-2021-32648

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added the AutoBlockIndicators input. This input determines whether to block the indicators automatically or manually using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0).
Added the UserVerification input. This input determines whether blocking IPs should be done with or without user verification. The IPs blocking is done by using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 26581

Download

1.0.8 - 7839944 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43569

Download

1.0.7 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

1.0.6 - 4856079 (September 11, 2025)

Playbooks

WhisperGate and HermeticWiper & CVE-2021-32648

Updated the input description "AutoBlockIndicators".

Related pull requests:
- 41245

Download

1.0.5 - R3980324 (June 26, 2025)

WhisperGateCVE-2021-32648

Fixed an issue where images with special chars were not displyed properly in the pack README file.

Related pull requests:
- 31421

Download

1.0.4 - 5786478 (July 17, 2023)

Playbooks

WhisperGate and HermeticWiper & CVE-2021-32648

Replaced the Block Indicators - Generic v2 sub-playbook with the new Block Indicators - Generic v3 playbook. (Available from Cortex XSOAR 6.5.0).
Added the AutoBlockIndicators input. This input determines whether to block the indicators automatically or manually using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0).
Added the UserVerification input. This input determines whether blocking IPs should be done with or without user verification. The IPs blocking is done by using the Block Indicators - Generic v3 sub-playbook. (Available from Cortex XSOAR 6.5.0).

Related pull requests:
- 26581

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	January 19, 2022
Last Release	March 22, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

Palo Alto Networks Cortex XDR - Investigation and Response

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.