This pack is part of the Rapid Breach Response pack.
On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine.
The CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in October CMS, a CMS platform based on the Laravel PHP framework.
In affected versions of the october/system package, an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.
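The version boundary above (fixed in Build 472 on the build-numbered line and in v1.1.5 on the 1.1 line) is the fact a responder needs when deciding which discovered October CMS servers still require patching. The helper below is an added example, not code from the pack or from October CMS: it parses the two version formats an inventory might report, classifies each host as vulnerable, patched or in need of manual review, and treats any version string it cannot interpret as "review" rather than silently marking it safe. The host records are constructed sample data; the assumption that a dotted 1.0.x version carries the build number as its patch component is an assumption of this example, not a statement from the page.

```python
"""Triage helper for CVE-2021-32648 (October CMS password-reset flaw).

Added example, not part of the pack. Assumptions (not stated on the page):
  * a bare or "build N" value is a 1.0-line build number, fixed from Build 472;
  * a dotted 1.0.x version carries the build number in its patch component;
  * a dotted 1.1.x version is fixed from v1.1.5;
  * any other release line is outside this check and is reported for review.
"""
import re

PATCHED_BUILD = 472          # "patched in Build 472"
PATCHED_1_1_PATCH = 5        # "patched in v1.1.5"

_BUILD_RE = re.compile(r"^\s*(?:build\s*)?(\d+)\s*$", re.IGNORECASE)
_DOTTED_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return ("build", n) or ("dotted", (major, minor, patch)).

    Raises ValueError for anything that is not one of the two formats, so a
    caller cannot accidentally treat an unreadable version as patched.
    """
    m = _BUILD_RE.match(text)
    if m:
        return ("build", int(m.group(1)))
    m = _DOTTED_RE.match(text)
    if m:
        major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
        return ("dotted", (major, minor, patch))
    raise ValueError(f"unrecognised October CMS version string: {text!r}")


def is_vulnerable(text):
    """True if below the fix threshold, False if at/after it, None if unknown line."""
    kind, value = parse_version(text)
    if kind == "build":
        return value < PATCHED_BUILD
    major, minor, patch = value
    if (major, minor) == (1, 0):
        # Assumption: 1.0.x dotted versions carry the build number as patch.
        return patch < PATCHED_BUILD
    if (major, minor) == (1, 1):
        return patch < PATCHED_1_1_PATCH
    return None  # other release lines: not covered by this check


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_HOSTS = [
    {"host": "cms-a.example.test", "version": "build 471"},
    {"host": "cms-b.example.test", "version": "1.0.472"},
    {"host": "cms-c.example.test", "version": "v1.1.4"},
    {"host": "cms-d.example.test", "version": "1.1.5"},
    {"host": "cms-e.example.test", "version": "2.1.0"},
    {"host": "cms-f.example.test", "version": "unknown"},
]


def triage(hosts):
    """Bucket hosts into vulnerable / patched / needs_review by reported version."""
    result = {"vulnerable": [], "patched": [], "needs_review": []}
    for h in hosts:
        try:
            status = is_vulnerable(h["version"])
        except ValueError:
            status = None
        if status is True:
            result["vulnerable"].append(h["host"])
        elif status is False:
            result["patched"].append(h["host"])
        else:
            result["needs_review"].append(h["host"])
    return result


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_HOSTS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The "needs_review" bucket is deliberate: an exposure-management feed (Xpanse or similar) often reports a banner or a version string that does not fit either scheme, and those hosts should be checked by hand rather than dropped from the patch list.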
The playbook includes the following tasks:
- Collect related known indicators from the Malware News blog.
- Hunt for indicators using PAN-OS and SIEM products.
- Search for possible vulnerable servers using Xpanse.
- Block indicators automatically or manually.
Mitigations:
- October CMS security recommendations.
- Deploy YARA detection rules.
More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Microsoft Blog
CVE-2021-32648 NVD
October security recommendation
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.