WhisperGate and HermeticWiper & CVE-2021-32648

• On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine.

• On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

• Collect related known indicators from Unit 42, CISA and Malware News blog.
• Search for possible vulnerable servers using Xpanse.
• Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
• Block indicators automatically or manually.

Mitigations:

• October CMS security recommendations
• Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement
Microsoft Blog
CVE-2021-32648 NVD

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

• On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine.

• On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

• Collect related known indicators from Unit 42, CISA and Malware News blog.
• Search for possible vulnerable servers using Xpanse.
• Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
• Block indicators automatically or manually.

Mitigations:

• October CMS security recommendations
• Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement
Microsoft Blog
CVE-2021-32648 NVD

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.