The National Cyber Security Directorate warns of new destructive malware used for cyber attacks targeting government and private organizations.
“A new destructive malware called HermeticWiper (aka KillDisk.NCV) is being used actively in the escalating military conflict in Ukraine for cyber attacks targeting government and private organizations, affecting decision makers, technical staff, and regular users. HermeticWiper is a small executable, approximately 115 KB, digitally signed with a certificate issued to ‘Hermetica Digital Ltd’ and valid from April 2021 to April 2022.
The malware uses a legitimate driver (associated with EaseUS Partition Master software) to corrupt data on hard drives, including the MBR (Master Boot Record) area. The final step of the attack with HermeticWiper is to deactivate the victim computer by restarting it”, the DNSC experts explain on the institution’s Facebook page.
The HermeticWiper attacks were most likely prepared a few months in advance, with the attackers gaining access to the victims’ networks / infrastructure as early as November 2021, initially exploiting known vulnerabilities in Microsoft Exchange or Apache Tomcat servers.
Initial access was usually followed by credential theft, lateral movement and the deployment of web shells. HermeticWiper is then pushed out at the Active Directory level through Group Policy Objects (GPO). This indicates that the wiper is deployed only once the attackers have already taken partial or complete control of the computer network / infrastructure.
So far, the Directorate has not registered any HermeticWiper attacks in Romania.
Recommendations
Periodically create, update, maintain, and practice cyber incident response capabilities, as well as continuity and resilience plans in the event of loss of access or control of the IT network / infrastructure.
Review the back-up strategy implemented at the organization level, as data affected / deleted by HermeticWiper cannot be recovered.
Immediately apply the necessary security updates for the software you are using, especially for Microsoft Exchange or Apache Tomcat servers.
Follow the HermeticWiper compromise indicators (IOCs) that the Directorate has included in this alert or those communicated by cybersecurity solution providers.
Track the HermeticWiper compromise indicators and the network compromise indicators (IP addresses or domains), which we recommend adding to the threat intelligence lists of your organization’s security equipment.
Use an IOC scanner (such as the “LOKI Open-Source IOC Scanner”) to automate the monitoring of compromise indicators across your IT infrastructure.
Carefully monitor data flows and components interconnected directly with Ukrainian partners and / or located in Ukrainian networks, as well as other external connections.
Apply the principle of least privilege to all key remote access systems that you manage.
Contact the Directorate immediately if you have been affected by an attack with HermeticWiper.
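As a starting point for the triage the recommendations above ask for, the following PowerShell script is an added example (it is not part of the DNSC alert and not a tool the Directorate provides). It hunts for PE files whose Authenticode signer subject matches the certificate name given in the alert, reports their size and hash for comparison with published IOCs, and lists Group Policy Objects modified recently, since the alert states the wiper was distributed through GPO. The scanned paths, the 7-day window and the requirement for RSAT’s GroupPolicy module are assumptions.

```powershell
# Added triage script (not from the DNSC alert): hunts for binaries signed with the
# certificate subject named in the alert and lists recently modified GPOs.
# Assumptions: run as an administrator on a domain-joined Windows host; the
# GroupPolicy module (RSAT) is installed; paths and the 7-day window are illustrative.
param(
    [string[]]$Paths = @("$env:SystemRoot\System32", "$env:SystemRoot\Temp", $env:TEMP),
    [int]$RecentDays = 7
)

$SignerPattern = 'Hermetica Digital'   # certificate subject named in the alert

# 1. Binaries whose Authenticode signer subject matches the alert's certificate.
#    Size and SHA256 are reported so hits can be compared with published IOCs.
$hits = foreach ($p in $Paths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Include *.exe,*.dll,*.sys -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $SignerPattern) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    SizeKB    = [math]::Round($_.Length / 1KB, 1)
                    Subject   = $sig.SignerCertificate.Subject
                    NotBefore = $sig.SignerCertificate.NotBefore
                    NotAfter  = $sig.SignerCertificate.NotAfter
                    Status    = $sig.Status   # Valid, NotTrusted, HashMismatch, ...
                    SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                }
            }
        }
}
$hits | Format-Table -AutoSize

# 2. GPOs changed within the window: the alert states the wiper was pushed
#    through GPO, so a fresh or modified policy deserves review whatever its name.
if (Get-Module -ListAvailable -Name GroupPolicy) {
    Import-Module GroupPolicy
    Get-GPO -All |
        Where-Object { $_.ModificationTime -gt (Get-Date).AddDays(-$RecentDays) } |
        Select-Object DisplayName, Id, ModificationTime, GpoStatus |
        Sort-Object ModificationTime -Descending |
        Format-Table -AutoSize
} else {
    Write-Warning "GroupPolicy module not available; skipping GPO review."
}
```

A match on the signer subject alone is a lead, not a verdict: confirm each hit against the hashes published by the Directorate or your security vendor before acting on it.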