How the HermeticWiper data-wiping program works: it enters through Active Directory to delete data from servers and PCs. Published on 25 February 2022 by Redazione
The Russian bombs falling on Ukraine have been accompanied by a parallel shower of cyberattacks carried out with HermeticWiper, a data-wiper malware, that is, one built to erase data from the storage of the systems it infects. A few days after the DDoS attacks that knocked Ukrainian government sites offline (whose attribution to the Russian government has yet to be demonstrated), the attention of security researchers is now on this new threat, first reported by ESET and Symantec and since analyzed by other companies in the sector.
Researchers from ESET and Symantec detected the wiper, identified as Win32/KillDisk.NCV, on Wednesday, but its timestamp dates compilation to the end of December. The name HermeticWiper comes from SentinelOne, which noticed that the program's code-signing certificate had been issued to the Cypriot company Hermetica Digital Ltd. "So far we have not seen any legitimate files signed with this certificate," SentinelOne writes. "It is possible that the attackers used a shell company or appropriated a company that is no longer in business to issue the digital certificate." To corrupt the data on disk, the program abuses a legitimate, signed disk-management driver belonging to EaseUS Partition Master, a partitioning tool, which the wiper drops and loads to obtain raw write access to the storage device.
How HermeticWiper works
The wiper gets into the target system through compromised identities: stolen or abused accounts that let the attacker hit a resource directly or use it as a foothold for lateral movement. It therefore does not appear to exploit a supply-chain weakness, unlike the supply-chain attacks that have marked the last few years.
"As reported in one case, the ransomware was distributed using Active Directory group policy, which means that the attackers had privileged access to AD," explains Lavi Lazarovitz, head of security research at CyberArk Labs. "This scenario is most commonly seen in targeted, operator-driven actions (as in the case of Kaseya). It is important to note that the wiper takes advantage of elevated privileges on the compromised host to make it 'unbootable', overwriting boot records and configurations, clearing device configurations and deleting shadow copies (backups). It appears that the wiper is configured not to encrypt the domain controllers, that is, to keep the domain running and allow the ransomware to use valid credentials to authenticate to the servers and encrypt them. This further highlights that threat actors are using compromised identities to access the network and/or move laterally."
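The GPO-driven staging that Lazarovitz describes, together with the dropped disk driver from the section above, leaves a footprint in Windows event logs that can be hunted after the fact. The following Python script is an added example, not code from the original article or from any of the vendors quoted: it runs three heuristic rules over a constructed set of flattened Windows events (5136 directory-object modification, 4688 process creation, 7045 service installation) and then correlates them per host. The host names, account names, the `GPO_ADMINS` allow-list, the `DRIVER_BASELINE` set and the `DOMAIN_CONTROLLERS` set are assumptions for the example; the command-line patterns are generic shadow-copy deletion commands, not indicators taken from the page.

```python
"""Hunt for the staging pattern described above in Windows event data.

Added example (not from the article): three heuristic rules over flattened
Windows events, then a per-host correlation that flags the tell-tale shape of
a GPO-driven wipe: a policy change on a domain controller that is itself left
untouched, while member hosts delete backups and load an unfamiliar driver.
"""
import json
import re
from collections import defaultdict

# Constructed sample events, one JSON object per line. Field names follow the
# Windows event schema: 5136 = directory service object modified,
# 4688 = process creation, 7045 = service installed. Hosts, accounts and the
# driver name are invented for the example.
SAMPLE_EVENTS = r'''
{"host": "DC01", "EventID": 5136, "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "gPCMachineExtensionNames", "SubjectUserName": "svc_backup"}
{"host": "DC01", "EventID": 5136, "ObjectClass": "groupPolicyContainer", "AttributeLDAPDisplayName": "versionNumber", "SubjectUserName": "gpo_admin"}
{"host": "DC01", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows", "SubjectUserName": "gpo_admin"}
{"host": "WS017", "EventID": 7045, "ServiceName": "pmdrv", "ServiceType": "kernel mode driver", "ImagePath": "C:\\Windows\\System32\\drivers\\pmdrv.sys"}
{"host": "WS017", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe delete shadows /all /quiet", "SubjectUserName": "svc_backup"}
{"host": "WS017", "EventID": 7045, "ServiceName": "Spooler", "ServiceType": "user mode service", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"host": "WS042", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic shadowcopy delete", "SubjectUserName": "svc_backup"}
{"host": "WS042", "EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe report.txt", "SubjectUserName": "alice"}
'''

# Assumed environment knowledge: who may legitimately edit GPOs, which kernel
# drivers are expected, and which hosts are domain controllers.
GPO_ADMINS = {"gpo_admin"}
DRIVER_BASELINE = {"disk", "volmgr", "partmgr"}
DOMAIN_CONTROLLERS = {"DC01"}

# Generic backup-destruction command lines (not indicators from the article).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)


def parse_events(text):
    """One JSON object per non-empty line -> list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def evaluate(events, gpo_admins, driver_baseline):
    """Apply the three rules; return one finding dict per matching event."""
    findings = []
    for ev in events:
        host, eid = ev.get("host"), ev.get("EventID")
        if eid == 5136 and ev.get("ObjectClass") == "groupPolicyContainer":
            # A GPO edited by an account outside the allow-list is the
            # privileged AD access the quote describes.
            if ev.get("SubjectUserName") not in gpo_admins:
                findings.append({"host": host, "rule": "gpo_modified_by_unexpected_account",
                                 "severity": "high", "detail": ev.get("SubjectUserName")})
        elif eid == 4688 and SHADOW_DELETE.search(ev.get("CommandLine", "")):
            findings.append({"host": host, "rule": "shadow_copy_deletion",
                             "severity": "high", "detail": ev.get("CommandLine")})
        elif eid == 7045 and ev.get("ServiceType", "").lower() == "kernel mode driver":
            # A freshly installed kernel driver that is not in the baseline:
            # the signed-but-abused disk driver pattern from the section above.
            if ev.get("ServiceName") not in driver_baseline:
                findings.append({"host": host, "rule": "unbaselined_kernel_driver",
                                 "severity": "medium", "detail": ev.get("ImagePath")})
    return findings


def summarize(findings, domain_controllers):
    """Per-host rule sets plus a flag for the GPO-driven campaign shape."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    gpo_on_dc = any("gpo_modified_by_unexpected_account" in rules
                    for host, rules in per_host.items() if host in domain_controllers)
    staged = sorted(host for host, rules in per_host.items()
                    if host not in domain_controllers
                    and rules & {"shadow_copy_deletion", "unbaselined_kernel_driver"})
    return {
        "per_host": {h: sorted(r) for h, r in per_host.items()},
        "members_staged": staged,
        "gpo_driven_campaign": gpo_on_dc and bool(staged),
    }


if __name__ == "__main__":
    found = evaluate(parse_events(SAMPLE_EVENTS), GPO_ADMINS, DRIVER_BASELINE)
    for f in found:
        print(f"{f['severity']:6} {f['host']:6} {f['rule']}: {f['detail']}")
    print(json.dumps(summarize(found, DOMAIN_CONTROLLERS), indent=2))
```

Run as-is, it prints four findings and flags the constructed sample as a GPO-driven campaign. The `gpo_driven_campaign` flag keys on the asymmetry in the quote: the domain controller shows the policy change but no wiping activity, because leaving AD alive is what keeps the stolen credentials usable against the member servers. Two caveats: a wiper finishes in seconds, so this kind of hunt is post-mortem and prevention (tiered admin accounts, tightly limiting who can write to GPOs, alerting on every 5136 against groupPolicyContainer objects) matters more; and 5136 events are only generated when the Directory Service Changes audit subcategory is enabled and a SACL is set on the objects, which is not the default.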
A risk also for Italy?
For now the attack has hit thousands of servers, PCs and other systems on Ukrainian territory, but insiders report that it could spread to other regions. "Malware by its nature knows no borders, and we expect HermeticWiper to be detected soon in Western Europe as well, and consequently in Italy. Security specialists are monitoring the situation carefully and taking the first countermeasures," explains the Axitea Cyber Security Team. The cases of recent years, such as the WannaCry and NotPetya ransomware, show how easily particularly sophisticated attacks can spread globally.
The National Cybersecurity Agency, too, does not rule out a spread to Italy. "Although there are currently no indicators to this effect, attention is drawn to the significant cyber risk arising from possible collateral impacts on ICT infrastructures interconnected with Ukrainian cyberspace, with particular reference to entities, organizations and companies that have relationships with Ukrainian parties and with which network interconnections are in place (e.g. B2B connections, users on Ukrainian networks and vice versa, sharing of repositories or collaboration platforms)," writes the Agency's Computer Security Incident Response Team, which then lists a series of recommendations on how to protect against the HermeticWiper threat.
Everyone must be convinced that in a war the best weapons must be adopted, and that this cannot be reduced to skirmishes between one arms manufacturer and another. Everyone must be convinced that the RSA public- and private-key encryption system is outdated and easily intercepted, as we argue on other pages of this site. This is hard to accept for those who consider it the pinnacle of cryptography. I remember when I was in school and elementary students explained to me that the Italian alphabet was made up of 21 letters. Later it became 26 letters, like the English one, with the addition of J, K, W, X and Y. Now no one remembers the 21-letter alphabet anymore. In cryptography, by contrast, people consider what they studied to be fundamental and oppose any progress. It is as if the supporters of the 21-letter Italian alphabet waged war and found subterfuges to express the letters J, K, W, X and Y. In cybersecurity the nostalgic consider themselves pundits and are driven by brand loyalty. But then the war is won by the hackers. Read our solutions on other pages of the site.