Feb 24, 2022

HermeticWiper and Cyclops Blink Cyberattacks: What you need to know


Over the last two days, a wave of cyberattacks has reportedly hit Ukrainian computers, including targeted distributed denial-of-service (DDoS) attacks on government websites and a new malware found on hundreds of computers.

Update: February 25, 2022 – Existing Armis customers can scroll to the end of this blog post for additional insights on how to leverage the Armis Platform to discover malicious/anomalous activity in their environment.

HermeticWiper

Cybersecurity company ESET reported that a new data wiper malware was found to be installed on hundreds of compromised computers. 

ESET’s research team said that based on the timestamp of the malware, the attacks could have been in preparation for several weeks/months. ESET named the malware HermeticWiper based on the Cypriot company, Hermetica Digital, to which the malware’s certificate was found to be issued. 

HermeticWiper can erase all data from the system it has infected. One thing that makes this malware so dangerous is that once data has been deleted, it cannot be recovered. This malware is different from most, in that it doesn’t steal information. It just destroys it. The malware can even infect system recovery tools, leaving no traces of the attack.

Cyclops Blink

A joint report issued by U.K. and U.S. intelligence agencies claims that a new malware dubbed Cyclops Blink, believed to be built by the Russian hacker group Sandworm, has replaced the earlier VPNFilter malware that infected more than half a million routers in 2018.

The report was published yesterday by the U.K. National Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency, the U.S. National Security Agency, and the Federal Bureau of Investigation.

The agencies said that the malware, which has been circulating for at least three years, is “sophisticated and modular with basic core functionality to beacon device information back to a server to enable files to be downloaded and executed”.

The new malware is said to be even more sophisticated than its predecessor: “There is also functionality to add new modules while the malware is running, which allows Sandworm to implement additional capability as required.”

What are the implications of such attacks?

Events such as these are becoming more prolific, as malware, ransomware, and other malicious software are being leveraged by nation-state attackers worldwide in the form of modern cyber warfare. These attacks and many like them make headlines on a daily basis and the implications can be heard, if not felt, globally. 

Every organization is at risk of cyber threats that can disrupt essential services and even result in impacts to public safety. In the past year alone, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple industries and segments of the economy.

Threat Response Requires Contextual Asset Intelligence

Understanding your organization’s risk exposure is crucial for planning and implementing mitigation strategies. There are a few different security solutions that can detect and/or protect against these cyber threats. However, each of these solutions provides standalone protections and addresses different threat aspects. In order to truly understand your security posture, you need to have a full picture of your current assets, their state, their vulnerabilities, and security controls.

This requires the ability to gather data from different IT and security tools, and analyze it to get contextual intelligence about the assets at risk. This will help you understand:

  • What assets are connected to the network?
  • How are these assets communicating with each other?
  • Do they have the right protections deployed on them? (for example – Are endpoint protection agents deployed on all assets? Are the agents operational? Are they up-to-date?)
  • Are there any vulnerabilities that need to be patched? If so, who owns these vulnerable assets, and where are they physically located?

Without this data, it would be very difficult and time-consuming to respond to emerging threats. It would also be difficult to take proactive measures to improve cyber hygiene and reduce your attack surface.

Want to know how Armis can help? Sign up for a free asset visibility assessment to see the power of contextual asset intelligence: https://www.armis.com/the-armis-quick-asset-visibility-assessment/

If you don’t have access to Armis Asset Intelligence Platform, here are a number of recommended steps to improve your cyber hygiene:

4 Steps to Better Cyber Hygiene: Reducing Your Attack Surface

1. See every asset in your environment.

Asset discovery is the first step to a successful cybersecurity strategy. Security teams need to know what they have across the operational and enterprise environments in order to assess their risk posture.

2. Know how assets in your inventory behave.

Organizations also need to identify when devices behave unexpectedly, which might indicate they are compromised. Calculating a risk score for each device helps security teams prioritize vulnerabilities and take proactive steps to minimize the attack surface.

3. Never stop monitoring your assets.

Real-time monitoring of assets and traffic is crucial to active threat discovery. Passive monitoring ensures that your network, systems, and devices are continuously tracked without disruption.

4. Manage risk with automated policy enforcement.

Organizations also need real-time policy enforcement and automated remediation to isolate devices, trigger alerts, and initiate software updates. Generate segmentation policies to reduce exposure to threats.

Armis is here to help
If you’d like to consult with our experts, or see a demo of the Armis Asset Intelligence Platform, contact us today (https://www.armis.com/demo/).

Update for existing Armis customers:

Summary

We expect additional cyberattacks to spread globally, and existing Armis customers will want to know how to use Armis to look for these attacks and respond appropriately. While we cannot anticipate every attack situation or company risk profile, we can give some insight into the type of Armis queries (AQL) that may help customers start looking for active threats in their environment that could point to malicious activity from the ongoing threat.

Threat Expectations

In its alert released on Feb 16, 2022, CISA identified areas that are expected to be targeted; the list is not necessarily all-encompassing.

For the vast majority of our customers these areas would likely be of concern:

  1. Financial areas or the movement of finances
  2. Energy operations
  3. Medical/hospital operations
  4. Food and agriculture industries
  5. Water infrastructure operations
  6. Emergency services
  7. Transportation services

Armis Queries

Below are examples of Armis queries which might be helpful in looking for malicious/anomalous activity. Please note that the queries below include a time frame of 7 days. If you decide to use these queries as policies, please ensure that the 7-day time frame is removed prior to saving them as a policy.

  1. Foreign domain target communications
    1. Possible query: in:activity timeFrame:"7 Days" .ru
    2. Possible query: in:activity timeFrame:"7 Days" type:"DNS Query" .ru
  2. Unencrypted credentials to unknown external targets
    1. Possible query: in:activity type:Credentials timeFrame:"7 Days" !decisionData:(serverAddress:(10.0.0.0/8,172.16.0.0/12,192.168.0.0/16)) !device:(type:"Vulnerability Scanners")
  3. Unauthorized Remote Desktop services (RDP)
    1. Possible query: in:ipConnections timeFrame:"7 Days" endpointB:(role:Server networkLocation:External) serverPort:(3389) endpointA:(!device:(boundary:Guest))
  4. Unauthorized port scanning (port scans from non-scanning devices)
    1. Possible query: in:activity timeFrame:"7 Days" type:"Port Scan Detected" decisionData:(scanType:Heavy) device:(!type:"Vulnerability Scanners")
  5. Unauthorized network mapping (nmap etc.)
    1. Possible query: in:activity timeFrame:"7 Days" type:"Application Usage" decisionData:(appName:(nmap))
  6. Unauthorized red teaming tools (Burp Suite etc.)
    1. Possible query: in:activity timeFrame:"7 Days" type:"DNS Query" decisionData:(host:(%.portswigger.%,%.burpcollaborator.net)) device:(!tag:"DNS Server","Vulnerability Scanner")
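As an added illustration (not part of the original post and not AQL), the Python below applies the same filtering logic as queries 1, 2, 3, 4 and 6 to a handful of constructed events, so the exclusions (vulnerability scanners, DNS servers, the Guest boundary, RFC 1918 server addresses) can be checked outside the platform. The device sets, event field names and sample values are all assumptions.

```python
import ipaddress

# Assumed device attributes standing in for the Armis type/tag/boundary filters.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCANNERS = {"vuln-scanner-01"}    # devices of type "Vulnerability Scanners"
DNS_SERVERS = {"dns-01"}          # devices tagged "DNS Server"
GUEST_DEVICES = {"guest-laptop"}  # devices in the Guest boundary

def is_external(ip):
    """True when the server address lies outside the RFC 1918 ranges used in query 2."""
    return not any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)

def classify(ev):
    """Map one event dict to a finding label, or None when no query matches."""
    host, kind = ev["device"], ev["type"]
    if kind == "DNS Query":
        name = ev["host"]
        if name.endswith(".ru"):                      # query 1: foreign domain
            return "foreign-domain-dns"
        if host not in SCANNERS | DNS_SERVERS and (
                ".portswigger." in name or name.endswith(".burpcollaborator.net")):
            return "red-team-tool-dns"                # query 6: Burp Suite infrastructure
    elif kind == "Credentials" and host not in SCANNERS and is_external(ev["server"]):
        return "cleartext-creds-external"             # query 2
    elif (kind == "Connection" and ev["port"] == 3389
          and host not in GUEST_DEVICES and is_external(ev["server"])):
        return "external-rdp"                         # query 3
    elif kind == "Port Scan Detected" and ev["scanType"] == "Heavy" and host not in SCANNERS:
        return "unauthorized-port-scan"               # query 4
    return None

def triage(events):
    """Return (device, finding) pairs for every event that matches a query."""
    return [(ev["device"], label) for ev in events if (label := classify(ev))]

# Constructed sample events; the field names are assumptions, not the Armis schema.
SAMPLE_EVENTS = [
    {"device": "wks-12", "type": "DNS Query", "host": "update.example.ru"},
    {"device": "wks-12", "type": "DNS Query", "host": "www.example.com"},
    {"device": "wks-07", "type": "Credentials", "server": "203.0.113.20"},
    {"device": "wks-07", "type": "Credentials", "server": "10.2.3.4"},
    {"device": "vuln-scanner-01", "type": "Credentials", "server": "203.0.113.20"},
    {"device": "wks-21", "type": "Connection", "server": "203.0.113.55", "port": 3389},
    {"device": "guest-laptop", "type": "Connection", "server": "203.0.113.55", "port": 3389},
    {"device": "wks-33", "type": "Port Scan Detected", "scanType": "Heavy"},
    {"device": "vuln-scanner-01", "type": "Port Scan Detected", "scanType": "Heavy"},
    {"device": "wks-40", "type": "DNS Query", "host": "abc.burpcollaborator.net"},
    {"device": "dns-01", "type": "DNS Query", "host": "abc.burpcollaborator.net"},
]
```

Running `triage(SAMPLE_EVENTS)` yields one finding per workstation and none for the scanner, DNS server or guest device, mirroring the exclusions in the queries.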

Additional Guidance

If you have any questions, please reach out to your Customer Success Manager or Technical Account Manager for assistance. Armis is here to help.
