Skip to content

Latest commit

 

History

History
79 lines (55 loc) · 6.13 KB

playbook-WhisperGate_&_CVE-2021-32648_6_5_README.md

File metadata and controls

79 lines (55 loc) · 6.13 KB
Raw

  • On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine.

  • On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:

  • Collect related known indicators from Unit 42, CISA and Malware News blog.
  • Search for possible vulnerable servers using Xpanse.
  • Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
  • Block indicators automatically or manually.

Mitigations:

  • October CMS security recommendations
  • Deploy YARA detection Rules.

More information: UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement Microsoft Blog CVE-2021-32648 NVD

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Rapid Breach Response - Set Incident Info
  • Block Indicators - Generic v3
  • Panorama query threat logs
  • Threat Hunting - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • IsIntegrationAvailable
  • ParseHTMLIndicators
  • http

Commands

  • expanse-get-issues
  • xdr-xql-generic-query
  • closeInvestigation
  • extractIndicators
  • createNewIndicator

Playbook Inputs

Name Description Default Value Required
PlaybookDescription The playbook description for Rapid Breach Response layout. - On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple -organizations in Ukraine.

- On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.

CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework.
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
The issue has been patched in Build 472 and v1.1.5.

The playbook includes the following tasks:
- Collect related known indicators from Unit 42, CISA and Malware News blog.
- Search for possible vulnerable servers using Xpanse.
- Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
- Block indicators automatically or manually.

Mitigations:
* October CMS security recommendations
* Deploy YARA detection Rules.

More information:
UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement
Microsoft Blog
CVE-2021-32648 NVD

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.		 Optional
BlockIndicatorsAutomatically Whether to block the indicators automatically or not. False Optional
CollectedIndicatorsSeverity The verdict of the collected indicators. Default is "Malicious".
Other options can be "Suspicious" and "Unknown".		 Malicious Optional
RelatedCVE The WhisperGate malware related CVE. CVE-2021-32648 Optional
RunXQLHuntingQueries Whether to perform XQL hunting queries. Default is "False". False Optional
UserVerification Possible values: True/False.\nWhether to provide user verification for blocking IPs. \n\nFalse - No prompt will be displayed to the user.\nTrue - The server will ask the user for blocking verification and will display the blocking list False Optional
AutoBlockIndicators Should the given indicators be automatically blocked, or should the user be given the option to choose?
If set to False - no prompt will appear, and all provided indicators will be blocked automatically.
If set to True - the user will be prompted to select which indicators to block.		 True Optional

Playbook Outputs

There are no outputs for this playbook.

Playbook Image

WhisperGate and HermeticWiper & CVE-2021-32648