Republic of the Philippines
National Police Commission
Camp BGen Rafael T Crame, Quezon City


Reference Number ACG-CSB 081522263

         The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as Restricted pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.


     This malware, a wiper malware specifically created to target the energy sector, was first identified as harmful software back in 2012 and is still active today. The main goal of this malware is to delete all the files on storage devices and wipe all the data, both logically and physically, rendering the information inaccessible. Wipers, which differ from ordinary cyberattacks in that they frequently don't demand a ransom, are riskier because their only goal is to harm people and/or organizations' reputations.

      Threat actors or cybercriminals employ different approaches to disseminate and activate wipers. One of this malware's functions is to corrupt or encrypt files; it does not, however, rewrite the entire hard drive, because that would take a long time. Instead, wipers could write a specific amount of data at specific intervals, which destroys files arbitrarily. This malware's encryption is keyless, which means that the wiper does not have a decryption key to open the encrypted data.

      This malware specifically targets the system recovery file, which prevents the target from recovering the destroyed data. To comprehend the various techniques employed by attackers, the targets of a typical wiper can be divided into three: files (data), the boot section of the machine's operating system, and system and data backups. Most wipers target those three.

      Wiper malware has had a significant impact on several high-profile organizations and governments over the last decade. Here are some real-world examples of wiper variants that caused major problems around the world:

  • Shamoon – one of the most common variants of wiper malware, targeted Saudi Aramco and other Middle Eastern oil companies between 2012 and 2016. This wiper is a self-propagating variant. It spreads from one device to another via shared network disks, leaving victims with no way to recover the destroyed data. Using the RawDisk driver, it overwrites disks before wiping the master boot record (MBR), preventing the system from booting.
  • Meteor – is a reusable variant of the wiper malware. This variant can be configured externally and has malicious capabilities such as changing user passwords, disabling recovery mode, and issuing malicious commands.
  • NotPetya – It is one of the most intriguing wiper strains because it presents itself as ransomware when it isn't. The confusion stems from one of its original strains, Petya, a ransomware attack in which victims' machines were provided with a decryption key after paying a ransom.
  • ZeroCleare – The purpose of this infamous wiper malware version was to delete data from targeted systems. It first surfaced in 2019 when it launched attacks against numerous Middle Eastern energy companies. Following this attack, thousands of systems were compromised and were left vulnerable to other incidents.
  • WhisperGate – According to Microsoft Threat Intelligence Center, this is the most recent variant of the wiper malware that launched targeted assaults against the Ukrainian government in January 2022. At least 70 government-owned website domains were defaced as a result of the hack.
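
A defensive check for the MBR overwrite described in the Shamoon entry above, as an added example that is not part of the original bulletin: it inspects one 512-byte boot sector for signs of wiping and compares it with a hash recorded while the system was healthy. The function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
# Partition entry: status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY = struct.Struct("<B3xB3xII")

def parse_partitions(mbr):
    """Return the used entries of the four-slot partition table at offset 446."""
    entries = []
    for slot in range(4):
        status, ptype, lba_start, sectors = ENTRY.unpack_from(mbr, 446 + 16 * slot)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"slot": slot, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means the sector looks intact."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if len(set(mbr[:446])) == 1:
        findings.append("boot code area is a single repeated byte")
    if not parse_partitions(mbr):
        findings.append("partition table is empty")
    if baseline_sha256 and hashlib.sha256(mbr).hexdigest() != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    return findings

def build_sample_mbr():
    """Constructed sample: varied boot code and one bootable partition of type 0x07."""
    boot_code = bytes(i % 251 for i in range(446))
    entry = ENTRY.pack(0x80, 0x07, 2048, 1_000_000)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE

if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = hashlib.sha256(healthy).hexdigest()
    print("healthy:", check_mbr(healthy, baseline))
    print("wiped:  ", check_mbr(bytes(SECTOR_SIZE), baseline))
```

In practice the 512 bytes would be read from the first sector of the disk or from a forensic image, and the baseline hash stored off the host so that a wiper cannot alter it.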

     Wipers are an ordeal for information security. This type of malware is capable of wiping out nearly all sensitive data on drives and causing massive amounts of data and financial loss. While no defensive measures can guarantee complete protection from wipers, adhering to tight, well-founded cybersecurity response plans, backup and recovery schemes, and wise deployment of anti-malware solutions can significantly reduce the likelihood that your organization will fall victim to the next wiper attack.


            The public are advised to follow these tips in order to understand the risks of Wiper Malware:

  • Proven Cybersecurity Incident Response Plan: Knowing what to do is the short answer, and this is where CSIRPs come in. The CSIRP's roles and responsibilities must be clearly defined. They cannot be restricted to the cybersecurity or even the IT departments. Everyone in the organization must understand their role and the types of decisions that are expected of them.
  • Risk-based patch management program: It is critical to keep all software up to date in order to reduce a company's attack surface. However, software patching can be difficult, so IT departments must carefully balance the risk of being vulnerable against the risk of disrupting business.
  • Cybersecurity-aware and tried-and-true business continuity plan: It is critical to include recovery from wiper attacks in your continuity planning, especially protecting your organization's backup infrastructure. To accomplish this, backup software must be installed on non-Windows systems, the backup network must be segmented, and different usernames and passwords must be used.
  • Network & User Segmentation on Top of the Regular Software Security Stack: Network segregation is an important aspect of damage mitigation that is neither simple nor easy to achieve. Intent-based networking has the potential to make this task much easier and faster. Even if network segregation is not enforced during normal business operations, being able to perform emergency segregation can mean the difference between a major business disruption and a minor disruption.

For additional information, please refer to the following websites:



     Please contact PMAJ JUN-JUN S DAGURO, Police Community Relations Officer, or contact us on telephone number (632) 8723-0401 local 7483 for any inquiries related to this CYBER SECURITY BULLETIN.