2022-03-10 - Version 2

國際資安大廠ESET發現駭客對烏克蘭發動的網路攻擊中所使用的惡意程式，包括資料刪除程式HermeticWiper、IssacWiper，以及勒索軟體HermeticRansom

在俄羅斯攻擊烏克蘭前一日(2月23日)，ESET已經偵測到對烏克蘭基礎架構的資訊戰活動，而偵測到的一波攻擊包括3項元素，分別是HermeticWizard經由WMI（Windows Management Instrumentation）和SMB協定散布的HermeticWiper，以及用Go語言撰寫的勒索軟體HermeticRansom，這波攻擊至少影響烏克蘭5個組織的數百臺系統。

而在不到24小時內，ESET又發現另一隻資料刪除程式，他們將之命名為IssacWiper，IssacWiper目前的樣本是在Windows DLL或EXE檔中發現，不具程式碼簽章憑證。研究人員推測IssacWiper攻擊者可能是利用Imapcket等工具在受害者網路內橫向移動，此外，幾臺受害機器中也看到遠端存取木馬（RAT）RemCom，可能是和IssacWiper同時植入。從其編譯時戳來看，最早可追溯到2021年10月19日，因此研究人員相信IssacWiper可能已被用於幾個月前的攻擊。

這是繼一月的WisperGate以來，第三隻攻擊烏克蘭的資料刪除程式。

這幾波攻擊來源目前尚無法得知，主要是因為HermeticWiper、HermeticWizard和HermeticRansom與ESET過去所知的惡意程式相似性甚低，故未能找到IssacWiper的來源，或是它最初的攻擊管道。

目前研究人員還在分析兩者之間關聯性，但一些未受HermeticWiper影響的機構卻有見到IssacWiper；就程式碼相似性來看，IssacWiper和HermeticWiper的程式碼幾乎沒重疊，也較為粗糙；HermeticWiper相當兇惡，濫用硬碟分割軟體EaseUS Partition Master的合法驅動程式（如下圖所示），先毁損資料再將受害電腦重新開機。在研究人員分析的一項案例中，這隻程式是經由預設的網域GPO植入系統，意謂攻擊者可能已經接管受害機構的AD伺服器。

相較而言，攻擊者釋出的新版IssacWiper有除錯紀錄，顯示舊版未能將受害電腦資料刪除掉，攻擊者試圖了解原因所在。

研究人員相信，就目前烏克蘭危機來看，不論是烏克蘭或支持它的國家，都有持續遭遇網路攻擊的風險。

原文出處：https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/

About Version 2

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

關於ESET
ESET成立於1992年，是一家面向企業與個人用戶的全球性的電腦安全軟件提供商，其獲獎產品 — NOD32防病毒軟件系統，能夠針對各種已知或未知病毒、間諜軟件（spyware）、rootkits和其他惡意軟件為電腦系統提供實時保護。ESET NOD32佔用系統資源最少，偵測速度最快，可以提供最有效的保護，並且比其他任何防病毒產品獲得了更多的Virus Bulletin 100獎項。ESET連續五年被評為“德勤高科技快速成長500 強”（Deloitte’s Technology Fast 500）公司，擁有廣泛的合作夥伴網絡，包括佳能、戴爾、微軟等國際知名公司，在布拉迪斯拉發（斯洛伐克）、布裏斯托爾（英國）、布宜諾斯艾利斯（阿根廷）、布拉格（捷克）、聖地亞哥（美國）等地均設有辦事處，代理機構覆蓋全球超過100個國家。

ESET 2022

These are the technologies to be used by cybercriminals this year:

· Fake news

Cybercriminals will be creating and spreading fake news for fraud and phishing attacks. They are going to use AI and deepfake to make photos and videos with the aim to steal confidential information.

· Personal data theft

Theft of personal data of companies’ employees, clients and business partners is becoming more and more large-scale. Attackers are getting greedier, and ransom amounts are going to continue to grow.

· Using mobile malware

With mobile payment systems being used more frequently, malware attacks on consumers’ mobile devices in order to steal more will also become more frequent.

· Large-scale online attacks using new technology

Cybercriminals are keeping up with companies thatconstantly improve technologies and infrastructure to boost their security systems. In the current year criminals will be penetrating company networks using security system testing tools. Such attacks may lead to global failures in company operations.

· Cryptocurrency attacks

Attackers will be turning more attention to hacking crypto exchanges. They will be motivated by last year’s successful cyberattacks, Africryft hack being one of them. As a result of the attack on the South African crypto platform investors lost about $3.6 bln.Active growth of such crimes is expected this year.

Company managements should stay alert and work towards cybercrime prevention by securing every bit of their networks with the use of optimal solutions that will reveal and block more and more elaborate and global cyberattacks.