# WhisperGate and HermeticWiper & CVE-2021-32648
This Playbook is part of the WhisperGate and HermeticWiper & CVE-2021-32648 Pack.
## Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine.
On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine.
The CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in October CMS (octobercms), a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package, an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5.
The playbook includes the following tasks:
- Collect related known indicators from Unit 42, CISA and Malware News blog.
- Search for possible vulnerable servers using Xpanse.
- Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products.
- Block indicators automatically or manually.
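The first task above, collecting known indicators from public reports and loading them with the verdict chosen in CollectedIndicatorsSeverity, is handled in the playbook by the ParseHTMLIndicators and createNewIndicator steps. The following Python block is an added example written for this page, not the pack's own script: it pulls visible text out of a report page, refangs the usual `hxxp` / `[.]` notation, extracts URL, file-hash, CVE and IP indicators, and tags each with a verdict. The HTML sample is constructed (documentation-range IP, obviously fake hash), and the regex set and output shape are this example's own assumptions, not the pack's.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample of a threat-report page. None of these values are real
# indicators: the IPs come from documentation ranges and the hash is a filler
# pattern. Values are defanged the way public reports usually publish them.
SAMPLE_HTML = """<html><body>
<h2>Indicators of Compromise</h2>
<p>Stage 1 loader SHA256:
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</p>
<ul>
  <li>hxxp://payload-host[.]example/stage1.dll</li>
  <li>192[.]0[.]2[.]77</li>
  <li>CVE-2021-32648 (exploited for initial access)</li>
</ul>
<script>var tracker = "203.0.113.5";</script>
</body></html>"""

# Verdicts accepted by the playbook's CollectedIndicatorsSeverity input.
VALID_VERDICTS = ("Malicious", "Suspicious", "Unknown")

# Order matters: URLs are matched and blanked out first so that a host or
# hash embedded in a URL is not reported a second time as its own indicator.
PATTERNS = [
    ("URL", re.compile(r"\bhttps?://[^\s<>\"'()]+")),
    ("File", re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)),
    ("CVE", re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I)),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


class _VisibleText(HTMLParser):
    """Collects text nodes while ignoring <script> and <style> bodies,
    so tracker snippets and inline JS do not produce false indicators."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html):
    parser = _VisibleText()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def refang(text):
    """Undo common defanging: [.] (.) {.} -> .  and hxxp(s):// -> http(s)://"""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    return re.sub(r"(?i)\bhxxp(s?)://", r"http\1://", text)


def extract_indicators(html, verdict="Malicious"):
    """Return a de-duplicated list of {type, value, verdict} records, in the
    shape a createNewIndicator step would consume (assumed shape)."""
    if verdict not in VALID_VERDICTS:
        raise ValueError(f"verdict must be one of {VALID_VERDICTS}")
    text = refang(html_to_text(html))
    found, seen = [], set()
    for ioc_type, pattern in PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(0)
            if ioc_type == "IP":
                try:
                    ipaddress.ip_address(value)  # rejects octets > 255
                except ValueError:
                    continue
            key = (ioc_type, value.lower())
            if key in seen:
                continue
            seen.add(key)
            found.append({"type": ioc_type, "value": value, "verdict": verdict})
        # Blank out consumed spans before the next, less specific pattern runs.
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return found


if __name__ == "__main__":
    for record in extract_indicators(SAMPLE_HTML):
        print(record)
```

The IP inside the `<script>` block is deliberately dropped: a report page's own analytics code is a common source of junk indicators, and blocking such values automatically (the BlockIndicatorsAutomatically path) is exactly where a false positive hurts most.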
Mitigations:
- October CMS security recommendations
- Deploy YARA detection rules.
More information:
- UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict
- Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement
- Microsoft Blog
- CVE-2021-32648 NVD
Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
## Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
### Sub-playbooks
- Rapid Breach Response - Set Incident Info
- Block Indicators - Generic v3
- Panorama query threat logs
- Threat Hunting - Generic
### Integrations
This playbook does not use any integrations.
### Scripts
- IsIntegrationAvailable
- ParseHTMLIndicators
- http
### Commands
- expanse-get-issues
- xdr-xql-generic-query
- closeInvestigation
- extractIndicators
- createNewIndicator
## Playbook Inputs
Name | Description | Default Value | Required |
---|---|---|---|
PlaybookDescription | The playbook description for Rapid Breach Response layout. | - On January 14th, 2022, reports began on a malware operation dubbed "WhisperGate" targeting multiple organizations in Ukraine. - On February 23, 2022, a new wiper malware known as "HermeticWiper" was disclosed by several cybersecurity researchers. The new wiper "HermeticWiper" was also being used against organizations in Ukraine. CVE-2021-32648 vulnerability has a CVSS score of 9.1 and was found in octobercms, which is a CMS platform based on the Laravel PHP Framework. In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request. The issue has been patched in Build 472 and v1.1.5. The playbook includes the following tasks: - Collect related known indicators from Unit 42, CISA and Malware News blog. - Search for possible vulnerable servers using Xpanse. - Indicators and exploitation patterns hunting using PAN-OS, Cortex XDR and SIEM products. - Block indicators automatically or manually. Mitigations: October CMS security recommendations Deploy YARA detection Rules. More information: UNIT42 Blog - Ongoing Russia and Ukraine Cyber Conflict Russia-Ukraine Cyberattacks: How to Protect Against Related Cyberthreats Including DDoS, HermeticWiper, Gamaredon and Website Defacement Microsoft Blog CVE-2021-32648 NVD Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional |
BlockIndicatorsAutomatically | Whether to block the indicators automatically or not. | False | Optional |
CollectedIndicatorsSeverity | The verdict of the collected indicators. Default is "Malicious". Other options can be "Suspicious" and "Unknown". | Malicious | Optional |
RelatedCVE | The WhisperGate malware related CVE. | CVE-2021-32648 | Optional |
RunXQLHuntingQueries | Whether to perform XQL hunting queries. Default is "False". | False | Optional |
UserVerification | Possible values: True/False. Whether to provide user verification for blocking IPs. False - No prompt will be displayed to the user. True - The server will ask the user for blocking verification and will display the blocking list. | False | Optional |
AutoBlockIndicators | Should the given indicators be automatically blocked, or should the user be given the option to choose? If set to False - no prompt will appear, and all provided indicators will be blocked automatically. If set to True - the user will be prompted to select which indicators to block. | True | Optional |
## Playbook Outputs
There are no outputs for this playbook.