SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Series of wiper campaigns hit Ukraine, globe as conflict escalates
Description: Cisco Talos is aware of a second wave of wiper attacks ongoing inside Ukraine, leveraging a new wiper that has been dubbed "HermeticWiper." Deployment of the destructive malware began on Feb. 23, 2022. HermeticWiper features behavioral characteristics similar to what was observed during the WhisperGate attacks that occurred in January. The malware has two components designed for destruction: one that targets the Master Boot Record (MBR) and another that targets partitions. There are several additional components of this campaign, including HermeticWizard, which allows HermeticWiper to be propagated to and deployed on additional systems within affected environments. There is also IsaacWiper, an additional wiper responsible for the destruction of systems and data, and HermeticRansom, a ransomware family that has been observed being deployed at the same time as HermeticWiper as a diversionary tactic.
SNORT® SIDs: 59099 and 59100
ClamAV signatures: Win.RedTrixx.Wiper.tii.Hunt
Title: Wireless routers targeted with Cyclops Blink malware
Description: Cisco Talos is aware of the recent reporting around a new modular malware family, Cyclops Blink, that targets small and home office (SOHO) devices, similar to previously observed threats like VPNFilter. This malware is designed to run on Linux systems and is compiled specifically for the 32-bit PowerPC architecture. The modular nature of this malware allows it to be used in a variety of ways, including typical reconnaissance and espionage activity. It leverages modules to facilitate various operations such as establishment of C2, file upload/download and information extraction capabilities. Talos discovered compromised MikroTik routers inside Ukraine being leveraged to conduct brute-force attacks on devices protected by multi-factor authentication. This continues a pattern we have seen since our investigation into VPNFilter involving actors using MikroTik routers. While it may not be Cyclops Blink specifically, it was yet another router from MikroTik, a vendor widely abused by VPNFilter in the past, passing malicious traffic.
SNORT® SIDs: 59095 – 59098
ClamAV signatures: Unix.Backdoor.CyclopsBlink