Tag Archive for: Wiper

Pro-Iranian Hacker Group Targeting Albania with No-Justice Wiper Malware


Jan 06, 2024 | Newsroom | Malware / Cyber Attack


The recent wave of cyber attacks targeting Albanian organizations involved the use of a wiper called No-Justice.

The findings come from cybersecurity company ClearSky, which said the Windows-based malware “crashes the operating system in a way that it cannot be rebooted.”

The intrusions have been attributed to an Iranian “psychological operation group” known as Homeland Justice, which has been active since July 2022, specifically orchestrating destructive attacks against Albania.

On December 24, 2023, the adversary resurfaced after a hiatus, stating it’s “back to destroy supporters of terrorists,” describing its latest campaign as #DestroyDurresMilitaryCamp. The Albanian city of Durrës currently hosts the dissident group People’s Mojahedin Organization of Iran (MEK).

Targets of the attack included ONE Albania, Eagle Mobile Albania, Air Albania, and the Albanian parliament.

Two of the primary tools deployed during the campaign include an executable wiper and a PowerShell script that’s designed to propagate the former to other machines in the target network after enabling Windows Remote Management (WinRM).


The No-Justice wiper (NACL.exe) is a 220.34 KB binary that requires administrator privileges to erase the data on the computer.

This is accomplished by removing the boot signature from the Master Boot Record (MBR), which refers to the first sector of any hard disk that identifies where the operating system is located in the disk so that it can be loaded into a computer’s RAM.

Also delivered over the course of the attack are legitimate tools like Plink (aka PuTTY Link), RevSocks, and the Windows 2000 resource kit to facilitate reconnaissance, lateral movement, and persistent remote access.


The development comes as pro-Iranian threat actors such as Cyber Av3ngers, Cyber Toufan, Haghjoyan, and YareGomnam Team have increasingly set their sights on Israel and the U.S. amid continuing geopolitical tensions in the Middle East.

“Groups such as Cyber Av3ngers and Cyber Toufan appear to be adopting a narrative of retaliation in their cyber attacks,” Check Point disclosed last month.

“By opportunistically targeting U.S. entities using…

Source…

Defending Your Data: Ransomware Vs. Wiper Malware


Simon Jelley, General Manager for SaaS Protection, Endpoint and Backup Exec at Veritas Technologies.

First, some good news: Ransomware payments are down. One estimate suggests that ransomware groups extorted 40% less money from victims in 2022 compared to 2021 ($456.8 million versus $765.6 million). Could it be that the night truly is darkest before the dawn?

Perhaps, but that’s not to say that ransomware itself is decreasing—some reports show that ransomware activity actually increased by 16% during the second half of 2022, and nearly 90% of organizations experienced ransomware attacks on their multi-cloud environments.

What this implies is that organizations seem to be getting the message that ponying up ransom payments isn’t in their best interests—even if you pay, it’s unlikely that you’ll get your data back in good shape or get it back at all. In fact, as few as 4% of those that pay end up getting all of their data back.

As further evidence that ransomware hasn’t really gone anywhere, consider a similar category of malware that could even be considered an evolution of ransomware: wipers. Like ransomware, wiper malware targets your data, but instead of encrypting it to make it (in theory) temporarily inaccessible, it simply deletes it altogether.

And reports show that wiper malware activity is also increasing—a 53% jump between just the third and fourth quarters of 2022 alone.

While ransomware has an obvious financial motive, wiper malware, much like the old-fashioned distributed denial of service (DDoS) attack, is usually out to cause chaos by disrupting your business, though it has the potential to do much more long-term damage than DDoS attacks. Both are also often employed by so-called hacktivists who are out to make a point rather than make a buck. As Michael Caine playing Alfred Pennyworth so wisely put it, “Some [people] aren’t looking for anything logical, like money. They can’t be bought, bullied, reasoned or negotiated with. Some [people] just want to watch the world burn.”

The silver lining here is that the same steps used to increase your ransomware resilience can be used to increase your resilience against wiper malware. Here…

Source…

FortiGuard Labs Reports Destructive Wiper Malware Increases Over 50%



Adversarial Supply Chains Strengthen in Complexity and Sophistication to Counter Evolving Defenses

Bangalore, India – February 27, 2023: Vishak Raman, Vice President of Sales, India, SAARC & Southeast Asia at Fortinet: “For cyber adversaries, maintaining access and evading detection is no small feat as cyber defenses continue to advance to protect organizations today. To counter, adversaries are augmenting with more reconnaissance techniques and deploying more sophisticated attack alternatives to enable their destructive attempts with APT-like threat methods such as wiper malware or other advanced payloads. To protect against these advanced persistent cybercrime tactics, organizations need to focus on enabling machine learning–driven coordinated and actionable threat intelligence in real time across all security devices to detect suspicious actions and initiate coordinated mitigation across the extended attack surface.”

News Summary:

Fortinet® (NASDAQ: FTNT), the global cybersecurity leader driving the convergence of networking and security, today announced the latest semiannual Global Threat Landscape Report from FortiGuard Labs. The threat landscape and organizations’ attack surface are constantly transforming, and cybercriminals’ ability to design and adapt their techniques to suit this evolving environment continues to pose significant risk to businesses of all sizes, regardless of industry or geography. For a detailed view of the report, as well as some important takeaways, read the blog.

Highlights of the 2H 2022 report follow:

  • The mass distribution of wiper malware continues to showcase the destructive evolution of cyberattacks.
  • New intelligence allows CISOs to prioritize risk mitigation efforts and minimize the active attack surface with the expansion of the “Red Zone” approach.
  • Ransomware threats remain at peak levels with no evidence of slowing down globally with new variants enabled by Ransomware-as-a-Service (RaaS).
  • The most prevalent malware was more than a year old and had gone through a large amount of speciation, highlighting the efficacy and economics…

Source…

Ukraine Hit with New Golang-based ‘SwiftSlicer’ Wiper Malware in Latest Cyber Attack


Jan 28, 2023 | Ravie Lakshmanan | Cyber Threat / Cyber War


Ukraine has come under a fresh cyber onslaught from Russia that involved the deployment of a previously undocumented Golang-based data wiper dubbed SwiftSlicer.

ESET attributed the attack to Sandworm, a nation-state group linked to Military Unit 74455 of the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).

“Once executed it deletes shadow copies, recursively overwrites files located in %CSIDL_SYSTEM%\drivers, %CSIDL_SYSTEM_DRIVE%\Windows\NTDS and other non-system drives and then reboots computer,” ESET disclosed in a series of tweets.

The overwrites are achieved by using randomly generated byte sequences to fill 4,096 byte-length blocks. The intrusion was discovered on January 25, 2023, the Slovak cybersecurity company added.

Sandworm, also tracked under the monikers BlackEnergy, Electrum, Iridium, Iron Viking, TeleBots, and Voodoo Bear, has a history of staging disruptive and destructive cyber campaigns targeting organizations worldwide since at least 2007.

The sophistication of the threat actor is evidenced by its multiple distinct kill chains, which comprise a wide variety of custom tools such as BlackEnergy, GreyEnergy, Industroyer, NotPetya, Olympic Destroyer, Exaramel, and Cyclops Blink.

In 2022 alone, coinciding with Russia’s military invasion of Ukraine, Sandworm has unleashed WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, Industroyer2, Prestige, and RansomBoggs against critical infrastructure in Ukraine.

“When you think about it, the growth in wiper malware during a conflict is hardly a surprise,” Fortinet FortiGuard Labs researcher Geri Revay said in a report published this week. “It can scarcely be monetized. The only viable use case is destruction, sabotage, and cyberwar.”

The discovery of SwiftSlicer points to the consistent use of wiper malware variants by the Russian adversarial collective in attacks designed to wreak havoc in Ukraine.


The development also comes as the Computer Emergency Response Team of Ukraine (CERT-UA) linked Sandworm to a recent largely unsuccessful cyber attack on the national news agency Ukrinform.

The intrusion, which is…

Source…