CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine

04/28/2022 10:00 AM EDT

Original release date: April 28, 2022

CISA and the Federal Bureau of Investigation (FBI) have updated joint Cybersecurity Advisory AA22-057A: Destructive Malware Targeting Organizations in Ukraine, originally released February 26, 2022. The advisory has been updated to include additional indicators of compromise for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware.

CISA and the FBI encourage organizations to review the update to AA22-057A as well as the Shields Up Technical Guidance webpage for ways to identify, respond to, and mitigate disruptive cyber activity. 

This product is provided subject to this Notification and this Privacy & Use policy.

Broadcom Software Discloses APT Actors Deploying Daxin Malware in Global Espionage Campaign

02/28/2022 10:01 AM EST

Original release date: February 28, 2022

Broadcom Software—an industry member of CISA’s Joint Cyber Defense Collaborative (JCDC)—uncovers an advanced persistent threat (APT) campaign against select governments and other critical infrastructure targets in a publication titled Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks. The Symantec Threat Hunter team, part of Broadcom Software, worked with CISA to engage with multiple governments targeted with Daxin malware and assisted in detection and remediation.

Daxin malware is a highly sophisticated rootkit backdoor with complex, stealthy command and control (C2) functionality that enabled remote actors to communicate with secured devices not connected directly to the internet. Daxin appears to be optimized for use against hardened targets, allowing the actors to deeply burrow into targeted networks and exfiltrate data without raising suspicions.  

CISA urges organizations to review Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks for more information and for a list of indicators of compromise that may aid in the detection of this activity.

Report incidents related to this activity to CISA and/or the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This product is provided subject to this Notification and this Privacy & Use policy.

CISA Releases Advisory on Destructive Malware Targeting Organizations in Ukraine

02/26/2022 10:00 AM EST

Original release date: February 26, 2022

CISA and the Federal Bureau of Investigation have released an advisory on destructive malware targeting organizations in Ukraine. The advisory also provides recommendations and strategies to prepare for and respond to destructive malware. 

Additionally, CISA has created a new Shields Up Technical Guidance webpage that details other malicious cyber activity affecting Ukraine. The webpage includes technical resources from partners to assist organizations against these threats. 

CISA recommends organizations review Destructive Malware Targeting Organizations in Ukraine and Shields Up Technical Guidance webpage for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

New Sandworm Malware Cyclops Blink Replaces VPNFilter

02/23/2022 10:00 AM EST

Original release date: February 23, 2022

The United Kingdom’s National Cyber Security Centre, CISA, the National Security Agency, and the Federal Bureau of Investigation have released a joint Cybersecurity Advisory (CSA) reporting that the malicious cyber actor known as Sandworm or Voodoo Bear is using new malware, referred to as Cyclops Blink. Cyclops Blink appears to be a replacement framework for the VPNFilter malware exposed in 2018, which exploited network devices, primarily small office/home office routers and network-attached storage devices.

CISA encourages users and administrators to review joint CSA: New Sandworm Malware Cyclops Blink Replaces VPNFilter for additional technical details and mitigations.

This product is provided subject to this Notification and this Privacy & Use policy.

Microsoft Warns of Destructive Malware Targeting Ukrainian Organizations

01/16/2022 09:13 AM EST

Original release date: January 16, 2022

Microsoft has released a blog post on possible Master Boot Record (MBR) Wiper activity targeting Ukrainian organizations, including Ukrainian government agencies. According to Microsoft, powering down the victim device executes the malware, which overwrites the MBR with a ransom note; however, the ransom note is a ruse because the malware actually destroys the MBR and the targeted files.
 
CISA recommends network defenders review the Microsoft blog for tactics, techniques, and procedures, as well as indicators of compromise related to this activity. CISA additionally recommends network defenders review recent Cybersecurity Advisories and the CISA Insights, Preparing For and Mitigating Potential Cyber Threats.

 

 

This product is provided subject to this Notification and this Privacy & Use policy.

CNMF Identifies and Discloses Malware used by Iranian APT MuddyWater

01/12/2022 03:34 PM EST

Original release date: January 12, 2022

U.S. Cyber Command’s Cyber National Mission Force (CNMF) has identified multiple open-source tools used by an Iranian advanced persistent threat (APT) group known as MuddyWater. According to CNMF, “MuddyWater has been seen using a variety of techniques to maintain access to victim networks. These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions.” U.S. Cyber Command has released malware samples attributed to MuddyWater to the malware aggregation tool and repository, VirusTotal.

CISA encourages users and administrators to review U.S. Cyber Command’s press release, Iranian intel cyber suite of malware uses open source tools, as well as their VirusTotal page for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Malware Discovered in Popular NPM Package, ua-parser-js

10/22/2021 09:57 PM EDT

Original release date: October 22, 2021

Versions of a popular NPM package named ua-parser-js was found to contain malicious software. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. 

CISA urges users and administers using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1   

For more information, see Embedded malware in ua-parser-js.
 

This product is provided subject to this Notification and this Privacy & Use policy.