# Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections **[trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html](https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/defenders-blog-on-cyberattacks-targeting-ukraine.html)** Cyberattacks Targeting Ukraine and HermeticWiper Protections ## Stories The latest cybersecurity trends, best practices, security vulnerabilities, and more By [Taylor Mullins · February 28, 2022](https://www.trellix.com/en-us/about/newsroom/stories/contributors/taylor-mullins.html) Trellix is monitoring the ongoing cyberattacks targeting the Ukraine and any threat activity targeting entities outside of the Ukraine. Trellix is continuing to add protections to our products via the Global Threat Intelligence (GTI) feed and content updates as new malware variants and behavior indicators are discovered. The Trellix Advanced Programs Group (APG) is also monitoring the threat actors currently targeting the Ukraine and the threat tools being observed in those attacks, monitoring for usage of these tools in your environment can be a proactive step in detecting compromise of your infrastructure. Analysis from the Trellix Advanced Threat Research (ATR) team into the activity of wipers being deployed within the Ukraine leads them to believe that there is a likely a connection between Whispergate, and the newly identified HermeticWiper. ----- **Figure 1. Breakdown of Activity in the Ukrainian Region in the past 30 Days. Source:** **Trellix APG Team** Recommended Steps to Prevent Initial Access Organizations should look to review the Initial Access Tactics, techniques, and procedures (TTPs) associated with Russian nation state activity to proactively protect their environment from infiltration. Phishing/Spearphishing attacks utilizing shortened URLs of malicious domains. Monitor for brute force activity to identify valid account credentials and Microsoft 365 Accounts. Enable multifactor authentication (MFA) for all users, without exception. Exploiting Public Facing Systems – CISA maintains a full list of CVEs that are known [to be exploited: CISA: KNOWN EXPLOITED VULNERABILITIES CATALOG](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) Disabling all ports and protocols that are not essential, especially anything related to remote services. unt and block open-source tools not related to business activities that have been seen in prior attacks – UltraVNC, AdvancedRun, wget, and Impacket Trellix Protections for the HermeticWiper Malware Trellix is currently monitoring the latest wiper malware dubbed "HermeticWiper" that has been observed in attacks against the Ukraine. Trellix Global Threat Intelligence (GTI) is currently protecting against all known indicators associated with "HermeticWiper" and MVISION Insights will note detections in your environment as well. ----- **Figure 2. Test system detections of HermeticWiper IOCS. Source: MVISION Insights** ----- **Figure 3. Event details of successful containment of HermeticWiper by ENS.** HermeticWiper Threat Intelligence from MVISION Insights MVISION Insights will provide the current threat intelligence and known indicators for HermeticWiper. MVISION Insights will alert to detections and process traces that have been observed and systems that require additional attention to prevent widespread infection. MVISION Insights will also include Hunting Rules for threat hunting and further intelligence gathering of the threat activity and adversary behind the campaign. **MVISION Insights Campaign Names: HermeticWiper Targeting Ukraine** ----- **Figure 4. HermeticWiper campaign description and detections** **Figure 5. Hunting Rules for HermeticWiper Malware** **Figure 6. MITRE ATT&CK Framework for HermeticWiper Malware** Detecting Malicious Activity with MVISION EDR ----- MVISION EDR is currently monitoring for the activity associated with HermeticWiper and will note the MITRE techniques and any suspicious indicators related to the adversarial activity. Detecting and preventing HermeticWiper from spreading throughout your environment is critical due to the destructive nature of the malware, once the HermeticWiper has infected a system it will remove the System Drivers and Windows files leaving the system inoperable. **Figure 7. MITRE Techniques and Threat Behavior noting deletion of System Drivers** **and Windows files** **Figure 8. Once the deletion of data is complete, a reboot executes, and the system is** **no longer operable** ### Featured Content PERSPECTIVES ### Our CEO On Living Security By [Bryan Palma · January 19, 2022](https://www.trellix.com/en-us/about/newsroom/stories/contributors/bryan-palma.html) Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning. ----- [Read More](https://www.trellix.com/en-us/about/newsroom/stories/perspectives/our-ceo-on-living-security.html) XDR ### Time to Drive Change by Challenging the Challengers By [Michelle Salvado · January 19, 2022](https://www.trellix.com/en-us/about/newsroom/stories/contributors/michelle-salvado.html) Dynamic threats call for dynamic security – the path to resiliency lies in XDR. [Read More](https://www.trellix.com/en-us/about/newsroom/stories/xdr/time-to-drive-change-by-challenging-the-challengers.html) THREAT LABS ### 2022 Threat Predictions By Trellix · January 19, 2022 What cyber security threats should enterprises look out for in 2022? [Read More](https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/2022-threat-predictions.html) ## Get the latest We’re no strangers to cybersecurity. But we are a new company. Stay up to date as we evolve. Please enter a valid email address. Zero spam. Unsubscribe at any time. -----