RL Blog
|

The Week in Security: Wiper malware rains down on 2022, Microsoft certificates abused

Carolynn van Arsdale
Blog Author

Carolynn van Arsdale, Writer, ReversingLabs. Read More...

wiper-malware-week-in-security

Welcome to the latest edition of The Week in Security, which brings you the newest headlines from both the world and our team across the full stack of security: application security, cybersecurity, and beyond. This week: Twelve malware wipers have been discovered in 2022. Also: The Cuba ransomware gang abused Microsoft certificates to sign malware.  

This Week’s Top Story

Wiper malware rains down on 2022… will it continue to pour?

Wiper malware is a destructive tool, and is used by cybercriminals to permanently delete files found on a victim’s network. While not the most popular form of cyber crime, malware wipers are famous for causing massive damage. 2017’s NotPetya, still considered to be one of the costliest cyber attacks in history, is a perfect example. Now, five years later, wiper malware is still a viable attack method for threat actors. Ars Technica reports that in 2022 alone, cybersecurity researchers identified 12 new malware wipers, including one found just this past week

Check Point researchers discovered the newest family of wiper malware, known as Azov, which has a devastating effect on victims. It is an “effective, fast, and unfortunately unrecoverable data wiper,” according to researchers. The threat actors behind Azov are most likely aligned with Russia’s motivations for its war in Ukraine, based on the ransomware-like post-deployment notes Check Point researchers uncovered. Check Point also found that Azov in particular is a complicated and sophisticated malware family, making it difficult for researchers to detect and analyze. 

Azov is just the most recent malware wiper to be found in recent weeks. Last week, we reported on Fantasy, a wiper malware being distributed via a software supply chain attack. And going back to the start of 2022, multiple malware wiper families have been discovered, some of them also having a Pro-Russian motive, such as HermeticWiper and IsaacWiper

Given the 12 malware families found this past year, the threat of malware wipers appears to not be going away anytime soon. 

News Roundup

Here are the stories we’re paying attention to this week…  

Ransomware gang abused Microsoft certificates to sign malware (WIRED)

New research has found that the Cuba ransomware gang has been using pieces of malware in its attacks that were certified, or given a seal of approval, by Microsoft.

New Python malware backdoors VMware ESXi servers for remote access (Bleeping Computer)

A previously undocumented Python backdoor targeting VMware ESXi servers has been spotted, enabling hackers to execute commands remotely on a compromised system.

Microsoft-signed malicious drivers usher in EDR-killers, ransomware (Dark Reading)

Malicious drivers certified by Microsoft's Windows Hardware Developer Program have been used to juice post-exploitation efforts by cybercriminals, Redmond warned this week — including being used as part of a small toolkit aimed at terminating security software in target networks.

FBI's vetted info sharing network 'InfraGard' hacked (Krebs on Security) 

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum.

EU takes another step towards US data-sharing agreement (The Register)

The EU has issued a draft decision agreeing that measures taken by the United States ensure sufficient protection for personal data to be transferred from the region to US companies.

 



Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts

Do More With Your SOAR

Do More With Your SOAR

Running an SOC is complex — and running without the best tools makes it more difficult. Learn how RL File Enrichment can automate and bolster your SOC.
Read More