Trellix logo
Trellix Introduction Video
Trellix Introduction

A living security platform with a pulse that is always learning and always adapting.

Gartner Magic Quadrant for Endpoint Protection Platforms
Gartner MQ (Endpoint)

Download the Magic Quadrant report, which evaluates the 19 vendors based on ability to execute and completeness of vision.

Gartner Marketplace Guide (XDR)
Gartner® Report: Market Guide for XDR

As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."

Critical Flaws in Widely Used Building Access Control System
Critical Flaws in Widely Used Building Access Control System

At Hardwear.io 2022, Trellix researchers disclosed 8 zero-day vulnerabilities in HID Global Mercury access control panels, allowing them to remotely unlock and lock doors, modify and configure user accounts and subvert detection from management software.

Trellix Threat Labs Research Report: April 2022
Trellix Threat Labs Research Report: April 2022

Our report on the rise of cyberattacks in the fourth quarter and Ukraine in the start of the new year.

Trellix CEO
Our CEO on Living Security

Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.

Trellix Introduction Video
Trellix Introduction

A living security platform with a pulse that is always learning and always adapting.

Stories

The latest cybersecurity trends, best practices,
security vulnerabilities, and more

trellix intelligence

Trellix Global Defenders: Cyberattacks Targeting Ukraine and HermeticWiper Protections

Trellix is monitoring the ongoing cyberattacks targeting the Ukraine and any threat activity targeting entities outside of the Ukraine. Trellix is continuing to add protections to our products via the Global Threat Intelligence (GTI) feed and content updates as new malware variants and behavior indicators are discovered. The Trellix Advanced Programs Group (APG) is also monitoring the threat actors currently targeting the Ukraine and the threat tools being observed in those attacks, monitoring for usage of these tools in your environment can be a proactive step in detecting compromise of your infrastructure.

Analysis from the Trellix Advanced Threat Research (ATR) team into the activity of wipers being deployed within the Ukraine leads them to believe that there is a likely a connection between Whispergate, and the newly identified HermeticWiper.

Figure 1. Breakdown of Activity in the Ukrainian Region in the past 30 Days. Source: Trellix APG Team
Figure 1. Breakdown of Activity in the Ukrainian Region in the past 30 Days. Source: Trellix APG Team

Recommended Steps to Prevent Initial Access

Organizations should look to review the Initial Access Tactics, techniques, and procedures (TTPs) associated with Russian nation state activity to proactively protect their environment from infiltration.

  • Phishing/Spearphishing attacks utilizing shortened URLs of malicious domains.
  • Monitor for brute force activity to identify valid account credentials and Microsoft 365 Accounts.
  • Enable multifactor authentication (MFA) for all users, without exception.
  • Exploiting Public Facing Systems – CISA maintains a full list of CVEs that are known to be exploited: CISA: KNOWN EXPLOITED VULNERABILITIES CATALOG
  • Disabling all ports and protocols that are not essential, especially anything related to remote services.
  • unt and block open-source tools not related to business activities that have been seen in prior attacks – UltraVNC, AdvancedRun, wget, and Impacket
Trellix Protections for the HermeticWiper Malware

Trellix is currently monitoring the latest wiper malware dubbed "HermeticWiper" that has been observed in attacks against the Ukraine. Trellix Global Threat Intelligence (GTI) is currently protecting against all known indicators associated with "HermeticWiper" and MVISION Insights will note detections in your environment as well.

Figure 2. Test system detections of HermeticWiper IOCS. Source: MVISION Insights
Figure 2. Test system detections of HermeticWiper IOCS. Source: MVISION Insights

Figure 3. Event details of successful containment of HermeticWiper by ENS.
Figure 3. Event details of successful containment of HermeticWiper by ENS.

HermeticWiper Threat Intelligence from MVISION Insights

MVISION Insights will provide the current threat intelligence and known indicators for HermeticWiper. MVISION Insights will alert to detections and process traces that have been observed and systems that require additional attention to prevent widespread infection. MVISION Insights will also include Hunting Rules for threat hunting and further intelligence gathering of the threat activity and adversary behind the campaign.

MVISION Insights Campaign Names: HermeticWiper Targeting Ukraine

Figure 4. HermeticWiper campaign description and detections
Figure 4. HermeticWiper campaign description and detections

Figure 5. Hunting Rules for HermeticWiper Malware
Figure 5. Hunting Rules for HermeticWiper Malware

Figure 6. MITRE ATT&CK Framework for HermeticWiper Malware
Figure 6. MITRE ATT&CK Framework for HermeticWiper Malware

Detecting Malicious Activity with MVISION EDR

MVISION EDR is currently monitoring for the activity associated with HermeticWiper and will note the MITRE techniques and any suspicious indicators related to the adversarial activity. Detecting and preventing HermeticWiper from spreading throughout your environment is critical due to the destructive nature of the malware, once the HermeticWiper has infected a system it will remove the System Drivers and Windows files leaving the system inoperable.

Figure 7. MITRE Techniques and Threat Behavior noting deletion of System Drivers and Windows files
Figure 7. MITRE Techniques and Threat Behavior noting deletion of System Drivers and Windows files

Figure 8. Once the deletion of data is complete, a reboot executes, and the system is no longer operable
Figure 8. Once the deletion of data is complete, a reboot executes, and the system is no longer operable

Get the latest

We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.

Please enter a valid email address.
Zero spam. Unsubscribe at any time.