Rewterz Threat Advisory – CVE-2022-0022 – Palo Alto Networks PAN-OS Vulnerability
March 14, 2022Rewtez Threat Advisory – Multiple Apache HTTP Server Vulnerabilities
March 15, 2022Rewterz Threat Advisory – CVE-2022-0022 – Palo Alto Networks PAN-OS Vulnerability
March 14, 2022Rewtez Threat Advisory – Multiple Apache HTTP Server Vulnerabilities
March 15, 2022Severity
Medium
Analysis Summary
CaddyWiper is another destructive data wiper suspected to be targeting Ukraine. The wiper, which erases user data and information from associated drives, was discovered on several systems in a limited number of companies. By overwriting the data with a NULL value, CaddyWiper removes all files under C:\Users as well as all files under accessible discs from D: to Z:.
If the size of the target file exceeds 0xA00000 bytes (10MB), it only wipes the first 0xA00000 bytes. CaddyWiper shares no code similarities with HermeticWiper or IsaacWiper, the other two new data wipes that have infected Ukrainian organizations. However, this wiper has a tactical overlap with HermeticWiper as it was deployed via the Windows domain controller, implying that the attackers had gained control of the Active Directory server.
Impact
- Data Exfiltration
- Credential Theft
- Financial Loss
Indicators of Compromise
Filename
- 4n1e0qlh8[.]dll
- caddy1[.]exe
MD5
- 42e52b8daf63e6e26c3aa91e7e971492
- 42e2b6e4fba51ec71235e28ddff27a76
- 3bac736dfc996976ebd089338cf38c8b
- 3a4b1c1f68811b38be74e99e572efae9
SHA-256
- a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
- 1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176
- ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72
- f1e8844dbfc812d39f369e7670545a29efef6764d673038b1c3edd11561d6902
SHA1
- 98b3fb74b3e8b3f9b05a82473551c5a77b576d54
- 4f3362ebac2503906179bd7c002f573886fa85a5
- fc11fb670300addfd203da826c3d0c7b8b8efe24
- c22e17dd8f7b2687011cecc8b2208ceb6cf9b995
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.