Wiper Malware Mitigation Strategies

Wiper malware threats have become a concern as geopolitical tensions rise. Security researchers have identified a new strain of malware targeting Ukraine, dubbed HermeticWiper. Wiper malware is designed to render systems inoperable and irrecoverable without solid backups. Currently, the wiper malware is targeting Ukraine and some surrounding countries, including Latvia and Lithuania, but this attack could easily turn toward the US and its allies.

With reports that President Biden has been presented with a menu of cyberattack options to disrupt Russia’s military operations, US organizations need to prepare for wiper malware attacks.

Organizations need to balance their preventative strategies with detect/respond/recover strategies to mitigate the wiper malware threat.

Wiper Malware and the NIST Cybersecurity Framework

Let’s start with Recover since that is often overlooked.

Recover:

  • Ensure your backups are isolated or “air-gapped” from your network and not joined to the primary Active Directory Domain. If the attacker gains Domain Admin access to your network, you don’t want them to be able to corrupt backups.
  • Ensure you require multifactor authentication to access your backup application.
  • Test your backups and ensure you can restore essential functions within a reasonable time (e.g., within 24 hours).

Respond:

  • Ensure your Incident Response plan incorporates wiper malware threats. Let us know if you need help developing an Incident Response Plan.
  • Ensure key systems are configured to log security-relevant events.
  • Ensure logs are retained for at least 1 year including Active Directory logs, remote access logs, firewall logs, and all authentication logs. Best practice is to centrally store logs on a well-protected and isolated system.

Prevention:

  • Ensure all remote access requires multifactor authentication.
  • Apply all security patches, focusing initially on CISA’s Known Exploited Vulnerabilities Catalog. Vulnerability management services can be incredibly helpful here.
  • Limit services exposed externally. Regular external vulnerability management can identify exposed services.
  • Implement Microsoft Local Administrator Password Solution (LAPS) to limit the attacker’s ability to move laterally throughout your network.
  • Implement multifactor authentication on all network administrator accounts and any other privileged user accounts.
  • Conduct regular Penetration Testing to identify exploitable weaknesses. Remediate the identified weaknesses.
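
One way to put the patching item above into practice, as an added example that is not part of the original article: cross-reference vulnerability scanner findings against the Known Exploited Vulnerabilities catalog and build a patch queue. The catalog excerpt, hosts and CVE IDs are constructed placeholders, and the ordering (catalog entries first, then externally exposed hosts, then earliest due date) is an assumption of this sketch.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow
# the published feed; the CVE IDs and products are placeholders, not real entries.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "product": "Example VPN Gateway", "dueDate": "2022-03-10"},
  {"cveID": "CVE-0000-0002", "product": "Example Mail Server", "dueDate": "2022-04-01"},
  {"cveID": "CVE-0000-0003", "product": "Example Hypervisor",  "dueDate": "2022-03-20"}
]}
"""

# Constructed scanner findings: (host, CVE ID, externally exposed?)
FINDINGS = [
    ("fileserver01", "CVE-0000-0002", False),
    ("vpn-edge",     "CVE-0000-0001", True),
    ("hr-laptop17",  "CVE-0000-0099", False),   # not listed in the catalog
    ("esx-prod-02",  "CVE-0000-0003", False),
    ("mail-edge",    "CVE-0000-0002", True),
]

def load_kev(raw):
    """Map CVE ID -> remediation due date from a KEV-format JSON document."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(raw)["vulnerabilities"]}

def patch_queue(findings, kev, today):
    """Order findings: KEV-listed first, then exposed hosts, then earliest due date."""
    rows = []
    for host, cve, exposed in findings:
        due = kev.get(cve)  # None when the CVE is not in the catalog
        rows.append({
            "host": host, "cve": cve, "exposed": exposed,
            "in_kev": due is not None,
            "due": due,
            "overdue": due is not None and due < today,
        })
    rows.sort(key=lambda r: (not r["in_kev"], not r["exposed"],
                             r["due"] or date.max, r["host"]))
    return rows

if __name__ == "__main__":
    for r in patch_queue(FINDINGS, load_kev(KEV_JSON), date(2022, 3, 15)):
        tag = "KEV" if r["in_kev"] else "---"
        flags = ("exposed " if r["exposed"] else "") + ("OVERDUE" if r["overdue"] else "")
        print(f'{tag} {r["host"]:<13} {r["cve"]} due={r["due"]} {flags}')
```

Findings that are not in the catalog stay in the queue at the bottom, so they are deferred rather than dropped.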

Detect:

  • Utilize a centrally managed and monitored security solution that incorporates behavioral and anomaly detection in addition to signature-based detection.
  • Ensure alerts are monitored and responded to 24×7.

Organizations should follow the strategies listed above to be better positioned to prevent and mitigate risks of wiper malware. Certainly, there are additional steps that can and should be taken. But this list forms a good starting point and can be the basis for a cybersecurity readiness plan.

About the Author

Geoff Wilson is CEO and Founder of Go Security Pro and is an innovative cybersecurity thought leader with deep experience in defensive cybersecurity strategies. Having trained at the National Security Agency, Geoff brings 20 years of cybersecurity experience to your organization.

Geoff has a Master’s of Information Security from Carnegie Mellon University and a Bachelor’s of Computer Science from the University of Oklahoma. He taught a graduate-level Information Security course at the University of Oklahoma for four years. Geoff is a published author, has worked for the National Security Agency, was a federal cybersecurity auditor, and has consulted with the Executive Office of the President.

Geoff is a business leader, having founded Go Security Pro in early 2019 with his wife and co-founder Susan Wilson. Geoff regularly speaks at conferences, presents to executive leadership and boards, and can get in the technical weeds with IT professionals.

Geoff treats every engagement as a knowledge transfer opportunity and every client with the utmost care. He is ready to assist you with your cybersecurity challenges.