Technical Tip: Using FortiSIEM to detect HermeticWiper / FoxBlade Malware

Staff, March 7, 2022
Description

This article describes how to use custom Rules and Reports in FortiSIEM to raise alerts for incident response related to attacks that attempt to leverage the HermeticWiper virus.

Scope

FortiSIEM

Solution

These Rules and Reports help detect attempts to leverage the HermeticWiper virus to DDoS and wipe the target's disks, based on logs from FortiGate, FortiADC, FortiClient, and FortiProxy.

 

This data wiper malware was first discovered on machines across multiple Ukrainian organizations.

 

It is also known as 'HermeticWiper' due to its digital certificate.

The malware will disable the Volume Shadow Copy Service (VSS) and modify registry keys to disable crash dumps. It will also adjust token privileges to enable SeBackupPrivilege.

It will then traverse through the physical drives, from 0 to 100, and partitions on the victim machine to destroy the data.

Upon reboot, a message will appear stating that there is an error loading the operating system.
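The behaviour described above (the VSS service stopped, crash dumps disabled in the registry, SeBackupPrivilege enabled, then raw access to physical drives) is the kind of multi-signal pattern a SIEM correlation rule encodes. The Python below is an added example, not the article's content pack and not FortiSIEM rule syntax: it parses constructed host-telemetry lines in a simplified key=value format of this example's own design, maps each line to one of the four behaviours, and alerts on a host when two or more distinct behaviours occur within a ten-minute window. The field names, the sample lines, the window and the threshold are assumptions; the registry value CrashControl\CrashDumpEnabled and the "Volume Shadow Copy" service name are real Windows artefacts. The article's own rules key on FortiGate, FortiADC, FortiClient and FortiProxy logs instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article or any real system).
# Simplified key=value format of this example's own design; field names
# are assumptions, not FortiSIEM or Windows attribute names.
SAMPLE_LOGS = r"""
2022-03-07T10:00:01 host=WS01 source=scm event=service_state service="Volume Shadow Copy" state=stopped
2022-03-07T10:00:03 host=WS01 source=registry event=value_set path="HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled" value=0
2022-03-07T10:00:04 host=WS01 source=security event=token_right_adjusted privilege=SeBackupPrivilege enabled=true
2022-03-07T10:00:09 host=WS01 source=sysmon event=raw_access_read target="\\.\PhysicalDrive0"
2022-03-07T10:00:09 host=WS01 source=sysmon event=raw_access_read target="\\.\PhysicalDrive1"
2022-03-07T11:30:00 host=WS02 source=security event=token_right_adjusted privilege=SeBackupPrivilege enabled=true
2022-03-07T13:45:00 host=WS02 source=scm event=service_state service="Volume Shadow Copy" state=stopped
"""

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

WINDOW = timedelta(minutes=10)   # correlation window (assumed value)
THRESHOLD = 2                    # distinct behaviours needed to alert (assumed)


def parse_line(line):
    """Split one '<timestamp> k=v k="v v" ...' line into a dict."""
    ts_str, _, rest = line.strip().partition(" ")
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts_str)
    return fields


def classify(ev):
    """Return the HermeticWiper behaviour an event matches, or None."""
    kind = ev.get("event")
    if kind == "service_state" and ev.get("service") == "Volume Shadow Copy" \
            and ev.get("state") == "stopped":
        return "vss_disabled"
    if kind == "value_set" and ev.get("value") == "0" \
            and ev.get("path", "").lower().endswith(r"\crashcontrol\crashdumpenabled"):
        return "crash_dumps_disabled"
    if kind == "token_right_adjusted" and ev.get("privilege") == "SeBackupPrivilege" \
            and ev.get("enabled") == "true":
        return "sebackup_enabled"
    if kind == "raw_access_read" \
            and re.fullmatch(r"\\\\\.\\PhysicalDrive\d+", ev.get("target", "")):
        return "raw_disk_access"
    return None


def correlate(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {host: sorted behaviours} for every host on which at least
    `threshold` distinct behaviours occur inside one `window`."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        tag = classify(ev)
        if tag is not None:
            per_host[ev["host"]].append((ev["ts"], tag))

    alerts = {}
    for host, events in per_host.items():
        events.sort()
        # Slide the window start over each event; stop at the first hit.
        for i, (start, _) in enumerate(events):
            seen = {tag for ts, tag in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, behaviours in correlate(SAMPLE_LOGS).items():
        print(f"ALERT {host}: possible HermeticWiper activity: {', '.join(behaviours)}")
```

On the constructed input, WS01 trips the rule with all four behaviours inside nine seconds, while WS02 shows two of them more than two hours apart and stays silent; requiring several distinct behaviours in a short window is what keeps a legitimate backup job (which also enables SeBackupPrivilege) from alerting on its own.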

 

For more information about this attack, see the following FortiGuard Outbreak Alert:

FortiGuard Outbreak Alert: HermeticWiper Malware

 

What is included in Fortinet_FortiSIEM_HermeticWiper_Malware.zip?

1) Fortinet_FortiSIEM_HermeticWiper_Malware_Rules_v1.xml

This rule helps identify HermeticWiper malware detected in FortiGate, FortiADC, FortiClient, and FortiProxy logs.

2) Fortinet_FortiSIEM_HermeticWiper_Malware_Report_v1.xml

This report displays the findings on HermeticWiper attacks from FortiGate, FortiADC, FortiClient, and FortiProxy logs.


The exploit allows a locally authenticated attacker to gain elevated local system or administrator privileges.


 

1) Download Fortinet_FortiSIEM_HermeticWiper_Malware.zip (contains 2 files).

2) Unzip Fortinet_FortiSIEM_HermeticWiper_Malware.zip.

3) Use Fortinet_FortiSIEM_HermeticWiper_Malware_Report_v1.xml as the file to import the Reports.

- Navigate to Resource / Reports.
- It is recommended to create a new group under Resource / Reports / Security called 'Hermetic Wiper' and import the reports into this group.
- Select the Import option under More.
- Select Fortinet_FortiSIEM_HermeticWiper_Malware_Report_v1.xml and import.

4) Use Fortinet_FortiSIEM_HermeticWiper_Malware_Rules_v1.xml as the file to import the Rules.

- Navigate to Resource / Rules.
- It is recommended to create a new group under Resource / Rules / Security / Threat Hunting called 'Hermetic Wiper' and import the rules into this group.
- Select the Import option.
- Select Fortinet_FortiSIEM_HermeticWiper_Malware_Rules_v1.xml and import.
- Filter the rules for those defined in content pack 104 and ensure they are enabled.

 

https://help.fortinet.com/fsiem/6-4-0/Online-Help/HTML5_Help/content_updates.htm