Tenable Blog

Sandworm APT Deploys New SwiftSlicer Wiper Using Active Directory Group Policy

Sandworm, the Russian-backed APT responsible for NotPetya in 2017, has recently attacked a Ukrainian organization using a new wiper, SwiftSlicer.

Background

On January 27, ESET Research published a Twitter thread discussing its analysis of a new wiper malware used in a cyberattack in Ukraine. This new malware, dubbed "SwiftSlicer", was deployed in the target environment using Active Directory (AD) Group Policy. ESET has attributed the attack to Sandworm, an advanced persistent threat (APT) group most notably responsible for the NotPetya attacks in Ukraine in 2017.

Analysis

SwiftSlicer is a wiper malware written in the Go programming language. It was deployed against Ukrainian targets through Group Policy Modification, a form of Domain Policy Modification. Use of AD group policies indicates that, after gaining access to the target, the threat actor had compromised the domain controller. SwiftSlicer then overwrites shadow copies, files in the driver directory "%CSIDL_SYSTEM%/drivers", the NT Directory Services folder "%CSIDL_SYSTEM%/Windows/NTDS" and other non-system drives with random data before forcibly rebooting the machine.

Sandworm, which has been operating since at least 2009, has targeted Ukraine in a years-long campaign, launching numerous high-profile attacks against Ukrainian infrastructure and entities, such as attacks on the national power grid in 2015 and 2016 and an attempted attack in 2022. The use of AD group policies is not new for Sandworm. In the first few months of 2022, two similar wiper variants, HermeticWiper and CaddyWiper, were dropped onto devices of target organizations in Ukraine using group policies.
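Because the wiper reached endpoints through an edited GPO, the domain controller's own audit trail is the place a defender can see that step. The script below is an added example (not code from the Tenable post or from ESET): it filters Windows Security event 5136 records ("A directory service object was modified") for edits to groupPolicyContainer objects by accounts outside an allow-list of expected GPO administrators, rating changes to gPCMachineExtensionNames highest because that attribute changes when a new kind of setting is enabled in a GPO. The records, account names and the allow-list are constructed for the example; the GPO GUID is the well-known Default Domain Policy.

```python
"""Flag Group Policy Object (GPO) edits recorded on a domain controller.
Added example, not code from the Tenable post or from ESET: it scans Windows
Security event 5136 ("A directory service object was modified") records for
changes to groupPolicyContainer objects by accounts that are not expected GPO
admins. Records are a constructed, simplified dict form of the event fields.
"""
from dataclasses import dataclass
from typing import Optional

# Attribute listing the client-side extensions a GPO's machine settings use;
# a change here means a new kind of setting (scripts, tasks, ...) was enabled.
CSE_ATTRIBUTE = "gPCMachineExtensionNames"


@dataclass
class GpoChange:
    actor: str
    gpo_dn: str
    attribute: str
    severity: str


def parse_5136(rec: dict) -> Optional[GpoChange]:
    """Return a GpoChange for a 5136 record that touches a GPO, else None."""
    if rec.get("EventID") != 5136 or rec.get("ObjectClass") != "groupPolicyContainer":
        return None
    attr = rec.get("AttributeLDAPDisplayName", "")
    severity = "high" if attr == CSE_ATTRIBUTE else "medium"
    return GpoChange(rec.get("SubjectUserName", "?"), rec.get("ObjectDN", "?"), attr, severity)


def suspicious_gpo_changes(events, allowed_admins) -> list:
    """GPO edits made by anyone outside the allow-list of expected GPO admins."""
    allowed = {a.lower() for a in allowed_admins}
    changes = (parse_5136(rec) for rec in events)
    return [c for c in changes if c and c.actor.lower() not in allowed]


# Constructed sample records; the GUID is the well-known Default Domain Policy.
GPO_DN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "gpo-admin", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": "versionNumber"},
    {"EventID": 5136, "SubjectUserName": "svc-backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": GPO_DN, "AttributeLDAPDisplayName": CSE_ATTRIBUTE},
    {"EventID": 5136, "SubjectUserName": "svc-backup", "ObjectClass": "user",
     "ObjectDN": "CN=jdoe,CN=Users,DC=corp,DC=example", "AttributeLDAPDisplayName": "description"},
    {"EventID": 4624, "SubjectUserName": "svc-backup"},
]
```

Event 5136 is only written when "Audit Directory Service Changes" is enabled and the Policies container carries a SACL; without that, the GPO edit leaves no such record.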

Historical exploitation of vulnerabilities for initial access

Researchers from iSIGHT Partners detailed the Sandworm Team’s use of vulnerabilities as part of spearphishing attacks against targeted entities, including a zero-day in Windows Object Linking and Embedding (OLE), identified as CVE-2014-4114, as well as CVE-2013-3906, a remote code execution vulnerability in the Microsoft Graphics Device Interface (GDI+).

In 2020, the National Security Agency (NSA) issued a cybersecurity advisory detailing the Sandworm Team’s use of CVE-2019-10149, a remote command execution vulnerability in the Exim mail transfer agent.

In 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) warned that Sandworm was observed exploiting CVE-2022-30190, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT), also known as Follina.

Identifying affected systems

Sandworm has been known to utilize zero days and spearphishing techniques to infiltrate networks and spread a variety of malware. As demonstrated in this attack, the group often takes advantage of AD in order to infect as many machines as possible. Their techniques are often destructive, as they continue to favor "wiper" type malware to render workstations inoperable, while generally leaving AD intact to maintain their foothold in a victim's organization. We highly recommend reviewing your AD environment with a focus on misconfigurations that may put your organization at risk. Tenable's Active Directory Security solution helps organizations gain visibility into their complex AD environment, predict what matters to reduce risk, and eliminate attack paths before attackers exploit them.

The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed Common Vulnerabilities and Exposures (CVEs). A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Tenable has coverage for CVEs known to be used by Sandworm. A dynamic and filtered list can be found here.

Get more information

Join Tenable's Security Response Team on the Tenable Community

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
