{"id":267142,"date":"2022-02-25T14:53:26","date_gmt":"2022-02-25T13:53:26","guid":{"rendered":"https:\/\/www.stormshield.com\/?p=267142"},"modified":"2024-02-15T11:38:15","modified_gmt":"2024-02-15T10:38:15","slug":"alerte-securite-hermeticwiper-la-reponse-des-produits-stormshield","status":"publish","type":"post","link":"https:\/\/www.stormshield.com\/fr\/actus\/alerte-securite-hermeticwiper-la-reponse-des-produits-stormshield\/","title":{"rendered":"Security alert HermeticWiper &#038; CaddyWiper: the response of Stormshield products"},"content":{"rendered":"<p><strong>Ukraine is currently at the heart of a genuine cyberwar. After several waves of DDoS attacks targeting government and bank websites, Ukrainian government bodies (as a whole) are in turn in the crosshairs of malicious attacks. And after the DDoS attacks, these cyberattacks carry a devastating piece of malware: HermeticWiper. An update on a critical vulnerability, within an unprecedented geopolitical situation, with the Stormshield Customer Security Lab team.<\/strong><\/p>\n<p><em>EDIT: article updated on March 18, 2022 to describe the recently discovered CaddyWiper strains (at the end of the article).<\/em><\/p>\n<p>&nbsp;<\/p>\n<h2>The context of the HermeticWiper cyberattack<\/h2>\n<p>On February 23, the research teams at Eset announced <a href=\"https:\/\/twitter.com\/ESETresearch\/status\/1496581903205511181\" target=\"_blank\" rel=\"noopener\">in a post on Twitter<\/a> that they had discovered new data-wiping malware. 
Dubbed <strong>HermeticWiper<\/strong> (a variant of KillDisk.NCV, now named Win32\/HermeticWiper.a), it is reportedly being used against various Ukrainian government bodies, such as the Ministry of Foreign Affairs, the ministers' cabinets and the Parliament (the Rada). The official attribution of the attack is still under debate, even though the current geopolitical situation and <a href=\"https:\/\/securityaffairs.co\/wordpress\/128349\/malware\/wiper-malware-hermeticwipe-ukrain.html\" target=\"_blank\" rel=\"noopener\">the presence of an APT group linked to the country<\/a> seem to point to Russia.<\/p>\n<p>This malware, apparently distributed via GPO and therefore aimed at compromising the victim's information system, hijacks a legitimate disk-partitioning driver to corrupt the system's partitions, causing the loss of a machine's data (server or workstation). The objective of the attack is clear and singular: data destruction. Hence the name given to the malware (\"wiper\" comes from the English verb \"to wipe\", meaning to erase).<\/p>\n<p>&nbsp;<\/p>\n<h2>Technical details of the HermeticWiper malware<\/h2>\n<p>To date, two variants of the HermeticWiper malware are known:<\/p>\n<ul>\n<li>1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591<\/li>\n<li>0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da<\/li>\n<\/ul>\n<p>An in-depth analysis of the malware shows that this wiper is signed by the company \"Hermetica Digital Ltd\" through the Digicert root authority. 
The certificate was revoked on the afternoon of February 24, 2022.<\/p>\n<div id=\"attachment_267097\" style=\"width: 760px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267097\" class=\"wp-image-267097\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-1.png\" alt=\"\" width=\"750\" height=\"487\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-1.png 797w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-1-300x195.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-1-768x499.png 768w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-1-400x260.png 400w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-1-700x455.png 700w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\" \/><p id=\"caption-attachment-267097\" class=\"wp-caption-text\"><small><em>Figure 1: the certificate signing the malware is valid although revoked<\/em><\/small><\/p><\/div>\n<p>The malware was not modified after compilation to make its analysis harder. In that sense, it is not packed and its strings appear in cleartext.<\/p>\n<p>Another interesting finding from this analysis: according to the program's metadata, an older version was apparently compiled on December 28, 2021. 
A sign that the operation was planned long in advance:<\/p>\n<div id=\"attachment_267102\" style=\"width: 410px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267102\" class=\"wp-image-267102\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-2.png\" alt=\"\" width=\"400\" height=\"40\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-2.png 405w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-2-300x30.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-2-400x41.png 400w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><p id=\"caption-attachment-267102\" class=\"wp-caption-text\"><small><em>Figure 2: creation dates of the binary according to its embedded metadata<\/em><\/small><\/p><\/div>\n<p>In terms of operation, when the malware starts executing, it draws on its embedded resource section to extract one of the following four drivers:<\/p>\n<div id=\"attachment_267107\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267107\" class=\"wp-image-267107\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-3.jpg\" alt=\"\" width=\"300\" height=\"79\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-3.jpg 317w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-3-300x79.jpg 300w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><p id=\"caption-attachment-267107\" class=\"wp-caption-text\"><small><em>Figure 3: the four drivers embedded in the malware<\/em><\/small><\/p><\/div>\n<p>These drivers correspond to Windows 7\/8\/10\/11 and XP systems and are available in both 32-bit and 64-bit versions. The SZDD signature shows that they are compressed with the LZSS algorithm (an old compression format historically used by Microsoft since Windows 3.x, by utilities such as COMPRESS.EXE). This also explains the malware's dependency on LZ32.DLL.<\/p>\n<div id=\"attachment_267112\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267112\" class=\"wp-image-267112\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-4.jpg\" alt=\"\" width=\"600\" height=\"217\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-4.jpg 637w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-4-300x108.jpg 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><p id=\"caption-attachment-267112\" class=\"wp-caption-text\"><small><em>Figure 4: decoding a driver<\/em><\/small><\/p><\/div>\n<p>Extracting the files is therefore straightforward:<\/p>\n<table class=\" aligncenter\" width=\"0\">\n<tbody>\n<tr>\n<td style=\"text-align: left;\" width=\"132\"><strong>Driver<\/strong><\/td>\n<td style=\"text-align: left;\" width=\"586\"><strong>SHA-256<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><strong>XP 32 bits<\/strong><\/td>\n<td width=\"586\">2C7732DA3DCFC82F60F063F2EC9FA09F9D38D5CFBE80C850DED44DE43BDB666D<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><strong>XP 64 bits<\/strong><\/td>\n<td width=\"586\">23EF301DDBA39BB00F0819D2061C9C14D17DC30F780A945920A51BC3BA0198A4<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><strong>Vista+ 32 bits<\/strong><\/td>\n<td width=\"586\">8C614CF476F871274AA06153224E8F7354BF5E23E6853358591BF35A381FB75B<\/td>\n<\/tr>\n<tr>\n<td width=\"132\"><strong>Vista+ 64 bits<\/strong><\/td>\n<td 
width=\"586\">96B77284744F8761C4F2558388E0AEE2140618B484FF53FA8B222B340D2A9C84<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em><small>Figure 5: SHA-256 hashes of the extracted drivers<\/small><\/em><\/p>\n<p>&nbsp;<\/p>\n<p>These drivers are the ones found in the partition management software \"<strong>EaseUS Partitionning<\/strong>\", at least in version 9.2.1. They are signed and legitimate, but the certificate has expired and the timestamp is not compliant.<\/p>\n<div id=\"attachment_267117\" style=\"width: 410px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267117\" class=\"wp-image-267117\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-6.jpg\" alt=\"\" width=\"400\" height=\"404\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-6.jpg 422w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-6-297x300.jpg 297w\" sizes=\"auto, (max-width: 400px) 100vw, 400px\" \/><p id=\"caption-attachment-267117\" class=\"wp-caption-text\"><small><em>Figure 6: driver signature<\/em><\/small><\/p><\/div>\n<p>The driver to load is selected to match the host machine's operating system. The malware then opens a communication channel to the driver <strong>\\\\.\\EPMNTDRV\\<\/strong>, and disk writes go through it. This driver is ideal both for bypassing user-land security solutions and for overwriting disk areas that belong to volumes mounted and in use by Windows.<\/p>\n<p>During analysis, the malware was found not to alter the MBR (so the partition table is preserved). 
However, it alters the first sectors of the FAT\/FAT32\/NTFS partitions on each disk. As a result, the system no longer boots because the partitions are corrupted.<\/p>\n<div id=\"attachment_267122\" style=\"width: 260px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267122\" class=\"wp-image-267122\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-7.png\" alt=\"\" width=\"250\" height=\"200\" \/><p id=\"caption-attachment-267122\" class=\"wp-caption-text\"><small><em>Figure 7: corrupted system that no longer boots<\/em><\/small><\/p><\/div>\n<p>Here, the displayed message comes from the error handling of the MBR, which remained intact:<\/p>\n<div id=\"attachment_267127\" style=\"width: 760px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267127\" class=\"wp-image-267127\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-8.png\" alt=\"\" width=\"750\" height=\"571\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-8.png 777w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-8-300x229.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-8-768x585.png 768w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-8-500x380.png 500w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-8-700x533.png 700w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\" \/><p id=\"caption-attachment-267127\" class=\"wp-caption-text\"><small><em>Figure 8: the MBR, left intact, is able to display a message when it fails to locate the boot partitions<\/em><\/small><\/p><\/div>\n<p>Examining the first sectors of the partitions reveals the corruption:<\/p>\n<div id=\"attachment_267132\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267132\" class=\"wp-image-267132\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-9-1024x394.png\" alt=\"\" width=\"800\" height=\"308\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-9-1024x394.png 1024w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-9-300x115.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-9-768x295.png 768w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-9-1396x537.png 1396w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-9-700x269.png 700w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-9.png 1430w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><p id=\"caption-attachment-267132\" class=\"wp-caption-text\"><small><em>Figure 9: on the left, the healthy FAT32 partition; on the right, the corrupted FAT32 partition<\/em><\/small><\/p><\/div>\n<div id=\"attachment_267137\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267137\" class=\"wp-image-267137\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-10-1024x391.png\" alt=\"\" width=\"800\" height=\"305\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-10-1024x391.png 1024w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-10-300x114.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-10-768x293.png 768w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-10-1396x533.png 1396w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-10-700x267.png 700w, 
https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-10.png 1426w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><p id=\"caption-attachment-267137\" class=\"wp-caption-text\"><small><em>Figure 10: on the left, the healthy NTFS partition; on the right, the corrupted NTFS partition<\/em><\/small><\/p><\/div>\n<p>During analysis, we found that the first two sectors were overwritten on FAT32 partitions, whereas many more sectors are overwritten on NTFS partitions. An NTFS specificity: the malware targets particular files so that data recovery becomes very difficult.<\/p>\n<div id=\"attachment_267143\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267143\" class=\"wp-image-267143\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-11.png\" alt=\"\" width=\"600\" height=\"371\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-11.png 618w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-11-300x185.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><p id=\"caption-attachment-267143\" class=\"wp-caption-text\"><small><em>Figure 11: special NTFS files searched for by the malware<\/em><\/small><\/p><\/div>\n<h3>Systems targeted by the HermeticWiper cyberattack<\/h3>\n<p>This malware attacks Windows XP, Vista, Seven, 10 and 11 systems, both 32-bit and 64-bit, regardless of the system language.<\/p>\n<h3>Other information about the HermeticWiper cyberattack<\/h3>\n<p><strong>Digital signatures<\/strong><\/p>\n<p>For both the malware and the drivers, the digest algorithm used is SHA-1. 
As a reminder, this 160-bit algorithm has been deprecated for several years. That said, for compatibility with older software, it is still tolerated in some cases.<\/p>\n<p><strong>Administrator rights<\/strong><\/p>\n<p>This malware strictly requires administrator rights in order to drop the driver and load it. This is not an obstacle, since in the observed attack vector the malware was deployed through GPO (and therefore with sufficiently high privileges).<\/p>\n<p><strong>Execution delay<\/strong><\/p>\n<p>The malware performs its malicious actions very shortly after starting. By the time its CPU activity drops to 0%, the system is already corrupted. Normal Windows activity will inevitably trigger a failure within the following seconds or minutes.<\/p>\n<p>Note that the malware does not exit after corrupting a system: its process stays alive but does nothing. It may be waiting for removable disks to be plugged in so it can corrupt them in turn.<\/p>\n<p><strong>Reboot<\/strong><\/p>\n<p>The malware does not request an immediate reboot of the machine after corrupting the partitions. However, the operating system may panic following the live corruption of the file system it runs on. 
The immediate causes of the panic vary, but what is certain is that when the Windows kernel panics, the result is a BSOD, potentially followed by a forced reboot depending on the configuration.<\/p>\n<div id=\"attachment_267148\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267148\" class=\"wp-image-267148\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-12-1024x831.png\" alt=\"\" width=\"800\" height=\"649\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-12-1024x831.png 1024w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-12-300x243.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-12-768x623.png 768w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-12-700x568.png 700w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-12.png 1039w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><p id=\"caption-attachment-267148\" class=\"wp-caption-text\"><small><em>Figure 12: a Windows kernel corrupted by disk wiping<\/em><\/small><\/p><\/div>\n<p><strong>Disabling crash dumps<\/strong><\/p>\n<p>The malware reconfigures the system so that no crash dump is generated after a BSOD. 
It does so by writing the value 0 to this registry location:<\/p>\n<div id=\"attachment_267153\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267153\" class=\"wp-image-267153\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-13.png\" alt=\"\" width=\"600\" height=\"160\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-13.png 610w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-13-300x80.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><p id=\"caption-attachment-267153\" class=\"wp-caption-text\"><small><em>Figure 13: reference to the registry setting that disables kernel crash dumps<\/em><\/small><\/p><\/div>\n<p><strong>Miscellaneous<\/strong><\/p>\n<ul>\n<li>The VSS service is located and stopped by the HermeticWiper malware.<\/li>\n<li>Some file display settings in File Explorer are altered: ShowCompColor (used to highlight compressed files in blue) and ShowInfoTip (used to display tooltips)<\/li>\n<\/ul>\n<div id=\"attachment_267158\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267158\" class=\"wp-image-267158\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-14.png\" alt=\"\" width=\"600\" height=\"190\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-14.png 620w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-14-300x95.png 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><p id=\"caption-attachment-267158\" class=\"wp-caption-text\"><small><em>Figure 14: reference to the File Explorer registry settings<\/em><\/small><\/p><\/div>\n<p>&nbsp;<\/p>\n<h2>The protections provided by Stormshield against the HermeticWiper malware<\/h2>\n<h3>Protection with Stormshield Network Security<\/h3>\n<p>Breach Fighter, the SaaS sandboxing solution that complements Stormshield Network Security (SNS), detects all HermeticWiper-type malware.<\/p>\n<p>When a file passes through a monitored flow, SNS computes its hash and checks it against Breach Fighter to verify that it is harmless (an unknown file is sent to our cloud detonation environment). It will therefore be blocked immediately.<\/p>\n<p>For this detection to be effective, you need to:<\/p>\n<ul>\n<li>have the Premium Security Pack license and the Breach Fighter option<\/li>\n<li>enable sandboxing on all flows that carry files (SMTP, HTTP, FTP)<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"67\" height=\"50\" \/><\/p>\n<p style=\"text-align: center;\">Confidence index of the protection offered by Stormshield<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"67\" height=\"50\" \/><\/p>\n<p style=\"text-align: center;\">Confidence index of the absence of false positives<\/p>\n<h3>Protection with Stormshield Endpoint Security<\/h3>\n<p><strong>SES v7.2<\/strong><\/p>\n<p>The wiper malware requests the driver-loading privilege \"<strong>SeLoadDriverPrivilege<\/strong>\" in order to start the maliciously used <strong>EaseUS<\/strong> driver. 
This behavior is detected and blocked by SES (v7.2) through the privilege escalation protection set to \"<strong>Haut<\/strong>\" or \"<strong>Sup\u00e9rieur<\/strong>\". Without this driver, the malware can no longer wipe data on the workstation.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"67\" height=\"50\" \/><\/p>\n<p style=\"text-align: center;\">Confidence index of the protection offered by Stormshield<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"67\" height=\"50\" \/><\/p>\n<p style=\"text-align: center;\">Confidence index of the absence of false positives<\/p>\n<p><strong>SES Evolution<\/strong><\/p>\n<p>A dedicated rule set has been made available to users free of charge to counter the HermeticWiper malware.<\/p>\n<p>In practice, processes whose signature references the certificate stolen from \"<strong>Hermetica Digital LTD<\/strong>\" are blocked. And even if a variant were to use another certificate (or no certificate at all), the creation of \"<strong>driver<\/strong>\" files is controlled and allowed only for Microsoft programs.<\/p>\n<p><strong>Please note that this configuration strictly restricts the dropping of drivers by non-Microsoft programs and can therefore cause many false positives if the administrator is not careful. 
This rule is disabled in the supplied rule set.<\/strong> Here is the log of the blocking rule:<\/p>\n<div id=\"attachment_267163\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-267163\" class=\"wp-image-267163\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-15.jpg\" alt=\"\" width=\"600\" height=\"180\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-15.jpg 635w, https:\/\/www.stormshield.com\/wp-content\/uploads\/hermeticwiper-illus-15-300x90.jpg 300w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><p id=\"caption-attachment-267163\" class=\"wp-caption-text\"><small><em>Figure 15: illustration of the blocking rule<\/em><\/small><\/p><\/div>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-227874\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice.png\" alt=\"\" width=\"67\" height=\"50\" \/><\/p>\n<p style=\"text-align: center;\">Confidence index of the protection offered by Stormshield<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-232004\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/indice-2.png\" alt=\"\" width=\"67\" height=\"50\" \/><\/p>\n<p style=\"text-align: center;\">Confidence index of the absence of false positives<\/p>\n<p>&nbsp;<\/p>\n<hr \/>\n<h2>Addendum: technical details of the CaddyWiper malware<\/h2>\n<p>On March 14, the research teams at Eset announced <a href=\"https:\/\/twitter.com\/ESETresearch\/status\/1503436420886712321?s=20&amp;t=WnZQjac_AMqskq4keEfAtg\" target=\"_blank\" rel=\"noopener\">in a tweet<\/a> that they had observed <strong>new data-wiping malware targeting Ukrainian infrastructure.<\/strong> This new strain, named <strong>CaddyWiper<\/strong>, has so far been identified in four files and pursues the same goal as its predecessor: rendering any workstation that runs the strain completely inoperable.<\/p>\n<p>Although the end goal is the same, the technique used to reach it is entirely different: CaddyWiper uses neither the signed driver from the EaseUS tool nor the Hermetica Ltd certificate. To wipe the workstation, CaddyWiper starts by overwriting the data in all user directories on all disks. When these files are owned by another user, it attempts to take ownership of them via the <em>SeTakeOwnershipPrivilege<\/em> privilege. It then accesses the physical disks via \u201c<strong><em>\\\\.\\PHYSICALDRIVEX<\/em><\/strong>\u201d, erases MBR\/GPT-type information and alters the partition tables of each disk to render them inoperable. 
At the next reboot, or following a BSOD, the workstation will no longer start.<\/p>\n<p>Notably, of these four files, only one is signed, by a Chinese certificate that is invalid because it has expired:<\/p>\n<div id=\"attachment_270633\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-270633\" class=\"wp-image-270633\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-16.png\" alt=\"\" width=\"800\" height=\"504\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-16.png 805w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-16-300x189.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-16-768x484.png 768w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-16-700x441.png 700w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><p id=\"caption-attachment-270633\" class=\"wp-caption-text\"><small><em>Figure 16: the certificate signing the malware has expired<\/em><\/small><\/p><\/div>\n<p>On the Stormshield product side, the protections respond immediately.<\/p>\n<h3>Protection with Stormshield Network Security<\/h3>\n<p>Breach Fighter, the SaaS sandboxing solution that complements SNS firewalls, detects all CaddyWiper-type malware.<\/p>\n<div id=\"attachment_270638\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-270638\" class=\"wp-image-270638\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-17-1024x704.png\" alt=\"\" width=\"800\" height=\"550\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-17-1024x704.png 1024w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-17-300x206.png 300w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-17-768x528.png 
768w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-17-700x482.png 700w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-17.png 1144w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><p id=\"caption-attachment-270638\" class=\"wp-caption-text\"><small><em>Figure 17: example of a Breach Fighter analysis<\/em><\/small><\/p><\/div>\n<h3>Protection with Stormshield Endpoint Security<\/h3>\n<p>Whether version 7.2 or the Evolution version, <strong>both products block the malware from its very first action.<\/strong> The malware directly triggers the products' \"HPP\" or \"Execution Flow Hijack\" protection.<\/p>\n<div id=\"attachment_270643\" style=\"width: 633px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-270643\" class=\"wp-image-270643 size-full\" src=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-18.png\" alt=\"\" width=\"623\" height=\"76\" srcset=\"https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-18.png 623w, https:\/\/www.stormshield.com\/wp-content\/uploads\/illustration-18-300x37.png 300w\" sizes=\"auto, (max-width: 623px) 100vw, 623px\" \/><p id=\"caption-attachment-270643\" class=\"wp-caption-text\"><small><em>Figure 18: one of the strains blocked by SES Evolution<\/em><\/small><\/p><\/div>\n<h2>IOC \/ Useful information on the HermeticWiper and CaddyWiper malware<\/h2>\n<p>SHA-256:<\/p>\n<ul>\n<li>a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea<\/li>\n<li>b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7<\/li>\n<li>ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72<\/li>\n<li>1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176<\/li>\n<\/ul>\n<p>Breach Fighter portal:<\/p>\n<ul>\n<li><a 
href=\"https:\/\/breachfighter.stormshieldcs.eu\/ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72\" target=\"_blank\" rel=\"noopener\">breachfighter\/ea6a416b320f32261da8dafcf2faf088924f99a3a84f7b43b964637ea87aef72<\/a><\/li>\n<li><a href=\"https:\/\/breachfighter.stormshieldcs.eu\/b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7\" target=\"_blank\" rel=\"noopener\">breachfighter\/b66b179eac03afafdc69f62c207819eceecfbf994c9efa464fda0d2ba44fe2d7<\/a><\/li>\n<li><a href=\"https:\/\/breachfighter.stormshieldcs.eu\/1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176\" target=\"_blank\" rel=\"noopener\">breachfighter\/1e87e9b5ee7597bdce796490f3ee09211df48ba1d11f6e2f5b255f05cc0ba176<\/a><\/li>\n<li><a href=\"https:\/\/breachfighter.stormshieldcs.eu\/a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea\" target=\"_blank\" rel=\"noopener\">breachfighter\/a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea<\/a><\/li>\n<\/ul>\n","protected":false},"author":83,"featured_media":190179,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1503],"tags":[4368],"business_size":[],"industry":[],"help_mefind":[],"features":[],"type_security":[],"maintenance":[],"offer":[],"administration_tools":[],"cloud_offers":[],"listing_product":[1565,1530],"class_list":["post-267142","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-alertes","tag-la-cybersecurite-par-stormshield","listing_product-ses-fr","listing_product-sns-fr"],"acf":[],"yoast_head_json":{"canonical":"https:\/\/www.stormshield.com\/fr\/actus\/alerte-securite-hermeticwiper-la-reponse-des-produits-stormshield\/","article_published_time":"2022-02-25T13:53:26+00:00","article_modified_time":"2024-02-15T10:38:15+00:00","author":"Stormshield Customer Security Lab"}}