Eric De Grasse, CTO
(with special thanks to FireEye and Palo Alto Networks)
28 June 2017 – Earlier today we participated in a Europol briefing and the major take-away was this: the “Petya” attackers knew that M.E.DOC would impact mostly Ukraine; all other infections were “side effects”. This was a cyberwar attack, not a criminal attack. See the video above which lays out the timeline and why they arrived at this conclusion.
Situation Summary
As we noted in yesterday’s brief, this attack was a new variant of the Petya malware which spread over the Microsoft Windows SMB protocol. The malware appears to use the ETERNALBLUE exploit tool to accomplish this. This is the same exploit the WanaCrypt0r/WanaCry malware exploited to spread globally in May, 2017. Multiple organizations have reported network outages, including government and critical infrastructure operators.
Several cyber security firms have tried to summarize the “NotPetya” outbreak. Here is a cut & paste compendium from several sources on what happened and what you should do:
- The malware uses a bunch of tools to move through a network, infecting machines as it goes. It uses a tweaked build of open-source Minikatz to extract network administrator credentials out of the machine’s running memory. It uses these details to connect to and execute commands on other machines using PsExec and WMIC to infect them.
- It also uses a modified version of the NSA’s stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency’s stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates.
- Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.
- One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
- With admin access, the software nasty can not only lift credentials out of the RAM to access other internal systems, it can rewrite the local workstation’s hard drive’s MBR so that only it starts up when the machine reboots, rather than Windows, allowing it to display the ransom note; it can also encrypt the filesystem tables and files on the drive. NotPetya uses AES-128 to scramble people’s data. Needless to say, don’t pay the ransom – there’s no way to get the keys to restore your documents.
- Not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You’d be surprised how many outfits are too loose with their admin controls.
- The precise affected versions of Windows aren’t yet known, but we’re told Windows 10’s Credentials Guard spots NotPetya’s password extraction from memory.
- Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn’t stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn’t attempt to spread externally across the internet like WannaCry did.
Palo Alto Networks noted these general steps to protect yourselves :
- Apply security updates in MS17-010
- Block inbound connections on TCP Port 445
- Create and maintain good back-ups so that if an infection occurs, you can restore your data.
The scary shit
If hackers get into the firm’s computers, it’s trivially easy to use existing automatic update systems to push out malware to unsuspecting victims – in May Microsoft warned about just this point after catching miscreants at it. As more details about this malware come in … we have received 18 separate reports come in as we were writing this post … the whole affair is a confluence of little pieces of evidence that suggest this is not a run-of-the-mill malware attack, but might serve a darker purpose.
Putin and his pals in action?
The original Petya ransomware that popped up last year encrypted hundreds of file types, and the new code makes some interesting choices in what it encrypts. Justin Cappos, assistant professor of security, operating systems and networks at the New York University Tandon School of Engineering, was interviewed by The Register and (with its permission) we’ve done a cut & paste some of his key comments:
The whole thing is a bit odd. The image types like .png don’t seem to be among those encrypted and usually those would be the kinds of things people want to encrypt because the victims will care about their baby pictures, if you were targeting consumers. I find this suspicious; it’s targeting code and even Python scripts and Visual Basic to lock down developers’ work.
There’s also the method of extracting money from the attack. Ransomware has been exploding of late because it makes it easy for criminals to collect funds without having to recruit a lot of money mules around the world to harvest payments.
Bitcoin has helped with this and, as you’d expect, this infection also asks for the digital currency but with a crucial difference. This time, users wanting to get their files back had to email details to a specific address.
And another hint comes in the timing of the attack. Today, June 28, is a national holiday in Ukraine, its annual Constitution Day. Criminal hackers typically attack on holidays and weekends to avoid detection, but doing so the day before looks like an attempt to cause maximum disruption for the largest number of people in the country.
And who is Ukraine’s main enemy at the moment?
Russia, since it’s currently fighting a proxy in the country by supporting the Donetsk People’s Republic that has set itself up in the east of the country. Russia has also been accused of hacking Ukrainian systems in the past.
That said, Russian firms have been hit by the ransomware too. State oil giant Rosneft has reported infections, although it says oil productions and processing wasn’t harmed in the outbreak, and local steel maker Evraz has also been infected.
As is so often the case in online attacks, we may never know the truth behind the source of the infection, but Interpol and police forces in at least three countries are investigating the source and motivations behind the attacks. Microsoft will be doing its own detective work and says Defender has been updated to block the ransomware.
And, yes. Having been deeply involved in cybersecurity issues over the past 4 years we certainly are not eliminating the issue of a “false flag”. But while we would not go as far as say “false flag”, the primary malware production facilities in the ex-USSR are presently in Ukraine and the war zones bordering it – Donetsk and TransDnestr. It used to be all over Russia. Not any more – they started getting in the way of legitimate business so the police got pressured by banks and businesses to start paying attention.
So our guess it was probably written in Ukraine. Now, who paid for the kids to write it – that is a different story. We are least likely to know that any time soon. Investigating the organized criminal industry in Ukraine (or the politicians related to it) always finishes with a bomb under your hood, a bullet in the back of your head or your head cut off and sent to your wife. We are not going to quote the actual examples – they are in the news going as far back as Kuchma’s government. Do your own research.
Oh, irony you say? You want irony?
But the way we see it, the true people to blame is in fact the Americans, more specifically, the NSA. Why? Simple. These attacks are using exploits NSA have known about for years which is ironic when you think about the fact they claim to keep them in the name of “National Security”. Had they just found the exploits, and reported them to Microsoft (or whatever application developer has the bug) this would of been prevented years ago.
But, no. Instead the NSA chose to harbor these security bugs, refusing to fix them and instead have them for their own malicious intents. The fact remains had these bugs been fixed instead of used then none of these attacks such as WannaCry would of been as effective as they are now.
Personally, we think the NSA should stand up and admit it did wrong by harboring the bugs and apologize to the effected businesses. That’s not to say the creators of the malware are not responsible, which of course, they are. But to us the NSA still had a hand it in it all.
Yes. Let’s stop the bullshit of being polite about this. Global Security is harmed mainly by the “security services” … every major intelligence organization is doing it … in multiple ways:
1) They create incentive to find security problems AND keep them secret by buying them on the black market.
2) They then hoard these problems to transform them into attack weapons against state-actors, terrorists and criminals alike.
3) Defenders (OEMs and anti-virus companies) are intentionally kept in the dark in order to not de-value the attack weapons.
This system is fully concentrated on each actor’s ability to attack, not to defend. So there is a global incentive for the “security services” to keep potential targets on each side vulnerable. So when … not if … the weapon cache is breached, as soon as the thieves learn to control the weapons, they are able to do harm on a global scale.
Yes, yes, yes. We do understand the thinking behind collecting attack vectors. But in effect the “security services” do NOT raise the global security level, they lower it to dangerous levels. So, brave hearts, NSA, GCHQ, BND, FSB, et al will become responsible for a major hit against the global infrastructure. It’s just a matter of time.
That said, we are not holding the commercial world blameless. Do the spooks have form in using any weakness to attack perceived enemies of their respective state with little concern for moral/legal scruples? Yes. Are they responsible for the failure of commercial organizations to implement basic, proper IT maintenance when the necessary defenses have been in the public domain for months? No. You have been adequately warned and how to patch/update.
And always, always, always remember the basic rule in sigint …
“Always assume the other guy is smarter than you”
As Bob Norr, cyber expert extraordinaire emailed us earlier today:
This is the basic foundation of modern security infrastructure, and has been since World War 2. Basically, the Nazis assumed that they were smarter than their opponents, and that the Enigma code was invulnerable. But it turned out the Allies were working on stuff that the Germans hadn’t even begun to imagine, and so they were able to break the code in ways that the Axis assumed would be impossible. The Allies knew where the Axis were going to attack within hours of the order being issued, but the Germans remained convinced that Enigma was unbreakable.
This is why, since the end of the war, whenever we come up with a new encryption method we publish it and invite people to have a go at cracking it. Because the assumption is that someone out there is smarter than you and will figure it out even if you think it’s unbreakable. It’s effectively the same “many-eyes” principle which works in Open Source; if everyone is working on the problem and still can’t crack it, then it’s probably securer than if you’re the only person working on it and hoping that some combination of obscurity and your own genius makes it uncrackable. This is one of the problems many infosec researchers have with Apple’s walled garden; it’s a bad philosophical approach to security even if you do a very good job of implementing it, and when someone smarter does decide to target it the result will be devastating.
The assumption should always be that the Bad Guy – whomever they happen to be at a given moment – knows your movements, has access to all your information, has slightly better resources than you do, and can do a bit more than you can at any given time. That makes hording exploits directly equivalent to arming your enemies.
Other suggested reads on the Petya cyber attack
WEBCAST
When we were at the Cyber Security Forum in Lille, France earlier this year we spent a lot of time with security vendors explaining the “multiple layers” approach to network security. The bottom line is that the individual strengths of each layer cover any gaps that other defenses may lack.With this assumption in mind, each individual layer in a multi-layered security approach focuses on a specific area where the malware could attack. By working in concert, these layers of security offer a better chance of stopping intruders from breaching company networks than using a single solution.The types of security layers you can use in your network defense include:
- Web protection
- Patch management
- Email security and archiving
- Vulnerability assessment and analytics
- Antivirus software
- Data encryption
- Firewalls
- Digital certificates
- Anti-spam and spam filters
- Privacy controls
WatchGuard has a webcast this Friday, June 30th, which will put this all in perspective, using the “Petya 2.0” and WannaCry attacks as “lessons to learn”. You can register via the link below: