Talking notes from a recent BrightTALK panel I was invited to participate in.
NotPetya took advantage of weaknesses in security architecture: the kind of weaknesses that security professionals know about but often are not empowered to change, or are simply too busy to change. Lesley Carhart wrote a great blog article, "Why NotPetya Kept Me Awake (& You Should Worry Too)".
From that article:
"NotPetya may not have been the most sophisticated malware ever written. However, it was exceptionally effective due to the authors’ savvy exploitation of common security misconceptions and their deep understanding of poor security architecture."
She then goes on to describe how NotPetya abused mandatory software (M.E.Doc being one of only two choices in Ukraine for businesses to file their taxes), how it looked deceptively like Petya while functioning differently, and finally how it took advantage of flat network architecture and abused excessive privileges through credential reuse.
According to the Cisco Talos reports, NotPetya was introduced through an M.E.Doc update that was not cryptographically signed. Once a machine was infected, the malware attempted to propagate laterally across the network, first with two SMBv1 exploits that the Shadow Brokers released in April 2017 and that Microsoft had already patched in MS17-010 the month before:
- EternalBlue (the same exploit WannaCry used)
- EternalRomance
One lesson to be learned is to keep your machines current on OS patches and to have network access controls in place where possible: a host that has MS17-010 installed, has SMBv1 disabled, and cannot be reached on TCP 445 from arbitrary peers is not exposed to either of those exploits.
The other ways NotPetya propagated work on a fully patched network. It used traditional penetration-testing methodology: pivoting through the network and living off the land, using tools already present on the hosts.
As Omir said, NotPetya used a modified version of Mimikatz to scrape passwords and credentials from memory, and then used PsExec and WMI, both Windows management tools, to propagate further through the local network. If it ran into a domain controller it queried the DHCP subnets to find more targets to spread to.
If a machine was vulnerable to either exploit vector, EternalBlue or EternalRomance, a modified version of the DoublePulsar backdoor was dropped on it.
Worth pointing out that all of this spread extremely fast: 5,000 systems hit in under 10 minutes (Dave Kennedy).
Cisco Talos believes that the team behind NotPetya did not intend for the boot sector encryption to be reversible; in other words, this was destructive malware rather than ransomware. There have, however, been a few reports of data being recoverable when the malware had administrative access during the infection, owing to implementation errors in its cryptography.
It's safe to say that things will get worse. We have already seen a rise in ransomware over the years, and the incorporation of penetration-testing methodology into malware only makes it more important to have the security basics and defense in depth in place before an outbreak. Everybody outside Ukraine got lucky that they weren't the target. Criminals know that ransomware is great for making money, and nation states and terrorist organizations have publicly shown that fake ransomware makes a misleading and effective weapon.
While Ukraine was the target, NotPetya had a global impact, hitting many multinational firms with ties to Ukraine. After careful research the Cisco Talos team concluded that all NotPetya installations were delivered through the M.E.Doc update system, affecting many of the countries that Joe mentioned: Ukraine, India, France, Russia, Spain, the US, Belgium, Brazil and Germany.
The Guardian reported that Nurofen maker Reckitt Benckiser is taking an estimated £100m hit in revenue. Reckitt Benckiser said it was still assessing the financial impact of the attack, and while it expects to recover in the third quarter some of the revenue lost in the second quarter, continued production difficulties are expected to lead to a permanent loss of revenue. It now expects 2017 profits to be up 2%, down from an earlier growth forecast of 3%. With the company making almost £10bn in revenue in 2016, that equates to about £100m in lost revenue. Reckitt's shares were among the biggest fallers on the FTSE 100 in early trading on Thursday, down 2%.
Another example of the global impact of NotPetya is Maersk. Maersk has been the largest container ship and supply vessel operator in the world since 1996. Reuters reported that the company operates 76 ports via its APM Terminals division and was one of the many firms hit by NotPetya.
Maersk said it was too early to predict the financial impact of June's global NotPetya attack, which hit the shipping giant's computers and delayed cargoes, but added that normal operations had resumed at its ports.
The attack did not impact Maersk's physical loading of goods, but disrupted data-reliant processes such as creating arrival notices and obtaining customs clearance - leading to congestion at some of its ports, including in the United States, India, Spain and the Netherlands.
It is not believed that Maersk was deliberately targeted, given the malware's geographic reach. Maersk said it would continue to work with cybersecurity and software firms to ensure it was as protected as it could be. "There was nothing in terms of patches that we missed, there was no cyber security measures that we didn't take, so we were already in quite a strong position," they said. That is exactly the point of the credential-reuse spread described above: a fully patched estate with excessive privileges and a flat network still falls.
There are lots of basics that could be done, like patching, antivirus, disaster recovery plans, offline backups, tested restores, network segmentation and defense in depth, things that are best covered by buying a copy of the Defensive Security Handbook (linked below), so I'll give a more high-level top 5:
- Accept that things are going to go bad.
- Monitor the outside, but don't rely only on humans, or on just one feed (or one type of feed).
- Set thresholds to alert on outbreaks, i.e. notable lateral movement: one credential or one host touching many peers in a short window.
- Have the tools to respond: people (IR and SOC), multiple event sources to hunt across, and an orchestrated response at multiple levels (endpoint, network, perimeter, alarms).
- Don't be complacent: just because you think you escaped an attack doesn't mean you have. Be proactive, threat hunt, and automate what you can so your humans can make better use of their time.
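An added example of the threshold rule in the third bullet, applied to the Mimikatz-plus-PsExec/WMI spread described earlier (this is not the page's code, nor anything from the panel, Talos or the linked playbook). It runs over constructed Windows event records, 4624 network logons and 7045 service installs, with made-up hosts, accounts and IPs, and fires when one credential fans out to many hosts, or many hosts receive a new service, inside a short window. The thresholds and window are assumptions to tune against your own baseline:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): the fields a SIEM would carry from
# Windows Security 4624 (network logon, LogonType 3) and System 7045 (service installed).
# One service account fans out to five workstations in four minutes, and a new service
# lands on four of them right behind it: the PsExec/WMI pattern described on the page.
# PSEXESVC is PsExec's default service name; the outbreak rule deliberately does not
# key on the name, because attackers rename the binary and the service.
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T09:00:00", "id": 7045, "host": "build01", "service": "jenkins-agent"},
    {"ts": "2017-06-27T10:00:00", "id": 4624, "host": "fs01", "account": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.5.7"},
    {"ts": "2017-06-27T10:30:00", "id": 4624, "host": "ws01", "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.1.20"},
    {"ts": "2017-06-27T10:31:00", "id": 4624, "host": "ws02", "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.1.20"},
    {"ts": "2017-06-27T10:31:30", "id": 7045, "host": "ws01", "service": "PSEXESVC"},
    {"ts": "2017-06-27T10:32:00", "id": 4624, "host": "ws03", "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.1.20"},
    {"ts": "2017-06-27T10:32:30", "id": 7045, "host": "ws02", "service": "PSEXESVC"},
    {"ts": "2017-06-27T10:33:00", "id": 4624, "host": "ws04", "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.1.20"},
    {"ts": "2017-06-27T10:33:30", "id": 7045, "host": "ws03", "service": "PSEXESVC"},
    {"ts": "2017-06-27T10:34:00", "id": 4624, "host": "ws05", "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.1.20"},
    {"ts": "2017-06-27T10:35:00", "id": 7045, "host": "ws04", "service": "PSEXESVC"},
    {"ts": "2017-06-27T10:40:00", "id": 4624, "host": "fs02", "account": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.5.7"},
]


def _window_hosts(queue, ts, window):
    """Drop entries older than the window and return the distinct hosts left in it."""
    while queue and ts - queue[0][0] > window:
        queue.popleft()
    return sorted({host for _, host in queue})


def detect_fanout(events, threshold=5, window_minutes=10):
    """Alert once per account that logs on over the network to >= threshold distinct
    hosts inside the window: one credential being replayed across the LAN."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # account -> deque of (timestamp, host)
    fired, alerts = set(), []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] != 4624 or e.get("logon_type") != 3:
            continue
        ts = datetime.fromisoformat(e["ts"])
        q = recent[e["account"]]
        q.append((ts, e["host"]))
        hosts = _window_hosts(q, ts, window)
        if len(hosts) >= threshold and e["account"] not in fired:
            fired.add(e["account"])
            alerts.append({"rule": "credential-fanout", "account": e["account"],
                           "src_ip": e.get("src_ip"), "hosts": hosts, "at": e["ts"]})
    return alerts


def detect_outbreak(events, threshold=4, window_minutes=10):
    """Alert when >= threshold distinct hosts report a newly installed service inside
    the window, whatever the service is called. Returns at most one alert."""
    window = timedelta(minutes=window_minutes)
    q = deque()                          # (timestamp, host) of recent 7045 events
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] != 7045:
            continue
        ts = datetime.fromisoformat(e["ts"])
        q.append((ts, e["host"]))
        hosts = _window_hosts(q, ts, window)
        if len(hosts) >= threshold:
            return [{"rule": "service-install-outbreak", "hosts": hosts, "at": e["ts"]}]
    return []


def run_rules(events):
    """Run both rules and return the combined alert list."""
    return detect_fanout(events) + detect_outbreak(events)


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the fan-out rule fires at the fifth workstation for CORP\svc-backup while CORP\jdoe's two file-server logons stay quiet, and the outbreak rule fires when the fourth host installs a service within ten minutes, ignoring the unrelated build-server install an hour earlier. At 5,000 hosts in ten minutes you will not read the alert in time to act by hand, which is why the fourth bullet pairs this with an orchestrated response.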
https://blog.phantom.us/2017/06/28/playbook-ransomware-detect-block-contain-and-remediate/
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
https://twitter.com/HackingDave/status/879736303922933760
http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html
http://blog.erratasec.com/2017/07/yet-more-reasons-to-disagree-with.html
https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/amp/
https://www.onthewire.io/petyalike-ransomware-hits-companies-across-europe/
http://blog.uk.fujitsu.com/information-security/petya-medoc-and-the-delivery-of-malicious-software/
https://securelist.com/from-blackenergy-to-expetr/78937/
http://gizmodo.com/nato-considering-petya-malware-potential-act-of-war-1796590694
https://wvusoldier.wordpress.com/2017/07/03/notpetya-so-easy-anyone-could-do-it/amp/
http://www.informationsecuritybuzz.com/news/advice-tech-giant-pcm-details-handling-petyanotpetya/
https://twitter.com/thegrugq/status/883221681765875715
http://blog.ptsecurity.com/2017/07/recovering-data-from-disk-encrypted-by.html
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
https://www.reuters.com/article/us-cyber-attack-maersk-idUSKBN19S0FX
https://www.amazon.com/Defensive-Security-Handbook-Practices-Infrastructure/dp/1491960388/