An outbreak of the nasty Petya ransomware family hit companies in over 60 countries yesterday. The scale of the attacks, as well as the fact it was designed to hit organizations, has many comparing it with last month’s WannaCry pandemic.
And while there are similarities, there are also important differences that companies need to know if they want to protect themselves. Here’s a few things companies should keep in mind to make sure they’re protected.
Petya’s using your own login credentials against you
One of the techniques Petya is using to spread is to gain access to local administrative credentials. It has several different mechanisms to help it do this. Once it’s able to gain access to administrative login credentials, it’s able to jump from machine to machine using standard Windows mechanisms.
Solution: According to F-Secure Labs Lead Researcher Jarno Niemelä, it’s best to be cautious when using administrative passwords until companies can ensure they have other protective measures in place.
“Companies concerned that they may be vulnerable should instruct employees to avoid logging into workstations with domain admin credentials,” says Jarno. “If you do, reboot the system after finishing whatever task needed to be done. Organizations should also ensure that all computers that have local admin accounts use unique passwords for those accounts.”
Petya has more ways to spread through networks than the SMB exploit
EternalBlue is an exploit developed by the NSA that takes advantage of a vulnerability in the SMB protocol used by most versions of Windows. A patch for the vulnerability is available, and obviously, companies should apply this patch immediately if they haven’t done so already.
But it’s become clear that the current Petya outbreak has additional ways of spreading. So patching the SMB vulnerability used by WannaCry is not enough to prevent an infection from spreading.
Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That's why patched systems can get hit.
— Mikko Hypponen (@mikko) June 27, 2017
The other infection vectors involve using legitimate Windows processes to spread. Specifically, it tries to execute the ransomware through PSEXEC and WMIC, which are Windows administrative tools. It does this with the administrative login credentials (as mentioned above).
Solution: According to F-Secure Principal Security Consultant Tom Van de Wiele, there are several steps companies should take to protect themselves from having the infection spread using these tools:
- Pro-actively create the file C:\windows\perfc and disable read/write rights from it for all Windows machines. Petya should not engage when it sees that file.
- Replace the call to psexec.exe: Create a key called “psexec.exe” in “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options” and then create a REG_SZ value for it called “Debugger” and set it to “svchost.exe”. This way the real psexec will not launch
- Disable the use of local AD / GPO accounts for remote logins to disable the psexec/wmic combo
- Disable WMIC where possible in Windows wherever it’s not needed
- Firewall incoming requests to 135/tcp (winrpc) for the wmic requests
- Firewall incoming requests to 445/tcp (cifs) for the incoming Eternalblue requests, which should already be the case as a result of WannaCry
Reports are chalking this up as a vendor supply chain attack
How Petya is moving through networks is becoming clearer. But what’s less clear is how the initial infection occurs. There are now reports suggesting that the earliest infections came from a malicious software update originating from a Ukrainian company that develops accounting software.
This could mean the vendor had their systems infected, or it could mean that the attackers were able to infect the vendor’s customers via a man-in-the-middle attack.
“Supply chain vendor attacks work by targeting a specific set of clients through a service they use,” says F-Secure Technology Expert Andy Patel. “Via these ‘semi-targeted’ attacks, multiple companies or individuals can be infiltrated with a single operation. In the case of yesterday’s Petya attack against Ukrainian targets, we don’t know if M.E.Doc’s infrastructure was breached, or if the updates were served to victims via a man-in-the-middle attack.
Furthermore, the vendor supply chain attack doesn’t explain how the outbreak spread so rapidly throughout the globe. But this is an attack that many companies are unprepared for. And that’s clearly a problem, so it’s something companies need to address.
Solution: The targeted nature of these attacks make them difficult to spot. The best defense is to have a breach-detection system in place. F-Secure’s Rapid Detection Service, for example, would detect any anomalous behavior exhibited by malicious files once it’s in a network.
Many security solutions, including F-Secure’s, offer companies a variety of ways to protect themselves from the various tactics, techniques, and procedures used in attacks like these. You can check out this blog post for more information.