Europe woke up Tuesday to massive attacks on both governments and some of the world’s largest brands. While the story is sure to develop, here’s what we’ve learned so far, and what enterprises need to take into account whether they have been affected or are trying to protect their organizations from becoming the next victim.
- Currently, most victim companies are in Russia and the Ukraine with some much smaller volumes observed in Western Europe. Unless the malware has some form of geo fencing, this will likely change throughout the day as the rest of world wakes up and logs on to their systems.
- This malware only has passing resemblance to the historic Petya malware and thus should NOT be considered the same. This is much more sophisticated than both Petya and the recent Wannacry.
- The campaign is using multiple propagation vectors:
- Email (multiple PDF and Word attachment samples have been collected)
- The EternalBlue exploit used by Wannacry
- Harvesting of credentials via a custom capability against the lsass process and subsequent use of WMIC to move laterally
- An attack against the update process of a third-party Ukrainian software product called MEDoc
- Even a machine patched against the EternalBlue exploit is still vulnerable if a user clicks on the email vector. This malware is nastier than WannaCry because it can continue to propagate even in fully patched environments.
- The worst case for an organization is if a user with domain admin credentials is compromised as the entire network becomes at risk via WMIC and remote process execution (psexec).
- For non-admin victims, the files on the machine are encrypted using a standard AES routine (thus it is unlikely there will be an implementation bug found to allow for non-keyed decryption).
- For admin (local or domain) victims, the Master Boot Record (MBR) is encrypted (but not the files on disk). Thus, the machine seems bricked but is actually relatively easy to recover. However, this seems to go to a motive that this may actually be more of a disruption attack than a financially motivated crime.
- There was a single bitcoin account setup for ransom payments but it has already been taken down. Thus, there is currently no way for victims to get decryption keys even if they want to pay the ransom. Again, this hints at motive, in the sense there was possibly never any real intention of collecting significant ransom or of providing a decryption pathway.
- Because of the attempt to move laterally, environments that have adopted Software-Defined Perimeterarchitectures to limit lateral movement are likely to see far reduced impact compared to traditional open enterprise networks.
- A number of next-gen AV systems are now detecting and stopping this.
[su_box title=”About Chris Day” style=”noise” box_color=”#336588″][short_info id=’102680′ desc=”true” all=”false”][/su_box]
John is the Principle at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham, Trent University (NTU) and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle, and Far East to Commercial, Industrial, the Financial Services Sector, and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo
He served in the Royal Air Force 22 years’, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG, and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.
In the commercials sectors of IT/Cyber he has worked for/with Logica, Bae, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors) and provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority (Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.