Patching Not Enough to Stop Petya
Voluminous amounts of information have already been disseminated regarding the “Petya” (or is it “NotPetya”? [1]) ransomware that hit the Ukraine hard [2] along with organizations such as “the American pharmaceutical giant Merck, the Danish shipping company AP Moller-Maersk, the British advertising firm WPP, Saint-Gobain of France, and the Russian steel, mining and oil firms Evraz and Rosneft” [3].
Not surprisingly, nearly every Petya write-up references the WannaCry outbreak that wreaked havoc about a month-and-a-half ago. This is reasonable given the recentness of WannaCry and the fact that both are ransomware families known to leverage the EternalBlue exploit against the vulnerability patched by MS17-010 [4].
Amidst this deluge of information (and misinformation), we wanted to make sure that the association of Petya with WannaCry did not obscure some important differences. In particular, the EternalBlue-based propagation mechanism, mitigated by patching MS17-010, is not the only method Petya employs to spread. Another propagation method employed by Petya is not thwarted by patching at all. According to Kaspersky [5], once Petya has compromised a machine, it harvests credentials from the Windows Local Security Authority (lsass.exe) and then uses those credentials via PsExec or WMI in an attempt to remotely compromise other systems on the local network. In many enterprises, this activity will not be blocked and is likely to fly under the radar as typical remote administration activity. After all, PsExec is a legitimate Windows Sysinternals command-line tool, and WMI stands for Windows Management Instrumentation. If a widely used administrative credential is compromised, it could very quickly be game over for many systems regardless of whether the MS17-010 patch has been applied.
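Host-side detection of the credential-reuse spread described above, as an added example that is not ASERT's code nor drawn from the Kaspersky analysis: it runs over constructed (not real) log events and flags one source host reusing one account to log on to many machines in a short window, plus the traces PsExec (a PSEXESVC service install) and WMI (a process whose parent is WmiPrvSE.exe) leave on the target. Field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Petya telemetry), normalised the way a SIEM
# might export Windows Security network logons (4624, logon type 3), service
# installs (7045) and process creations. Field names are hypothetical.
EVENTS = [
    {"ts": "2017-06-27T09:00:00", "host": "ws-01", "kind": "logon3", "account": "CORP\\itadmin", "src": "10.0.0.5"},
    {"ts": "2017-06-27T10:00:05", "host": "ws-01", "kind": "logon3", "account": "CORP\\itadmin", "src": "10.0.0.5"},
    {"ts": "2017-06-27T10:00:40", "host": "ws-02", "kind": "logon3", "account": "CORP\\itadmin", "src": "10.0.0.5"},
    {"ts": "2017-06-27T10:00:41", "host": "ws-02", "kind": "service_install", "service": "PSEXESVC"},
    {"ts": "2017-06-27T10:01:10", "host": "ws-03", "kind": "logon3", "account": "CORP\\itadmin", "src": "10.0.0.5"},
    {"ts": "2017-06-27T10:01:12", "host": "ws-03", "kind": "proc_create", "image": "cmd.exe", "parent": "WmiPrvSE.exe"},
    {"ts": "2017-06-27T10:01:55", "host": "ws-04", "kind": "logon3", "account": "CORP\\itadmin", "src": "10.0.0.5"},
    {"ts": "2017-06-27T10:02:00", "host": "fs-01", "kind": "logon3", "account": "CORP\\svc-backup", "src": "10.0.0.9"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def credential_fanout(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a (source, account) pair that logs on over the network to at least
    `threshold` distinct hosts inside `window`: the shape credential reuse leaves."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "logon3":
            by_key[(e["src"], e["account"])].append((parse_ts(e["ts"]), e["host"]))
    alerts = []
    for (src, account), seq in by_key.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):           # slide the window start over each logon
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append((src, account, sorted(hosts)))
                break                                # one alert per pair is enough
    return alerts

def remote_exec_indicators(events):
    """Target-side traces of the two tools named above: PsExec installs a service
    called PSEXESVC; commands run via WMI are spawned under WmiPrvSE.exe."""
    hits = []
    for e in events:
        if e["kind"] == "service_install" and e.get("service", "").upper() == "PSEXESVC":
            hits.append((e["host"], "psexec-service"))
        elif e["kind"] == "proc_create" and e.get("parent", "").lower() == "wmiprvse.exe":
            hits.append((e["host"], "wmi-spawned:" + e["image"]))
    return hits
```

The 09:00 logon to ws-01 falls outside the five-minute window and is correctly ignored; the lone svc-backup logon never reaches the threshold.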
Another important difference between Petya and WannaCry is that there is no “KillSwitch” [6] for Petya. Indeed, contrary to many reports, ASERT has found no evidence that Petya has any form of command-and-control.
In conclusion, avoid any false sense of security that may derive from patching MS17-010 and heed the longstanding calls for appropriate network segmentation to limit the damage from Petya and other malware. Finally, note that the following ET Pro rules appear to fire on Petya propagation behavior and, thus, can be used for detection using network security products such as Arbor Networks Spectrum:
- 2001569 - ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
- 2012063 - ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference
- 2024297 - ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010
References
[1] https://twitter.com/hashtag/notpetya
[3] https://www.nytimes.com/2017/06/27/technology/global-ransomware-hack-what-we-know-and-dont-know.html
[4] https://en.wikipedia.org/wiki/EternalBlue
[5] https://securelist.com/schroedingers-petya/78870/
[6] https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/