This week’s malware outbreak that removed computer data capabilities from large enterprises worldwide is now thought to have been designed to damage, not to earn profit. Therefore, it only masquerades as traditional ransomware. First seen on Tuesday, NotPetya/Petya is like last month’s WannaCry in that it displayed a ransom request of $300 in Bitcoin on compromised machines. However, this time the attacks were not widespread nor intended for individual machines. They were targeted at faulty enterprise networks and the data was generally not recoverable.
According to Reuters, the main purpose of the attack appears to be the installation of new malware on computers at government and commercial organizations, primarily in the Ukraine. These organizations have offices worldwide; thus, a total of 65 countries were affected. The WannaCry and NotPetya/Petya attacks aren’t so much ransomware as they are early warnings of how future malware will take advantage of existing cracks in the enterprise network.
As with WannaCry, the ransom aspect, Bitcoin collection and distribution of keys, for NotPetya/Petya appears to be layered on as an afterthought. This time the email address for contact and data recovery was disabled by the provider shortly after the attack began. And on the Bitcoin side, the account appears to have been set up with no way to correlate who paid and who didn’t. This is also true of WannaCry.
NotPetya/Petya contains a variety of features, not all enabled. For example, there appears to be a data wiper in the code. A wiper destroys the data and hardware of a computer. Shamoon, which targeted the oil and gas industry in 2012, is a classic example of such malware. The wiper feature here, however, is either buggy or disabled. Nonetheless, the codebase could be a sign of bigger, more damaging attacks looming in the future.
There is a ransomware package called Petya, and NotPetya/Petya contains much of its code. However, it is also different. This caused confusion within the attack’s first 24 hours where a variety of names where given for this malware. Names have been a problem in general with malware since the late 1990s. Attempts to codify the naming of viruses, worms, and Trojan Horses have been undermined by vendors advocating their solution’s name. Thus, confusing the end user.
However, with the move toward more sophisticated Advanced Persistent Threats (APTs) it has become clearer that there are definable groups responsible for exploits. Some vendors have started numbering and cataloging these.
When Petya first appeared in March, anti-malware vendors were mostly in agreement that the name was Petya. Additionally, subsequent variations were identified as such. This most recent attack contains enough of the original Petya malware to be called that. However, deeper analysis suggests that the authors of the new malware only copied certain parts and added others. Hence, by late Wednesday, some InfoSec experts had already switched to calling it NotPetya. For this article we use both names.
The NotPetya/Petya outbreak is thought to have started as a compromised update in the MeDoc accounting software, widely used in the Ukraine. According to Fortune, criminal hackers broke into the MeDoc servers on or around June 22. The compromised software update is now thought to have included a compromised Word document. This is a classic characteristic of a virus: requiring an end user to click on the infected email and open the attachment in order to spread. This technique also allows for a more targeted attack.
Where WannaCry spread like wildfire across the globe within a day, Petya was more focused, using spear-phishing to target strategic databases (i.e., companies doing business in the Ukraine). Initially it was thought that NotPetya/Petya was simply a virus. As it turns out, it is a hybrid virus and worm.
Once a device within an organization is infected, NotPetya/Petya looks for vulnerabilities within the enterprise network. It then spreads itself like a computer worm. Like WannaCry, NotPetya/Petya leverages the EternalBlue exploit, looking for systems with exploitable SMB vulnerabilities. Microsoft patched its latest SMB vulnerability in a March 2017 update. Most organizations have a process for dealing with “Patch Tuesday” updates as they’re expected, they’re important. Organizations that didn’t patch certainly should have done so in May, in the wake of WannaCry. But the authors are smart. Even if a system had been patched with the latest SMB patch from Microsoft, Petya still had other opportunities to infect.
Any time data needs to move from one server to another, or one system to another, there is opportunity. Additionally, Microsoft-based networks have inherently had a lot of trust built in. That’s because the support issues with a “trust no one” model—where everything is turned off and is enabled as needed—would be staggering. Here’s where a good penetration test would benefit an organization to help define what should be trusted and what should not.
A pen test involves consultants that analyze your network like an attacker—either human or malware. They look for cracks that might allow the escalation of privileges. NotPetya/Petya appears to have settled on a few paths, seeking lateral movement with WMI and PsExec. This is often very effective in environments with poor network security architecture and implementation. Another way it spreads is along flat networks without segmentation. In addition, it can spread in environments where desktop users commonly have workstation admin or domain admin permissions, and networks not restricted or tightly controlled. A pen tester can map out these issues and help enterprises mitigate them.
These recent malware attacks also serve to remind us how prevalent software is today with gas pumps and digital billboards displaying the ransom requests. Enterprises today need to change fundamentally how their software is developed or adopted, updated, and accessed. World economies and infrastructures depend on the quality and security of software and applications more than ever.
Yet The State of Software Composition 2017 report finds that software components are still in use in applications today. In particular, the report identifies that vulnerable versions of components are still in use after patched updates become widely available. Vulnerabilities in components such as free and open source software (FOSS) can affect thousands of applications worldwide.
Whether utilizing a software vendor or an in-house development team, quality and security must be a priority. As development teams build out their software, they need to test the supply chain code with software composition analysis.
With every piece of software, security must be built in, not bolted on after the fact with WAPs or network firewalls. Rigorous testing throughout the software development life cycle (SDLC) not only improves the quality and security, customer relationships, and integrity of the data. It also reduces the man hours necessary to develop, test, and ship one-off patches and updates. Fuzz testing is a great technique to identify zero-day vulnerabilities proactively and further reduces the need for future patches.
If security is truly built in, it also needs to be understood and supported from the CEO, board rooms, and throughout the organization. It needs to be the culture. In security, only one weak link is necessary for a bad actor to take root. Enterprises need a culture of security throughout. If the security team isn’t talking regularly to the C-suite or board about security, then how might this change come about?
A good way to see how your security organization performs compared to others is to request a Building Security In Maturity Model (BSIMM) assessment. This provides a baseline and suggestions on how to get to that next level.
Enterprises should always have an updated incident response plan. This should include how the business will continue if its hardware or data become compromised. Just as you should be testing and monitoring your software, you should also test and update your incident response plan to consider the latest attacks.
Clearly, WannaCry and NotPetya/Petya are just shots across the bow. Proof of concepts that have been successful to varying degrees. The next one could have more damaging consequences. Consider what happened at Maersk this week where paper and pen had to be used with global shipments. If your enterprise is not currently taking software security seriously, then consider yourself forewarned.