Advanced Threat Protection


Petya Ransomware - Next Global Threat 

Jun 28, 2017 12:47 PM

Hello All,

On June 27th, 2017 we all became aware of a new variant of the Petya malware which is spreading over the Microsoft Windows SMB protocol. The malware appears to use the ETERNALBLUE exploit tool to accomplish this. This is the same exploit the WanaCrypt0r/WanaCry malware exploited to spread globally in May, 2017. Multiple organizations have reported network outages, including government and critical infrastructure operators.

Windows users should take the following general steps to protect themselves:

  • Apply security updates in MS17-010
  • Block inbound connections on TCP Port 445
  • Create and maintain good back-ups so that if an infection occurs, you can restore your data.

Overview

Petya is a ransomware family that works by modifying the Windows system's Master Boot Record (MBR), causing the system to crash. When the user reboots their PC, the modified MBR prevents Windows from loading and instead displays an ASCII ransom note demanding payment from the victim.

[Figures: petya-ransom-note.jpg, petya_eng_14_0.png, petya_eng_16-1024x901.png (screenshots of the Petya ransom note)]

The latest version of the Petya ransomware is spreading over Windows SMB and is reportedly using the ETERNALBLUE exploit tool, which exploits CVE-2017-0144 and was originally released by the Shadow Brokers group in April 2017.

After the system is compromised, the victim is asked to send US $300 in Bitcoin to a specific Bitcoin address and then send an e-mail with the victim's Bitcoin wallet ID to wowsmith123456@posteo[.]net to retrieve their individual decryption key. As of 16:00 UTC on June 27th, 13 payments had already been made to the attackers' wallet.

Lifecycle

We are aware of the following information about how the Petya attack lifecycle works.

Exploitation

We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample carried in any e-mail-related attacks.

We have seen public speculation that a Ukrainian tax software package was compromised and delivered the Petya DLL via an update on the morning of June 27th. This infection vector would explain the high concentration of infections in Ukraine, but we have not been able to independently confirm this information.

Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations. The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: "On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!"

Installation

This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.

Command and Control

Petya contains no Command and Control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.

Lateral Movement

Petya uses three mechanisms to spread to additional hosts.

  • Petya scans the local /24 to enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PsExec. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share.
  • Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
  • Petya finally attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only be successful if the targeted host does not have the MS17-010 patches deployed.

Affected countries: UK, Ukraine, India, the Netherlands, Spain, Denmark, and others

Behavior:

Encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

Prevention Steps:

1. Block the following source e-mail addresses:

emails: wowsmith123456@posteo.net
emails: iva76y3pr@outlook.com
emails: carmellar4hegp@outlook.com
emails: amanda44i8sq@outlook.com

2. Block the following domains and URLs:


3. Block the following IPs:

ip: 95.141.115.108
ip-dst: 185.165.29.78
ip-dst: 84.200.16.242
ip-dst: 111.90.139.247

4. Apply the latest patches listed below:

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

5. Disable SMBv1

6. Update anti-virus signatures with the following hashes, filenames and named pipe:



Recommendations

  • In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
    https://technet.microsoft.com/library/security/MS17-010
  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Block SMB ports on enterprise edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or disable SMBv1.
    https://support.microsoft.com/en-us/help/2696547
  • Use AppLocker policies to block execution of files named perfc.dat as well as the psexec.exe utility from Sysinternals.
  • A quick fix is to create the files (perfc, perfc.dll, and perfc.dat) in advance under C:\Windows with read-only permissions, so that they already exist on the Windows machine. A brief description is here:
    https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/     [ NOTE: This is not a Kill Switch but only a vaccine with no Guarantees ]
  • Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs, close the e-mail and go to the organization's website directly through the browser.
  • Restrict execution of PowerShell, WScript, PsExec and WMIC in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging (script block logging and transcription) enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain. These e-mail validation mechanisms are designed to prevent spam by detecting e-mail spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
  • Apply application whitelisting and a strict implementation of Software Restriction Policies (SRP) to block binaries running from the %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware samples generally drop and execute from these locations. Enforce application whitelisting on all endpoint workstations.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Maintain updated Antivirus software on all systems.
  • Consider installing Enhanced Mitigation Experience Toolkit, or similar host-level anti-exploitation tools.
  • Block e-mail attachments of the following file types:
    exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Regularly check the contents of database backup files for any unauthorized encrypted data records or external elements (backdoors/malicious scripts).
  • Keep the operating system and third-party applications (MS Office, browsers, browser plugins) up to date with the latest patches.
  • Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
  • Network segmentation and segregation into security zones help protect sensitive information and critical services. Separate the administrative network from business processes with physical controls and Virtual Local Area Networks.
  • Disable Remote Desktop connections and employ least-privileged accounts.
  • Ensure the integrity of the code/scripts used in database, authentication and sensitive systems, and check regularly the integrity of the information stored in the databases.
  • Restrict users' abilities (permissions) to install and run unwanted software applications.
  • Employ data-at-rest and data-in-transit encryption.
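The host-level pieces of the prevention steps and recommendations above (disable SMBv1, block inbound SMB at the host firewall, and pre-create the read-only perfc "vaccine" files) as one PowerShell script. This is an added example, not code from the original post or from Symantec; the firewall rule names and the decision to block at the host rather than only at the perimeter are assumptions, and it must be run as Administrator on Windows 8/Server 2012 or later.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): harden a Windows host against the
# NotPetya spread paths described above. Rule names and paths are assumptions.

# 1. Disable the SMBv1 protocol so the ETERNALBLUE (MS17-010) path is closed.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Windows 10 also exposes SMBv1 as an optional feature; ignore if absent (servers).
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
    -ErrorAction SilentlyContinue | Out-Null

# 2. Block inbound SMB/NetBIOS at the host firewall (TCP 139/445, UDP 137/138),
#    the same ports the recommendations list for the perimeter.
$rules = @(
    @{ Name = 'Block-Inbound-SMB-TCP';     Protocol = 'TCP'; Ports = @(139, 445) },
    @{ Name = 'Block-Inbound-NetBIOS-UDP'; Protocol = 'UDP'; Ports = @(137, 138) }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Ports -Action Block -Profile Any | Out-Null
    }
}

# 3. "Vaccine": create perfc, perfc.dll and perfc.dat under C:\Windows as read-only
#    files. As the post notes, this is not a kill switch and carries no guarantee.
$vaccine = 'perfc', 'perfc.dll', 'perfc.dat'
foreach ($name in $vaccine) {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
}

# 4. Emit the resulting state so it can be verified and shipped to central logging.
[pscustomobject]@{
    SMB1Enabled   = (Get-SmbServerConfiguration).EnableSMB1Protocol
    FirewallRules = ($rules | ForEach-Object {
        "$($_.Name)=$((Get-NetFirewallRule -DisplayName $_.Name).Enabled)" }) -join '; '
    VaccineFiles  = ($vaccine | ForEach-Object {
        "$_=$((Get-Item (Join-Path $env:SystemRoot $_)).IsReadOnly)" }) -join '; '
}
```

Blocking inbound 445 on a file server or domain controller breaks legitimate SMB service, so apply step 2 to workstations and restrict servers at the perimeter as the recommendations describe.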


What are the details of Symantec's protection?

Network-based protection

Symantec has the following IPS protection in place to block attempts to exploit the MS17-010 vulnerability:

Symantec encourages installing all features of Symantec Endpoint Protection on all machines for the best protection.

Antivirus

SONAR behavior detection technology

Conclusion

Ransomware attacks are very common, but they are rarely coupled with an exploit that allows the malware to spread as a network worm. The WannaCry attacks in May 2017 demonstrated that many Windows systems had not been patched for this vulnerability. The ideas behind the Trojan have been seen before in earlier malware; the creators of Petya have simply combined them all in a single creation. That said, it should be acknowledged that it requires a certain degree of technical skill to implement low-level code that encrypts and decrypts data before the OS boots.

Secondly, the spread of Petya using this vulnerability indicates that many organizations may still be vulnerable, despite the attention WannaCry received.
