Blog Post created by Ian Arazo, Senior Consultant
"Just another Petya blog"
Several weeks ago, the incident response team from Diamond Cyber Security encountered a variant of the recent 'Petya/PetrWrap/GoldenEye/Nyetya' cyber-attack, which has caused such widespread chaos across Europe. In the instance we encountered, it caused workstation hard drives and their Master Boot Records (MBR) to be encrypted, with further demands to pay a bitcoin ransom to decrypt the infected host.
At the time of infection, this caused widespread system outages that affected end users, impacted user workstations through the centrally administered infrastructure that prevented the organisation trading for a prolonged period and left the organisation performing disaster recovery efforts for weeks after the initial compromise.
We see similarities between this recent attack and the cyber incident we assisted with triaging and remediating, where the attackers leveraged the legitimate PsExec Windows administrator tool to propagate the malware across their network. Additionally, the WMI – Windows Management Instrumentation is another legitimate Windows Component,1 that is being used to propagate the malware, although the use of WMI was not apparent in infection spread seen in our client.
The recent malware variant is also reported to leverage the EternalBlue exploit as was seen in the WannaCry outbreak to spread the malicious payload to locally connected network hosts.2 This illustrates the need for vigilance when applying critical security updates in a timely fashion, as the Windows Update patch (MS17-010) to mitigate the SMB vulnerability was released in mid-March earlier this year.
Email being the original threat entry vector has not yet been confirmed for this latest attack, however reports have suggested that still unpatched Windows hosts with the SMBv1 vulnerability provide attackers with an entry vector of attack.3 This was the case during our response which took place in the following manner:
- A staff member received an email containing a macro embedded Excel file
- The staff member opened the file and enabled macros which allowed the malicious macro to execute
- The macro script then downloaded a Trojan containing a cryptor, PsExec, a start-up persistence executable and a memory dumping tool to extract usernames and passwords. Note: this tool could execute as the staff member held local administrator privileges
However, given the depth of the intrusion into the network it was difficult to determine an ‘at-fault’ account.
For systems that are compromised, the file “perfc.dat” is dropped onto the end-point, with the file containing the functionality to compromise the target system. The library then attempts to obtain administrative privileges for the current user, and if successful will overwrite the workstation’s MBR. A scheduled task is then created to reboot the system after an hour of the infection, regardless of whether the MBR is overwritten or not.
When working with the client, impacted users reported they were forced to reboot their workstations and then were prompted with a chkdsk, hard disk checking utility prompt screen. After the ‘pseudo-check disk’ completed, users were presented with a notification screen reporting their disk drive was encrypted, with further instructions to obtain the decryption keys to recover their data. We note that businesses and individuals should NEVER pay the ransom, as this only perpetuates the business model of using ransomware as a way of extorting funds.
As part of the malware propagation process, the malware scans for an open TCP port of either 139 or 445 that is visible on machines in the network and can potentially be compromised. There are three propagation mechanisms available upon a device being infected:
- EternalBlue – the exploit used by the WannaCry incident
- PsExec – a legitimate Windows administrator tool
- WMI – A legitimate component of windows
The above mechanisms are used to spread and execute perfc.dat on networked devices, propagating through the network. It was through the execution of a memory dump to analyse and use legitimate credentials enabled the attacker to hijack an admin account to use the PsExec utility.
What are the issues being encountered now, that we'd seen uncovered in the past?
Unpatched software. As with the WannaCry ransomware incident, one of the propagation mechanisms the Petya ransomware reportedly uses, spreads malware via the unpatched SMB v1 vulnerability in Windows hosts (MS17-010). This is despite the patch being available since mid-March of this year. Ensure that your software is patched with the latest updates against known software vulnerabilities, especially when patches have been released that can mitigate known exploits that have been developed by highly sophisticated threat actors (i.e. nation states).
Social engineering, via spear phishing and targeted emails. Unsuspecting end users are falling victim to targeted phishing campaigns that have malicious attachments, with the opening of these files exacerbating the malware to spread through the environment. Invest in security training and education activities to upskill the workforce’s ability to detect questionable email and web content, thereby improving the security culture and elevating awareness.
Have a documented and rehearsed backup & disaster recovery strategy. Even with backup software in place, implementing a Disaster Recovery strategy that allows system backups to be encrypted, and not having up-to-date offline/offsite backups can have detrimental impacts to your business. Periodically review the disaster recovery processes and rehearse the backup strategy for ransomware situations.
Software Restriction Policies and Application Whitelisting. Lock down the use of PsExec and WMI within the environment where there is no business justification for the use of these tools. For static environments, consider implementing an Application Whitelisting Solution to allow only known software applications to run on endpoints.