Petya Early Observations
Yet another critical ransomware threat has taken the world by storm. Speculation will be rampant on the source of the attack over the next few days as we begin to unfold the layers of the code. Until then, we can still make some early observations that should absolutely be on the minds of anyone involved in cyber security. This malware introduced a highly sophisticated approach to how it spreads, in a way rarely seen before.
The consolidated version of the analysis thus far is that this threat was likely introduced into patient zero by attackers injecting a malicious software update for M.E.Doc, a popular accounting software package used by Ukrainian companies. The threat actors compromised the M.E.Doc update server, so organizations using the M.E.Doc software inadvertently downloaded the ransomware through the software update service. It’s also likely the payload was delivered through traditional phishing techniques. It’s believed that the ransomware is based on a variant of the Petya ransomware. The Petya ransomware itself has been around since 2016; however, it’s now more effective since being weaponized with some new features, like leveraging the Eternal Blue exploit and lateral movement techniques to spread more effectively.
When we start dissecting the way the ransomware spreads there is one very strong differentiator we really haven’t seen much of before, and that’s guaranteed to take the spotlight in the media moving forward.
This ransomware is spreading so effectively due to the way it uses lateral movement to propagate. It uses one of the exact methods the CBI Red Team uses for lateral movement and privilege escalation, taking advantage of tools like PsExec and Mimikatz. PsExec is a tool that allows you to execute processes on other systems. Mimikatz is a tool known to all penetration testers, designed to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
Let’s take a more detailed look at how this latest variant of Petya propagates:
- Petya scans the local /24 to discover ADMIN$ shares on other systems then copies itself to those hosts and executes the malware using PsExec. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share.
- Using the Windows Management Instrumentation Command-line (WMIC) tool, Petya connects to other hosts on the local subnet and attempts to execute itself remotely on those hosts. It can then use Mimikatz to extract credentials from the system and use them to execute itself on the targeted host.
- Finally, Petya attempts to use the Eternal Blue exploit tool against hosts on the local subnet. This will only be successful if the targets don’t have the MS17-010 patches deployed.
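The first two propagation steps above leave a recognizable trail in Windows event logs. As an added example (not code from the original post), the following detector flags a PSEXESVC service install that follows ADMIN$ share access on the same host, and a wmic.exe "process call create" aimed at a remote node. The event records and the dict layout are constructed for this example; the event IDs (5140 share access, 7045 service install, 4688 process creation) are standard Windows IDs.

```python
# Added example: detect the PsExec-over-ADMIN$ and WMIC remote-execution
# patterns described in the propagation steps. Sample events are constructed;
# the dict field names are an assumption of this example, not a log schema.
from collections import defaultdict

PSEXEC_SERVICE = "PSEXESVC"  # service name Sysinternals PsExec installs on the target


def detect_lateral_movement(events):
    """Return a list of (host, technique, detail) alerts.

    psexec: Event 5140 on \\*\ADMIN$ (needs file-share auditing enabled)
            followed on the same host by Event 7045 installing PSEXESVC.
    wmic:   Event 4688 where wmic.exe runs 'process call create' with /node:.
    """
    alerts = []
    admin_share_hits = defaultdict(set)  # target host -> accounts that touched ADMIN$
    for ev in events:
        eid, host = ev["event_id"], ev["host"]
        if eid == 5140 and ev.get("share", "").upper().endswith("ADMIN$"):
            admin_share_hits[host].add(ev.get("account", "?"))
        elif eid == 7045 and ev.get("service", "").upper() == PSEXEC_SERVICE:
            who = ", ".join(sorted(admin_share_hits.get(host, {"unknown"})))
            alerts.append((host, "psexec",
                           f"PSEXESVC installed after ADMIN$ access by {who}"))
        elif eid == 4688:
            raw = ev.get("command_line", "")
            cmd = raw.lower()
            if "wmic" in cmd and "process call create" in cmd and "/node:" in cmd:
                # pull the remote target out of the original (case-preserved) command line
                target = next((t.split(":", 1)[1].strip('"') for t in raw.split()
                               if t.lower().startswith("/node:")), "?")
                alerts.append((host, "wmic", f"remote process creation targeting {target}"))
    return alerts


SAMPLE_EVENTS = [  # constructed sample data, not real logs
    {"event_id": 5140, "host": "WS02", "account": "CORP\\jdoe", "share": "\\\\*\\ADMIN$"},
    {"event_id": 7045, "host": "WS02", "service": "PSEXESVC"},
    {"event_id": 4688, "host": "WS01",
     "command_line": 'wmic.exe /node:"WS03" /user:"CORP\\jdoe" process call create "C:\\payload.exe"'},
    {"event_id": 4688, "host": "WS01", "command_line": "wmic.exe os get caption"},  # benign
    {"event_id": 7045, "host": "WS04", "service": "Spooler"},  # benign
]

if __name__ == "__main__":
    for host, technique, detail in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"[{technique}] {host}: {detail}")
```

Malware that renames the PsExec service or runs WMIC through a different binary will slip past these literal matches, so treat this as a starting point for tuning against your own logs.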
The CBI Red Team is batting 100% for gaining domain administrator access into our new customers' environments this year. I recently gave a talk at the Converge/BSides Detroit security conference that focused on the prioritized workflow we follow when leveraging these attacks and what organizations can do to detect and prevent them. One of the most effective and common recommendations we make to reduce the impact of the attacks we use against local administrator password vulnerabilities is to implement Microsoft’s free utility called Local Administrator Password Solution (LAPS).
From the Microsoft website:
“For environments in which users are required to log on to computers without domain credentials, password management can become a complex issue. Such environments greatly increase the risk of a Pass-the-Hash (PtH) credential replay attack. The Local Administrator Password Solution (LAPS) provides a solution to this issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, random password for the common local administrator account on every computer in the domain. Domain administrators using the solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
LAPS simplifies password management while helping customers implement recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers. LAPS stores the password for each computer’s local administrator account in Active Directory, secured in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.”
The attack vectors used here are a huge reinforcement for conducting frequent penetration testing. Apart from the MS17-010 technique, vulnerability scanning alone would never detect the vulnerabilities this threat is using to spread. Only through advanced manual penetration tests can we identify the vulnerabilities used in this attack. In addition, there are plenty of other ways this ransomware could have spread more efficiently, taking things to a new level.
Eventually, we will see these threats using techniques like token impersonation, ARP poisoning, Man in the Middle (MiTM), and Kerberos/SPN weaknesses to gain domain administrator rights in order to grow a larger foothold in the compromised environment. Armed with domain administrator rights, the attacks that can be leveraged against an environment are endless, and much more impactful.
When attacks such as these do occur, the amount of impact depends on how fast the techniques can be identified and the exploitation stopped. It was the incident response program, in many organizations hit by this ransomware, that contained the damage. Whether done as part of frequent penetration testing or as part of security exercises, organizations should run frequent incident response drills. These exercises evaluate the prevention and detection controls for specific threats, such as the ransomware outlined here, and ensure both the controls and the human element are prepared. Successful deflection of attacks and outbreaks comes down to consistent readiness.
Overall, this latest round of ransomware reinforces what we already suspected: security teams are inevitably going to encounter more sophisticated malware leveraging lateral movement, privilege escalation, and other advanced attacks. These vectors are not detected by traditional vulnerability management programs and tools. The “bad guys” see this as an opportunity to capitalize, and their resources and efforts will be escalated. It’s essential that IT security teams and organizations enhance their vulnerability management programs to incorporate frequent penetration testing from reputable firms.