notPetya, Ransomware and Making sure you maintain the SNR.

Note to self: When thinking of an article, ensure you write about it at the time otherwise procrastination wins out and it takes me forever to get around to it!

There's an obsession within IT Security right now: ransomware. Can I blame the industry? Not entirely; however, I would happily share the blame between vendors, analysts, media and consultants, amongst others, for over-hyping many of the areas that fall out of a ransomware attack. It's important that we maintain a level head, keep the signal-to-noise ratio (SNR) in check, and do not allow ourselves to be overwhelmed by the marketing, 'great ideas' and other such snake oil that we see, hear and read.

Read: Ransomware makes up less than 1% of threats

In the instance of notPetya, just as with WannaCry and many malware outbreaks before it, there was a dominant voice within the industry in which many were shamed with 'omg, why haven't you patched?' I'm sure businesses had their reasons, whether we agree with them or not. As I've stated on my page previously, patching is vitally important to any holistic InfoSec plan, but it is not the be-all and end-all of InfoSec; you have to consider, for instance, what happens when there isn't a patch available.

notPetya has had some amazing teams do in-depth analysis far beyond my ability (1, 2, 3). The general analysis is that the source of the infection was a third-party accounting software provider called W.E.DOCS, whose source code was, as they say, "owned". Meaning that the hostile actors had complete control over what got published to end users; in this case, a number of publicly available exploits and a series of legitimate administration tools, a trend we've seen in recent years.

So whilst vendors and consultants all peddle 'Secure your perimeter', 'Phishing training today!' and 'Buy this blinky box and all your InfoSec problems go away!', what could actually have been done to prevent this?

Let's start with patching, which, ironically, was the primary infection vector: updating the W.E.Doc software created the opportunity for this malware to be introduced into the environment. However, had the Windows patches from March been installed, then propagation via EternalBlue and EternalRomance would have been prevented. Would this have stopped the ransomware? No. The ransomware component is separate from the propagation components and as such would not have been outright prevented.

This piece of malware, something I've described as a bit of a Frankenstein's monster, didn't rely upon a single propagation method. Once a machine was infected it would also use a tool called (or certainly inspired by) Mimikatz to extract any credentials floating in memory via the lsass.exe process. These credentials were then passed to the legitimate Windows administration tools PsExec and WMIC for further propagation.

Read: Security Hygiene Tips to prevent infection and lateral movement

Would patching have prevented the aforementioned propagation method? Probably not. Using obfuscation and legitimate Windows administration tools to gain footholds and persistence within systems is nothing new, and there are many ways to do it (4), including a paper from Trend Micro from all the way back in July 2010 on "Understanding WMI Malware" (5). If you don't know what WMI or PsExec are, I would highly recommend making yourself familiar with them (PsExec: 6), at least at a high level. The capability of these two tools within a network environment (armed with the correct credentials, for the most part) can be staggeringly impressive, if not frightening.

Sidenote: in reading further into this to write this article, I have discovered that there was indeed a phishing component to this campaign. Cybereason (8, 9) completed a write-up suggesting that this was indeed a vector. However, as with the WannaCry campaign, confirming phishing as a vector has been somewhat like grasping at smoke.

So what have we learned from Schrödinger's Petya? Note, this is not an exhaustive list.

  • Patching works; it's important, but it's not the only focus.
  • Auditing of legitimate administrative tools is vital to any environment.
  • User account management/credential management is key (principle of least privilege, 7).
  • An internal or MSSP SOC is pivotal to any modern enterprise (I might be biased), allowing active and engaged monitoring/auditing of your estate.
  • Third parties are key to all enterprises, but they are also a serious cause for concern and a potential weakness; consider how you audit/vet/manage them.
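The propagation chain described above (stolen credentials handed to PsExec and WMIC) and the "audit your legitimate administrative tools" lesson both come down to the same detection question: can you see an account driving remote execution across many hosts in a short window? The following is an added example, not code from the original article; it runs a toy correlation pass over constructed Windows event records whose field names are assumed to mirror Sysmon (event 1, process creation) and the System log (event 7045, service installed).

```python
"""Toy lateral-movement detection over constructed Windows event records.

Flags the two behaviours the article describes: PsExec service installs
(System event 7045 creating the default PSEXESVC service) and processes
spawned by the WMI provider host (Sysmon event 1 with WmiPrvSE.exe as the
parent), then correlates the account used across distinct hosts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Field names are assumptions.
EVENTS = [
    {"time": "2017-06-27T10:00:05", "host": "WS01", "event_id": 7045, "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe", "user": "CORP\\svc_backup", "parent": ""},
    {"time": "2017-06-27T10:00:09", "host": "WS02", "event_id": 1, "service": "",
     "image": r"C:\Windows\System32\rundll32.exe", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"time": "2017-06-27T10:00:30", "host": "WS03", "event_id": 1, "service": "",
     "image": r"C:\Windows\System32\rundll32.exe", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"time": "2017-06-27T11:15:00", "host": "WS04", "event_id": 1, "service": "",
     "image": r"C:\Windows\System32\notepad.exe", "user": "CORP\\alice",
     "parent": r"C:\Windows\explorer.exe"},  # benign interactive activity
]

def is_psexec_install(ev):
    """Service install of the default PsExec service name."""
    return ev["event_id"] == 7045 and ev["service"].upper().startswith("PSEXESVC")

def is_wmi_spawn(ev):
    """Process creation whose parent is the WMI provider host (remote WMIC call)."""
    return ev["event_id"] == 1 and ev["parent"].lower().endswith("wmiprvse.exe")

def remote_exec_events(events):
    """Return the events that look like PsExec or WMI driven remote execution."""
    return [ev for ev in events if is_psexec_install(ev) or is_wmi_spawn(ev)]

def fan_out_accounts(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts whose remote-exec activity touched >= min_hosts hosts within window."""
    by_user = defaultdict(list)
    for ev in remote_exec_events(events):
        by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # slide the window from each hit
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    print(fan_out_accounts(EVENTS))
```

The thresholds are deliberately low for the sample; in a real estate you would tune the window and host count against the baseline of your own administrators' PsExec and WMI usage.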

References: (I'm aware my annotations/references are poorly formatted; I can't seem to get superscript to work)

  1. Cisco Talos Blog. Accessed 12th July 2017 (blog last updated 6th July 2017).
  2. Kaspersky Securelist. Accessed 12th July 2017 (blog last updated 28th June 2017).
  3. LogRhythm Technical Analysis Blog. Accessed 12th July 2017 (blog last updated 30th June 2017).
  4. PowerShell obFUsk8tion Techniques & How To (Try To) D""e`Tec`T 'Th'+'em', by Daniel Bohannon. Accessed 12th July 2017.
  5. Understanding WMI Malware, Trend Micro. Accessed 12th July 2017.
  6. PsExec Examples, How Remote Execution Works, by David Maloney of Rapid7. Accessed 12th July 2017.
  7. Implementing Least Privilege, SANS Reading Room. Accessed 12th July 2017.
  8. NotPetya intrusion vectors and propagation, Cybereason. Accessed 12th July 2017.
  9. Lingering questions around notPetya, Cybereason. Accessed 12th July 2017.

Obligatory these thoughts are my own and do not necessarily reflect those of my employer past, present or future. Which, if I ever become self employed could get interesting.

Thanks all, I do intend on writing more. All in good time :)

Richard Preece

Director, DA Resilience Limited

7 years

Dave, as always an excellent piece of analysis and thought provoking. Noting your disclaimer at the end, as your former manager, I would fully endorse.

Al P.

Cyber Security Leader @ JD Sports

7 years

Good Read David!
