On June 27, 2017, a new cyberattack spread across the globe, starting in Europe. This attack is similar to a 2016 virus called “Petya,” but its spread is reminiscent of the “WannaCry” attack of May 2017. This “2017 Petya Attack” is already affecting thousands of computers and is spreading quickly. Its full impact on businesses, governments, and people is yet to be determined.
What is the 2017 Petya Attack?
The 2017 Petya Attack uses what we call a “Ransomware Worm” that infects Windows computers and requires users to pay money – the ransom – to get their files back. It was initially distributed from a Ukrainian tax software package called “MeDoc,” but it also spreads across an internal network from one vulnerable Windows computer to another (the “worm” part). Because it can spread across a network on its own, it has the potential to affect large numbers of machines very, very quickly. It is logical to expect that it might also be delivered via phishing e-mail, but this distribution vector has not yet been confirmed.
How does it Work?
The 2017 Petya Attack appears to be a variant of a 2016 virus called “Petya,” combined with propagation capabilities used by the “WannaCry” worm from May 2017, and then further enhanced to be more malicious. The 2017 Petya Attack propagates by exploiting a vulnerability in Windows called “EternalBlue” that was also used by WannaCry. This exploit is believed to have been first developed by the US National Security Agency (NSA) but was leaked on the Internet in early 2017. The vulnerability resides in Microsoft’s Server Message Block protocol version 1 (SMBv1), which is used for Windows file sharing and is enabled by default in all versions of Windows. Microsoft identifies this vulnerability as “CVE-2017-0144” in the Common Vulnerabilities and Exposures catalog, and identifies the patch for the vulnerability as security bulletin “MS17-010.” To address this vulnerability, Microsoft has taken the unusual step of releasing patches not only for supported versions of Windows, but also for some unsupported versions such as Windows XP.
While the EternalBlue vulnerability allows the 2017 Petya Attack to spread on an internal network, that does not explain how it gets onto the internal network in the first place, as most enterprise and home networks do not allow Windows networking protocols in from the Internet. Early reports indicate that the infection was delivered through a modified update to the “MeDoc” tax software used in Ukraine, and that it then spread from there via Windows networking. We have not seen indications of it being distributed through phishing e-mails, but of course that remains a possibility. Once the malware is installed on a victim’s computer, it searches the local network for other vulnerable machines and infects them as well, and then encrypts the files on the victim’s computer. Finally, the 2017 Petya Attack malware puts up a banner message instructing the victim to pay Bitcoins to get their files back.
How does the 2017 Petya Attack Compare to WannaCry?
The WannaCry attack began on Friday, May 12, 2017, and infected more than 200,000 computers around the world in a couple of days. The initial infection was greatly slowed on Monday, May 15, when 22-year-old researcher Marcus Hutchins registered a domain name used to control the malware’s propagation, and the initial versions stopped spreading on local networks. However, since the initial infection there have been newer variants of the malware that lacked the original “kill switch.”
The 2017 Petya Attack appears to be a WannaCry variant that lacks the kill switch, and has been at least slightly revised and updated. Some key characteristics of the 2017 Petya Attack that we have observed:
- It is believed to have been initially distributed through a compromised update to the “MeDoc” tax software used in Ukraine, although the MeDoc vendor has disputed that claim. We have not seen evidence of it being distributed via phishing e-mails, but that remains a possibility.
- It uses the Windows “EternalBlue” vulnerability in the SMBv1 protocol to compromise remote systems and spread its malware to them.
- It also uses the “PSExec.exe” remote-execution tool (from Microsoft Sysinternals) to connect to remote computers and spread itself using cached credentials from the compromised machine. Note that this capability does not depend on the EternalBlue vulnerability to work, so patched machines can still be infected this way.
- It encrypts a long list of user file types, including most common office documents, virtual hard drives, and common backup file types.
- If the victim has administrative privileges on their computer, it embeds itself in Windows through a modification to the Master Boot Record (MBR) of the hard drive, as well as a Windows scheduled task.
- It clears the Windows system logs, to make attack analysis more difficult.
- Finally, the ransom notification channel has been blocked, so if you pay the ransom you will NOT get your data back.
Who is Vulnerable?
In general, organizations that “immunized” themselves against WannaCry should be only minimally affected by this new attack. Organizations most likely to be affected may have the following characteristics:
- Affected by the WannaCry attack earlier this year.
- Running large numbers of old Windows versions, or having automatic updates disabled.
- Large numbers of unmanaged Windows machines not centrally tracked or administered.
- The SMBv1 protocol and “PSExec” tools are permitted on the internal network.
- Embedded systems—like MRI machines—that run Windows and are not on isolated networks.
- Users are permitted to connect personal devices or removable media to internal networks.
- Users have administrative access to their personal business computers.
What if I am Affected?
If you find instances of this malware on your internal network, you should immediately take measures to contain the outbreak and prevent its spread across the network. You want to stop the malware from spreading as quickly as possible, since an uncontrolled propagation can quickly spread enterprise-wide. Some techniques that may help to slow down your rate of infection:
- Inform users of the attack, and tell them to be extra-vigilant of the behavior of their systems. Users who suspect they may have been infected should immediately turn off their computers and request assistance.
- Disable the Windows SMBv1 protocol on your managed computers.
- Change system administrator passwords, to guard against the malware’s use of cached credentials.
- Monitor your network for signs of scanning and broadcast traffic from compromised computers.
- Isolate affected computers from the rest of the network as quickly as possible by blocking Windows networking protocols at site and datacenter boundaries.
- Do NOT pay the ransom. The channel for releasing your data has been blocked, so if you pay the ransom your money will be gone but you will not get your data back.
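The SMBv1 step above is the one most administrators will be typing at a console, so here is an added PowerShell example (written for this page, not code from the article or from Leidos) that audits and disables SMBv1 on a managed host. It assumes an elevated PowerShell 5.x session on Windows 8.1 / Server 2012 R2 or later with the SmbShare module; older hosts use the registry procedure in Microsoft's documentation instead, and a reboot completes the change.

```powershell
# Added example: audit and disable SMBv1 (server and client sides) on one host.

function Get-Smb1Status {
    # Server side: whether LanmanServer still offers the SMB1 dialect.
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client side: the legacy mrxsmb10 driver used to talk SMB1 to other hosts.
    $client = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServerSmb1       = $server
        ClientSmb1Driver = if ($client) { "$($client.StartType)" } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # 1. Stop offering SMB1 to clients. This is the side EternalBlue
    #    (CVE-2017-0144) attacks, so it is the change that matters most.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Stop this host from speaking SMB1 as a client (Microsoft's documented
    #    procedure: drop mrxsmb10 from the workstation dependencies, disable it).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # 3. Windows 10 / Server 2016 also ship SMB1 as an optional feature;
    #    remove it so an installer or reboot cannot quietly bring it back.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# On a file server you may want to know which clients still depend on SMB1
# before turning it off. Windows 10 / Server 2016 can audit that: each SMB1
# session is logged as event 3000 in Microsoft-Windows-SMBServer/Audit.
function Enable-Smb1AccessAudit {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Message -split "`r?`n")[0] } |
        Sort-Object -Unique
}

# Report the current state; call Disable-Smb1 once the audit shows no legitimate SMB1 users.
Get-Smb1Status
```

Run Get-Smb1Status across the fleet (for example through PowerShell remoting) to find the hosts that still need the change; the client-side driver is usually the part that gets forgotten.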
How do I Defend against It?
There are a number of immediate actions you can take to reduce your enterprise’s vulnerability to the 2017 Petya Attack, and potentially stop initial intrusions that may breach your perimeter defenses. Here are some actions you can take:
- Install the MS17-010 patch on Windows machines within your network. Machines that cannot be patched—such as embedded systems—should be moved to isolated networks, with Windows networking blocked at the network boundary.
- Disable the “SMBv1” protocol on your enterprise network, according to Microsoft’s published documentation. SMBv1 is an obsolete protocol, so it is unlikely (but certainly not impossible) that you are actively using it on your network.
- Scan your network for hosts that still accept SMBv1 connections, and remediate them.
- Detect use of the “PSExec” tool on your network. This can be done using network tools to detect its protocol patterns, or using endpoint scripts.
- Detect attempts to modify scheduled tasks and system logs on your endpoint and server Windows computers.
- Update your malware detection software and Intrusion Detection/Prevention Systems (IDS/IPS) to the latest signatures as they are released by supporting vendors.
- Use 24x7 monitoring with incident response to aggressively detect and respond to any outbreaks within your network. This may include disabling affected computers, cutting network connectivity between sites, or isolating datacenters to protect key systems.
- Have offline backups of critical data and systems, so you can restore if necessary.
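Three of the items above (PSExec use, scheduled-task creation, and clearing of system logs) leave traces in the Windows event logs that survive the attack itself. The following added PowerShell example (written for this page, not the article's or Leidos's own tooling) sweeps a host for those traces; it assumes an elevated PowerShell 5.x session, that PsExec was run with its default PSEXESVC service name, and that the lookback window of 24 hours suits your environment.

```powershell
# Added example: hunt the local event logs for PsExec-style service installs,
# new scheduled tasks, and log-clearing events within the last -Hours hours.
param([int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

function Get-RecentEvents([string]$Log, [int[]]$Ids) {
    Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Ids; StartTime = $since } -ErrorAction SilentlyContinue
}

function New-Finding([string]$Indicator, $Event) {
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Host      = $Event.MachineName
        Log       = $Event.LogName
        EventId   = $Event.Id
        Indicator = $Indicator
        Detail    = ($Event.Message -split "`r?`n")[0]   # first line of the message
    }
}

$findings = @()

# PsExec installs a temporary service on the target (PSEXESVC by default).
# System 7045 "A service was installed" and Security 4697 both record that.
$findings += (Get-RecentEvents 'System' 7045) + (Get-RecentEvents 'Security' 4697) |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    ForEach-Object { New-Finding 'PsExec-style service install' $_ }

# Security 4698 is written when a scheduled task is created. It requires
# "Audit Other Object Access Events" to be enabled; without it, nothing is logged.
$findings += Get-RecentEvents 'Security' 4698 |
    ForEach-Object { New-Finding 'Scheduled task created' $_ }

# Clearing a log leaves a marker behind: Security 1102 (audit log cleared)
# and System 104 (a log file was cleared). Either is a strong tripwire.
$findings += (Get-RecentEvents 'Security' 1102) + (Get-RecentEvents 'System' 104) |
    ForEach-Object { New-Finding 'Event log cleared' $_ }

if ($findings.Count -eq 0) {
    Write-Output "No suspicious events in the last $Hours hours on $env:COMPUTERNAME."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
}
```

Forward these event IDs to a central collector as well: a host that clears its own logs also erases the local copy of the evidence, so the detection only holds if the events have already left the machine.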
What Should I do Next?
Business Insider magazine quoted the head of the French military’s digital crime unit, “This is a bit like a flu epidemic in winter… We will get many of these viral attack waves in coming months.” Sadly, this is most likely true. While this attack is unique and interesting because of the speed at which it is spreading and the impact it has had on daily lives in the countries hardest hit, it is likely more an instance of the “new normal” than a “one-off” that can be brushed off as a fluke. We believe that attacks like this are most likely a harbinger of things to come. Our digital systems are so large, complex, and difficult to manage that the prospect of “immunizing” ourselves against cyberattacks like these is as challenging as our doctors’ efforts to eradicate the common cold.
With that said, there are certainly things we can and should do to reduce the impact of this and future cyberattacks. Some of these measures are as follows:
- Assume that Internet-facing servers and endpoint personal computers will sometimes become compromised, and layer your defenses so that those infections can be quickly detected, contained, and remediated.
- Regularly patch endpoint systems and servers, and keep enterprise defense and vulnerability scanning systems up-to-date with the latest signatures and configuration data.
- Reduce the probability of user computers becoming compromised by using secure operating system configurations, managing user administrative privileges, and screening e-mails entering the enterprise for malicious software and web links.
- Use advanced endpoint protection on the most important endpoints and servers, to reduce the chance of them becoming infected. This should include behavior-based endpoint security that can detect malware based on its activity rather than its signature, and application whitelisting that only permits authorized software to run.
- Use strong authentication inside your network to protect access to the most powerful system administrator accounts, and to protect remote access and system administration connections.
- Segment your internal network to isolate datacenters, user spaces, and security infrastructure from each other. Configure network defenses, including firewalls and IDS/IPS technologies, on these internal network boundaries.
- Plan and rehearse enterprise intrusion contingency plans, including plans to compartmentalize the network to contain an outbreak, isolate non-critical systems from the Internet, and have contingency resources identified and on-contract.
- Employ 24x7 monitoring of your cybersecurity environment, with real-time incident response, containment, and remediation capabilities.
- Have robust offline backups, and test them regularly.
How Can Leidos Help?
Leidos has many capabilities that can help businesses and governments improve their cyberdefenses and protect themselves from cyberattacks like this one. These services include:
- Cybersecurity strategy and architecture development.
- Technology solutions for threat intelligence, insider threat detection, industrial control systems management, and advanced threat monitoring.
- Cyberdefense assessment, evaluation, penetration testing, and training.
- Security Operations Center (SOC) development, deployment, and operation.
- Managed Security Services (MSS) with 24x7 cybersecurity monitoring and incident response.