A ransomware attack is currently ongoing and targeting organisations across the globe, Ukraine is hit particularly badly, but the virus is spreading. The ransomware is called notPetya, and below is a detailed write-up about of a ransomware that it is inspired by from March 2017 (Petya):
https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/
The attack seems to be using a Microsoft/Microsoft Office Vulnerability CVE-2017-0199 to enter the network and it uses MS17-010 for lateral movement.
It contains 4 resources, 3 PE files and the 4th is psexec (version 1.98 with valid signature).
This virus encrypts the files as well as the MBR (Master Boot Record) which makes it impossible to boot the disk into a live OS CD and attempt to retrieve some files that way. Once the encryption is complete, the system is forcefully crashed so the computer is unusable and the ransomware notice is displayed.
For lateral movement it completes an ARP scan on the local network and it is using WMIC with remote admin credentials.
The mechanism seems to resemble a golden ticket attack as is described below:
https://blog.stealthbits.com/complete-domain-compromise-with-golden-tickets/
This is very hard to defend against but in this case specifically PSExec is used.
Customer can use Windows GPO to block the execution of PSexec the SysInternals utility that is included and used by NotPetya. Be aware that this utility might be used for regular system maintenance and therefore please confer with your Windows system administrators.
The Antivirus vendors are catching up in terms of ability to detect:
ITC is currently deploying a SIEM Use Case to try and detect this virus or its activity, and the use case is currently based on the IOCs listed in this document, and the detection will require the following log sources:
- Antivirus
- Sandbox
- Potentially Next Generation Firewalls (Palo Alto for example)
- Firewalls and IPS/ODS Systems (for the lateral movement detection)
Ports:
To be confirmed. SMB ports for lateral movement do apply: TCP/UDP 138, 139, 445.
Kill Switch:
create file “C:\Windows\perfc”
‘This file could be created on each asset that is believed to be vulnerable and is unable to be patched’
Prevent:
- Patch:
- Patch CVE-2017-0199:
- Apply MS17-010:
If this was applied at the time of the Wannacry incident, the chance for lateral movement and spreading of the virus may decrease.
- Antivirus:
- Install AV updates ASAP
- Block Communication to and from the following IP addresses:
- 200.16.242
- 90.139.247
- 165.29.78
- 141.115.108
- In the event, you are not able to patch:
- Technical controls:
- Restrict access on TCP and UDP ports 138, 139 and 445 to the host.
- Disable SMBv1
- Disable RDP (TCP/UDP port 3389) access from the Internet.
- If that is also not possible, restrict access either via a VPN or IP access control lists.
- Policy Controls
- Check with external service providers providing in house, nearshore or offshore services they have performed their own due diligence activities.
- Ask for a written confirmation that any system used for administration activity by the external vendor is patched and up to date.
- Technical controls:
Detect:
Please see the IOCs below:
- https://community.blueliv.com/#!/s/5952789182df413d634047ce
- https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
Additional information:
React:
- Restore backups
- Check for additional systems infected
- Send out communications reminding internal/external personnel not to connect personal/external laptops to company networks without verification.
Sources:
Malware Details:
https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
Virus Detection:
Malware Analysis:
https://malwr.com/analysis/NzA4Y2RiYjJhNWEyNDgzNmEwZGIxZWM5OTFjNGI0OWE/
