We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry's. With echoes of WannaCry, infections spread fast. Research is still in progress: some security researchers describe the malware as a variant of Petya; others say it is a brand-new sample. The low-level attack works in the same style as the first Petya. The ransomware has been wreaking havoc across the globe this week, locking the MFT and MBR sections of hard drives and preventing computers from booting. This massive outbreak of not-really-ransomware has caused significant damage to both Ukrainian targets and strategic global logistics companies. Where WannaCry focused on poorly patched systems, Petya seems to have hit hardest among large corporate networks. This new outbreak once again highlights the disruptive power of ransomware like never before: simply by encrypting and blocking access to files, critical national services and valuable business data can be damaged. Hackers are targeting those that cannot afford to have downtime.
Ukraine was hardest hit by the attack, which came one day before the country's Constitution Day. It seems that this was a straightforward cyber attack whose target space was basically every company that does business in Ukraine. Systems across Ukraine were affected, including those at hospitals, airports, and even at the Chernobyl plant. In Ukraine, the hardest-hit nation in Tuesday's outbreak, the ransomware spread across government institutions, banks and even radiation monitoring at the Chernobyl nuclear facility. While the finance sector was hit hardest, more than 50 percent of the remaining targets fell into the categories of manufacturing or oil and gas. The attack hit Ukraine's central bank, government computers, airports, the Kiev metro, the state power distributor Ukrenergo, Chernobyl's radiation monitoring system, and other machines in the country.
Other countries were affected too, as the virus also spread internationally. The Petya/NotPetya attack hit a total of 65 countries in the first 24 hours, including Belgium, Brazil, Germany, Russia, and the United States, Microsoft reveals. It also affected the Russian oil giant Rosneft, the law firm DLA Piper, the U.S. biopharmaceutical giant Merck, the British advertiser WPP, and the Danish shipping and energy company Maersk, among others. Rosneft, the giant Russian energy firm, was infected but could continue its operations by simply switching to its backup system, and suffered no downtime or outages.
The Danish shipping and energy company Maersk reported a cyberattack on Tuesday. Maersk, the world's largest shipping company, reported systems down across multiple sites and has largely gone back to operating manually after the malware attack. Some experts are calling this a "Y2K moment" for the shipping industry.
The malware has no kill switch, and it looks like its authors had a development budget. While initial analysis suggested that this was a Petya-powered ransomware attack similar to WannaCry, further investigation revealed that the malware is actually designed to overwrite the master boot record (MBR) of compromised machines. There is no way to recover encrypted files, even if the ransom is paid. Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. If this well-engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options. The hackers behind the cyberattack have received less than $10,000 from victims.
It seems that this is definitely not designed to make money. Research by Kaspersky has revealed that the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack. There are at least three issues (post-MBR sector corruption, a random garbage installation ID, buggy encryption code) that indicate successful decryption of an infected computer was not a developer priority. Once the malware takes hold of a computer, it waits 10 to 60 minutes before rebooting the infected machine.
What is the difference between a wiper and ransomware? The goal of a wiper is to destroy and damage. The goal of ransomware is to make money. Different intent, different motive, different narrative. It looks like the Petya/NotPetya attack was pretending to be ransomware while in fact being a nation-state attack.
This ransomware variant is coded to erase the unique, randomly generated key that is used to encrypt the MFT (Master File Table). It seems very unlikely that users can receive a working decryption key. The e-mail service that hosted the address to which victims were instructed to send payment has closed the account, so trying to pay the ransom will result in a returned e-mail. Also, the victim ID is just trash.
The code is well written and obfuscated to protect against AV detection using at least two techniques: a fake Microsoft signature (which apparently fools some AV) and an XOR-encrypted shellcode payload (to bypass signature checks). The worm uses three different infection vectors: ETERNALBLUE, harvested password hashes and psexec. Once a single computer on a network was infected, Petya leveraged Windows networking tools like Windows Management Instrumentation (WMI) and PsExec to infect other computers on the same network. Once it is able to gain access to administrative login credentials, it is able to jump from machine to machine using standard Windows mechanisms. Even networks that had patched against the EternalBlue exploit were sometimes vulnerable to attacks launched from within the network.
As the whole world deals with another massive ransomware outbreak, it appears the variant may have spread in different ways among the various impacted countries. The initial attack vector has been attributed to a software update from the accounting company MeDoc, which sent an infected file out to customers, according to Ukrainian officials as well as security researchers at Kaspersky and Cisco. Attackers managed to deliver the ransomware through the update process.
Based on information released by security researchers, a Ukrainian accounting software company called MeDoc pushed an update on 6/27/2017 which installed the malware on the "victim zero" system. Then, using a mix of PsExec, WMI, and EternalBlue, it was able to spread to every other computer on the network. Practically everyone that does business requiring them to pay taxes in Ukraine has to use MeDoc (one of only two approved accounting software packages).
The infection vectors for other countries remain less clear.
Because of the ransomware's global reach, many researchers flocked to analyze it. Researchers have discovered what might be a "vaccine" for the current version of the Petya-esque ransomworm. The researcher's initial findings have since been confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft. Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers: simply create a file called perfc in the C:\Windows folder and make it read-only. With that read-only file in place, the NotPetya ransomware is blocked from executing on the PC. This method is more of a vaccination than a kill switch. A batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat (I am not sure if that is safe to use or not).
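As an added example (my own code, not from the post and not the linked batch file), the vaccine step described above can be done in a few lines of PowerShell, which also lets you verify the result instead of trusting a downloaded script. Only the file name perfc and the C:\Windows location come from the post; the function names and the elevated-session assumption are mine.

```powershell
# Added example, not from the original post: create the read-only "vaccine" file
# C:\Windows\perfc described above and verify it. Run from an elevated
# (Administrator) PowerShell session; C:\Windows is not writable otherwise.

function New-VaccineFile {
    param(
        # Default location from the post: C:\Windows\perfc (no extension).
        [string]$Path = (Join-Path $env:SystemRoot 'perfc')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Create an empty file. -Force is deliberately not used, so an existing
        # file is never truncated or replaced.
        New-Item -ItemType File -Path $Path -ErrorAction Stop | Out-Null
    }
    # The ReadOnly attribute is the part the post describes as blocking the
    # malware from executing on this host.
    $item = Get-Item -LiteralPath $Path
    $item.IsReadOnly = $true
    return $item
}

function Test-VaccineFile {
    param([string]$Path = (Join-Path $env:SystemRoot 'perfc'))
    # True only when the file exists and still carries the ReadOnly attribute.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    return (Get-Item -LiteralPath $Path).IsReadOnly
}

try {
    $created = New-VaccineFile
    if (Test-VaccineFile) {
        Write-Host ("Vaccine file present and read-only: {0}" -f $created.FullName)
    } else {
        Write-Warning "Vaccine file exists but is not read-only; check the attribute manually."
    }
} catch {
    Write-Warning ("Could not create the vaccine file (are you elevated?): {0}" -f $_.Exception.Message)
}
```

`Test-VaccineFile` on its own is a cheap check to run across a fleet over PowerShell remoting. In a non-elevated session the write to C:\Windows fails with an access-denied error, which the try/catch reports as a warning rather than a stack trace.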
In an in-depth analysis of the infection, Microsoft explains that the new ransomware is a form of the already-known Petya with worm capabilities, emphasizing that up-to-date Windows systems are fully secure. In the wake of global malicious attacks such as WannaCry and NotPetya, Microsoft this week announced a new feature meant to keep users' data safe from ransomware and other types of malware: Controlled folder access is meant to monitor the changes applications make to files in certain protected folders and blacklists any app that attempts to make such modifications.
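As an added example of the mitigation Microsoft describes (my own code, not Microsoft's or the post's), the following PowerShell turns Controlled folder access on through the Windows Defender `Set-MpPreference` and `Add-MpPreference` cmdlets, extends the protected set with an extra folder, allow-lists one legitimate application, and then reads back the state together with any block or audit events. It assumes a Windows 10 build that ships the feature (it arrived with the Fall Creators Update), Defender real-time protection turned on, and an elevated session; the folder and application paths are placeholders.

```powershell
# Added example, not code from Microsoft or the post: enable Controlled folder
# access, add a protected folder and an allowed application, then report state.
# Assumes Windows 10 with the feature available, Defender real-time protection
# on, and an elevated session. Paths below are placeholders for the example.

function Enable-ControlledFolderAccess {
    param(
        [string[]]$ExtraProtectedFolders = @(),
        [string[]]$AllowedApplications = @(),
        # 'AuditMode' logs what would be blocked without blocking it; useful for
        # a first rollout so line-of-business apps can be allow-listed first.
        [ValidateSet('Enabled', 'AuditMode', 'Disabled')][string]$Mode = 'Enabled'
    )
    Set-MpPreference -EnableControlledFolderAccess $Mode
    foreach ($folder in $ExtraProtectedFolders) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
    foreach ($app in $AllowedApplications) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }
}

function Get-ControlledFolderAccessState {
    $pref = Get-MpPreference
    # EnableControlledFolderAccess is reported numerically: 0 Disabled, 1 Enabled, 2 AuditMode.
    $mode = switch ([int]$pref.EnableControlledFolderAccess) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { 'Unknown' }
    }
    [pscustomobject]@{
        Mode             = $mode
        ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
        AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
    }
}

function Get-ControlledFolderAccessEvents {
    param([int]$MaxEvents = 20)
    # Defender operational log: 1123 = write blocked, 1124 = write audited.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123, 1124
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Placeholder paths: replace with the real data folder and the application that
# legitimately writes into it (for example the accounting package).
Enable-ControlledFolderAccess -ExtraProtectedFolders @('D:\Finance') `
                              -AllowedApplications @('C:\Program Files\Contoso\Ledger.exe')
Get-ControlledFolderAccessState | Format-List
Get-ControlledFolderAccessEvents | Format-Table -AutoSize
```

Start with `-Mode AuditMode` on a pilot group and review the 1124 events for a few days; every application that legitimately writes into the protected folders will show up there and can be added to the allow list before switching to `Enabled`.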
The malware attack raises concern that the NSA has lost control over the cyberweapons it developed, and that the damage from the Shadow Brokers leaks could be much worse. Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States: Britain and Ukraine. The Petya ransomware outbreak proves WannaCry was only the beginning. F-Secure Labs, for example, has been warning for years about the dangers of leaked government surveillance tools being weaponized by criminals.
Sources:
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
https://www.cyberscoop.com/petya-ransomware-medoc-hacked-auto-update/
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
http://www.securityweek.com/free-eternalblue-vulnerability-scanner-released
http://www.securityweek.com/microsoft-tackles-ransomware-controlled-folder-access
http://www.securityweek.com/industry-reactions-destructive-notpetya-attacks-feedback-friday
http://splash247.com/back-future-maersk-wake-petya-attack/
http://www.nytimes.com/2017/06/28/technology/ransomware-nsa-hacking-tools.html
https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b
http://www.securityweek.com/petyanotpetya-what-we-know-first-24-hours
https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry
http://www.cnbc.com/2017/06/28/ransomware-cyberattack-petya-bitcoin-payment.html
https://business.f-secure.com/petya-ransomware
https://business.f-secure.com/petya-ransomware-outbreak-proves-wannacry-was-only-the-beginning
60 Comments
Tomi Engdahl says:
Same with another name:
Massive GoldenEye ransomware attack affects users worldwide
https://www.bitdefender.com/news/massive-goldeneye-ransomware-attack-affects-users-worldwide-3330.html?cid=soc%7Cc%7Ctw%7Cgoldeneye
Our internal telemetry shows that some infections with #GoldenEye have been triggered by the compromised update of the MeDOC accounting software. A number of our customers in Ukraine where our solutions intercepted the attack clearly show explorer.exe starting up ezvit.exe (the accounting app binary), which in turn executes rundll32.exe with the ransomware's DLL as parameter.
Bottom line, we can confirm the MeDOC update as an infection vector. This makes Ukraine “patient zero” from where the infection spread across VPN networks to headquarters or satellite offices.
We strongly advise all companies who have offices in Ukraine to be on the lookout and to monitor VPN connections to other branches.
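The process chain in the comment above (explorer.exe starting ezvit.exe, which starts rundll32.exe with the malware DLL) and the PsExec/WMI lateral movement described in the post are both things a defender can hunt for in process-creation telemetry. The following is my own added example, not code from the post or from Bitdefender: a small PowerShell detection run over constructed sample records shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine). Host names, install paths and the placeholder DLL name are made up for the example; the parent names PSEXESVC.exe (the PsExec service) and WmiPrvSE.exe (the WMI provider host that spawns processes created remotely through WMI) are the well-known indicators the rules key on.

```powershell
# Added example, not from the post or the quoted comment: flag two behaviours in
# process-creation events. Sample records below are constructed for the example
# and mimic Sysmon Event ID 1 fields; on a real host feed in Get-WinEvent output.

$sampleEvents = @(
    [pscustomobject]@{ Host = 'WS01'; ParentImage = 'C:\Windows\explorer.exe';                Image = 'C:\Apps\MeDoc\ezvit.exe';          CommandLine = 'ezvit.exe' }
    [pscustomobject]@{ Host = 'WS01'; ParentImage = 'C:\Apps\MeDoc\ezvit.exe';                Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = 'rundll32.exe C:\Windows\PAYLOAD-PLACEHOLDER.dll,#1' }
    [pscustomobject]@{ Host = 'WS02'; ParentImage = 'C:\Windows\System32\services.exe';       Image = 'C:\Windows\PSEXESVC.exe';          CommandLine = 'PSEXESVC.exe' }
    [pscustomobject]@{ Host = 'WS02'; ParentImage = 'C:\Windows\PSEXESVC.exe';                Image = 'C:\Windows\System32\rundll32.exe'; CommandLine = 'rundll32.exe C:\Windows\PAYLOAD-PLACEHOLDER.dll,#1' }
    [pscustomobject]@{ Host = 'WS03'; ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe';  Image = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Host = 'WS04'; ParentImage = 'C:\Windows\explorer.exe';                Image = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe' }
)

function Get-LeafName([string]$Path) {
    # Last path component, lower-cased; split on both separators so this also
    # works when analysing exported logs on a non-Windows host.
    return ($Path -split '[\\/]')[-1].ToLowerInvariant()
}

function Find-SuspiciousProcessEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    $remoteExecParents = @('psexesvc.exe', 'wmiprvse.exe')
    $executionImages   = @('cmd.exe', 'powershell.exe', 'rundll32.exe', 'wscript.exe', 'cscript.exe')

    foreach ($e in $Events) {
        $image  = Get-LeafName $e.Image
        $parent = Get-LeafName $e.ParentImage
        $rule   = $null

        if ($parent -eq 'ezvit.exe' -and $image -eq 'rundll32.exe') {
            # Rule 1: the accounting application should never hand a DLL to rundll32.
            $rule = 'MeDoc-app-spawned-rundll32'
        } elseif ($parent -in $remoteExecParents -and $image -in $executionImages) {
            # Rule 2: a shell or rundll32 under the PsExec service or the WMI
            # provider host means it was started remotely. Legitimate admin
            # tooling must be allow-listed by source host or account, or this
            # rule will be noisy.
            $rule = "Remote-execution-via-$parent"
        }

        if ($rule) {
            [pscustomobject]@{
                Host = $e.Host; Rule = $rule; Parent = $parent
                Image = $image; CommandLine = $e.CommandLine
            }
        }
    }
}

$findings = Find-SuspiciousProcessEvents -Events $sampleEvents
$findings | Format-Table -AutoSize
```

Run as written it reports three of the six sample records: the ezvit.exe to rundll32.exe launch on WS01, the rundll32.exe child of PSEXESVC.exe on WS02 and the cmd.exe child of WmiPrvSE.exe on WS03; the ordinary user-started cmd.exe on WS04 is left alone. To use it on live data, map the `Image`, `ParentImage` and `CommandLine` fields out of Sysmon Event ID 1 records (or Security 4688 with command-line auditing) into the same three properties before passing them in.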
Tomi Engdahl says:
The Petya ransomware is starting to look like a cyberattack in disguise
The ransomware that wasn’t
https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia
The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.
Petya seems to have been incapable of decrypting infected machines, and its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines. As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.
It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.)
But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.
In each case, the infections seem to specifically target Ukraine’s most vital institutions, rather than making a broader attempt to find lucrative ransomware targets.
The broader political context makes Russia a viable suspect. Russia has been engaged in active military interventions in Ukraine since former president Viktor Yanukovych was removed from power in 2014. That has included the annexation of Crimea and the active movement of troops and equipment in the eastern region of the country, but also a number of more subtle activities. Ukraine’s power grid came under cyberattack in December 2015, an attack many interpreted as part of a hybrid attack by Russia against the country’s infrastructure. That hybrid-warfare theory extends to more conventional guerrilla attacks: the same day that Petya ripped through online infrastructure, Ukrainian colonel Maksim Shapoval was killed by a car bomb attack in Kiev.
Tomi Engdahl says:
Russia behind cyber-attack, says Ukraine’s security service
http://www.bbc.com/news/world-europe-40471310
Ukraine says it has proof that Russian security services were involved in the cyber-attack that targeted businesses around the world earlier this week.
The country’s security service, the SBU, said it had obtained data that points to a link with an attack on the nation’s capital, Kiev, in December.
Ukrainian firms were among the first to report issues with malicious software on Tuesday, before the virus spread.
Moscow denied any involvement, adding that the allegations were “unfounded”.
The virus, which disrupted IT systems across the globe, froze computers and demanded a ransom be paid in the digital currency Bitcoin, which is untraceable.
However, the attack also hit major Russian firms, leading some cyber security researchers to suggest that Moscow was not behind it.
But on Saturday, Ukraine’s SBU said in a statement that – through data obtained from international anti-virus companies – it had established a connection with a previous attack involving the so-called Petya virus, which it alleges was not designed to secure ransom payments.
The SBU later said the ransom demand was a cover, adding that the attack was aimed at disrupting the operations of state and private companies in Ukraine and causing political destabilisation.
Tomi Engdahl says:
SBU claims Russia was behind NotPetya
So does ESET, which reckons the malware spread better than its authors expected
https://www.theregister.co.uk/2017/07/04/sbu_claims_russia_was_behind_notpetya/
Ukraine’s security service, which last week called on international help to trace the “NotPetya” outbreak, has upped the ante, accusing Russia of being the source of the malware.
On Saturday, the SBU went public with the claim, saying the outbreak came from the same sources that launched last December’s attack on the country’s electricity infrastructure.
The SBU says it has “reason to believe that the same hacking groups are involved in the attacks. Which in December 2016 attacked the financial system, transport and energy facilities of Ukraine using TeleBots and BlackEnergy.”
“This testifies to the involvement of the special services of Russian Federation in this attack.”
The SBU reckons NotPetya’s failed attempt at extorting Bitcoin was never a serious ransom demand, but rather a cover for malware whose purpose was mayhem.
The SBU statement is here.
Slovakian security outfit ESET agrees, at least in part.
SBU establishes involvement of the RF special services into Petya.A virus-extorter attack
https://ssu.gov.ua/en/news/1/category/2/view/3660#sthash.nR2mk3wT.dpbs
The cyber-attack, taking place on June 27, 2017 against state institutions, facilities of financial, power-generating and transport sector and also private enterprises by means of malware “Petya.A” is aimed at task-oriented destabilization of social and political situation in the country.
According to the SBU's research, the infection was planned and conducted in advance. It took place in several stages and started the day before the state National Day. The cyber-attack gives the impression of a usual ransomware-type virus (software for money extortion), created for offenders' treatment. In fact the virus is a cover for a large-scale attack, oriented against Ukraine.
It stands to mention the originality and singularity of the large-scale vector of infection, connected with the usage of applied book-keeping software. According to SBU sources' data, it occurred only once, during a cyber-attack from the side of North Korea.
Now therefore, the main task of the virus is the destruction of important data and disorder in state and private institutions of Ukraine, for the distribution of panic feelings among the population.
Tomi Engdahl says:
Slovakian security outfit ESET agrees, at least in part. On Friday, it issued this analysis also linking NotPetya to the TeleBots and BlackEnergy groups.
The company speculates that the malware spread better than its authors expected: rather than staying in the Ukraine, it hopped on VPNs companies with a presence in the country used to connect to other international operations.
TeleBots are back: Supply-chain attacks against Ukraine
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
The latest Petya-like outbreak has gathered a lot of attention from the media. However, it should be noted that this was not an isolated incident: this is the latest in a series of similar attacks in Ukraine. This blogpost reveals many details about the Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya) outbreak and related information about previously unpublished attacks.
TeleBots
In December 2016 we published two detailed blogposts about disruptive attacks conducted by the group ESET researchers call TeleBots, specifically about attacks against financial institutions and a Linux version of the KillDisk malware used by this group. The group mounted cyberattacks against various computer systems in Ukraine; systems that can be defined as critical infrastructure. Moreover, this group has connections with the infamous BlackEnergy group that was responsible for the December 2015 power outages in Ukraine.
In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks. Putting the cart before the horse: collecting ransom money was never the top priority for the TeleBots group. The KillDisk malware used in the first wave of December 2016 attacks, instead of encrypting, simply overwrites targeted files. Further, it did not provide contact information for communicating with the attacker; it just displayed an image from the Mr. Robot TV show.
In the second wave of attacks, the cybersaboteurs behind the KillDisk malware added contact information to the malware, so it would look like a typical ransomware attack. However, the attackers asked for an extraordinary number of bitcoins: 222 BTC (about $250,000 at that time).
In 2017, the TeleBots group didn’t stop their cyberattacks; in fact, they became more sophisticated.
Conclusions
The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spearphishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack. Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware's spreading capabilities. That's why the malware went out of control.
Tomi Engdahl says:
https://www.viestintavirasto.fi/viestintavirasto/blogit/2017/kestaisimmekomepetyan.html
Tomi Engdahl says:
Ukraine authorities raid M.E. Docs in NotPetya investigation
Equipment seized to head off new attack, Cyberpolice says
https://www.theregister.co.uk/2017/07/05/ukraine_authorities_raid_me_docs_in_notpetya_investigation/
There’s a new wrinkle to the NotPetya story: authorities in the Ukraine have seized equipment from M.E.Docs, the online accounting firm implicated in spreading the malware.
The country’s cybercrime unit has seized the servers after saying it had detected new activity, and was acting to “immediately stop the uncontrolled proliferation” of malware.
Associated Press’s Raphael Satter quotes a Cyberpolice spokesperson, Yulia Kvitko, as saying the company’s systems had either sent or were preparing to send a new (presumably compromised) update.
The Cyberpolice says the company’s management and staff fully assisted in the investigation, adding that equipment will be “sent for detailed analysis”.
The department now recommends people stop using the software until further notice, turn off any computers it’s installed on, change their passwords, and get new digital signatures.
The AP story says the Ukrainian infrastructure ministry alone has incurred “millions” in the costs of the attack, which hit two servers and hundreds of workstations.
Tomi Engdahl says:
Lorenzo Franceschi-Bicchierai / Motherboard:
NotPetya malware-linked hackers empty BTC wallet, ask for 100BTC for private decryption key in attempt to reset narrative that it’s ransomware, not wiperware
Hackers Connected to NotPetya Ransomware Surface Online, Empty Bitcoin Wallet
https://motherboard.vice.com/en_us/article/8xagk4/hackers-connected-to-notpetya-ransomware-surface-online-empty-bitcoin-wallet
Whoever is in control of the NotPetya bitcoin wallet has moved around $10,000 of funds, and a mysterious group has offered to unlock all of the ransomed files.
Hackers connected to the disruptive world-wide ransomware attack that crippled Ukraine and hit computers all over the world have surfaced online. Bitcoin sent to the hackers by victims has been moved from an online wallet, and someone seemingly connected to the group is now asking for more money.
In fact, some security researchers reached the conclusion that the hackers’ real goal was to wipe computers, while pretending to infect them with ransomware. In other words, the hackers didn’t really care about getting money, and just wanted to wreak havoc.
In an unexpected twist on Tuesday, the hackers gave their first sign of life since the attack.
At 10:10 PM UTC, the hackers emptied the bitcoin wallet they were using to receive ransom payments, moving more than $10,000 to a different wallet. A few minutes earlier, the hackers also sent two small payments to the bitcoin wallets of Pastebin and DeepPaste, two websites that let people post text online and are sometimes used by hackers to make announcements.
The authors of the announcement asked for 100 bitcoin (roughly $256,000 at the time of writing) in exchange for the private key that supposedly decrypts any file encrypted with the NotPetya ransomware. Curiously, the authors didn’t provide a bitcoin address where to send the payment, but did publish a link to a dark web chatroom where people could contact them.
In an interview in the chatroom, someone purporting to be one of the hackers told Motherboard that the price was so high because it’s for the key “to decrypt all computers.”
Motherboard could not confirm that the people who posted the announcement, as well as the people in the chatroom, were the hackers behind NotPetya.
Matt Suiche, a security researcher who has analyzed NotPetya, was skeptical about the alleged hackers’ motives, saying they are just “trolling journalists.”
“This is a fear, uncertainty and doubt case,”
At this point, it’s unclear if the hackers behind NotPetya are the same people who wrote the announcement and asked for 100 bitcoin.
Tomi Engdahl says:
Reuters:
Ukraine scrambles to mitigate backdoor found in M.E. Doc software used by 80% of Ukrainian firms, says all devices on networks that had M.E. Doc are vulnerable
Ukraine scrambles to contain new cyber threat after ‘NotPetya’ attack
http://www.reuters.com/article/us-cyber-attack-ukraine-backdoor-idUSKBN19Q14P
The Ukrainian software firm used to launch last week’s global cyber attack warned on Wednesday that all computers sharing a network with its infected accounting software had been compromised by hackers.
The attack used a virus, dubbed “NotPetya” by some experts, to take down thousands of computers in dozens of countries, disrupting shipping and businesses. Investigators now say the hack may be far more nefarious than previously thought.
A top official in the Ukrainian Presidential Administration said it remained unclear how many computers had been compromised and the state security service was trying to establish what the hackers would do with data stolen during the attack.
M.E.Doc is used by 80 percent of Ukrainian companies and installed on about 1 million computers in the country. Interior Minister Arsen Avakov said police had blocked a second cyber attack from servers hosting the software.
The company previously denied its servers had been compromised but when asked on Wednesday whether a back door had been inserted, Chief Executive Olesya Bilousova said: “Yes, there was. And the fact is that this back door needs to be closed.”
Any computer on the same network as machines using M.E.Doc was now vulnerable to another attack, she said.
“We need to pay the most attention to those computers which weren’t affected (by last week’s attack),” she told reporters.
SMOKESCREEN
Cyber security experts said that while hackers have previously been known to insert viruses into software updates – thus tricking computers and system administrators into installing the malware on their own systems – the attack on Ukraine is the largest and most disruptive such assault to date.
“We are in a new phase of cyber security and the way that sophisticated actors behave,” said Leo Taddeo, a former FBI cyber investigator and executive with cyber security firm Cyxtera Technologies. “I can’t think of a supply chain attack that has been this thorough.”
Security experts from U.S.-based Cisco Systems Inc. (CSCO.O) said they had examined Intellect's machines at its invitation and determined that an attacker had used a password stolen from an employee to log in on a company computer.
After escalating the access rights of that user, the attacker rewrote configuration files, directing customers seeking updates to tampered versions stored elsewhere, at a French web hosting company.
The software with the back doors could spread through other means and the attackers might have used those back doors to install other tools.
The big worry is what else might have been pushed out by earlier tainted updates.
“This wasn’t made for any other purpose but to destabilize businesses in the Ukraine,” Williams said.
Tomi Engdahl says:
Beyond WannaCry and NotPetya / Petya: What’s next for enterprises?
https://www.synopsys.com/blogs/software-security/beyond-notpetya-petya/
This week’s malware outbreak that removed computer data capabilities from large enterprises worldwide is now thought to have been designed to damage, not to earn profit. Therefore, it only masquerades as traditional ransomware. First seen on Tuesday, NotPetya/Petya is like last month’s WannaCry in that it displayed a ransom request of $300 in BitCoin on compromised machines. However, this time the attacks were not widespread nor intended for individual machines. They were targeted at faulty enterprise networks and the data was generally not recoverable.
According to Reuters, the main purpose of the attack appears to be the installation of new malware on computers at government and commercial organizations, primarily in the Ukraine. These organizations have offices worldwide; thus, a total of 65 countries were affected. The WannaCry and NotPetya/Petya attacks aren’t so much ransomware as they are early warnings of how future malware will take advantage of existing cracks in the enterprise network.
Intentional sloppiness
As with WannaCry, the ransom aspect, BitCoin collection and distribution of keys, for NotPetya/Petya appears to be layered on as an afterthought. This time the email address for contact and data recovery was disabled by the provider shortly after the attack began. And on the BitCoin side, the account appears to have been set up with no way to correlate who paid and who didn’t. This is also true of WannaCry.
NotPetya/Petya contains a variety of features, not all enabled. For example, there appears to be a data wiper in the code. A wiper destroys the data and hardware of a computer. Shamoon, which targeted the oil and gas industry in 2012, is a classic example of such malware.
NotPetya/Petya
There is a ransomware package called Petya, and NotPetya/Petya contains much of its code. However, it is also different. This caused confusion within the attack's first 24 hours.
A sophisticated attack
The NotPetya/Petya outbreak is thought to have started as a compromised update in the MeDoc accounting software, widely used in the Ukraine. According to Fortune, criminal hackers broke into the MeDoc servers on or around June 22. The compromised software update is now thought to have included a compromised Word document. This is a classic characteristic of a virus: requiring an end user to click on the infected email and open the attachment in order to spread. This technique also allows for a more targeted attack.
Where WannaCry spread like wildfire across the globe within a day, Petya was more focused, using spear-phishing to target strategic databases (i.e., companies doing business in the Ukraine). Initially it was thought that NotPetya/Petya was simply a virus. As it turns out, it is a hybrid virus and worm.
Exploiting other holes in the network
Any time data needs to move from one server to another, or one system to another, there is opportunity. Additionally, Microsoft-based networks have inherently had a lot of trust built in. That’s because the support issues with a “trust no one” model—where everything is turned off and is enabled as needed—would be staggering. Here’s where a good penetration test would benefit an organization to help define what should be trusted and what should not.
Software is everywhere
These recent malware attacks also serve to remind us how prevalent software is today with gas pumps and digital billboards displaying the ransom requests. Enterprises today need to change fundamentally how their software is developed or adopted, updated, and accessed. World economies and infrastructures depend on the quality and security of software and applications more than ever.
Internal testing required
Whether utilizing a software vendor or an in-house development team, quality and security must be a priority. As development teams build out their software, they need to test the supply chain code with software composition analysis.
Shared responsibility
If security is truly built in, it also needs to be understood and supported from the CEO, board rooms, and throughout the organization. It needs to be the culture. In security, only one weak link is necessary for a bad actor to take root. Enterprises need a culture of security throughout. If the security team isn’t talking regularly to the C-suite or board about security, then how might this change come about?
And if all else fails…
Enterprises should always have an updated incident response plan. This should include how the business will continue if its hardware or data become compromised. Just as you should be testing and monitoring your software, you should also test and update your incident response plan to consider the latest attacks.
Clearly, WannaCry and NotPetya/Petya are just shots across the bow. Proof of concepts that have been successful to varying degrees. The next one could have more damaging consequences. Consider what happened at Maersk this week where paper and pen had to be used with global shipments. If your enterprise is not currently taking software security seriously, then consider yourself forewarned.
Tomi Engdahl says:
Petya Ransomware Authors Demand $250,000 In First Public Statement Since Attack
https://it.slashdot.org/story/17/07/05/2128218/petya-ransomware-authors-demand-250000-in-first-public-statement-since-attack?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot%2Fto+%28%28Title%29Slashdot+%28rdf%29%29
The group responsible for last week’s globe-spanning ransomware attack has made their first public statement. Motherboard first spotted the post, which was left on the Tor-only announcement service DeepPaste. In the message, the Petya authors offer the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000 at current rates. Crucially, the message includes a file signed with Petya’s private key, which is strong evidence that the message came from the group responsible for Petya.
https://it.slashdot.org/story/17/06/27/1433255/ukrainian-banks-electricity-firm-hit-by-fresh-cyber-attack-reports-claim-the-ransomware-is-quickly-spreading-across-the-world
Tomi Engdahl says:
‘NotPetya’ Hackers Demand $256,000 In Bitcoin To Cure Ransomware Victims
https://www.forbes.com/sites/thomasbrewster/2017/07/05/notpetya-hackers-demand-256000-in-bitcoin-to-cure-ransomware-victims/#2c5e88d16cf9
It looks like the hackers responsible for the massive ransomware outbreak that crippled Ukraine last week and infected some of the world’s biggest industrial companies, from Maersk to Merck, are posting messages demanding more Bitcoin to unlock victims’ files. Indeed, they’re after 100 Bitcoin, currently worth an astonishing $256,000.
In a post on Pastebin, an unnamed party wrote: “Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks).”
They also provided proof they were the real hackers with a signature for the malware’s private key. The key was checked by two separate malware researchers for Forbes, both confirming it was the real deal.
What does that mean? “It means that whoever posted this message has the private key to decrypt the data encrypted by the NotPetya malware,” said Anton Cherepanov, ESET senior malware researcher, the first to check the private key’s validity. “With this key it is possible to decrypt only files, but not boot disks. Because in the case of boot disk a different encryption method is used.” After it infects PCs, NotPetya first encrypts certain files, then moves on to separate encryption of parts of the boot disk (i.e. the part of the computer responsible for launching the operating system and all the data it controls) after the PC is rebooted.
In other words, the hackers making the demand are likely those responsible for NotPetya, but they can’t completely recover hard drives, only certain files.
A researcher going by the name MalwareTech, who also verified the key’s legitimacy, was baffled as to why the hackers hadn’t come good on a demo where a file would be unlocked by the key and thereby proving once and for all they were the true NotPetya perpetrators.
Meanwhile, the hackers have also been moving Bitcoin around.
But almost all remaining funds, totalling 3.96 Bitcoins, went to a new address of unknown origin.
Originally, researchers feared files were entirely unrecoverable, firstly because the email address controlled by the hackers for communicating with victims was shut down by the provider. Secondly, the key for the boot disk appeared to be inaccessible.
While the latest revelations from the hackers offer some hope, the high price they’ve set has researchers wondering whether this isn’t just another piece of purposeful misdirection from cybercriminals Ukraine has claimed are backed by a nation state: Russia.
https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know
Tomi Engdahl says:
Hackers Linked to NotPetya Ransomware Decrypted a File for Us
The hackers successfully decrypted a file provided by Motherboard, but that does not necessarily mean victims will be able to get their files back.
https://motherboard.vice.com/en_us/article/evdxj4/notpetya-ransomware-hackers-decrypt-file
Hackers linked to the crippling NotPetya ransomware attack, which encrypts files on infected machines, have proved to Motherboard they have the ability to decrypt some locked files.
Security researchers have spent much of the last week debating whether victims of NotPetya will ever get their files back, with many arguing that the malware was designed to cause disruption rather than generate funds.
After resurfacing online on Wednesday, hackers connected to the NotPetya ransomware are now offering to release a key they say would unlock all files affected by the malware for 100 bitcoins (worth roughly $250,000). The hackers didn’t publicly specify where to send the money, but told Motherboard that victims could pay to a new bitcoin wallet unaffiliated with the one that individual users have been paying ransom to until this week.
Tomi Engdahl says:
Fake WannaCry Ransomware Uses NotPetya’s Distribution System
http://www.securityweek.com/fake-wannacry-ransomware-uses-notpetyas-distribution-system
The NotPetya wiper wasn’t the only piece of malware distributed last week using the compromised M.E.Doc update mechanism: a fake WannaCry ransomware variant was delivered using the same channel, Kaspersky Lab reports.
Called FakeCry, the ransomware was delivered to M.E.Doc users on June 27, the same day as the NotPetya outbreak started.
Written in .NET and including a “WNCRY” string, the ransomware was clearly making reference to the massive WannaCry epidemic in May 2017.
However, the malware also pretends to be “made in China,” which researchers suggest is a false flag.
“Unfortunately ExPetr/Petya was not the only ransomware that was distributed via MeDoc updates on June 27. In parallel, another ransomware, FakeCry, was also distributed to MeDoc users at exactly the same time as ExPetr/Petya. Our telemetry shows about 90 attacked organizations received the FakeCry ransomware, almost all in Ukraine,” Kaspersky notes.
Ukraine’s authorities this week announced they raided and seized M.E.Doc servers fearing that the cybercriminals behind the NotPetya attack might still have access to these resources.
Tomi Engdahl says:
NotPetya Connected to BlackEnergy/KillDisk: Researchers
http://www.securityweek.com/notpetya-connected-blackenergykilldisk-researchers
Last week’s devastating NotPetya attack might have been launched by the same threat group that previously used the Russia-linked BlackEnergy malware family in attacks against Ukraine, security researchers reveal.
Initially believed to be a ransomware incident employing the same distribution tools as WannaCry, the NotPetya malware eventually proved to be a disk wiper spreading with the sole purpose of damaging infected computers. Similar to WannaCry, NotPetya hit Windows 7 machines the most.
The malware eventually hit systems in more than 65 countries, but most of its victims are located in Ukraine. Of a total of less than 20,000 machines infected by NotPetya (also referred to as PetrWrap, exPetr, GoldenEye, and Diskcoder.C), more than 70% are in Ukraine, Microsoft says.
Late last week, security researchers also discovered the reason why Ukraine was hit the most: the attack was apparently launched by the same threat group that initiated numerous other attacks against the country’s power grid, mining and railway systems, and Ukrainian government organizations.
Dubbed TeleBots, the group was previously referred to as BlackEnergy or Sandworm Team.
The NotPetya sample used in last week’s attack includes a series of similarities with the BlackEnergy and KillDisk malware families
The security researchers also believe that M.E.Doc’s server, where they discovered a malicious PHP backdoor medoc_online.php in an FTP directory, might have been used as an infection vector for other malware as well. Using malicious updates, the group supposedly deployed their own nefarious tools “in a stealthy way to computer networks that belong to high-value targets.”
Tomi Engdahl says:
Researchers Dissect Stealthy Backdoor Used by NotPetya Operators
http://www.securityweek.com/researchers-dissect-stealthy-backdoor-used-notpetya-operators
ESET security researchers have performed a detailed analysis of a stealthy backdoor used by the group behind the NotPetya destructive wiper and injected into the legitimate resources of tax accounting software M.E.Doc earlier this year.
Masquerading as ransomware, NotPetya was eventually found to be a wiper designed mainly to destroy data rather than hold it for ransom, and security researchers connected it to the persistent threat group TeleBots, which has launched several cyber-attacks against Ukraine before.
Previously referred to as BlackEnergy and Sandworm, the group allegedly compromised M.E.Doc earlier this year and injected their own code into one of the application’s modules. The malicious module was then pushed as an update to M.E.Doc clients and then used to distribute malware into the networks of these companies.
“It seems very unlikely that attackers could” inject a “very stealthy and cunning backdoor” into one of the software’s legitimate modules “without access to M.E.Doc’s source code,”
The malicious module was part of at least three updates released this year, on April 14, May 15, and June 22, yet M.E.Doc doesn’t appear to have been aware of the compromise, as several updates between April 24 and June 21 didn’t contain the backdoor.
The attackers, ESET researchers say, knew exactly which organizations in Ukraine were using the backdoored M.E.Doc
The backdoor was using the M.E.Doc’s regular update check requests to the official M.E.Doc server upd.me-doc.com[.]ua to send the collected information in cookies. By not using external servers for command and control and not generating abnormal network traffic, the backdoor could remain completely hidden on the compromised networks.
Although forensic analysis on the M.E.Doc server wasn’t performed, ESET believes the server was compromised, especially since a PHP backdoor was found in an FTP directory on it.
The backdoor also includes code that allows the attackers to control the infected machines through a binary blob received via the official M.E.Doc server. After decryption and decompression, the binary reveals “an XML file that could contain several commands at once.”
“This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time,” ESET notes.
“As our analysis shows, this is a thoroughly well-planned and well-executed operation. We assume that the attackers had access to the M.E.Doc application source code.”
Tomi Engdahl says:
Petya Weren’t Expecting This: Ransomware Takes Systems Hostage Across the Globe
https://securityintelligence.com/petya-werent-expecting-this-ransomware-takes-systems-hostage-across-the-globe/
Basic Technical Details
Lateral Movement: SMB Wormholes
One of the ways Petya moves around and propagates is by scanning transmission control protocol (TCP) port 445 to identify and target machines that use unpatched versions of server message block (SMB). If that sounds familiar from your reading during the WannaCry outbreak, you’re right. It’s the same.
Remote Execution: EternalBlue, WMIC and PsEXEC
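The propagation behaviour described above (one host sweeping TCP/445 across many neighbours in a short time) is something a defender can spot in ordinary firewall or flow logs. The following is an added example, not code from the article or from IBM: it parses a constructed log in an assumed format and flags sources that contact many distinct hosts on port 445 inside a sliding time window, while leaving normal file-server traffic alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/flow log (not from the article). Assumed format:
# "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
# 10.0.0.5 sweeps seven hosts on 445 within seconds (worm-like);
# 10.0.0.7 talks to one file server repeatedly; 10.0.0.9 touches three
# hosts spread over 45 minutes (ordinary admin activity).
SAMPLE_LOG = """\
2017-06-27 10:30:00 10.0.0.7 -> 10.0.0.2:445 TCP allow
2017-06-27 10:30:01 10.0.0.5 -> 10.0.0.12:445 TCP allow
2017-06-27 10:30:02 10.0.0.5 -> 10.0.0.13:445 TCP allow
2017-06-27 10:30:02 10.0.0.5 -> 10.0.0.14:445 TCP deny
2017-06-27 10:30:03 10.0.0.5 -> 10.0.0.15:445 TCP allow
2017-06-27 10:30:04 10.0.0.5 -> 10.0.0.16:445 TCP allow
2017-06-27 10:30:05 10.0.0.5 -> 10.0.0.17:445 TCP allow
2017-06-27 10:30:06 10.0.0.5 -> 10.0.0.18:445 TCP allow
2017-06-27 10:30:07 10.0.0.5 -> 10.0.0.12:445 TCP allow
2017-06-27 10:30:08 10.0.0.5 -> 10.0.0.30:80 TCP allow
2017-06-27 10:31:00 10.0.0.7 -> 10.0.0.2:445 TCP allow
2017-06-27 10:35:00 10.0.0.9 -> 10.0.0.2:445 TCP allow
2017-06-27 10:50:00 10.0.0.9 -> 10.0.0.3:445 TCP allow
2017-06-27 11:20:00 10.0.0.9 -> 10.0.0.4:445 TCP allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) -> "
    r"(?P<dst>\S+):(?P<port>\d+) (?P<proto>\S+) (?P<action>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, src, dst, port, proto) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
               m["src"], m["dst"], int(m["port"]), m["proto"])


def find_smb_scanners(text, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on TCP/445 inside some `window`-long interval.
    Denied connections count as well: a scanner probes hosts whether or not they answer."""
    events = defaultdict(list)
    for ts, src, dst, port, proto in parse_log(text):
        if proto == "TCP" and port == 445:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()  # chronological order per source
        peak = 0
        start = 0
        for end, (ts, _) in enumerate(hits):
            # advance the window start until it lies within `window` of this event
            while hits[start][0] < ts - window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct TCP/445 targets within 60s (worm-like SMB sweep)")
```

Tune `window` and `threshold` to the size of the subnet and to how many servers a workstation legitimately talks to; the file-server pattern (many connections, one destination) never raises the distinct-target count.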
Tomi Engdahl says:
A ‘Wiper’ in Ransomware Clothing: Global Attacks Intended for Destruction Versus Financial Gain
https://securityintelligence.com/a-wiper-in-ransomware-clothing-global-attacks-intended-for-destruction-versus-financial-gain/
Further analysis of impacted victims also led our team to conclude that this attack was specifically aimed at organizations within Ukraine:
IBM has data to confirm that MeDoc, the tax software specific to organizations doing business in Ukraine, was the initial vector for the attacks.
For all of the attack victims IBM security experts analyzed, the initial host machine infected was based in Ukraine.
The attackers also leveraged an element of Strategic Web Compromise, or “watering hole” attacks, in which the malware was hidden within compromised websites. The websites that were compromised in this attack were frequented by Ukrainian visitors versus a global audience.
Tomi Engdahl says:
Free Scanner Finds 50,000 EternalBlue-Vulnerable Systems
http://www.securityweek.com/free-scanner-finds-50000-eternalblue-vulnerable-systems
More than 50,000 computers vulnerable to the NSA-linked EternalBlue exploit were found by a free vulnerability scanner in recent weeks.
Dubbed Eternal Blues, the tool was designed to provide network administrators with visibility into the EternalBlue-vulnerable machines in their networks, but without actually exploiting the flaw. In the wake of WannaCry, NotPetya, and other global infections leveraging the NSA-linked exploit, knowing whether a network is vulnerable or not is certainly a good idea.
Eternal Blues – Worldwide Statistics
http://omerez.com/eternal-blues-worldwide-statistics/
Tomi Engdahl says:
Malware Attack Disrupts Merck’s Worldwide Operations
http://www.securityweek.com/malware-attack-disrupts-mercks-worldwide-operations
American pharmaceutical giant Merck revealed in its financial results announcement for the second quarter of 2017 that a recent cyberattack has disrupted its worldwide operations, including manufacturing, research and sales.
While Merck has not provided details about the incident in its financial report, the June 27 attack referenced by the company is most likely the NotPetya malware outbreak that affected tens of thousands of systems in more than 65 countries. Many of the victims were located in Ukraine, the home of a tax software firm whose product was used as the main attack vector.
Researchers initially believed NotPetya (aka PetrWrap, exPetr, GoldenEye and Diskcoder.C) was a piece of ransomware, similar to WannaCry. However, a closer analysis revealed that it was actually a wiper and it was unlikely that victims could recover their files, even if they paid the ransom.
Tomi Engdahl says:
NotPetya Ransomware Victims Preparing Lawsuit Against Ukrainian Software Firm
https://yro.slashdot.org/story/17/08/03/2145226/notpetya-ransomware-victims-preparing-lawsuit-against-ukrainian-software-firm
The Juscutum Attorneys Association, a Ukrainian law firm, is rallying NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software — the point of origin of the NotPetya ransomware outbreak. The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police. A subsequent investigation revealed that Intellect-Service had grossly mismanaged the hacked servers, which were left without updates since 2013 and were backdoored on three different occasions.
Ukrainian Firm Facing Legal Action for Damages Caused by NotPetya Ransomware
https://www.bleepingcomputer.com/news/security/ukrainian-firm-facing-legal-action-for-damages-caused-by-notpetya-ransomware/
The lawsuit is in its incipient stages. Juscutum representatives are currently spreading their message and encouraging victims to join the lawsuit via social media posts and articles in local Ukrainian press.
NotPetya spread via backdoored M.E.Doc update server
The NotPetya ransomware spread via a trojanized M.E.Doc update, according to Microsoft, Bitdefender, Kaspersky, Cisco, ESET, and Ukrainian Cyber Police.
Juscutum’s legal endeavor comes on the civil front, akin to a class-action lawsuit.
Because the NotPetya ransomware contained buggy code (some called it a wiper disguised as ransomware), many victims couldn’t recover all the encrypted data.
FedEx said damage from NotPetya was permanent and might have lost some user shipping details for good. Similarly, US pharma giant Merck said last week that production of active ingredients used for key drugs is still down because of the NotPetya attack.
Juscutum says that on Tuesday, Ukrainian Cyber Police confirmed in an official document that M.E.Doc servers were backdoored on three different occasions.
The company is now using this document as the primary driving force behind its legal action.
Tomi Engdahl says:
Customers ‘furious’ with TNT after cyber-attack meltdown
http://www.bbc.com/news/technology-40861982
When Leah Charpentier ordered a vintage coffee table, on 8 June – a birthday present for her brother – she didn’t think it would take more than six weeks to be delivered.
She also didn’t expect for the furniture to arrive with one of its casters broken off.
This particular coffee table was just one of hundreds of thousands of items caught up in an extraordinary meltdown at courier TNT, which was badly affected by the NotPetya cyber-attack that hit many companies around the world on 28 June.
Businesses in Ukraine were hit hardest, and since many TNT operations and communications are based in the country, a significant proportion of its systems were infiltrated and data encrypted – locking employees out – as a result.
“Manual processes” are still being used to put packages through the system, and TNT says it is “reasonably possible” that some information will never be fully recovered.
The BBC has spoken to several customers who have had exasperating experiences with the courier, which is owned by FedEx.
‘Furious’
Ms Charpentier’s table faced the disruption of the cyber-attack after its initial delivery had been delayed because of its size.
Ms Charpentier still doesn’t know who is responsible for the broken leg, but because of the confusion and the fact that the table was sent back to Italy without TNT contacting her first, she says: “I’m still furious at TNT.”
Total shipping costs were 150 euros (£135), and Ms Charpentier says she might have to spend a further 180 euros to get the furniture repaired.
A source with knowledge of operations in Europe says that until very recently some depots were finishing the day with tens of thousands of packages still waiting to be processed, instead of just a handful as usual.
“They didn’t have enough loading units to face this,” the source says. “It was crazy.”
The source adds that some physical hardware – such as conveyor belts – was having to be fixed much more frequently than usual because of the stress caused by increased volumes.
‘Medical supplies delayed’
The sheer range of customers affected by the breakdown in operations at TNT is staggering – some were left distraught as critical supplies were held up in transit.
“We have urgent air freight stuck at Stansted [airport],” wrote one woman on the courier’s Facebook page, “medical equipment required in theatres.”
In another case, TNT narrowly missed depriving a bride of her dress on her wedding day, according to the staff at Dolly Blue Bridal Studios in Shrewsbury.
Despite having used TNT for six years, Mr Hammersley says he is now planning to switch couriers.
The list of cases goes on.
It’s nearly a month and a half since NotPetya struck, but TNT has still not recovered operations.
The last update from the company was published on 17 July. It said all TNT depots, hubs and facilities were operational, but added: “Customers are still experiencing widespread service and invoicing delays, and manual processes are being used to facilitate a significant portion of TNT operations and customer service functions.
“We cannot estimate when TNT services will be fully restored.”
Tomi Engdahl says:
Ukrainian Man Arrested For Distributing NotPetya Ransomware And Helping Tax Evaders
http://thehackernews.com/2017/08/ukraine-petya-ransomware-hacker.html?m=1
Ukrainian authorities have arrested a 51-year-old man accused of distributing the infamous Petya ransomware (Petya.A, also known as NotPetya) — the same computer virus that massively hit numerous businesses, organisations and banks in Ukraine as well as different parts of Europe around 45 days ago.
According to a press release published on Thursday by the Ukrainian cyber police department, Neverov uploaded a video, showing how to infect a computer with Petya.A ransomware—and also shared a download link for NotPetya malware to his social media account.
However, the police confirmed that Neverov was neither the actual author of the NotPetya virus, nor was he behind the massive ransomware attack that crippled many businesses and banks this summer.
The authorities charged Neverov with spreading a copy of the NotPetya virus via his social media account that eventually infected at least 400 computers in Ukraine, and also believe that he had helped tax evaders, directly or indirectly.
Tomi Engdahl says:
Hundreds of millions of losses on the malware – the conglomerate suffered a lot of damage
The malicious program, known by the names Petya and NotPetya in June and July, caused enormous losses to the Danish multinational AP Møller-Mærsk.
In its interim report released today, the company reported that the cyberattack would cause losses of $200 to $300 million in the current quarter.
The malware attacked Møller-Mærsk on July 27 via a Ukrainian accounting program. Three of the company’s nine segments were affected, mainly in the freight business. There was no risk to the vessels or workers employed by the company.
As a precautionary measure, the company had to shut down some of its logistics systems, which hindered the company’s business and caused losses.
Source: http://www.tivi.fi/Kaikki_uutiset/haittaohjelmasta-satojen-miljoonien-tappiot-monialayhtio-karsi-melkoiset-vahingot-petyan-vuoksi-6669502
Tomi Engdahl says:
Jordan Novet / CNBC:
Shipping giant Maersk says the NotPetya cyberattack will likely cause $200M-$300M in lost Q3 revenue
Shipping company Maersk says June cyberattack could cost it up to $300 million
https://www.cnbc.com/2017/08/16/maersk-says-notpetya-cyberattack-could-cost-300-million.html
Maersk has put in place “different and further protective measures” following the attack.
Merck and WPP were among the companies that were also affected by NotPetya.
Container shipping company A.P. Moller Maersk on Tuesday said it expects that computer issues triggered by the NotPetya cyberattack will cost the company as much as $300 million in lost revenue.
“In the last week of the [second] quarter we were hit by a cyber-attack, which mainly impacted Maersk Line, APM Terminals and Damco,” Maersk CEO Soren Skou said in a statement. “Business volumes were negatively affected for a couple of weeks in July and as a consequence, our Q3 results will be impacted. We expect that the cyber-attack will impact results negatively by USD 200-300m.”
Maersk Line was able to take bookings from existing customers two days after the attack, and things gradually got back to normal over the following week, the company said. It said it did not lose third-party data as a result of the attack.
“This cyber-attack was a previously unseen type of malware, and updates and patches applied to both the Windows systems and antivirus were not an effective protection in this case,” Maersk said on Tuesday. “In response to this new type of malware, A.P. Moller Maersk has put in place different and further protective measures and is continuing to review its systems to defend against attacks.”
Tomi Engdahl says:
NotPetya Attack Costs Big Companies Millions
http://www.securityweek.com/notpetya-attack-costs-big-companies-millions
Some of the big companies hit by the NotPetya malware in late June have reported losing hundreds of millions of dollars due to the cyberattack.
The NotPetya malware outbreak affected tens of thousands of systems in more than 65 countries, including ones belonging to major organizations such as Rosneft, AP Moller-Maersk, Merck, FedEx, Mondelez International, Nuance Communications, Reckitt Benckiser and Saint-Gobain. Many of the victims were located in Ukraine, the home of a tax software firm whose product was used as the main attack vector.
Researchers initially believed NotPetya (aka PetrWrap, exPetr, GoldenEye and Diskcoder.C) was a piece of ransomware, similar to WannaCry. However, a closer analysis revealed that it was actually a wiper and it was unlikely that victims could recover their files, even if they paid the ransom.
Financial reports published by the affected companies in the past few weeks show that the cyberattack has caused serious damage in many cases. FedEx-owned international delivery services company TNT Express, for instance, said there was a possibility that some business data may never be recovered.
Danish shipping giant AP Moller-Maersk estimates that the attack has cost it $200-$300 million. The conglomerate believes the cyberattack will have a significant impact on its finances in the third quarter due to revenue lost in July.
American pharmaceutical giant Merck had still been working on restoring operations in late July. In its latest financial results announcement, the firm said the cyberattack had disrupted its worldwide operations, including manufacturing, research and sales, but did not specify the exact losses caused by the incident.
Reckitt Benckiser, the British consumer goods company that makes Nurofen, Dettol and Durex, said the attack disrupted its ability to manufacture and distribute products. It estimated that the incident could have an impact of $130 million on its revenue.
Voice and language solutions provider Nuance Communications reported GAAP revenue of $486.2 million and non‑GAAP revenue of $495.6 million in the third quarter. The company estimates that the third-quarter GAAP revenues would have been $501.6 million and non-GAAP revenues $511.0 million had the malware incident not taken place.
Mondelez International, owner of U.K. chocolate maker Cadbury, estimated the cost of the attack at just over $150 million in lost sales and incremental expenses.
French construction giant Saint-Gobain said the attack led to downtime of IT systems and supply chain disruptions. The NotPetya attack has had a negative impact of €220 million ($258 million) on sales and €65 million ($76 million) on operating income in the first half of 2017.
Tomi Engdahl says:
Overcoming the Lost Decade of Information Security in ICS Networks
http://www.securityweek.com/overcoming-lost-decade-information-security-ics-networks
If you thought things were bad in the world of IT network security over the past decade, I have an incredibly bleak thesis to present to you.
Despite the collective failures in that space – leading to billions in stolen intellectual property, massive intelligence gains like OPM, hundreds of millions of stolen identities, etc. – there were clearly major advances in terms of security controls. Countless innovations – tons of investment in terms of people and money, the birth and evolution of an industry/subindustries, a proven ability to respond to (although not foresee) emerging threats – depict a tremendous number of positives hidden behind the losses. That focus is why we currently have a market of approximately 2,000 security solutions (the value of which is a topic for another discussion).
In the world of critical infrastructure/industrial control systems (ICS) security (aka operational technology), despite nearly two decades of discussion around nightmarish cyberattack scenarios and outcomes, the past 10 years can arguably be labeled “The Lost Decade of Information Security.”
I would argue that we are no better off today in terms of cybersecurity readiness than we were 10 years ago. This belief keeps me up at night and wakes me before the sun many mornings as the threat landscape is clearly growing more active and dangerous by the day. The theoretical is becoming reality and, unfortunately, we aren’t prepared to counter the threat just over the horizon.
What is encouraging is that in the past two years – and notably the past few months – we have seen an accelerated pace of awareness and prioritization being given to ICS security.
Where We Went Wrong
• Failing to “bridge the gap” between IT and ICS (Engineering) staff – These teams approach the world with completely different viewpoints, backgrounds and missions. ICS staff have safety and uptime as the core thought in every decision they make – and they have zero tolerance for the introduction of security controls which jeopardize either. Even a concept as basic as patching is problematic as it brings downtime to production. These teams have made strides in terms of working with one another; but a lack of solutions built specifically for ICS, that don’t jeopardize uptime and safety and offer a demonstrable value to both teams has resulted in a closed-door policy in most cases. “I own the shop floor. I need to keep production moving. I need to make sure nothing fails that could cause safety concerns for our teams or the public. NO – you are NOT putting that in my network.”
• Falling victim to the notion that prescriptive commands/standards could and would be implemented – Kudos for giving ICS security focus.
• Trying to force the “square pegs” of IT security into the “round holes” of ICS networks – IT security tools were not designed for fragile ICS networks. Approaches like active scanning, active querying and other “standard IT tools” have crashed PLCs, interrupted uptime and caused significant problems when implemented.
• Delaying investment because “these attacks are theoretical – they aren’t happening” – Logically, cybersecurity budgets over the past decade were dedicated to the areas where the bleeding was occurring. Have no idea who’s inside your network? Full packet capture and forensics tools. Dealing with a million point solutions? SIEMs and orchestration tools. Suffering under the scourge of spear-phishing? Advanced endpoint solutions, etc. Makes sense and you can’t really fault people for investing this way.
• Believing that the concept of “air-gapped” networks was ever a reality/would stand up against business and efficiency demands – “We’ll design the network so it can’t be accessed from the outside/so there is no interconnectivity with the IT network.” Sounded good for a time, but business demands have eradicated the notion of an “air-gapped” ICS network. Maintenance requirements, connectivity to the supply chain, remote analytics, managing “top floor to shop floor” KPIs, the desire to drive predictive analytics – these needs have seen “air gapping” go the way of the dinosaur. As a result, air gaps now have one thing in common with unicorns – they don’t exist.
• Difficult to implement, hard to consume, cumbersome to maintain previous-generation ICS specific solutions – There have been a number of promising ICS specific cybersecurity solutions that have emerged and failed to gain mainstream traction over the years. Difficulty in implementation (let’s put this firewall in front of every PLC), difficulty in consumption (massive installation projects, significant upfront time to configure) and unwieldy/unrealistic maintenance requirements saw these promises fail. They simply didn’t understand the unique needs of the ICS consumer.
So, practically, what actions can we take – right now – to vault the state of ICS security forward?
First, we need to stop “studying” the problem.
We need immediate focus and investment from government, board rooms, CIOs/CISOs, ICS owner/operators, security vendors and ICS equipment manufacturers on the problems confronting us.
We need a reference architecture which delivers the “biggest bang for the buck” and the most rapid increase in security readiness. An easily and rapidly (i.e., months not years) implementable framework which focuses on risk assessment, real-time monitoring, high-risk vulnerability management, threat intelligence, advanced endpoint protection and rapid response.
Tomi Engdahl says:
Patching Against the Next WannaCry Vulnerability (CVE-2017-8620)
http://www.securityweek.com/patching-against-next-wannacry-vulnerability-cve-2017-8620
This month’s Microsoft patch updates include one particular vulnerability that is raising concerns: CVE-2017-8620, which affects all versions of Windows from 7 onwards. Microsoft explained, “in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.”
In short, this is a wormable bug affecting all supported versions of Windows. The parallels with the WannaCry and NotPetya vulnerabilities are clear — indeed, Check Point described CVE-2017-8620 as ‘The Next WannaCry Vulnerability’. All that is currently missing is full disclosure of the vulnerability and a usable exploit (WannaCry and NotPetya exploited the leaked NSA exploit known as EternalBlue).
Noticeably, SANS describes this vulnerability as ‘more likely’ to be both disclosed and exploited in the future. Once this happens, the situation could precisely parallel WannaCry/NotPetya. Microsoft has done what it can (or as much as it is willing to do); it has patched the vulnerability. The earlier WannaCry vulnerability had also been patched; but WannaCry (and NotPetya) still happened (and the effects continue to be felt).
“The importance of patching systems cannot be underestimated,” says David Kennerley, director of threat research at Webroot. “There will always be zero-day vulnerabilities, but it’s worth noting that the vast majority of exploit attacks seen in the wild involve cybercriminals targeting known vulnerabilities. These vulnerabilities have already been fixed by the vendor, but the fix has not been deployed and installed by the end user. With any vulnerability that can result in remote code execution, there is always concern until users deploy and install patches. There is without doubt a window of opportunity for cybercriminals to take advantage.”
One concern for the CVE-2017-8620 vulnerability is that it could be adopted by nation-state actors.
The current concern is that since many users did not patch against WannaCry/NotPetya, they might not patch CVE-2017-8620 before it is exploited. The question becomes, why is industry apparently lax in its patch procedures? This is a complex issue with no easy answer.
“Patching will break stuff,” F-Secure security advisor Sean Sullivan explains. “And so you can’t just roll out patches into a live production environment without testing. It’s a matter of time and resources. There’s no escaping the need to test.”
Tomi Engdahl says:
FedEx: TNT NotPetya infection blew a $300m hole in our numbers
File-scrambling malware put a bomb under shipping giant’s sales growth
https://www.theregister.co.uk/2017/09/20/fedex_notpetya_damages/
FedEx has estimated this year’s NotPetya ransomware outbreak cost it $300m in lost business and cleanup costs.
Most of the victims of June’s NotPetya epidemic were based in Ukraine, but several global corporations were also infected by the software nasty – including shipping giant Maersk, ad behemoth WPP, pharmaceutical beast Merck, and FedEx’s TNT Express division.
An update on TNT’s progress in restoring systems to normal as well as estimates of the financial toll taken by the outbreak came as the biz reported reduced earnings during the three months to August 31.
FedEx execs reckon systems will only be fully restored at the end of September, three months after the file-scrambling nasty romped through networks.
“Most TNT Express services resumed during the quarter and substantially all TNT Express critical operational systems have been restored,” FedEx said in a statement yesterday. “However, TNT Express volume, revenue and profit still remain below previous levels.”
Tomi Engdahl says:
FedEx Profit Takes $300 Million Hit After Malware Attack
http://www.securityweek.com/fedex-profit-takes-300-million-hit-after-malware-attack
The malware attack that hit international delivery services company TNT Express in June had a negative impact of roughly $300 million on FedEx’s profit in the latest quarter.
TNT Express, which FedEx acquired last year for $4.8 billion, was one of several major companies whose systems were infected with NotPetya malware (also known as Nyetya, PetrWrap, exPetr, GoldenEye, and Diskcoder.C) in late June.
The company reported a few weeks after the attack that the incident had a significant impact on its operations and communications. FedEx admitted at the time that it was possible TNT would not be able to fully restore all affected systems and recover all the critical business data encrypted by NotPetya.
“The worldwide operations of TNT Express were significantly affected during the first quarter by the June 27 NotPetya cyberattack. Most TNT Express services resumed during the quarter and substantially all TNT Express critical operational systems have been restored. However, TNT Express volume, revenue and profit still remain below previous levels,” the company said on Tuesday.
“Operating results declined due to an estimated $300 million impact from the cyberattack, which was partially offset by the benefits from revenue growth, lower incentive compensation accruals and ongoing cost management initiatives,” it added.
Tomi Engdahl says:
Danny Palmer / ZDNet:
FedEx reports June’s NotPetya cyber-attack cost its TNT Express division around $300M
NotPetya cyber attack on TNT Express cost FedEx $300m
http://www.zdnet.com/article/notpetya-cyber-attack-on-tnt-express-cost-fedex-300m/
Falling victim to global ransomware attack “posed significant operational challenges”, the company says in its latest financial report.
Falling victim to the Petya cyber attack cost FedEx around $300m during the last quarter of the financial year, the company has revealed in its latest earnings report.
Operations of FedEx’s TNT Express unit in Europe were disrupted by the attack and the company previously warned that the financial cost of the incident was likely to be significant. But now, with the publication of its first quarter earnings FedEx has revealed the cost of falling victim to Petya to be an estimated $300 million in lost earnings.
“The impact of the cyberattack on TNT Express and lower-than-expected results at FedEx Ground reduced our first quarter earnings,” said Alan Graf, FedEx chief financial officer. “We are currently executing plans to mitigate the full-year impact of these issues.”
Tomi Engdahl says:
New Ransomware Linked to NotPetya Sweeps Russia and Ukraine
https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/
Just four months ago, a massive ransomware attack known as NotPetya ripped through Ukraine, Russia, and some multinational companies, infecting thousands of networks and eventually causing hundreds of millions of dollars in damages. Now, an apparent aftershock of that attack is reverberating through the region, as a new variant of that code locks up hundreds of machines and handicaps infrastructure.
On Tuesday, the security community began tracking a new outbreak of ransomware tied to NotPetya’s authors. Known as BadRabbit, the strain has infected hundreds of computers—mostly in Russia, but with some victims in Ukraine, Turkey, Bulgaria, and Germany—according to security firms including ESET and Kaspersky. For now, the outbreak remains only a small fraction of the size of the NotPetya epidemic. But it has nonetheless hit several Russian media outlets, including the newswire Interfax, according to the Russian security firm Group-IB, and also infected Ukraine’s Odessa airport and Kiev subway system, partially paralyzing their IT systems and disabling the subway system’s credit card payments, according to one Ukrainian government official.
Tomi Engdahl says:
Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs
Ransomware breeds through Windows networks via SMB, fake Flash
https://www.theregister.co.uk/2017/10/24/badrabbit_ransomware/
Computers at Russian media outlets and Ukraine’s transport hubs were among Windows PCs infected and shut down today by another fast-spreading strain of ransomware.
Corporate systems within Interfax and two other major Russian news publishers had their files encrypted and held to ransom by malware dubbed BadRabbit. In Ukraine, Odessa airport, the Kiev metro, and the Ministry of Infrastructure were also hit by the extortionware, which demands Bitcoins to restore scrambled documents.
BadRabbit may also have spread to Turkey, Bulgaria and beyond, and is a variant of Diskcoder, according to researchers at ESET. Antivirus maker Avast detected it in Poland and South Korea, too.
Tomi Engdahl says:
BadRabbit: a closer look at the new version of Petya/NotPetya
https://blog.malwarebytes.com/threat-analysis/2017/10/badrabbit-closer-look-new-version-petyanotpetya/
Petya/NotPetya (aka EternalPetya) made headlines in June due to its massive attack on Ukraine. Today, we noted an outbreak of a similar-looking malware, called BadRabbit, probably prepared by the same authors. Just like the previous edition, BadRabbit has an infector allowing for lateral movement, using SMB to propagate laterally with a hardcoded list of usernames and passwords. However, unlike NotPetya, it doesn’t use EternalBlue and is more widely spread. (Impacted countries include Ukraine, Russia, Turkey, and Bulgaria.)
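Lateral movement over SMB with a hardcoded username/password list, as described above, leaves a distinctive authentication footprint: one source host trying several accounts against many hosts within seconds. The script below is an added detection example, not code from this post or from the Malwarebytes analysis; the Windows Security event records, host names and the CSV export layout are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export of Windows Security events (not from the page).
# 4624 = successful logon, 4625 = failed logon, LogonType 3 = network logon (SMB).
# 10.0.0.5 walks a short credential list across three hosts in a few seconds;
# 10.0.0.77 is an admin touching the same hosts with a single account.
SAMPLE_LOG = """\
time,event_id,target_host,source_ip,account,logon_type
2017-10-24T10:00:01,4625,FS01,10.0.0.5,Administrator,3
2017-10-24T10:00:02,4625,FS01,10.0.0.5,admin,3
2017-10-24T10:00:03,4625,FS01,10.0.0.5,user,3
2017-10-24T10:00:04,4624,FS01,10.0.0.5,root,3
2017-10-24T10:00:05,4625,WS02,10.0.0.5,Administrator,3
2017-10-24T10:00:06,4625,WS02,10.0.0.5,admin,3
2017-10-24T10:00:07,4624,WS02,10.0.0.5,root,3
2017-10-24T10:00:08,4625,WS03,10.0.0.5,Administrator,3
2017-10-24T10:00:09,4624,WS03,10.0.0.5,admin,3
2017-10-24T10:05:00,4624,FS01,10.0.0.77,alice,3
2017-10-24T10:06:00,4624,WS02,10.0.0.77,alice,3
2017-10-24T10:07:00,4625,WS03,10.0.0.77,alice,3
2017-10-24T11:00:00,4624,WS04,10.0.0.9,bob,2
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["time"]),
            "event_id": int(row["event_id"]),
            "target_host": row["target_host"],
            "source_ip": row["source_ip"],
            "account": row["account"],
            "logon_type": int(row["logon_type"]),
        })
    return events


def find_spraying_sources(events, window=timedelta(minutes=2),
                          min_hosts=3, min_accounts=3):
    """Return {source_ip: summary} for sources whose network logon attempts,
    inside one time window, span >= min_hosts hosts AND >= min_accounts
    accounts. Requiring both avoids flagging an admin using one account
    on many machines, while a worm cycling a fixed credential list trips it."""
    by_source = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3 and e["event_id"] in (4624, 4625):
            by_source[e["source_ip"]].append(e)
    alerts = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        for start in range(len(evs)):
            end = start
            while end < len(evs) and evs[end]["time"] - evs[start]["time"] <= window:
                end += 1
            win = evs[start:end]
            hosts = {e["target_host"] for e in win}
            accounts = {e["account"] for e in win}
            if len(hosts) >= min_hosts and len(accounts) >= min_accounts:
                alerts[src] = {
                    "hosts": sorted(hosts),
                    "accounts": sorted(accounts),
                    "failed": sum(1 for e in win if e["event_id"] == 4625),
                    # host/account pairs where the list actually worked:
                    # these machines need immediate containment
                    "succeeded_on": sorted((e["target_host"], e["account"])
                                           for e in win if e["event_id"] == 4624),
                }
                break
    return alerts


if __name__ == "__main__":
    for src, summary in find_spraying_sources(parse_events(SAMPLE_LOG)).items():
        print(src, summary)
```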
Tomi Engdahl says:
‘Bad Rabbit’ Attack Infrastructure Set Up Months Ago
http://www.securityweek.com/bad-rabbit-attack-infrastructure-set-months-ago
The infrastructure used by the Bad Rabbit ransomware was set up months ago and an increasing amount of evidence links the malware to the NotPetya attack launched in late June, which some experts believe was the work of a Russian threat actor.
A majority of the Bad Rabbit victims are in Russia – over 80% according to some reports – where the ransomware hit several media outlets, including Interfax. Significant infections have also been observed in Ukraine, where the malware reportedly hit major organizations such as the airport in Odessa, the Kiev subway, the State Aviation Service of Ukraine, and the Transport Ministry of Ukraine.
Infections have also been spotted in Bulgaria, Turkey, Germany, Japan, the United States, South Korea and Poland.
Tomi Engdahl says:
Profiling Tool Suggests ‘Bad Rabbit’ Not Financially Motivated
http://www.securityweek.com/profiling-tool-suggests-bad-rabbit-not-financially-motivated
Researchers at FireEye noticed that some of the websites redirecting users to the Bad Rabbit ransomware hosted a profiling framework, which could suggest that the attack was not financially motivated.
The Bad Rabbit attack, which led to the infection of hundreds of machines in Russia and Ukraine with ransomware, started with users being redirected to 1dnscontrol[.]com, a domain that served a malware dropper disguised as a Flash Player installer. Users had to manually execute the file in order to become infected.
FireEye noticed that several compromised websites redirecting to the 1dnscontrol domain had hosted a profiling tool. Tracked by the company as BACKSWING, the framework has been seen on more than 50 websites since September 2016, and four of them redirected users to Bad Rabbit ransomware this week.
BACKSWING is designed to collect information about a user’s browsing session – including User-Agent, HTTP Referrer, cookies, and the current domain – and sends it back to a command and control (C&C) server.
Tomi Engdahl says:
Patrick Howell O’Neill / Cyberscoop:
US drug giant Merck says NotPetya cyberattack cost ~$310M in Q3, affecting its global manufacturing, research, and sales operations, may cost ~$300M more in Q4 — The NotPetya cyberattack has cost the American pharmaceutical giant Merck more than $135 million in sales and $175 million …
NotPetya ransomware cost Merck more than $310 million
https://www.cyberscoop.com/notpetya-ransomware-cost-merck-310-million/
The NotPetya cyberattack has cost the American pharmaceutical giant Merck more than $135 million in sales and $175 million in additional costs since June, the company said in a call with investors Friday.
That number comes in addition to the $300 million loss FedEx said it suffered when systems were disrupted until as late as September. The shipping company Maersk lost $200 million when its systems were infected by the ransomware outbreak. The nation of Ukraine got the worst, however, with more than 1,500 people and organizations reporting being affected by the ransomware. In response, NATO pledged to increase aid to Ukraine’s cybersecurity.
The June attack impacted Merck’s global manufacturing, research and sales for nearly a week. Company email was disabled, 70,000 employees were forbidden from touching their computers, and instructions were sent via copy-and-pasted text messages. The exact cause of the infection remains publicly unclear.
Tomi Engdahl says:
‘Bad Rabbit’ Ransomware Uses NSA Exploit to Spread
http://www.securityweek.com/bad-rabbit-ransomware-uses-nsa-exploit-spread
Contrary to initial reports, the Bad Rabbit ransomware that hit Russia and Ukraine this week does in fact leverage an exploit linked to the U.S. National Security Agency (NSA).
Similar to the NotPetya wiper that infected tens of thousands of systems back in late June, Bad Rabbit also uses the Server Message Block (SMB) protocol to spread within the compromised network. However, researchers initially claimed that, unlike NotPetya, the ransomware did not use either of the SMB exploits tracked as EternalBlue and EternalRomance.
Tomi Engdahl says:
Files Encrypted by Bad Rabbit Recoverable Without Paying Ransom
http://www.securityweek.com/files-encrypted-bad-rabbit-recoverable-without-paying-ransom
Some users may be able to recover the files encrypted by the Bad Rabbit ransomware without paying the ransom, Kaspersky researchers discovered after analyzing the malware’s encryption functionality.
Once it infects a device, Bad Rabbit looks for certain file types and encrypts them. The disk is also encrypted and a ransom screen is displayed when the computer boots, preventing the victim from accessing the operating system. The disk encryption and bootloader functionality are provided by code derived from a legitimate utility named DiskCryptor.
Bad Rabbit has been linked to the NotPetya attack that caused significant disruptions to many companies back in late June. However, unlike NotPetya, which experts classified as a wiper due to the fact that victims could not recover their files even if they paid the ransom, files encrypted by Bad Rabbit can be recovered with the right decryption key.
While the encryption mechanisms used by the attackers, AES-128-CBC and RSA-2048, cannot be cracked, Kaspersky experts have identified some methods that may allow some victims to decrypt their disk and recover files.
https://securelist.com/bad-rabbit-ransomware/82851/
Tomi Engdahl says:
Patrick Howell O’Neill / Cyberscoop:
US drug giant Merck says NotPetya cyberattack cost ~$310M in Q3, affecting its global manufacturing, research, and sales operations, may cost ~$300M more in Q4
NotPetya ransomware cost Merck more than $310 million
https://www.cyberscoop.com/notpetya-ransomware-cost-merck-310-million/
The NotPetya cyberattack has cost the American pharmaceutical giant Merck more than $135 million in sales and $175 million in additional costs since June, the company said in a call with investors Friday.
The June attack impacted Merck’s global manufacturing, research and sales for nearly a week.
Merck took several hits this quarter and sales fell 2 percent to $10.33 billion in the last quarter.
$300 million loss FedEx
Maersk lost $200 million
Tomi Engdahl says:
Andy Greenberg / Wired:
How Mimikatz, a tool coded by a French government IT manager in his spare time, became a ubiquitous password stealer for hackers globally — Five years ago, Benjamin Delpy walked into his room at the President Hotel in Moscow, and found a man dressed in a dark suit with his hands on Delpy’s laptop.
He Perfected a Password-Hacking Tool—Then the Russians Came Calling
https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/
In the years since, Delpy has released that code to the public, and Mimikatz has become a ubiquitous tool in all manner of hacker penetrations, allowing intruders to quickly leapfrog from one connected machine on a network to the next as soon as they gain an initial foothold.
Most recently, it came into the spotlight as a component of two ransomware worms that have torn through Ukraine and spread across Europe, Russia, and the US: Both NotPetya and last month’s BadRabbit ransomware strains paired Mimikatz with leaked NSA hacking tools to create automated attacks whose infections rapidly saturated networks, with disastrous results. NotPetya alone led to the paralysis of thousands of computers at companies like Maersk, Merck, and FedEx, and is believed to have caused well over a billion dollars in damages.
Those internet-shaking ripples were enabled, at least in part, by a program that Delpy coded on a lark. An IT manager for a French government institution that he declines to name, Delpy says he originally built Mimikatz as a side project, to learn more about Windows security and the C programming language—and to prove to Microsoft that Windows included a serious security flaw in its handling of passwords.
Tomi Engdahl says:
North Korea Denies Role in WannaCry Ransomware Attack
http://www.securityweek.com/north-korea-denies-role-wannacry-ransomware-attack
North Korea on Thursday denied US accusations it was behind the WannaCry global ransomware cyberattack, saying Washington was demonising it.
WannaCry infected some 300,000 computers in 150 nations in May, encrypting user files and demanding hundreds of dollars from their owners for the keys to get them back.
The White House this week blamed Pyongyang for it, adding its voice to several other countries that had already done so.
A spokesman for Pyongyang’s foreign ministry said the US allegations were “absurd”, adding: “As we have clearly stated on several occasions, we have nothing to do with cyber-attacks.”
Washington had “ulterior” motives, the spokesman added according to the North’s KCNA news agency.
Tomi Engdahl says:
Charlie Osborne / ZDNet:
Maersk says NotPetya ransomware attack required an almost complete infrastructure overhaul, reinstallation of 4,000 servers, 45,000 PCs, and 2,500 applications
NotPetya ransomware forced Maersk to reinstall 4000 servers, 45000 PCs
http://www.zdnet.com/article/maersk-forced-to-reinstall-4000-servers-45000-pcs-due-to-notpetya-attack/
The shipping giant has suffered millions of dollars in damage due to the ransomware attack.
Maersk has revealed that a devastating ransomware attack which struck businesses across Europe in 2017 required close to a “complete infrastructure” overhaul and the reinstallation of thousands of machines.
The Danish transport and logistics conglomerate fell prey to a campaign which used a modified version of the Petya ransomware, NotPetya, bringing down IT systems and operational controls across the board.
Maersk, a container ship and supply vessel operator, previously warned that the ransomware attack would cause losses of up to $300 million due to “serious business interruption.”
The firm, with offices in 130 countries and a workforce of close to 90,000, was one of the most high-profile victims of the Petya campaign, which spread rapidly by utilizing the leaked US National Security Agency (NSA) exploit EternalBlue, which targets Microsoft Windows systems.
The same exploit was used to spread WannaCry, ransomware which caused horrendous disruption to healthcare systems including the UK’s National Health Service (NHS).
Tomi Engdahl says:
U.K. Officially Blames Russia for NotPetya Attack
https://www.securityweek.com/uk-officially-blames-russia-notpetya-attack
The United Kingdom on Thursday officially accused the Russian government of launching the destructive NotPetya attack, which had a significant financial impact on several major companies.
British Foreign Office Minister for Cyber Security Lord Tariq Ahmad said the June 2017 NotPetya attack was launched by the Russian military and it “showed a continued disregard for Ukrainian sovereignty.”
“The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it,” the official stated.
“The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace,” he added.
Tomi Engdahl says:
U.S., Canada, Australia Attribute NotPetya Attack to Russia
https://www.securityweek.com/us-canada-australia-attribute-notpetya-attack-russia
The United States, Canada, Australia and New Zealand have joined the United Kingdom in officially blaming Russia for the destructive NotPetya attack launched last summer. Moscow has denied the accusations.
In a statement released on Thursday, the White House attributed the June 2017 attack to the Russian military and described it as “the most destructive and costly cyber-attack in history.”
“The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas,” the White House Press Secretary stated. “It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.”
Tomi Engdahl says:
Nuance Estimates NotPetya Impact at $90 Million
https://www.securityweek.com/nuance-estimates-notpetya-impact-90-million
Nuance Communications, one of the companies to have been impacted by the destructive NotPetya attack last year, estimates the financial cost of the attack at over $90 million.
Initially believed to be a ransomware outbreak, NotPetya hit organizations worldwide on June 27, and was found within days to be a destructive wiper instead. Linked to the Russia-linked BlackEnergy/KillDisk malware, NotPetya used a compromised M.E.Doc update server as infection vector.
NotPetya affected major organizations, including Rosneft, AP Moller-Maersk, Merck, FedEx, Mondelez International, Nuance Communications, Reckitt Benckiser, and Saint-Gobain, causing millions in damages to every one of them.
Last year, Nuance estimated that NotPetya impacted its revenue for the third quarter of 2017 by around $15 million, but the total financial losses the attack incurred are of around $100 million, the company now says.
Tomi Engdahl says:
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Tomi Engdahl says:
N. Korea calls Sony, Wannacry hack charges smear campaign
https://apnews.com/80003a5e8f9440e0bb4cca664c63a132
North Korea strongly denied claims by the United States that a computer programmer working for the North Korean government was involved in the hack of Sony Pictures Entertainment and the spread of the WannaCry ransomware virus.
Tomi Engdahl says:
North Korean hacker officially charged for the WannaCry attacks
https://www.pandasecurity.com/mediacenter/news/korean-hacker-charged-wannacry/
Last month, we warned of the dangers that the FBI’s most wanted cybercriminals pose. Among these criminals are the perpetrator of the cyberattacks against HBO and the developer of the Zeus malware. And there is now a new name at the top of the list.
Park Jin Hyok has officially been charged by the US Department of Justice for carrying out the WannaCry attacks, among other cybercrimes.
Park allegedly belongs to the hacking group known, among other names, as Lazarus Group – a group that has carried out numerous cyberattacks against South Korea.