Petya…let us take a breath…

Hello All. So most of you know what is going on in the cyber security world…Petya. If you have no idea what I am talking about, then you may want to read a website or turn on the TV. Petya is a form of malware, more specifically ransomware. Although it has bubbled to the surface a few days a go, it has actually been around since 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the NTFS file table, demanding a payment in Bitcoin in order to regain access to the system.

As per Wikipedia, “Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine. The new variant propagates via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. Kaspersky Lab referred to this new version as NotPetya to disambiguate it from the 2016 variants due to these differences in operation. In addition, although it purports to be ransomware, it is unable to actually revert its changes.”

Some further valuable analysis findings:

Distribution methods

The malware is distributed via phishing e-mails.
For further distribution within the network the malware uses:

  • MS17-10 vulnerability (like WannaCry).
  • Remote access to WMI (Windows Management Instrumentation)
  • Command line:
  • “process call create \”C:\\Windows\\System32\\rundll32.exe \\\”C:\\Windows\\perfc.dat\\\” #1”.
  • The malware also uses «PSEXEC» toolkit or some similar tool (we are currently investigating this as well as the source of credentials used to infect remote systems via WMI).

Encryption

  • The malware clears system logs using the following command:
    «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:» to make further analysis more difficult.
  • It also writes its code to Hard Drive MBR, initiates system reload and adds reload commands to Windows planner (“schtasks” and “at” commands).
  • After the system is reloaded the malware downloads its code from MBR and encrypts data on the hard drive (File allocation table is encrypted, we are currently investigation what else is being encrypted).
  • If the computer is shut down before the reload, MBR can be reestablished with “bootrec /FixMbr” command. (in Vista+, for Windows XP “fixmbr” can be used).
  • In case the privileges are not high enough to rewrite MBR, the files are encrypted without a system reload. The list of file types that are encrypted: 3ds,7z,accdb,ai,asp,aspx,avhd,back,bak,c,cfg,conf,cpp,cs,ctl,dbf,disk,djvu,doc,docx,dwg,eml,fdb,gz,h,hdd,kdbx,mail,mdb,msg,nrg,ora,ost,ova,ovf,pdf,php,pmf,ppt,pptx,pst,pvi,py,pyc,rar,rtf,sln,sql,tar,vbox,vbs,vcb,vdi,vfd,vmc,vmdk,vmsd,vmx,vsdx,vsv,work,xls,xlsx,xvd,zip.

Recommendations

  • Recommendations that we have pulled together still indicate the same remediation as Wannacry, with the following:
  • Install required Windows updates (MS17-10): – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Turn off SMB1:
    https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
  • It is also advised to block the execution of «PSEXEC.EXE» software on potentially compromised machines and block remote access to WMI.

29th Annual FIRST Conference

Hello All. I would like to thank the organizers at @firstdotorg for inviting me to the 29th Annual FIRST Conference held between June 11-16, 2017 in San Juan, Puerto Rico. I had the opportunity to present twice, once on the best practices related to starting a product security team and the other on using honeypots to detect lateral movement.

Overall, it was a wonderful event. I got to catch up with colleagues from other PSIRTs, learn about the latest research into information security and listen to various industry panels and Q & As, all while in beautiful San Juan, Puerto Rico.

Be ready: Boards are now asking about cyber risks

Really great posting from my company Raytheon’s CEO, Tom Kennedy. Raytheon has made huge investments over the past few years into R&D on the cyber side. His posting really puts things into perspective.

“You know what keeps me up at night? Cyber risks. The endless stories of companies losing personal data, customer confidence, intellectual property, business continuity, market capitalization – not to mention facing hefty fines and settlements – read like a bad dream. But it’s not. Cybercrime is projected to cost businesses over $2 trillion by 2019*.”

He puts the focus on the board members who cannot bury their heads in the sand:

“Simply put, cybersecurity is now the responsibility of every board member, and savvy managers will not only have answers to board questions, but have well thought out cyber risk management programs developed in partnership with their boards. There is an opportunity here to strengthen board-management relationships. Cyber risks are a new area for most board members, and management can help the board understand the risks at their organizations, weigh investment options and establish cybersecurity goals, metrics and appropriate funding. Better alignment can also help with merger-and-acquisition cyber diligence, board policies for cyber risk, cyber crisis preparedness, and guide cyber business strategy.”

The full article is worth reading: https://www.linkedin.com/pulse/ready-boards-now-asking-cyber-risks-tom-kennedy

Do you need to be a DICK to be a successful leader?

Hello All. I wanted to share a really good docu-Youtube video produced by Max Joseph. The video called DICKS: Do you need to be one to be a successful leader?, documents Joseph’s quest to figure out whether being a successful film director requires you to be a tyrant, or as Joseph refers to it, a “Dick” to the people that work for you. Although his video is directed at the film industry, it is quite applicable to any type of leadership position. I personally enjoyed his unrelenting quest to interview director Peter Berg. I highly recommend the video. Great job @maxjoseph

First Wannacry….Leave My Samba Alone.

Hello All. Well it was only a matter of time before the 7-year old Samba remote code execution vulnerability bubbled to the surface, given the craziness with Wannacry. For those of you who do not know what Samba is, it is an open-source software package that provides file and print services to SMB/CIFS clients.

This flaw, referred to by CVE-2017-7494, can be exploited if the vulnerable hosts make port TCP/445 reachable via the Internet and have configured shared files to have write privileges, and use known or guessable server paths for those files. When those requirements are met, a remote attacker could potentially upload any code of their choosing and cause the server to execute it, possibly with root privileges, depending on the vulnerable platform.

As per Ars, “When the Windows vulnerability was first disclosed in April, many security experts assumed it would be hard to exploit because few computers would expose file- and print-sharing capabilities on the Internet. The rapid spread of WCry quickly dashed those assumptions. Dan Tentler, founder of security firm Phobos Group, told Ars that more than 477,000 Samba-enabled computers exposed port 445, although it wasn’t clear how many of them were running a vulnerable version of the utility. Tentler cited figures returned by the Shodan computer search engine.

There are also clear differences between the Windows and Samba vulnerabilities. For starters, Samba isn’t as widely used as Microsoft’s implementation of SMB. Another key difference is the absence of any equivalent to “DoublePulsar,” the advanced weaponized backdoor developed by the National Security Agency and leaked by a mysterious group calling itself the Shadow Brokers. DoublePulsar made capitalizing on the Windows flaw easy for WCry.”

Rapid7 has an exploit available for Metasploit and has also provided some good stats – https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life

Heads on a swivel everyone….heads on a swivel.