With the news that a new outbreak of malware is sweeping the globe, it turns out that many organisations are not prepared for the determined and resourced attackers that we have been warning about for some time.
“Tuesday’s attacks used a different form of ransomware similar to a virus known as Petrwrap or Petya, according to Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab.
By midafternoon, breaches had been reported at computers governing the municipal energy company and airport in Ukraine’s capital, Kiev, the state telecommunications company Ukrtelecom, the Ukrainian postal service and the State Savings Bank of Ukraine. Payment systems at grocery stores were knocked offline, as well as the turnstile system in the Kiev metro.”
It appears that Petya is also taking the opportunity to steal SMB credentials from infected systems. It contains a remote process execeution mechanism (using PsExec) to inject into other machines on the same network as its infected host.
So with Petya sweeping the globe and proving that we all need to be agile and responsive to the new unknowns, here’s tips for preventing future nasties like WannaCry and Petya which are now making use of ETERNALBLUE and related advanced exploit code.
- The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.
- Many Windows systems are configured to automatically reboot if it crashes. You can disable this feature in Windows. If you can prevent the MFT from being encrypted, you can still recover your data from your local disk.
Unlike WannaCry, Petya is a different kind of malware. Common delivery methods are via phishing emails, or scams, however it seems increasingly likely that Petya uses an infected application update from a breached software vendor as its initial infection vector.. The payload requires local administrator access. Once executed, the system’s master boot record (MBR) is overwritten by the custom boot loader, which loads a malicious kernel containing code that starts the encryption process.
Once the MBR has been altered, the malware will cause the system to crash. When the computer reboots, the malicious kernel is loaded, and a screen will appear showing a fake Check disk process. This is where the malware is encrypting the Master File Table (MFT) that is found on NTFS disk partitions, commonly found in most Windows operating systems.
It appears very likely that Petya is unable to decrypt data that has been encrypted so organisations should consider this as destructive malware, rather than ransomware
It is when the machine is rebooted to encrypt the MFT that the real damage is done.
Protecting your organisation
- Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability
- Consider disabling SMBv1 to prevent spreading of malware
- Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know
- Ensure you have the latest updates installed for your anti-virus software, vendors are releasing updates to cover this exploit as samples are being analysed
- Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share
- Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs
- Operate a least privileged access model with employees. Restrict who has local administration access
Take a step back – what strategic lessons can we learn?
We must take a step back and examine not only the what now? response, but also the what next? – in other words, what does the avalanche of malware and other advanced attacks tell us?
- Our existing traditional trust models don’t work. With more and more critical assets moving to cloud, believing that the data center is safer is a false philosophy
- The idea that security practitioners can do any kind of one-time risk assessment and sign off is flawed, and opens the door for future attacks
- Trust and risk require continuous re-validation, and a one-time evaluation/accreditation is no longer fit for purpose
- Adaptive systems providing advanced monitoring & analytics are key
We need to spend more – but on what?
The BBC has reported that there are calls for a massive increase in cybersecurity spending, and its certainly true that many organisations have avoided spending money on cyber security for some years. Elsewhere, CSO online has described the impact of not having nearly enough cybersecurity professionals. So, we need more competent, trained and enthusiastic professionals, and we need better systems that can analyse, detect and highlight threats requiring intervention.
A lot of people are throwing the “cyber” word around now (and it does sound more fun that “IT Security”, or “Computer Security”). But cyber– has become a very wide term, including:
- Secure software engineers
- Security Evangelist
- Security architects (and there’s a wealth of division on what secure architecture actually is)
- Security operations engineers
- Incident Responders
- Penetration testers
- Digital Forensics specialists
- Network engineers who understand security
- Firewall engineers
- Application testers
- Wireless security engineers
- Risk management experts
- Security Awareness
and of course, project managers, programme managers, administrators and the entire caboodle of corporate governance wrapping around the people at the sharp end. We know that budgets are limited (otherwise they wouldn’t be budgets!) and so we need to decide what to spend our money on, and how to get the most out of our people.
Gartner has recently published a special report on Continuous Adaptive Risk Trust Assessment (CARTA) and Security & Risk Management Leaders can use this as a blueprint to continue to embrace new business opportunities in a world of advanced threats.
We need to make sure that we are embracing the new world of advanced threats without resorting to panicstricken attempts to “Hack them before they hack us!” or the learned helplessness of “Well it’s just our turn”. Our job as security & risk management leaders is to ensure business survivability, and so using concepts such as Gartner’s Adaptive Security Architecture are key to ensure we focus not only on protective controls, but have a full vision of our security posture.
Note: Updated 06/29/2017 as more information comes to light.