Petya, Dead but Still Dancing

There are a few interesting things to say about the current ransomware Petya. One thing is clear, there is no “kill-switch”. After some preliminary tracking of the domains which presumably deliver the payload for its RTF (Windows document exploit) delivery system and cross referencing it to passive intelligence about the domain name, we noticed the frequency of 2 million hits within an hour. The domains we tracked are not currently serving the payload and are down. Therefore further attempts to spread through original vectors will remain ineffective. This does not eliminate, however, other attack vectors should anyone release new droppers.

What is particularly interesting is an enormous amount of traffic within an hour period, 2 million for any time interval, let alone an hour is large by any standard when it comes to malware spread. This may support the evidence provided by Talos that this is sourced from MeDoc, a Ukrainian software company, but we are not confirming nor have we seen any information confirming from MeDoc this to be true, we just make the claim that the data supports such an attack could explain this velocity.

Unlike WannaCry, Petya does not scan external IP addresses for vulnerable machines. The method by which networks are compromised appears to be, so far

Once Petya does get into a local network, however, there are several concurrent mechanisms for it to spread to further local machines. The first and foremost is the ETERNALBLUE exploit. The next mechanism is to use mimikatz to dump credentials and use said credentials to run itself in local LAN computers using either PsExec or wmic.exe.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
if ( !iteration )
    {
      SetupPsExec(&ApplicationName, &CommandLine, a1); // attempt PsExec first
      v6 = 0;
    }
    if ( iteration == 1 )
    {
      if ( !lpUserName || !lpPassword )
        goto LABEL_53;
      SetupWmic(&ApplicationName, &CommandLine, a1, (int)lpUserName, (int)lpPassword);  // Move to WMIC
      v6 = 0;
    }
Pseudocode from Petya

This means, even a single Petya intrusion on a endpoint within your local network, or perhaps even worst the all too common outdated domain controller with shared administrator credentials, can be a foible in your otherwise fully patched network. In other words, if you have a single PC which is not patched against ETERNALBLUE or fall victim to a watering hole attack and it contains a system with shared domain credentials active within your Active Directory environment, it is plausible this could result in a massive compromise of the local network regardless if even if all of the rest of the PCs are up to date and patched. That makes Petya very dangerous the moment it gets your network.

ETERNALBLUE successful exploitation on Windows 7.

One thing is certain, based on our history and analysis with Vantage Breach Intelligence Feed and other very well designed distribution networks like Dridex and Necurs, it is clear the impact RTF exploit would not produce such an immediately large infection given Petya is limited to internal network, and not external (public Internet address) scans. As such, we believe to reach such a velocity, this can accomplished by attacking update systems or software packages with 0-day vulnerabilities. While its still very early and unclear all of the attack vectors Petya is utilizing, its clear this is again another prelude to what kind of attack we could see should 0-day vulnerabilities be utilized. Shadow Brokers have been rattling sabers and touting in a publicly released statement a subscription service for 0-days starting July 1st, 2017, but it appears N-days are still perfectly effective for causing havoc.

DoublePulsar implant being used to drop Petya.

To provide some estimations of the current danger level of Petya we have aggregated sinkhole data from WannaCry incident last month. Looking at the current WannaCry thwarted attacks, which shares at least one of the vulnerabilities for spreading as Petya (MS17-010), its clear there are still a significant amount of vulnerable systems worldwide potentially vulnerable to EternalBlue and any subsequent variations of these Petya attacks. Again, this reflects back to outdated or no anti-virus, limited security controls, and the fact many of the systems are not or cannot be patched due to organizational policies or lack of security awareness. However, based on what we currently see, the current droppers or initial attack vectors are all but at a standstill. This may just be an eye of the storm, and we can see this malware campaign continue easily with new droppers and attack methods.

Kryptos Logic Vantage Test Lab Results of Petya infection methods.

We should expect to see more attack vectors continue to abuse unpatched systems and this same and new vulnerabilities. What we can affirm is that our Vantage Breach Intelligence Feed has observed well over 10-15 million unique thwarted infection attempts to date, and at least those systems are currently susceptible to attack should the attackers continue to propagate with new delivery methods.

PsExec successful exploitation on Windows 2012 Domain Controller from a Windows 7 PC.

Incremental ARP Spam as a result of the exploitation on a LAN.

We would also like to point out a developing (not yet tested) point from MalwareTech, a Kryptos Logic researcher. MalwareTech has observed although it still seems like the malware was deployed widespread through other vectors, there is a perhaps dangerous and unintentional way in which it could possibly escape a network using the EternalBlue exploit, but for safety reasons we did not physically test this.

“Although it still seems like the malware was deployed widespread through another vector, I’ve found a way in which it could possibly escape a network using the EternalBlue exploit. By default a corporate machine would be behind NAT with an IP address like 10.0.0.2 and a netmask of 255.255.255.0, in this case the malware would use the IP address and net mask to figure out that the network it needs to scan is 10.0.0/24 (10.0.0.1 - 10.0.0.254). However, if the machine were to have a public IP address it might have an IP of 123.123.123.1 and a netmask of 255.255.255.252 the malware would scan 123.123.123.1 - 123.123.123.3 (in this case there’d probably be nothing in that range other than the gateway). But what if we set a netmask that is far too big? If we misconfigured our network and set the netmask to 255.0.0.0 then the malware would scan 123.0.0.0/8 (123.0.0.1 - 123.255.255.254) which is a large amount of IP space and could contain other vulnerable SMB devices. Obviously the gateway should not allow this, but in cases where proxy ARP is enabled the malware could successfully infect another public IP in the same range as the misconfigured netmask.”

The thought of this spreading being able to spread through internet facing systems is a very scary thought. You can find rolling updates on this attack MalwareTechBlog

Again, we find the industry struggling to report on the severity of this attack as there is no “Richter” scale for cyber attacks as we advocated for at a congressional hearing earlier this month. Our current assessment of this threat is as follows: its ability to scan external servers (WannaCry spread method) is minimal or nonexistent, the malware must currently be delivered through a delivery vector like spam, hijacked webpages or software, and similar tactics, Petya will then attempt to scan internal devices. The ability for this attack to spread is currently predicated on the ability for attackers to propagate droppers.

Rulers don't scale. Depiction of antiquated methods to quantify major cyber events, Image by R. McKenzie of U.S. Geological Survey National Earthquake Information Center.