(Not)Petya “X”: A Worm’s Evolution & Cyber Kill Chain
WHAT YOU NEED TO KNOW
Petya and its “X” variants, such as NotPetya, Nyetya, Petrwrap and GoldenEye, have become a contagion. Featured in global daily headlines, they appear to be in an evolutionary process, starting as a primitive network worm and ransomware and transforming into something of far greater destructive, and possibly deceptive, power. While NATO investigates a state actor behind these attacks, NotPetya has already claimed over 2000 victims and £100m in cost to companies like Reckitt Benckiser.
ORIGIN AND ATTACK VECTORS
Built on EternalBlue and EternalRomance, the exploits from the original U.S. NSA leak, NotPetya is thought to have infiltrated and replicated through “M.E.Doc,” a Ukrainian tax accounting application and its software-update system.
According to Talos, early investigation revealed a suspicious web shell on an NGINX server. The web shell gave the attackers remote control of the server through its HTTP(S) ports. Once they had control, they could use stolen credentials to proxy or redirect the server’s client update connections to their own malicious server instead. With the clients now connecting over a trusted channel to that malicious server for an update, the attackers easily delivered their malware onto the client machines. Once infected, each client became a host for a self-replicating, spreading network worm.
THE (NOT)PETYA “X” CYBER KILL CHAIN
Actions on Objectives – The Goal
Attackers employing ransomware are financially motivated and intend to commit monetary extortion. Their ransomware infects a victim’s system(s), and then uses encryption to hold their data as an inaccessible hostage until the ransom demand is paid.
Though its attack is classified as ransomware, NotPetya appears to have another motivation and goal. It acts as a “wiper,” using ransomware as a masquerade.
Normally, ransomware criminals use anonymized email and a unique Bitcoin address per victim to communicate with and extract payment from each one. Some also use Tor or other anonymizing networks to complicate tracking. NotPetya, by contrast, operates in the open, and it keeps referring to the same email and Bitcoin addresses for every victim. Rather than criminal profit, its goal appears to be large-scale business disruption and financial damage, with data centers as a primary target. Like ransomware, it still encrypts a target system’s disk and presents its monetary demand upon reboot. But the victim is never supposed to be able to recover the data.
To distance themselves from NotPetya, the original developers of the Petya ransomware have released the master decryption key. But while this key works for various strains, it does not work with NotPetya.
Fortunately, Positive Technologies has found a flaw in the encryption logic that allows brute-force decryption of the hostage disk. This enables data recovery in cases where NotPetya was able to acquire administrative privileges.
The automatic spread of NotPetya from infected clients begins with a sweep scan of the network for open NetBIOS or SMB ports, which are common in data center environments and needed by many business applications. Rather than always scanning the entire network for its next targets, and generating a suspicious amount of network noise in the process, it can use API calls on compromised machines to find subnet information and known peers. Those new destinations can then be probed for available, open ports to continue propagation. And because the connections appear valid and the network noise is contained, the chance of detection by traditional security devices is significantly reduced.
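A defender’s view of that propagation pattern, as an added example that is not from the original post or from ShieldX: a small Python detector run over a constructed flow log that flags both the noisy sweep (one host reaching many SMB peers in a short window) and the quiet case (an SMB connection between hosts that have never talked to each other, found by comparing against a learned baseline of legitimate client-to-server pairs). The log format, IP addresses, threshold and baseline are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {139, 445}  # NetBIOS session and SMB: the ports the propagation sweep probes

# Constructed sample flow log, "<ISO time> <src> <dst> <dst_port>"; not real telemetry.
SAMPLE_LOG = """2017-06-27T10:00:01 10.0.1.5 10.0.1.20 445
2017-06-27T10:00:02 10.0.1.5 10.0.1.21 445
2017-06-27T10:00:02 10.0.1.5 10.0.1.22 139
2017-06-27T10:00:03 10.0.1.5 10.0.1.23 445
2017-06-27T10:00:04 10.0.1.5 10.0.1.24 445
2017-06-27T10:00:05 10.0.1.5 10.0.1.25 445
2017-06-27T10:00:06 10.0.1.5 10.0.1.26 445
2017-06-27T10:00:07 10.0.1.5 10.0.1.27 445
2017-06-27T10:00:20 10.0.1.7 10.0.1.50 445
2017-06-27T10:05:00 10.0.1.7 10.0.1.50 445
2017-06-27T10:05:01 10.0.1.9 10.0.1.52 445
2017-06-27T10:05:02 10.0.1.9 10.0.1.52 80"""

# Learned baseline of legitimate SMB client->server pairs (constructed for the example).
BASELINE_PAIRS = {("10.0.1.7", "10.0.1.50")}

def parse_log(text):
    """Parse flow lines into sorted (time, src, dst, port) tuples, keeping only SMB/NetBIOS."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        if int(port) in SMB_PORTS:
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return sorted(events)

def detect_smb_fanout(events, window=timedelta(seconds=60), threshold=8):
    """Noisy case: a source reaching >= threshold distinct SMB peers inside one window.
    Returns {src: peak distinct-peer count} for sources that crossed the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():  # hits are time-ordered because events are sorted
        for i, (start, _) in enumerate(hits):
            peers = {d for t, d in hits[i:] if t - start <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts

def detect_new_smb_peers(events, baseline=BASELINE_PAIRS):
    """Quiet case: SMB between hosts with no history of talking to each other.
    This catches low-noise, known-peer probing that a plain scan threshold misses."""
    return {(src, dst) for _, src, dst, _ in events if (src, dst) not in baseline}
```

Run `detect_smb_fanout(parse_log(SAMPLE_LOG))` to see the sweeping host flagged, and `detect_new_smb_peers(...)` to see the single never-before-seen pair that the fan-out rule alone would ignore.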
Weaponization through C&C – Lateral Movement
For those who remember WannaCry, its deactivation was simple. The worm contained a kill-switch: it checked for a specific domain on the Internet, and if the domain did not exist, it continued spreading. By registering that domain and making it reachable by the worm, its replication was stopped.
Unfortunately, newer Petya worms do not have that kill-switch. Instead, they introduce some novel ways to proliferate. After identifying its next targets, NotPetya uses exploits like EternalBlue and EternalRomance to move laterally. It also spreads using known-good Microsoft remote connectivity tools like PsExec and the Windows Management Instrumentation Command-line (WMIC).
Executing those tools requires user privileges. NotPetya obtains them through several techniques, including a password recovery method similar to the “Mimikatz” utility. It can also impersonate users without stealing credentials: it duplicates existing session tokens, uses them to spin up new threads, invokes the Windows tools and then replicates further.
NotPetya continues to iterate on its kill chain process until it exhausts its replication options and the extortion message is displayed.
PREVENTING, DETECTING AND DESTROYING (NOT)PETYA
Comparing & Understanding the Worms
When comparing NotPetya to previous attacks like Mirai and WannaCry, a clear evolution and an increasing level of sophistication emerge. Besides removal of the kill-switch, the use of covert channels over HTTPS, of trusted software-update methods and of known Windows tools for replication enables NotPetya to evade detection by traditional security tools.
While NotPetya masquerades as a ransomware, it also appears to be an attack that launched before exploring or leveraging all its options and potential. There is a lot more an attacker could do with access to an army of computers spread across the globe than just turning them into bricks. Some of them contained financial data and valid user credentials. And after the initial breach of the tax software update server, it remained undetected for over 2 months. Petya/NotPetya variants could be serving as a test bed. Or even as a diversion away from another attack on the way, or already in play. It is easy to understand why NATO is investigating a source with motivations of a much broader, more destructive nature.
Whether amateur, criminal or state actor-directed, it is critical to defend against this onslaught with a combination of awareness, disaster recovery strategies, policy audits and an augmentation of your security posture. Most importantly, CISOs should review their cybersecurity strategy for a defense-in-depth model with a focus on holistic, lateral security controls, especially in the data center, where NetBIOS and SMB protocols, lateral movement, servers and valuable data, NotPetya’s target, are most prevalent.
While these steps can present both operational and technical challenges, at ShieldX we know it is possible to detect NotPetya’s individual steps, track it along the cyber kill chain, and stop it before it achieves its final stage. It would be my pleasure to start a conversation about NotPetya and how to address the challenges surrounding these advanced network worms. Please feel free to contact me at /contact-us.