    Information Security Buzz

--

  • April 26, 2018
  • Follow us on Facebook
  • Follow us on Twitter
  • Follow us on YouTube
  • Follow us on Pinterest
  • Follow us on Linkedin
  • Events and Conferences
  • InfoSec Companies
  • InfoSec Training Providers
  • Cyber Insurance Providers
  • Advertise With Us
  • Free Resources
  • home
  • Hacked
  • IoT
  • Cloud Security
  • Mobile Security
  • Network Security
  • Application Security



  • Information Security Buzz
  • Expert Comments
  • Security Articles
  • News
  • Study & Research
  • How To
  • ISBuzz Expert Panel
    • InfoSec Expert Biographies
  • Security Videos
  • Security Education

Petya Ransomware Comment – How It Spreads / Why Businesses Were Affected

By Chris Wysopal
June 30, 2017

The ransomware is definitely spreading via the EternalBlue exploit, just like WannaCry. People have found the code in the malware and have seen EternalBlue exploit traffic on the network. There are additional spreading vectors that use credentials harvested from machines compromised with EternalBlue. These are used to connect to and run the malware on fully patched machines.

The easiest and best way to prevent the EternalBlue exploit from working is to run Windows Update. Because the WannaCry kill switch worked, the pain stopped, and many organisations did not complete patching their Windows systems. This shows the day-to-day fire drill that many IT teams work under and the reality that patching in many organisations is hard. Once they heard that WannaCry was stopped, they moved on to other, more pressing work.

This attack seems to be hitting large industrial companies such as the shipping company Maersk and the oil company Rosneft. These organisations typically have a challenge patching all of their machines because so many systems cannot afford any downtime. Airports and hospitals also have this challenge.

This attack has similar characteristics to Petya, but I believe Kaspersky is right that it is not in fact Petya and is completely new. Upon initial submission of this ransomware to VirusTotal, only two anti-virus vendors were able to detect it, so it is likely that many systems are defenceless. This shows how easy it is for malware writers to bypass endpoint security by modifying any code they are reusing.

After many security vendors updated their products to detect WannaCry, many organisations may have had a false sense of security, thinking that those updates would prevent all related attacks in the future. This is obviously an assumption that businesses cannot afford to make.

There are reports that there is an additional spreading mechanism that uses credentials stolen from compromised machines to spread to even patched machines. If this is true, it will mean that organisations with just a few unpatched machines could still have a massive ransomware issue across their whole Windows infrastructure.

It is emerging that one of the initial vectors of attack was a Ukrainian software company. They posted a notice: http://www.me-doc.com.ua/vnimaniyu-polzovateley

It translates to:

It is likely the attackers compromised their infrastructure and sent the malware through them somehow, perhaps as a software update.

The non-EternalBlue vector uses stored Windows sessions harvested from compromised machines to connect to patched machines as valid Windows users. This is a common technique for lateral movement within organisations that use Windows Active Directory. In the worst case, if a Domain Admin had previously logged into an infected machine, the Domain Admin's credentials can be used to infect all machines on the network. This uses the remote command interfaces of WMI or PsExec, which are standard Windows mechanisms for executing commands remotely.
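The credential-reuse spreading described here (and in the earlier paragraph on stolen credentials reaching patched machines) leaves standard Windows log artefacts that a defender can correlate: a network logon (Security event 4624, logon type 3), followed on the same host by a new service install (System event 7045; PsExec's default service name is PSEXESVC) or a process created by the WMI provider host (Security event 4688 whose creator process is WmiPrvSE.exe). The script below is an added example, not code from the comment, Veracode or any vendor; the event IDs and artefact names are standard Windows ones, the 120-second window is an assumed threshold, and the event records are constructed samples (they are not real logs from the incident).

```python
"""Correlate remote logons with PsExec/WMI execution artefacts per host.

Added example: flags hosts where a network logon is followed within WINDOW by
a PsExec service install or a WMI-spawned process, then groups hits by account,
since one account reaching many hosts is the harvested-credential pattern the
comment describes. Event records below are constructed samples, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed correlation window, tune per environment

# Constructed sample events (field names are a simplified rendering of the
# Windows event data: "parent" stands for 4688's Creator Process Name).
SAMPLE_EVENTS = [
    {"ts": "2017-06-27T09:00:00", "host": "WS40", "id": 7045,
     "service": "Spooler", "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"ts": "2017-06-27T10:00:01", "host": "FS01", "id": 4624, "logon_type": 3,
     "user": "CORP\\dadmin", "src_ip": "10.0.5.23"},
    {"ts": "2017-06-27T10:00:04", "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2017-06-27T10:01:10", "host": "WS22", "id": 4624, "logon_type": 3,
     "user": "CORP\\dadmin", "src_ip": "10.0.5.23"},
    {"ts": "2017-06-27T10:01:12", "host": "WS22", "id": 4688,
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\rundll32.exe", "user": "CORP\\dadmin"},
    {"ts": "2017-06-27T10:05:00", "host": "WS22", "id": 4624, "logon_type": 2,
     "user": "CORP\\alice", "src_ip": "-"},  # interactive logon, not remote
    {"ts": "2017-06-27T11:00:00", "host": "WS40", "id": 4624, "logon_type": 3,
     "user": "CORP\\backup", "src_ip": "10.0.9.9"},
    {"ts": "2017-06-27T11:30:00", "host": "WS40", "id": 4688,
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "user": "CORP\\backup"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_remote_logon(event):
    """4624 with logon type 3 is a network (remote) logon."""
    return event["id"] == 4624 and event.get("logon_type") == 3


def exec_artifact(event):
    """Return 'psexec', 'wmi' or None for a remote-execution artefact."""
    if event["id"] == 7045 and event.get("service", "").upper() == "PSEXESVC":
        return "psexec"
    if event["id"] == 4688 and event.get("parent", "").lower().endswith("wmiprvse.exe"):
        return "wmi"
    return None


def find_lateral_movement(events, window=WINDOW):
    """Pair each execution artefact with remote logons on the same host inside the window."""
    by_host = defaultdict(list)
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        by_host[event["host"]].append(event)

    hits = []
    for host, host_events in by_host.items():
        recent_logons = []  # (timestamp, event) of remote logons still inside the window
        for event in host_events:
            now = parse_ts(event["ts"])
            if is_remote_logon(event):
                recent_logons.append((now, event))
                continue
            technique = exec_artifact(event)
            if technique is None:
                continue
            recent_logons = [(t, e) for t, e in recent_logons if now - t <= window]
            for _, logon in recent_logons:
                hits.append({"host": host, "technique": technique,
                             "user": logon["user"], "src_ip": logon["src_ip"],
                             "logon_ts": logon["ts"], "exec_ts": event["ts"]})
    return hits


def spread_by_account(hits):
    """Map each account to the sorted list of hosts it was used to execute on."""
    hosts = defaultdict(set)
    for hit in hits:
        hosts[hit["user"]].add(hit["host"])
    return {user: sorted(h) for user, h in hosts.items()}


if __name__ == "__main__":
    found = find_lateral_movement(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit['host']}: {hit['technique']} by {hit['user']} from {hit['src_ip']}")
    print(spread_by_account(found))
```

The WS40 pair is deliberately outside the window and the WS22 type-2 logon is interactive, so neither is reported; only the two hosts reached by CORP\dadmin from the same source address are flagged, which is the signal to pull that account's recent sessions and reset its credentials.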

The malware spreads with worm behaviour and does not require any human interaction.

About Chris Wysopal
Chris Wysopal, Co-Founder and CTO at Veracode
