azeemnow

Wanted to share a quick response plan for the recent Petya ransomware breakout:

• Apply Microsoft security updates released in March 2017 bulletin: MS17-010
• Most Firewall and IDS/IPS vendors have released signatures for the SMB vulnerability exploit, however, if you do not have auto-updates enabled you to want to do a manual update
• Disable the support of SMBv1 protocol. A detailed write-up here: https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
• Some variants of Petya have been reported to use WMIC & Microsoft PSExec to laterally move within the environment.
  • Petya scans the local /24 to discover enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PSEXEC. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share.
  • Petya uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host.
    • https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/
  • Blocking ADMIN$ share via GPO should address lateral movement concerns
• If you cannot block, monitor ingress/egress traffic on 455/137/138/139
• If you use tax accounting software, MEDoc read this: http://www.bbc.co.uk/news/technology-40428967

Most of the recent ransomware campaigns are taking advantage of vulnerabilities disclosed by the Shadow Brokers in April 2017. In addition to MS17-010 (EternalBlue), all of the related vulnerabilities should be patched as soon as possible:

• Code Name: Solution
  • “EternalBlue” : Addressed by MS17-010
  • “EmeraldThread” : Addressed by MS10-061
  • “EternalChampion” : Addressed by CVE-2017-0146 & CVE-2017-0147
  • “ErraticGopher” : Addressed prior to the release of Windows Vista 
  • “EsikmoRoll” : Addressed by MS14-068 
  • “EternalRomance” : Addressed by MS17-010 
  • “EducatedScholar” : Addressed by MS09-050 
  • “EternalSynergy” : Addressed by MS17-010 
  • “EclipsedWing” : Addressed by MS08-067
    • (https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/)

Petya campaign is still developing and it is important to monitor the developments. One of the best ways to monitor the situation is via Twitter under the following hashtags: #Petya #NotPetya #Ransomware

References:

• https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/
• https://twitter.com/Binary_Defense/status/879763340301664256
• https://www.binarydefense.com/petya-ransomware-without-fluff/
• https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
• http://www.bbc.co.uk/news/technology-40428967
• https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/
• https://blogs.technet.microsoft.com/josebda/2015/04/21/the-deprecation-of-smb1-you-should-be-planning-to-get-rid-of-this-old-smb-dialect/
• https://nakedsecurity.sophos.com/2017/06/28/new-petya-ransomware-all-you-wanted-to-know-but-were-afraid-to-ask/