NH-ISAC White Paper – “It’s not who’s first…it’s who puts the industry first”


It’s Not Who’s First…

It’s Who Puts The Industry First

By:

NH-ISAC Threat Intelligence Committee

Jim Routh, CSO Aetna Global Security

NH-ISAC – “The healthcare industry has been hit with two significant and successive cyber challenges in recent weeks (WannaCry and Petya), both of which caused business impact for several organizations, and in both cases the damage was largely mitigated across the industry. This information is widely known; what is not widely known is the role that information sharing between private industry and the public sector played, specifically between the NH-ISAC Threat Intelligence Committee members (TIC) and the HHS Healthcare Cybersecurity Communications and Integration Center (HCCIC). In times of cyber crisis it is imperative for all enterprises to understand what the indicators of compromise (IOCs) are, how the malware works and spreads, and ultimately what controls are effective. These three steps appear simple but can be elusive without the right access to cyber communities that share resources and analysis. The HCCIC supported the emergency response team in the HHS Secretary’s Operations Center (SOC) throughout both the WannaCry and Petya incidents. The HCCIC is how HHS carries out its cybersecurity responsibilities as directed in Presidential Policy Directive 41 and the National Cyber Incident Response Plan from the US Computer Emergency Readiness Team (US-CERT). The NH-ISAC is the primary interface from the private sector for the HCCIC to share information and respond in times of business resiliency crisis.”


NH-ISAC Threat Intel Committee Advisory on Improved Petya (1530 EDT 28 June 2017)

*Any reproduction or reposting of this content requires proper credit / attribution to NH-ISAC.

This information is marked TLP White for widest distribution. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

Update summarizing NH-ISAC’s current understanding of the event, the ransomware, its capabilities, and custom-developed mitigations.

What is it?

Petya is a derivative of the GoldenEye commodity ransomware, equipped with several self-propagation mechanisms. That worm-like behavior is what sets it apart from other ransomware, and it is directly responsible for the widespread impact.

What is the initial infection vector?

The only confirmed infection vector is a MeDoc update. MeDoc is accounting software in widespread use in Ukraine, produced by a Ukrainian company. Virtually all Ukrainian companies, in virtually all sectors, use MeDoc; this includes American companies operating in Ukraine. The MeDoc software suite features an auto-update mechanism through which software updates are distributed to clients. In May 2017, an unidentified attacker compromised the MeDoc auto-update server and caused it to distribute XData malware to MeDoc customers. Yesterday (27 June 2017), a different (or possibly the same) attacker compromised the MeDoc auto-update servers and caused them to distribute the Petya malware. This is the only confirmed initial infection vector at this time.

Additionally, MeDoc still appears to be compromised. We found a webshell backdoor on their main website, and we were able to obtain a copy of the file. MeDoc was made aware of this discovery.

Kaspersky researchers tweeted that Petya was additionally distributed through a watering-hole attack using a compromised Ukrainian news site. This report is unconfirmed at this time.

There are no known methods of initial infection other than the ones listed above. To put it explicitly: there are no known instances of spread through email, drive-by downloads, exploit kits or any other means traditionally associated with delivering malware.

How does it spread?

Once a machine is infected, Petya uses several mechanisms to select the computers it will attempt to spread to, and several more to perform the spread itself.

To select targets, Petya uses more than one mechanism. The first is a call to the WNetOpenEnum Windows API, which enumerates the infected computer’s active network (SMB) connections. Every connection found is targeted regardless of which network it is on: if the infected computer has a drive mapped to a file server on a completely different network, that file server will be targeted by Petya.

The second mechanism is a scan of the local network, as defined by the infected computer’s IP address and subnet mask. For example, if the infected machine is 10.0.0.5 with mask 255.255.0.0 (a /16), Petya will target every address from 10.0.0.0 to 10.0.255.255.

Petya then attempts to copy itself to each selected target. To do so it first harvests credentials from the infected system, using what appear to be two methods. The first is a call to CredEnumerateW, which returns the credentials saved in the logged-on user’s credential store. The second appears to be a Mimikatz-derived credential dumper, which requires administrative privileges.

To copy itself, Petya attempts to connect to the ADMIN$ share of each target, trying the harvested credentials until one succeeds or it runs out of credentials. On success, Petya copies itself to C:\Windows\perfc.dat on the target machine.

As a final step, Petya attempts to execute the new copy of itself on the target, again using two methods: first PsExec, and if that fails, WMI.

If neither approach results in execution on the target, as a last resort Petya attempts to use the ETERNALBLUE and ETERNALROMANCE exploits to both copy and execute itself on the target. The vulnerabilities these exploits target were patched in March 2017 under MS17-010.
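As an added example (our code, not part of the NH-ISAC advisory), the PowerShell below approximates, from the defender’s side, the two target-selection mechanisms just described so you can see what an infected host would reach before it happens. Get-SubnetRange does the mask arithmetic offline on the advisory’s own 10.0.0.5/255.255.0.0 example; Get-PetyaReachableTargets collects live data with the SmbShare and NetTCPIP cmdlets (Windows 8 / Server 2012 or later) and is read-only. Function names are ours.

```powershell
# Added example, not from the NH-ISAC advisory. Read-only: it only reports what an infected
# copy of Petya would enumerate from this host using the two selection mechanisms above.

function ConvertTo-DottedQuad {
    param([Parameter(Mandatory)][uint32]$Value)
    $b = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($b)                                   # little-endian -> network byte order
    (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
}

function Get-SubnetRange {
    # Mechanism 2: the local network as defined by one IP address and its mask, e.g. the
    # advisory's 10.0.0.5 with 255.255.0.0 (/16) -> every address from 10.0.0.0 to 10.0.255.255.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength
    )
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)                               # network byte order -> little-endian
    $ip        = [BitConverter]::ToUInt32($bytes, 0)
    $mask      = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $PrefixLength))  # /16 -> 0xFFFF0000
    $network   = [uint32]($ip -band $mask)
    $broadcast = [uint32]($network -bor ((-bnot $mask) -band 0xFFFFFFFF))
    [pscustomobject]@{
        Address      = $Address
        PrefixLength = $PrefixLength
        FirstTarget  = ConvertTo-DottedQuad $network
        LastTarget   = ConvertTo-DottedQuad $broadcast
        TargetCount  = [int64]$broadcast - [int64]$network + 1   # the scan includes both ends
    }
}

function Get-PetyaReachableTargets {
    # Mechanism 1: hosts behind existing SMB connections (the malware calls WNetOpenEnum; mapped
    # drives and open SMB sessions give an administrator the same list). Run it as the user whose
    # session you care about: mappings are per logon session, so an elevated prompt may not see them.
    $mapped = Get-SmbMapping -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.RemotePath -split '\\')[2] }   # \\server\share -> server
    $open = Get-SmbConnection -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ServerName
    $connected = @($mapped) + @($open) | Where-Object { $_ } | Sort-Object -Unique

    # Mechanism 2: every address in each local IPv4 subnet (loopback and APIPA excluded).
    $subnets = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        ForEach-Object { Get-SubnetRange -Address $_.IPAddress -PrefixLength $_.PrefixLength }

    [pscustomobject]@{
        ConnectedServers   = @($connected)          # targeted regardless of which network they are on
        LocalSubnets       = @($subnets)
        TotalSubnetTargets = (@($subnets) | Measure-Object -Property TargetCount -Sum).Sum
    }
}

Get-SubnetRange -Address 10.0.0.5 -PrefixLength 16 | Format-List
if ($env:OS -eq 'Windows_NT') { Get-PetyaReachableTargets | Format-List }
```

A large TargetCount on a workstation (a flat /16, as in the advisory’s example) and a long ConnectedServers list that crosses network boundaries are the two conditions under which a single infected host does the most damage; both are arguments for smaller subnets and for not leaving drives mapped to servers in other segments.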

As with any patch/update, any modifications should be evaluated before implementation by your appropriate system security personnel. NH-ISAC Threat Intel Committee has vetted the following mitigations to the extent available.

Killswitch / Vaccine

On execution, the known Petya samples delete themselves and then check whether the deletion succeeded. If the file is still present, Petya exits. This behavior can be turned into a protection mechanism of sorts. If you create a vaccine file:

            C:\Windows\perfc

and set its permissions to deny write access to everyone, including system administrators, the infection cannot succeed because Petya is unable to copy itself over it.

This prevents all currently known lateral spread methods. Keep in mind that some security tools operate on very simple signatures (for example, the file name), so the vaccine file itself may trigger alerts.

Other mitigations:

  • If Petya cannot reach TCP ports 139 and 445 on a target, it cannot spread. Host-based firewalls can enforce this.
  • If Petya cannot mount the ADMIN$ share, it cannot spread by credential reuse (the MS17-010 exploit path is unaffected). The ADMIN$ share can be disabled administratively through GPO.
  • Apply Microsoft patch MS17-010 to all internal systems.
  • Enable protective signatures on all security devices to block ETERNALBLUE and ETERNALROMANCE exploitation on the network.
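The vaccine and the three host-side mitigations above, implemented as an added PowerShell example (our code, not NH-ISAC’s). Run it from an elevated prompt; every change-making function supports -WhatIf, and Test-PetyaMitigations is read-only. Assumptions beyond the advisory’s text: the function names are ours, the -Name option also accepts perfc.dat and perfc.dll because other published vaccine scripts created those names too, and the status check reports SMBv1 because that is the protocol the MS17-010 exploits target.

```powershell
# Added example, not from the NH-ISAC advisory. Run elevated; use -WhatIf first.

function Add-PetyaVaccine {
    # Vaccine: create the file the malware looks for and deny Write to Everyone (administrators
    # included) so a copy of the malware can never overwrite it. The advisory names C:\Windows\perfc;
    # other published vaccine scripts also created perfc.dat and perfc.dll, hence the -Name option.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$Name = @('perfc'))
    foreach ($n in $Name) {
        $path = Join-Path $env:windir $n
        if ($PSCmdlet.ShouldProcess($path, 'create vaccine file and deny Write to Everyone')) {
            if (-not (Test-Path -Path $path)) { New-Item -Path $path -ItemType File -Force | Out-Null }
            $acl  = Get-Acl -Path $path
            $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
                'Everyone',
                [System.Security.AccessControl.FileSystemRights]::Write,
                [System.Security.AccessControl.AccessControlType]::Deny)
            $acl.AddAccessRule($deny)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

function Block-PetyaSmbPorts {
    # Petya cannot spread if it cannot reach TCP 139/445. Outbound rules stop an infected host from
    # attacking; inbound rules protect a clean host. Caveat: this also breaks legitimate file sharing,
    # printing and Group Policy retrieval (SYSVOL), so scope -RemoteAddress before a broad rollout.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$RemoteAddress = @('Any'))
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Petya containment - block SMB/NetBIOS $dir"
        if ($PSCmdlet.ShouldProcess($name, 'create firewall rule')) {
            $rule = @{ DisplayName = $name; Direction = $dir; Protocol = 'TCP'
                       Action = 'Block'; Profile = 'Any'; Enabled = 'True' }
            if ($dir -eq 'Outbound') { $rule.RemotePort = 139, 445; $rule.RemoteAddress = $RemoteAddress }
            else                     { $rule.LocalPort  = 139, 445 }
            New-NetFirewallRule @rule | Out-Null
        }
    }
}

function Disable-AdminShare {
    # Stops LanmanServer from auto-creating ADMIN$ (and C$). The same two registry values can be
    # pushed by GPO. Exploit-based spread (MS17-010) is unaffected, and tools that rely on ADMIN$
    # (PsExec, SCCM client push) will stop working until the share is re-enabled.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if ($PSCmdlet.ShouldProcess($key, 'set AutoShareWks/AutoShareServer = 0 and restart LanmanServer')) {
        Set-ItemProperty -Path $key -Name AutoShareWks    -Value 0 -Type DWord
        Set-ItemProperty -Path $key -Name AutoShareServer -Value 0 -Type DWord
        Restart-Service -Name LanmanServer -Force
    }
}

function Test-PetyaMitigations {
    # Read-only status of the items above. SMBv1 is the protocol the MS17-010 exploits target,
    # so it is reported too (a check beyond the advisory's list; keep it disabled once patched).
    [pscustomobject]@{
        VaccinePresent   = Test-Path -Path (Join-Path $env:windir 'perfc')
        AdminShareActive = [bool](Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue)
        Smb1Enabled      = (Get-SmbServerConfiguration).EnableSMB1Protocol
        SmbBlockRules    = @(Get-NetFirewallRule -DisplayName 'Petya containment*' -ErrorAction SilentlyContinue).Count
    }
}

Add-PetyaVaccine      -WhatIf
Block-PetyaSmbPorts   -WhatIf
Disable-AdminShare    -WhatIf
Test-PetyaMitigations | Format-List
```

Apply the vaccine everywhere first: it is the only one of the four with no operational side effects. The firewall and ADMIN$ changes are containment measures for an active outbreak and will break remote administration, so deploy them with a rollback plan and reverse them once MS17-010 is confirmed installed.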

CONFIRMED Technical IOCs

Targeted extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

IOCs:

71b6a493388e7d0b40c83ce903bc6b04 (main 32-bit DLL)

https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

e285b6ce047015943e685e6638bd837e (main 32-bit DLL)

https://www.virustotal.com/en/file/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1/analysis/

Dropped files:

7e37ab34ecdcc3e77e24522ddfd4852d (64-bit EXE)

https://www.virustotal.com/en/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/

2813d34f6197eb4df42c886ec7f234a1 (32-bit EXE)

https://www.virustotal.com/en/file/eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998/analysis/

Attacker email (used to request the decryption key after payment):

wowsmith123456@posteo.net

Bitcoin Wallet:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX


*** NH-ISAC Alert ***

Caution regarding spoofing activity surrounding the NotPetya ransomware event

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.


It is being reported that bad actors are attempting to harvest credentials through phishing e-mails claiming to come from government agencies offering help with vulnerabilities related to the ongoing campaign.

Organizations are reminded to verify the links and TLS certificates in any such e-mail; reported examples use look-alike domains with a .com extension in place of the agency’s .gov. Such phishing is not limited to spoofed government agencies.

NH-ISAC Alert :TLP White distribution regarding ongoing Petya attack

This information is marked TLP White: Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.


Summary

This new ransomware attack was first observed on June 27, 2017. The impacted entities are mostly in the EU at this time, but we also have a report of a US healthcare entity being impacted. Multiple sectors, including financial, telecom, transportation, healthcare and energy, have reported that their operations are impacted.

The initial infection vector is still unknown at this time.

There are public reports that Petya uses ETERNALBLUE/DOUBLEPULSAR for lateral movement, and that seems to be part of it. We can’t confirm this yet (we are still looking for code or behavior that would indicate ETERNALBLUE).

There is a lateral movement component that performs the following:

  1. Enumerate currently active network connections using WNetOpenEnum
  2. Enumerate the current user’s stored credentials using CredEnumerateW
  3. Attempt to connect to each enumerated machine with the enumerated credentials using WNetAddConnection2

After the malware executes, it creates a scheduled task to reboot the machine after one hour, which gives it time to infect other hosts on the network. On reboot, a fake CHKDSK screen is displayed while the Master File Table (MFT) is encrypted, and the ransom message is then shown.
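As an added example serving both the spread mechanics in the TIC advisory above and the lateral-movement steps listed here (our code, not NH-ISAC’s), the PowerShell below correlates simplified Windows event records into that chain on the victim host: a write to ADMIN$ (Security 5140), remote execution by PsExec (System 7045, service PSEXESVC) or WMI (Security 4688 with WmiPrvSE.exe as the parent), then the Petya-specific follow-ups of rundll32 loading perfc.dat and the delayed-reboot scheduled task (Security 4698). The records are constructed objects with a handful of fields, not real Get-WinEvent output; the field names, the PSEXESVC service name (a default PsExec), the command lines and the function name are assumptions to adapt to your own log pipeline.

```powershell
# Added example, not from the NH-ISAC advisory. Feed it one object per log record with the
# fields used below (Computer, Time, Id, and the event-specific fields); the sample is constructed.

function Find-PetyaLateralMovement {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 60                 # the malware reboots after ~1 hour; correlate inside that
    )
    $alerts = New-Object System.Collections.Generic.List[object]
    foreach ($computer in ($Events.Computer | Sort-Object -Unique)) {
        $local = @($Events | Where-Object { $_.Computer -eq $computer } | Sort-Object Time)

        # Step 1: a remote write to ADMIN$ over SMB (Security 5140) - the copy of perfc.dat.
        $share = @($local | Where-Object { $_.Id -eq 5140 -and $_.ShareName -like '*\ADMIN$' })
        if ($share.Count -eq 0) { continue }
        $start  = $share[0].Time
        $window = @($local | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddMinutes($WindowMinutes) })

        # Step 2: remote execution by PsExec (System 7045) or by WMI (Security 4688, parent WmiPrvSE.exe).
        $psexec = @($window | Where-Object { $_.Id -eq 7045 -and $_.ServiceName -eq 'PSEXESVC' })
        $wmi    = @($window | Where-Object { $_.Id -eq 4688 -and $_.ParentProcessName -like '*\WmiPrvSE.exe' })
        if ($psexec.Count -eq 0 -and $wmi.Count -eq 0) { continue }   # ADMIN$ access alone is routine admin traffic

        # Step 3: Petya-specific follow-ups that separate it from an administrator using PsExec:
        # rundll32 loading the dropped perfc.dat, or the scheduled reboot task (Security 4698).
        $perfc  = @($window | Where-Object { $_.Id -eq 4688 -and $_.CommandLine -match 'rundll32.*perfc' })
        $reboot = @($window | Where-Object { $_.Id -eq 4698 -and $_.TaskContent -match 'shutdown.*?/r\b' })

        $technique  = if ($psexec.Count -gt 0) { 'PsExec' } else { 'WMI' }
        $confidence = if ($perfc.Count -gt 0 -or $reboot.Count -gt 0) { 'High' } else { 'Medium' }
        $alerts.Add([pscustomobject]@{
            Computer   = $computer
            SourceIp   = $share[0].SourceIp          # the infected host doing the spreading
            Account    = $share[0].SubjectUser       # the harvested credential that worked
            FirstSeen  = $start
            Technique  = $technique
            Confidence = $confidence
            Signals    = @($share + $psexec + $wmi + $perfc + $reboot | ForEach-Object { $_.Id } | Sort-Object -Unique)
        })
    }
    return ,$alerts.ToArray()
}

# Constructed sample records (not real logs). WS01: the full chain, executed through WMI after PsExec
# failed, followed by the reboot task. FS02: a helpdesk user running PsExec to open a shell, which
# shares steps 1-2 with Petya but nothing Petya-specific. DC01: ordinary SYSVOL access only.
$t = [datetime]'2017-06-27T10:30:00'
$sampleEvents = @(
    [pscustomobject]@{ Computer='WS01'; Time=$t;                Id=5140; ShareName='\\*\ADMIN$'; SourceIp='10.0.0.5'; SubjectUser='CORP\svc-backup' }
    [pscustomobject]@{ Computer='WS01'; Time=$t.AddSeconds(20); Id=4688; ParentProcessName='C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine='rundll32.exe C:\Windows\perfc.dat,#1' }
    [pscustomobject]@{ Computer='WS01'; Time=$t.AddSeconds(25); Id=4698; TaskContent='<Command>C:\Windows\system32\shutdown.exe</Command><Arguments>/r /f</Arguments>' }
    [pscustomobject]@{ Computer='FS02'; Time=$t.AddMinutes(5);  Id=5140; ShareName='\\*\ADMIN$'; SourceIp='10.0.0.9'; SubjectUser='CORP\helpdesk' }
    [pscustomobject]@{ Computer='FS02'; Time=$t.AddMinutes(5).AddSeconds(3); Id=7045; ServiceName='PSEXESVC'; ImagePath='%SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Computer='FS02'; Time=$t.AddMinutes(5).AddSeconds(5); Id=4688; ParentProcessName='C:\Windows\PSEXESVC.exe'; CommandLine='cmd.exe' }
    [pscustomobject]@{ Computer='DC01'; Time=$t.AddMinutes(7);  Id=5140; ShareName='\\*\SYSVOL'; SourceIp='10.0.0.9'; SubjectUser='CORP\alice' }
)

$hits = @(Find-PetyaLateralMovement -Events $sampleEvents)
$hits | Format-Table Computer, SourceIp, Account, Technique, Confidence, FirstSeen -AutoSize
```

The split between Medium and High is the practical point: ADMIN$ plus PsExec or WMI is exactly what administrators and deployment tools do all day, so step 2 alone should open a review, not a page-out. The perfc.dat load and the reboot task are what make the chain Petya rather than a helpdesk session, and SourceIp on a High alert is the host to isolate first because it holds the harvested credentials and is the one scanning its subnet.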

Technical Indicators

Targeted extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

IOCs:

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

Dropped file:

02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

https://www.virustotal.com/en/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/

Attacker Email:

wowsmith123456@posteo.net

Bitcoin Wallet:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

……………………………………………………………………………

Ransomware note:

Ooops, your important files are encrypted. If you see this text, then
your files are no longer accessible, because they have been encrypted.
Perhaps you are busy looking for a way to recover your files, but don’t
waste your time. Nobody can recover your files without our decryption
service.

We guarantee that you can recover all your files safely and easily. All
you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:

Send $300 worth of Bitcoin to following address:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Send your Bitcoin wallet ID and personal installation key to e-mail
wowsmith123456@posteo.net. Your personal installation key:

*************

If you already purchased your key, please enter it below/ Key:

…………………………………………………………………………………………………….


Petya Ransomware Resource Information

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry

https://thehackernews.com/2017/06/petya-ransomware-attack.html

Massive GoldenEye Ransomware Campaign Slams worldwide users

https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users/

WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

Analysts Confirm Petya Using EternalBlue Exploit to Spread

https://twitter.com/threatintel/status/879716609203613698

Chaos as National Bank, State Power Provider and Airport Hit by Hackers

https://www-independent-co-uk.cdn.ampproject.org/c/www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html?amp&utm_content=buffer0a3d8&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

A Ransomware Outbreak Is Infecting Computers Across the World Right Now

https://motherboard.vice.com/en_us/article/qv4gx5/a-ransomware-outbreak-is-infecting-computers-across-the-world-right-now