I’ve been blogging about WannaCry recently; my last post was all about the question, “Why was this allowed to happen?”
As I stated then, Microsoft did release Security Bulletin MS17-010 and a patch for the SMBv1 vulnerability in March 2017, two months before WannaCry exploited it. Presumably, every concerned system administrator patched all their servers. But there is a new twist in the delivery system.
The new Petya variant (the June 2017 outbreak, which many researchers label NotPetya to distinguish it from the 2016 original) exploits the same SMBv1 vulnerability as WannaCry to infect unpatched systems, but adds a second vector: PsExec, Microsoft’s own remote-execution tool, which it uses to move from a system where it has obtained administrative rights to others. Example: even if a server is patched, if the system administrator’s laptop becomes infected, the malware can use that admin’s credentials to jump around the network to the servers. How? It harvests credentials on the infected laptop, dumping them from the memory of the LSASS process and from credentials stored locally, and reuses them to authenticate to other systems. Administrator rights on the target are exactly what PsExec needs: it copies its payload to the target’s ADMIN$ share and starts it as a service, which looks like routine administrative activity rather than an intrusion.
The same outbreak was also documented using Windows Management Instrumentation (WMI, via wmic.exe) as an alternative to PsExec, driven by the same harvested credentials. So there are two lateral-movement vectors to examine as you defend your ecosystem, and neither of them needs an unpatched hole; they only need working admin credentials.
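Both vectors leave traces on the receiving host, so here is a hunt for them. This is an added example for this post, not code from the original article or from any vendor: the function names `Find-LateralMovement` and `Get-EventFields` are my own, and it assumes PowerShell 3 or later on Windows, rights to read the System and Security logs (remotely, the Remote Event Log Management firewall rules must be open), and that process-creation auditing (Event 4688) with command-line logging is enabled, since without it the WMI checks see nothing.

```powershell
<#
  Added example: hunt for PsExec-style and WMI lateral movement in a host's
  event logs (not code from the original post). Function names are my own.
#>
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's <EventData> into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Find-LateralMovement {
    $hits = @()

    # Vector 1: PsExec. It copies a service binary to the target's ADMIN$ share
    # (which maps to %SystemRoot%) and registers it; the Service Control Manager
    # records that as Event 7045 in the System log. The default service name is
    # PSEXESVC, but clones and malware rename it, so also flag any new service
    # whose image sits directly under the Windows directory.
    $svc = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since }
    foreach ($e in $svc) {
        $f = Get-EventFields $e
        $name = "$($f['ServiceName'])"
        $path = "$($f['ImagePath'])"
        $reason = $null
        if ($name -match 'PSEXESVC|PAExec') { $reason = 'known remote-exec service name' }
        elseif ($path -match '^"?(%SystemRoot%|[A-Za-z]:\\Windows)\\[^\\]+\.exe') {
            $reason = 'service binary dropped straight into ADMIN$'
        }
        if ($reason) {
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Vector = 'PsExec';
                Account = $f['AccountName']; Detail = "$name -> $path ($reason)" }
        }
    }

    # Vector 2: WMI. On the source host, wmic.exe is launched with /node:<target>
    # (and, in the case discussed above, /user: and /password: on the command
    # line, so the harvested password itself ends up in the 4688 record: treat
    # it as burned). On the target host, the created process has WmiPrvSE.exe
    # as its parent; ParentProcessName is only present on Windows 10 / Server
    # 2016 and later.
    $proc = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since }
    foreach ($e in $proc) {
        $f = Get-EventFields $e
        $img    = "$($f['NewProcessName'])"
        $cmd    = "$($f['CommandLine'])"
        $parent = "$($f['ParentProcessName'])"
        if ($img -match '\\wmic\.exe$' -and $cmd -match '/node:') {
            $detail = 'outbound WMI remote process creation'
            if ($cmd -match '/password:') { $detail += '; credential passed on command line' }
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Vector = 'WMI (source)';
                Account = $f['SubjectUserName']; Detail = "$detail : $cmd" }
        }
        elseif ($parent -match '\\WmiPrvSE\.exe$') {
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Vector = 'WMI (target)';
                Account = $f['SubjectUserName']; Detail = "spawned by WMI provider host: $img" }
        }
    }
    return $hits
}

Find-LateralMovement | Sort-Object Time | Format-Table -AutoSize
```

Run it against the admin’s laptop as well as the servers: the laptop is where the outbound wmic.exe launches and the first 7045 on a server tells you which credential was used. Legitimate software occasionally installs services under the Windows directory, so the ADMIN$ rule is a lead to triage, not a verdict.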
The Malicious Software Removal Tool (MSRT) can remove the malware from Windows systems, provided its definitions are current; this, of course, depends on the tool already being present and kept updated through Windows Update. For users whose disks the ransomware has already encrypted and locked, it is of little use.
It’s not enough to patch the servers that system administrators control directly through a (hopefully) centralized patching system. The PsExec and WMI vectors are clear indicators that endpoints matter just as much. If a PC or an application stores a username and password in plain text anywhere on the system or in its logs, malware can find it. Again, as before, I encourage everyone to test their code and applications for Abuse of Functionality weaknesses and to sanitize inputs, so that even a trusted user (like the admin) cannot upload infected files behind the scenes. Additionally, make sure every application keeps its user and password lists encrypted rather than in plain text.
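The endpoint-side settings that decide whether the hop succeeds can be audited in one pass. This is an added example for this post, not the author’s or Microsoft’s code: `Test-PetyaExposure`, `Save-ScriptCredential` and `Get-ScriptCredential` are names I chose, the script assumes an elevated PowerShell 3 or later session, `Get-SmbServerConfiguration` exists only on Windows 8 / Server 2012 and later, and the hotfix list holds only the MS17-010 IDs for Windows 7 / 2008 R2 and 8.1 / 2012 R2 and must be extended from the bulletin for other versions.

```powershell
<#
  Added example (not from the original post): audit, and with -Fix remediate,
  the host settings that let the SMBv1 exploit and the credential-reuse hop
  succeed. Run elevated. Function names are my own.
#>
param([switch]$Fix)

function Test-PetyaExposure {
    $findings = @()

    # 1. SMBv1 is the protocol MS17-010 fixes. Turning it off removes the exploit
    #    surface even on a machine whose patch state you cannot verify.
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb -and $smb.EnableSMB1Protocol) {
        $findings += 'SMBv1 server is enabled'
        if ($Fix) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }

    # 2. MS17-010 itself. Security-only and monthly-rollup IDs from the bulletin
    #    for Windows 7/2008 R2 (KB4012212, KB4012215) and 8.1/2012 R2 (KB4012213,
    #    KB4012216); extend for other versions. On Windows 10 later cumulative
    #    updates supersede the original KB, so a miss means "verify", not "exposed".
    $ms17010 = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216'
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    if (-not ($ms17010 | Where-Object { $installed -contains $_ })) {
        $findings += 'No MS17-010 hotfix from the checked list is installed; verify against the bulletin'
    }

    # 3. WDigest. With UseLogonCredential = 1, LSASS keeps a cleartext copy of
    #    every interactive logon password, which is what memory scraping on the
    #    admin laptop recovers. On Windows 7/8/2008 R2/2012 an absent value means
    #    enabled, so absent is flagged too.
    $wd = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $ulc = (Get-ItemProperty -Path $wd -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($ulc -ne 0) {
        $findings += "WDigest UseLogonCredential is '$ulc' (should be 0)"
        if ($Fix) { Set-ItemProperty -Path $wd -Name UseLogonCredential -Value 0 -Type DWord }
    }

    # 4. UAC remote restrictions. LocalAccountTokenFilterPolicy = 1 lets any local
    #    administrator authenticate over the network with a full admin token, so one
    #    shared local admin password harvested from a laptop opens every box that
    #    shares it to PsExec and WMI.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $latfp = (Get-ItemProperty -Path $pol -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($latfp -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy = 1 (UAC remote restrictions disabled)'
        if ($Fix) { Set-ItemProperty -Path $pol -Name LocalAccountTokenFilterPolicy -Value 0 -Type DWord }
    }

    return $findings
}

# Admin scripts and scheduled jobs are one place "a username and password in
# plain text" ends up on the laptop. Export-Clixml protects the PSCredential's
# password with DPAPI, bound to this user on this machine, so the file is
# useless if copied off the host; a .txt with the password is not.
function Save-ScriptCredential {
    param([string]$Path)
    Get-Credential -Message 'Credential to store for scheduled jobs' | Export-Clixml -Path $Path
}

function Get-ScriptCredential {
    param([string]$Path)
    # Returns a PSCredential; call .GetNetworkCredential() only at the point of use.
    return Import-Clixml -Path $Path
}

$issues = Test-PetyaExposure
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings' }
```

The WDigest and token-filter checks are the endpoint half of the problem: they do not stop the SMB exploit, but they decide whether a compromised laptop yields usable passwords and whether those passwords work against every other machine over the network. Note that DPAPI-protected files only help against copying; malware running as the same user on the same machine can still call `Import-Clixml`, which is why the laptop must not be the weak link in the first place.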
It’s not just your websites that are in danger; internal applications are an issue as well. ERP systems, payroll systems, anything with an application interface can be reached from an infected administrator’s laptop and used to spread the infection. Patch early, and test all your applications to protect against Petya ransomware.