Case Study: How a French company's CSIRT indirectly prevented Petya using the vFeed solution

    Last night I was contacted by one of the CSIRT heads of a large French company. We talked at length about the shortcomings and mistakes that helped this new malware/wiper, Petya, to spread.

    He first told me how they were able to avoid the worst for their clients with a little common sense, quick reaction and a lot of intelligence. At this stage, the surplus of tools and solutions did not do much to help the unfortunate ones who were hit. In fact, managing IT security has become more complex with the introduction of new trendy technologies.

    The context

    First of all, this CSIRT uses a vFeed Integrator license, which allows them to receive daily updates of the correlated and enriched vulnerability database. We are by far the only ones to provide a rich, 3rd-party correlated and CVE-compliant extended vulnerability database.

    The CSIRT's head explained to me that the information needed to prevent yet another WannaCry-like attack already existed. On the other hand, it required a little human intelligence to predict future events. Furthermore, one of the prerogatives of any threat intelligence team is to know how to read between the lines. In competitive intelligence, experts call this method identifying signals and noises to anticipate threats and reduce uncertainty about the consequences of risks.

    At this point, the Petya noises had gone beyond the fragmentary level and become a strong signal. Before the Titanic sank, the crew knew about the iceberg, but this information was totally ignored. It reminds me of a quote from a movie I saw a long time ago. A guy was falling from a building and kept repeating to himself “So far so good, so far so good.” As long as he had not touched the ground, he was certain that everything was going to be okay.

    The fact is that when everything goes well, we drop our guard. The fallacy is that we like to ignore signals until something goes wrong. One of the first triggers that should have put all companies on constant alert was the NSA exploit leak incident. All the conditions were met, and a lot of infosec experts had already predicted massive cyberattacks using these exploits.

    The first wave that took advantage of the 0days was not long in coming. The WannaCry ransomware was born and it caused hundreds of thousands of victims around the world to cry. This is the direct consequence of the signal: the 0day leakage.

    Afterwards, most security vendors took the necessary steps to reduce and mitigate the WannaCry effect. An unequivocal chain of solidarity even emerged in the infosec community to help those affected and reduce the proliferation of the malware.

    A majority believed that WannaCry was just an episodic consequence of the exploit leak. I was still convinced that similar or even more sophisticated attacks would take advantage of these exploits (I point out that they are no longer 0days). While some dried their tears and others pretended to ignore it, Petya / NotPetya (or call it whatever you like) erupted and finished what WannaCry had left undone. Except this time, Petya is not ransomware but a destructive worm / wiper.

    Let's see what this CSIRT manager described to me as a simple and effective way to counter WannaCry, one that indirectly proved successful against the Petya wiper as well. The CSIRT has developed an ingenious system around Splunk and Nessus, alongside the integration of the enriched and correlated CVE JSON reports provided daily by vFeed IO.

    First, the CVEs were identified as CVE-2017-0143 and CVE-2017-0144. Both were released on the 16th of March 2017, which means roughly 90 days ago.

    ./vfeedcli.py -m get_cve CVE-2017-0144
    [
      {
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144",
        "summary": "The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka \"Windows SMB Remote Code Execution Vulnerability.\" This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.",
        "id": "CVE-2017-0144",
        "modified": "2017-03-17T21:59:05.563-04:00",
        "published": "2017-03-16T20:59:04.010-04:00"
      }
    ]
    

    Checking the related Microsoft bulletins reveals a lot of information. The Microsoft patch was published on the 14th of March 2017. It is tagged as “Critical”. At this stage, the CVSS is irrelevant.

    ./vfeedcli.py -m get_ms CVE-2017-0144
    [
      {
        "id": "ms17-010",
        "kb": "4013389",
        "title": "Security Update for Microsoft Windows SMB Server",
        "url": "https://technet.microsoft.com/en-us/library/security/ms17-010"
      },
      {
        "id": "4013198",
        "kb": "4013198",
        "title": "Security Update",
        "url": "https://support.microsoft.com/help/4013198"
      },
      {
        "id": "4012217",
        "kb": "4012217",
        "title": "Monthly Rollup",
        "url": "https://support.microsoft.com/help/4012217"
      },
      {
        "id": "4012214",
        "kb": "4012214",
        "title": "Security Only",
        "url": "https://support.microsoft.com/help/4012214"
      },
      {
        "id": "4012215",
        "kb": "4012215",
        "title": "Monthly Rollup",
        "url": "https://support.microsoft.com/help/4012215"
      },
      { 
    -- SNIP ---
    

    The vFeed information shows that an exploit for this vulnerability has been implemented in Metasploit. This makes the attack even simpler to achieve.

    ./vfeedcli.py -m get_msf CVE-2017-0144
    [
      {
        "file": "metasploit-framework/modules/auxiliary/scanner/smb/smb_ms17_010.rb",
        "id": "smb_ms17_010.rb",
        "title": "MS17-010 SMB RCE Detection"
      },
      {
        "file": "metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb",
        "id": "ms17_010_eternalblue.rb",
        "title": "MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption"
      }
    ]
    

    The CSIRT team was also able to list all the vulnerable systems in the environment with a targeted Nessus scan. Indeed, vFeed also provides the associated scan scripts. This step can also be performed with OpenSCAP or OpenVAS.

    ./vfeedcli.py -m get_nessus CVE-2017-0144
    [
      {
        "family": "Windows",
        "file": "ms17-010.nasl",
        "id": "97833",
        "name": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)"
      },
      {
        "family": "Windows : Microsoft Bulletins",
        "file": "smb_nt_ms17-010.nasl",
        "id": "97737",
        "name": "MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)"
      }
    ]

    Intrusion Detection sensors were quickly updated with the right security rules (Snort and Suricata) by leveraging the information provided by vFeed. Any further attempts would be detected very quickly.

    ./vfeedcli.py -m get_snort CVE-2017-0144
    [
      {
        "category": "attempted-admin",
        "id": "sid:41978",
        "signature": "OS-WINDOWS Microsoft Windows SMB remote code execution attempt"
      },
      {
        "category": "attempted-admin",
        "id": "sid:42944",
        "signature": "OS-WINDOWS Microsoft Windows SMB remote code execution attempt"
      }
    ]
     
    ./vfeedcli.py -m get_suricata CVE-2017-0144
    [
      {
        "classtype": "trojan-activity",
        "id": "sid:2024291",
        "signature": "ET TROJAN Possible WannaCry DNS Lookup 1"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024293",
        "signature": "ET TROJAN Possible WannaCry DNS Lookup 2"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024294",
        "signature": "ET TROJAN Possible WannaCry DNS Lookup 3"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024295",
        "signature": "ET TROJAN Possible WannaCry DNS Lookup 4"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024296",
        "signature": "ET TROJAN Possible WannaCry DNS Lookup 5"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024298",
        "signature": "ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024299",
        "signature": "ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024300",
        "signature": "ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024301",
        "signature": "ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4"
      },
      {
        "classtype": "trojan-activity",
        "id": "sid:2024302",
        "signature": "ET TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5"
      }
    ]
    

    The CSIRT drafted a security advisory for its customers, integrating all the necessary information regarding the identification and mitigation of the Petya threat.
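
    The merge step described above, as an added example (not vFeed's or the CSIRT's own code): it combines the JSON returned by the methods shown on this page into one advisory record. The function name, the `priority` labels, the reference date and the `deployed_sids` inventory are assumptions made for the illustration.

```python
import json
from datetime import date

# Trimmed copies of the vfeedcli.py JSON shown on this page, one string per method.
FEED = {
    "get_cve": '[{"id": "CVE-2017-0144", "published": "2017-03-16T20:59:04.010-04:00"}]',
    "get_ms": '[{"id": "ms17-010", "kb": "4013389"}, {"id": "4012215", "kb": "4012215"}]',
    "get_msf": '[{"id": "smb_ms17_010.rb", "file": "metasploit-framework/modules/'
               'auxiliary/scanner/smb/smb_ms17_010.rb"}, {"id": "ms17_010_eternalblue.rb",'
               ' "file": "metasploit-framework/modules/exploits/windows/smb/'
               'ms17_010_eternalblue.rb"}]',
    "get_nessus": '[{"id": "97833", "file": "ms17-010.nasl"},'
                  ' {"id": "97737", "file": "smb_nt_ms17-010.nasl"}]',
    "get_snort": '[{"id": "sid:41978"}, {"id": "sid:42944"}]',
    "get_suricata": '[{"id": "sid:2024291"}]',
}


def build_advisory(feed, today, deployed_sids):
    """Merge the per-method JSON for one CVE into a single advisory record."""
    data = {method: json.loads(raw) for method, raw in feed.items()}
    cve = data["get_cve"][0]
    published = date.fromisoformat(cve["published"][:10])
    # modules/exploits/ holds working exploits; modules/auxiliary/ only scanners.
    exploits = [m["id"] for m in data["get_msf"] if "/modules/exploits/" in m["file"]]
    rules = data["get_snort"] + data["get_suricata"]
    wanted = {int(r["id"].split(":")[1]) for r in rules}
    return {
        "cve": cve["id"],
        "days_since_publication": (today - published).days,
        "exploit_modules": exploits,
        # Assumed policy: a public exploit, not the CVSS score, drives the priority.
        "priority": "emergency" if exploits else "scheduled",
        "patches": sorted({"KB" + p["kb"] for p in data["get_ms"]}),
        "scan_plugins": sorted(int(p["id"]) for p in data["get_nessus"]),
        # Rules the feed lists for this CVE that the sensors do not load yet.
        "missing_ids_rules": sorted(wanted - set(deployed_sids)),
    }


if __name__ == "__main__":
    # Constructed inputs: reference date and the SIDs already loaded on the sensors.
    print(json.dumps(build_advisory(FEED, date(2017, 6, 14), {41978}), indent=2))
```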

    What went wrong?

    Normally, after the damage caused by the WannaCry malware, most IT companies should have been immune to this type of attack. You know what? That was not the case.

    • The signals were ignored. WannaCry was barely the tip of the iceberg, and Petya the second shock wave. The worst is yet to come.
    • Patch management was a disaster. The Microsoft patch, however critical, was ignored. From that moment on, it was the snowball effect.
    • Defense in depth is not well designed. Everyone persists in believing that firewalls and AVs will save the day. The proof is that once the malware was inside, it started its lateral movement with disconcerting ease.
    • Where are all these Threat Intelligence solutions? Why did they not work as expected? They were not supposed to predict a catastrophe.
    • Why did some AVs not detect this attack as they should?
    • What about phishing? Are you not supposed to educate users to deal with this kind of cyber-security issue?

    Defend your interest

    IT security must be taken in the true sense of strategy and tactics. I'm not talking about business strategies and all this marketing crap that serves absolutely no purpose except wasting time. I am referring to the stratagems of Sun Tzu and the principles of Machiavelli. You have a digital city to protect. Make sure you apply the right measures to defend your interests and those of your clients.

    • Prepare yourself for the worst: In Chapter XIV of The Prince, Machiavelli recommends preparing for the worst during moments of calm. We do not. And for good reason: we hope that things are going well. During this peaceful time, you should prepare for something bigger, because when it hits you, it will literally destroy you. Remember that most people believed that WannaCry was finished before being swept away by another wave. And it's not over. So get ready: audit your systems, hack them, patch them, harden them, segment your network, train your team, perform penetration tests on your premises. Clean up any bulky solutions that create noise more than anything else. If this wave has missed you, the next one will not.
    • Stop buying useless solutions: Just use the means at your disposal and stop this madness of spending crazy budgets on solutions and other marketing trends of the moment. Start at the beginning.
    • Lay off those who have failed you: Be severe with those who have not lived up to the task. A CISO must behave and act like a wartime leader. If you have not understood this yet, you absolutely must change jobs.
    • Patch your systems: Is it necessary to recall that patch MS17-010 was one of the key players of the moment? And yet, it would have been enough to just follow Microsoft's recommendation and apply this patch.
    • Harden your systems
      • Why SMB v1?: There were several tricks to reduce the impact of this Petya wiper. One of them was the deactivation of SMB v1. And yet, SMB v1 is still used in large companies.
      • Limit or prevent the use of PsExec: In case you are not aware of it, PsExec introduces weaknesses in systems by default. In fact, it was designed to provide flexibility for network administrators. It is a poisoned gift: badly protected, it is a double-edged sword. PsExec has been widely used in Pass the Hash attacks. Use GPOs to restrict access to PsExec or remove it completely.
      • Get rid of lateral movement: Logically, it starts with the famous Pass the Hash technique. There is abundant literature on the subject and on how to mitigate this risk. Lateral movement is only the consequence of the possibility of reusing cached passwords. Microsoft has written an excellent paper called Mitigating Pass the Hash and Other Credential Theft Version 2.0. Browse to page 30 of this document. You will find 3 great mitigations to apply, alongside some tricks such as logon restrictions with SIDs S-1-5-113 (local account) / S-1-5-114, removing the LAN Manager (LM) hashes from LSASS and more. Just be stupid: apply them!
    • Do not read your logs. Listen to them: Everything that happens on your machines is logged. Absolutely everything. Except that one must be able to interpret the events and their meaning. The fact is that you have to listen to what's happening on your machines. Let me share with you one of the greatest papers ever written on this subject. Like a divine intervention, the authors at JPCERT/CC foresaw what would happen. The paper is called Detecting Lateral Movement through Tracking Event Logs. It has all the ingredients to identify the signatures of a fraudulent use (or not) of certain tools like PsExec, WMIC, PowerShell, PWDump7, WCE and pass-the-hash tools. This paper absolutely must be read. The indicators provided by JPCERT/CC absolutely must be integrated into your threat model.
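
    One way to "listen" for PsExec use in event logs, as an added example that is not taken from this post or from the JPCERT/CC paper: it pairs a service-install event (System log, Event ID 7045) for PsExec's default service name, PSEXESVC, with the network logon (Security log, Event ID 4624, logon type 3) that preceded it on the same host. The event IDs and field names are the standard Windows ones; the sample events, host names and the jump-host allowlist are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, shaped like exported Windows Security/System records.
EVENTS = [
    {"time": "2017-06-27T10:00:01", "host": "SRV-FILE01", "id": 4624, "LogonType": 3,
     "IpAddress": "10.0.5.23", "TargetUserName": "svc_backup",
     "AuthenticationPackageName": "NTLM"},
    {"time": "2017-06-27T10:00:03", "host": "SRV-FILE01", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2017-06-27T11:30:00", "host": "SRV-DB02", "id": 4624, "LogonType": 3,
     "IpAddress": "10.0.1.10", "TargetUserName": "adm_ops",
     "AuthenticationPackageName": "Kerberos"},
    {"time": "2017-06-27T11:30:02", "host": "SRV-DB02", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2017-06-27T12:00:00", "host": "SRV-DB02", "id": 4624, "LogonType": 2,
     "IpAddress": "-", "TargetUserName": "adm_ops",
     "AuthenticationPackageName": "Negotiate"},
]
ADMIN_HOSTS = {"10.0.1.10"}  # assumed allowlist of management jump hosts


def find_remote_exec(events, window_s=30, admin_hosts=ADMIN_HOSTS):
    """Pair each PSEXESVC install (7045) with the preceding network logon
    (4624, type 3) on the same host; flag sources outside the allowlist."""
    evs = sorted(events, key=lambda e: e["time"])
    window = timedelta(seconds=window_s)
    findings = []
    for svc in evs:
        # Matches the default service name only.
        if svc["id"] != 7045 or svc["ServiceName"].upper() != "PSEXESVC":
            continue
        t = datetime.fromisoformat(svc["time"])
        logons = [e for e in evs
                  if e["id"] == 4624 and e["host"] == svc["host"]
                  and e["LogonType"] == 3
                  and timedelta(0) <= t - datetime.fromisoformat(e["time"]) <= window]
        src = logons[-1] if logons else None  # closest logon before the install
        findings.append({
            "host": svc["host"], "time": svc["time"],
            "source": src["IpAddress"] if src else None,
            "account": src["TargetUserName"] if src else None,
            "ntlm": bool(src) and src["AuthenticationPackageName"] == "NTLM",
            # No matching logon, or a source that is not a jump host, needs review.
            "suspicious": src is None or src["IpAddress"] not in admin_hosts,
        })
    return findings
```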
