Overclockers Australia Forums

28th June 2017, 9:42 AM   #1
NSanity (Thread Starter)
New Petya/Not Petya/EternalBlue electric boogaloo

fat juicy tech deets - https://gist.github.com/vulnersCom/6...mware-txt-L221

news article - https://www.bleepingcomputer.com/new...oss-the-globe/

reddit /r/netsec - https://www.reddit.com/r/netsec/comm...eak_live_blog/
reddit /r/sysadmin - https://www.reddit.com/r/sysadmin/co..._name=sysadmin


tl;dr

Infects then sets a scheduled task 1 hour in the future
Encrypts yer shit on reboot - looks like chkdsk when it's doing the deed.
Spreads via WMI, PSExec (uses LsaDump, then impersonates to FULLY patched machines) and Unpatched SMBv1
Massive clients hit - Maersk, DLA Piper, ATM networks, etc

faaaaark.

me

28th June 2017, 9:44 AM   #2
looktall

Quote:
Originally Posted by NSanity:
Encrypts yer shit on reboot
Wipes the MBR too, I believe, so you can't boot back into the OS.

28th June 2017, 9:45 AM   #3
NSanity (Thread Starter)

Quote:
Originally Posted by looktall:
wipes MBR too i believe so you can't boot back into the OS.
bootrec /fixboot
bootrec /fixmbr

etc

can get you back in.

c:\windows is unaffected apparently.
28th June 2017, 9:54 AM   #4
looktall

Quote:
Posteo, the email provider where the Petya author is hosting an inbox to handle victims from today's massive ransomware outbreak, has announced that it shut down the crook's email account: <Snip>.

The German email provider's decision is catastrophic news for Petya victims, as they won't be able to email the Petya author in the case they want to pay the ransom to recover sensitive files needed for urgent matters.
https://www.bleepingcomputer.com/new...overing-files/


Oh dear.
Not that I would suggest anyone pay the ransom, but some people would certainly feel that they need to, and now they can't.


EDIT:

Seems there's an easy way to prevent infection in the first place.

Quote:
While analyzing the ransomware's inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.

The researcher's initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.

This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.
https://www.bleepingcomputer.com/new...ware-outbreak/

Last edited by looktall; 28th June 2017 at 10:04 AM.
28th June 2017, 10:05 AM   #5
bcann

Just out of interest, does Microsoft LAPS prevent this kind of dump or reduce its chances of success?
28th June 2017, 10:06 AM   #6
scrantic

Anyone got a copy of PsExec 1.98 so I can block it via AppLocker & Software Restriction Policies? Sucks that you can't paste a hash into a hash GPO.

The supplied HASH for 1.98 that I've found is

aeee996fd3484f28e5cd85fe26b6bdcd

If anyone knows how I can use just the hash without the file in a GPO let me know.
28th June 2017, 10:08 AM   #7
millsy_c

Quote:
Originally Posted by NSanity:
So fully patched systems are getting hit.

EternalBlue is just ONE of 3 vectors it spreads laterally. The fucking thing uses LsaDump to pull privileged accounts then runs amok with psexec via RPC.
Does it use a privesc to get SYSTEM privs? You can't dump plaintext or hashed creds otherwise unless they're being cached in some userland app like IE, which means local admins are running this. Ironically this might do some good with orgs who have shit privileged access management. So, once again, free lazy pentest.

Quote:
Originally Posted by bcann:
Just out of interest, does Microsoft LAPS prevent this kind of dump?
Depends. It prevents reuse of local administrator password hashes to spread laterally; if this is dumping plaintext creds of users with local admin privileges and spreads with that, no. Sounds like the latter from what NSanity said.

It's worth pointing out that although Win 8.1+ and 2012 R2 by default prevent caching of plaintext credentials via WDigest, things like Kerberos SSO can still trip you up. It's worth mentioning the WDigest caching can be enabled by a local admin on a system, so if you use that as a control and aren't monitoring for changes to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential, that isn't ideal either.


[looktall edit: moved here from the rant thread]
Last edited by looktall; 28th June 2017 at 10:13 AM.
28th June 2017, 10:15 AM   #8
millsy_c

https://twitter.com/HackingDave/stat...79361364357121

Quote:
Looks like if you block C:\Windows\perfc.dat from writing/executing - stops #Petya. Is used for rundll32 import:
28th June 2017, 10:24 AM   #9
bcann

Quote:
Originally Posted by millsy_c:
Depends. It prevents reuse of local administrator password hashes to spread laterally; if this is dumping plaintext creds of users with local admin privileges and spreads with that, no. Sounds like the latter from what NSanity said.

It's worth pointing out that although Win 8.1+ and 2012 R2 by default prevent caching of plaintext credentials via WDigest, things like Kerberos SSO can still trip you up. It's worth mentioning the WDigest caching can be enabled by a local admin on a system, so if you use that as a control and aren't monitoring for changes to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential, that isn't ideal either.


[looktall edit: moved here from the rant thread]
Breathes a sigh of relief: there is only one local admin user, with a LAPS password so stupidly complex that it changes every few days and is different on every machine in the org, and a non-standard admin username... combined with decent SRP on all boxes, AV + filtered email via a 3rd party, SMB1 disabled, plus no-one runs as local admin, and patch patch patch every month.

At least I've got a few layers in my security onion for a very small org with a slim budget. If anyone can suggest more, I'm willing to look at more.

Last edited by bcann; 28th June 2017 at 10:49 AM.
28th June 2017, 10:28 AM   #10
PabloEscobar

Quote:
Originally Posted by NSanity:
So fully patched systems are getting hit.
Citation needed.
28th June 2017, 10:34 AM   #11
millsy_c

Quote:
Originally Posted by PabloEscobar:
Citation needed.
It's dumping out creds using a cut-down mimikatz, and spreading with psexec. That would work on any fully patched machine (except maybe a Win10 / 2016 box with protected kernel) where a user with admin rights runs the malware. So definitely technically possible; dunno if that's the case here though, I haven't had time to really read up on it.

I think it's more likely that it's using that HTA vuln, local admins run it, shit goes haywire.

If you get hit, the scary thing is that this could all simply be a smokescreen for exfiltrating golden tickets en masse. Your AD must be considered fully compromised.

Technically, this attack is a big yawn, but the impact is significant. If you get ripped apart by this ransomware, any old attacker would have been able to rip you apart with the same methods.
28th June 2017, 10:41 AM   #12
PabloEscobar

Quote:
Originally Posted by millsy_c:
It's dumping out creds using a cut down mimikatz, and spreading with psexec. That would work on any fully patched machine (except maybe a win10 / 2016 box with protected kernel) where a user with admin rights runs the malware.
Makes sense... I was reading "Fully patched systems are getting hit" as "Fully patched systems are vulnerable to the initial infection vector"

So yeah, lateral movement will fuck you over big time with this one, but if all your doors are locked, it shouldn't be able to get in anyway.
28th June 2017, 10:43 AM   #13
power

Quote:
Originally Posted by PabloEscobar:
Citation needed.
Reading the links in the OP needed.
28th June 2017, 10:45 AM   #14
millsy_c

Quote:
Originally Posted by PabloEscobar:
Makes sense... I was reading "Fully patched systems are getting hit" as "Fully patched systems are vulnerable to the initial infection vector"

So yeah, Lateral movement will fuck you over big time with this one, but if all your doors are locked, it shouldn't be able to get in anyway.
This thing relies on dumb lateral movement of course, hitting paydirt with initial vectors or using MS17-010 to spread.

Disable SMBv1, no local admins, patch office from 2 months ago.

Like, victim shaming is never good, but at least 1 of those things should have been done in your org post EternalBlue / WannaCry shenanigans, ignoring the point that it's just a good idea anyway.
Last edited by millsy_c; 28th June 2017 at 10:47 AM.
28th June 2017, 10:48 AM   #15
mr626

Group policy 'vaccine'

https://eddwatton.wordpress.com/2017...petya-vaccine/
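A single-host check for the controls raised in this thread (the WDigest UseLogonCredential value to monitor, SMBv1 being disabled, and the read-only C:\Windows\perfc.dat vaccine file from the quoted tweet), as an added PowerShell example that is not from the thread or the linked group policy writeup. It assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later; the extra deny ACL on the vaccine file is my own addition, not something the posts specify.

```powershell
# Added example (not from the thread): audit and apply the host-level controls discussed above.
# Assumes an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later.

$wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$vaccine    = Join-Path $env:SystemRoot 'perfc.dat'   # file name taken from the quoted tweet

function Test-WDigestCaching {
    # UseLogonCredential = 1 re-enables plaintext credential caching in LSASS;
    # the value being absent or 0 is the safe default on 8.1 / 2012 R2 and later.
    $value = (Get-ItemProperty -Path $wdigestKey -Name UseLogonCredential `
              -ErrorAction SilentlyContinue).UseLogonCredential
    if ($value -eq 1) { 'WARN: WDigest plaintext caching is ENABLED (UseLogonCredential=1)' }
    else              { 'OK:   WDigest plaintext caching is disabled' }
}

function Test-Smb1Server {
    # Server-side SMBv1 only; the SMB1Protocol optional feature covers the client side too.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return 'SKIP: Get-SmbServerConfiguration not available on this host' }
    if ($cfg.EnableSMB1Protocol) { 'WARN: SMBv1 server is ENABLED' }
    else                         { 'OK:   SMBv1 server is disabled' }
}

function Set-PerfcVaccine {
    # Create the marker file the researchers found the malware checks for before encrypting,
    # mark it read-only, and (extra, assumed) deny Everyone write/execute on it.
    if (-not (Test-Path $vaccine)) {
        New-Item -Path $vaccine -ItemType File -Force | Out-Null
    }
    Set-ItemProperty -Path $vaccine -Name IsReadOnly -Value $true
    $acl  = Get-Acl -Path $vaccine
    $deny = [System.Security.AccessControl.FileSystemAccessRule]::new(
                'Everyone', 'Write,ExecuteFile', 'Deny')
    $acl.AddAccessRule($deny)
    Set-Acl -Path $vaccine -AclObject $acl
    "OK:   vaccine file present and read-only: $vaccine"
}

Test-WDigestCaching
Test-Smb1Server
Set-PerfcVaccine
```

Run it via the same GPO startup script or management tool you would use for the vaccine file so the WDigest and SMBv1 results are collected fleet-wide, not just on one box.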