New Petya/Not Petya/EternalBlue electric boogaloo

Discussion in 'Business & Enterprise Computing' started by NSanity, Jun 28, 2017.

  1. NSanity

    fat juicy tech deets - https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759#file-petya_ransomware-txt-L221

    news article - https://www.bleepingcomputer.com/ne...are-outbreak-wreaking-havoc-across-the-globe/

    reddit /r/netsec - https://www.reddit.com/r/netsec/comments/6jttgo/petya_ransomware_outbreak_live_blog/
    reddit /r/sysadmin - https://www.reddit.com/r/sysadmin/c...edium=hot&utm_source=reddit&utm_name=sysadmin


    tl;dr

    Infects then sets a scheduled task 1 hour in the future
    Encrypts yer shit on reboot - looks like chkdsk when it's doing the deed.
    Spreads via WMI, PSExec (uses LsaDump, then impersonates to FULLY patched machines) and Unpatched SMBv1
    Massive clients hit - Maersk, DLA Piper, ATM networks, etc

    faaaaark.

    me

     
  2. looktall

    Wipes the MBR too, I believe, so you can't boot back into the OS.

     
  3. NSanity (OP)
    bootrec /fixboot
    bootrec /fixmbr

    etc

    can get you back in.

    c:\windows is unaffected apparently.
     
  4. looktall

    https://www.bleepingcomputer.com/ne...box-preventing-victims-from-recovering-files/


    Oh dear.
    Not that I would suggest anyone pay the ransom, but some people would certainly feel that they need to, and now they can't.


    EDIT:

    Seems to be an easy way to prevent infection in the first place.

    https://www.bleepingcomputer.com/ne...found-for-petya-notpetya-ransomware-outbreak/
     
    Last edited: Jun 28, 2017
  5. bcann

    Just out of interest, does Microsoft LAPS prevent this kind of dump or reduce its chances of success?
     
  6. scrantic

    Anyone got a copy of PsExec 1.98 so I can block it via AppLocker & Software Restriction Policies? Sucks that you can't paste a hash into a HASH GPO.

    The supplied HASH for 1.98 that I've found is

    aeee996fd3484f28e5cd85fe26b6bdcd

    If anyone knows how I can use just the hash without the file in a GPO let me know.
     
  7. millsy_c

    Does it use a privesc to get SYSTEM privs? You can't dump plaintext or hashed creds otherwise unless they're being cached in some userland app like IE, which means local admins are running this. Ironically this might do some good with orgs who have shit privileged access management. So, once again, free lazy pentest.

    Depends: it prevents reuse of local administrator password hashes to spread laterally; if this is dumping plaintext creds of users with local admin privileges and spreading with those, no. Sounds like the latter from what NSanity said.

    It's worth pointing out that although win 8.1+ and 2012r2 by default prevent caching of plaintext credentials via wdigest, things like Kerberos SSO can still trip you up. It's worth mentioning the wdigest caching can be enabled by a local admin on a system, so if you use that as a control and aren't monitoring for changes to HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential that isn't ideal either.


    [looktall edit: moved here from the rant thread]
     
    Last edited by a moderator: Jun 28, 2017
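As an added example (not from the thread or any poster), here is a PowerShell check for the WDigest setting millsy_c points at: it reports whether the host is currently caching plaintext credentials and lists recent Security-log records of that value being changed. It assumes an elevated session, and that event ID 4657 only appears if an audit SACL is set on the WDigest key and "Audit Registry" is enabled.

```powershell
# Added example, not from the thread. Assumes: run elevated; object-access
# auditing on the WDigest key so that 4657 "A registry value was modified" fires.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$ValueName  = 'UseLogonCredential'

function Get-WDigestCredentialCaching {
    $prop = Get-ItemProperty -Path $WDigestKey -Name $ValueName -ErrorAction SilentlyContinue
    $os   = [version](Get-CimInstance Win32_OperatingSystem).Version
    # Win 8.1 / Server 2012 R2 are 6.3; on those and later an absent value means
    # plaintext caching is OFF. On older builds (with KB2871997) absent means ON.
    $modernDefault = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)
    if ($null -eq $prop) {
        $caching = -not $modernDefault
        $source  = 'OS default (value absent)'
    } else {
        # Any non-zero value re-enables plaintext caching, even on current builds
        $caching = ($prop.$ValueName -ne 0)
        $source  = "explicit value $($prop.$ValueName)"
    }
    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        PlaintextCredsCached = $caching
        Source               = $source
    }
}

function Get-WDigestChangeEvents {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'WDigest' -and $_.Message -match $ValueName } |
        ForEach-Object {
            $lines = $_.Message -split "`n"
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = ($lines | Where-Object { $_ -match 'Account Name' } | Select-Object -First 1).Trim()
                Detail  = ($lines | Where-Object { $_ -match 'New Value' }    | Select-Object -First 1).Trim()
            }
        }
}

$state = Get-WDigestCredentialCaching
$state | Format-List
if ($state.PlaintextCredsCached) {
    Write-Warning "$($state.Host): WDigest is caching plaintext credentials ($($state.Source))"
}
Get-WDigestChangeEvents -Days 7 | Format-Table -AutoSize
```

Run it from a scheduled task or your endpoint management tool so a value flipped to 1 by a local admin shows up the same day rather than at the next audit.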
  9. bcann

    Breathes a sigh of relief that there is only one local admin user, with LAPS, so a stupidly complex password that changes every few days and is different on every machine in the org, and a non-standard admin username..... combined with decent SRP on all boxes, AV + filtered email via a 3rd party, SMB1 disabled, plus no-one runs as local admin, and patch patch patch every month.

    At least I've got a few layers in my security onion for a very small org with a slim budget. If anyone can suggest more, I'm willing to look at more.
     
    Last edited: Jun 28, 2017
  10. PabloEscobar

    Citation needed.
     
  11. millsy_c

    It's dumping out creds using a cut down mimikatz, and spreading with psexec. That would work on any fully patched machine (except maybe a win10 / 2016 box with protected kernel) where a user with admin rights runs the malware. So definitely technically possible, dunno if that's the case here though I haven't had time to really read up on it.

    I think it's more likely that it's using that HTA vuln, local admins run it, shit goes haywire.

    If you get hit, the scary thing is that this could all simply be a smokescreen for exfiltrating golden tickets en masse. Your AD must be considered fully compromised.

    Technically, this attack is a big yawn, but the impact is significant. If you get ripped apart by this ransomware, any old attacker would have been able to rip you apart with the same methods.
     
  12. PabloEscobar

    Makes sense... I was reading "Fully patched systems are getting hit" as "Fully patched systems are vulnerable to the initial infection vector"

    So yeah, Lateral movement will fuck you over big time with this one, but if all your doors are locked, it shouldn't be able to get in anyway.
     
  13. power

    reading the links in OP needed.
     
  14. millsy_c

    This thing relies on dumb lateral movement of course, hitting paydirt with initial vectors or using MS17-010 to spread.

    Disable SMBv1, no local admins, patch office from 2 months ago.

    Like victim shaming is never good, but at least 1 of those things should have been done in your org post EternalBlue / WannaCry shenanigans, and ignoring the point that it's just a good idea anyway.
     
    Last edited: Jun 28, 2017
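As an added example (not from the thread), here is a PowerShell audit of two of the controls millsy_c lists, SMBv1 disabled and no standing local admins, with a function to switch SMBv1 off. It assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 5.1 (for Get-LocalGroupMember), an elevated session, and that $AllowedAdmins is a placeholder you replace with your own approved principals.

```powershell
# Added example, not from the thread. $AllowedAdmins is a placeholder list.
$AllowedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')

function Get-Smb1State {
    # Server-side protocol switch (takes effect immediately when changed)
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # The binaries live in an optional feature on clients and a role feature on servers
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $role = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $role = (Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue).Installed
    }
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        ServerSmb1On  = [bool]$server
        ClientFeature = if ($feature) { [string]$feature.State } else { 'n/a' }
        ServerRoleFs1 = if ($null -ne $role) { $role } else { 'n/a' }
    }
}

function Get-UnexpectedLocalAdmins {
    # Anything in the local Administrators group that is not on the approved list
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $AllowedAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Removing the feature itself needs a reboot to complete
    if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
        Remove-WindowsFeature -Name FS-SMB1 | Out-Null
    }
}

$smb = Get-Smb1State
$smb | Format-List
if ($smb.ServerSmb1On) { Write-Warning "$($smb.Host): SMBv1 server still enabled; run Disable-Smb1" }
$extra = @(Get-UnexpectedLocalAdmins)
if ($extra.Count) { Write-Warning 'Unexpected local admins:'; $extra | Format-Table -AutoSize }
```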
  16. PabloEscobar

    Which link in the OP indicates that Patient Zero can be a fully patched machine?
     
  17. power

    if you read them you'd know :)
     
  19. millsy_c

    I would hope that users opening emails don't have rights to run psexec against hosts on the network...
    Privileged access management is gonna burn people on this as much as patch management. I saw an article suggesting it'll only target machines in the subnet of the infected host.

    Via that github page, this tweet is linked:
    https://twitter.com/GroupIB_GIB/status/879772068300165120

    Also the creator of mimikatz confirmed some of his code is used.
     
  20. PabloEscobar

    Yeah, but how is the RCE to actually run that obtained?... that's the vulnerability part.

    Sure, running psexec C:\encryptallthethings.exe is going to do bad things... but something somewhere needs to call that.
     