New Petya/Not Petya/EternalBlue electric boogaloo

Discussion in 'Business & Enterprise Computing' started by NSanity, Jun 28, 2017.

  1. chip

    chip Member

    Joined:
    Dec 24, 2001
    Messages:
    3,715
    Location:
    Pooraka Maccas drivethrough
    Seeing signature based AV is apparently catching this thing, I take it that it doesn't mutate each time it infects a host?
     
  2. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    38,487
    Location:
    Brisbane
    Like it or not, this is the new world. You have to make a choice between stability and safety. That used to be "easy" - you put air gaps in, and told people "no Internet for you". Now you can't do that.

    Here and now, you have to make a business decision as to which is less expensive - outages from broken patches, or outages from malicious attacks.

    Here's a discussion from 6 years ago:
    http://forums.overclockers.com.au/showthread.php?t=983059

    Back then, I'd already reached the personal conclusion that I preferred "patch early, patch often". Today I'm even more vehemently for that, regardless of whether your shitty Outlook client loses search for a week.
     
  3. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,807
    Location:
    Brisbane
    I still haven't seen anything conclusive on how this is spreading outside of the MeDoc compromised updater. Some rumours of a watering hole attack but nothing concrete yet.

    Bit of a nightmare scenario though, pushing malware on a privileged process directly into your systems.
     
  4. callan

    callan Member

    Joined:
    Aug 16, 2001
    Messages:
    4,827
    Location:
    melbourne
    Rather concerning article on Arstechnica.
    Seems the code is deliberately written to destroy the information needed to recover the disk after paying the ransom.
    Adding to the problem: the email address used to communicate with the malware author has been closed.

    Whilst I'm a firm believer that no-one should ever pay a ransomware author (extortionist) to recover their data - this adds an additional layer of nastiness to the whole affair: if that were even possible.

    Microsoft, and the NSA have a lot to answer for.
    Callan
     
  5. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,807
    Location:
    Brisbane
    It's looking more and more like this was a disk wiper disguised as a ransomware, rather than ransomware.

    Re the Microsoft and NSA, what do they have to answer for specifically? The original source was a compromised third-party updater; as those tend to run privileged, the thing got an immediate foothold with high-level privileges and went to town from there. Yes, we should accept some orgs can't rapidly patch, sure, but even if they were fully patched this would have wreaked havoc. I believe analysis will likely show the EternalBlue exploit will be far less utilised than simply harvested credentials.

    This is as much about poor segmentation and a lack of monitoring as anything else. Your more stereotypical balaclava wearing hacker is gonna use exactly the same techniques.
     
  6. callan

    callan Member

    Joined:
    Aug 16, 2001
    Messages:
    4,827
    Location:
    melbourne
    Microsoft for leaving SMB1.0 enabled by default for so long, and writing shitty code to start with.
    The NSA for discovering but hoarding the vulnerability and then being sloppy enough to let it get leaked.


    Callan
     
  7. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,634
    EternalBlue was an infinitesimally small part of this whole shebang.

    Rightly or wrongly, the NSA need offensive capabilities, which is why they have these toolkits... when they got leaked, vendors were contacted and patches released... such is the scheme of things.

    Microsoft's advice has been "Disable SMB1.0" for a LONG TIME now, however, shitty vendors still rely upon it... why does Microsoft cop the blame for this?

    There are many MANY valid things to bash Microsoft over, but this isn't one of them.
     
  8. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,807
    Location:
    Brisbane
    Right, the code is so shitty that literally nobody else has discovered it in what, 10 years? The thing took nearly a month to reverse engineer for 2008 R2, let alone all the other platforms. Sure, MS shouldn't have it enabled by default (as of Server 2016 RC-whatever it isn't), but that's gonna break a lot of shitware too, so people will simply re-enable it or simply use out-of-date OSes.

    Just to be clear, the odds of the NSA discovering this are pretty low; they're far more likely to just buy it. Hoarding is relative; it's a tool, man, a damn good one that they used for at least 3 years without getting caught. There's very little evidence to suggest that exploits are rediscovered, and as soon as they felt it was burned some random anonymous source reported it to MS with all the details they needed to fix it.

    Regardless, take out the exploit and have it rely on psexec and the impacts would probably be similar; if the initial foothold is an updater process in a domain environment you're probably screwed anyway, as it'll likely have DA to begin with.
     
  9. sammy_b0i

    sammy_b0i Laugh it up, fuzzball!

    Joined:
    Jun 29, 2005
    Messages:
    3,643
    Location:
    ACT 2913
    We've finally disabled SMBv1, fixed up trusted macros for office, and dropped in those vaccine files via GPO.

    Already patched up from the WannaCry issue, but good to finally take a few more steps.
     
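The three steps sammy_b0i lists above, as an added PowerShell example (not sammy_b0i's script, and not from any vendor named in the thread): it reports the SMBv1 state, disables the server and client sides, and drops read-only "vaccine" files. The thread does not name the vaccine files, so the file names are a mandatory parameter and the default in the usage call is an obviously hypothetical placeholder; the cmdlets used are the standard Windows 8/2012+ ones.

```powershell
# Added example: audit and disable SMBv1, then create read-only vaccine files.
# File names come from your IR team / advisory; the placeholder below is hypothetical.
#Requires -RunAsAdministrator

function Get-Smb1State {
    # Server side: EnableSMB1Protocol from the SMB server configuration.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client+server optional feature on Windows 10 / Server 2016 and later.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        FeatureState      = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Disable-Smb1 {
    # Turn off the SMB1 server protocol immediately (no reboot needed for this part).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 optional feature (client and server); takes effect after reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Disable the SMB1 client driver and drop it from the workstation service dependencies
    # (Microsoft's documented steps for Windows 8 / Server 2012).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function New-VaccineFile {
    param(
        [Parameter(Mandatory)][string[]] $Name,          # file names from your advisory
        [string] $Directory = $env:SystemRoot            # assumption: files live under %SystemRoot%
    )
    foreach ($n in $Name) {
        $path = Join-Path $Directory $n
        if (-not (Test-Path $path)) { New-Item -ItemType File -Path $path | Out-Null }
        # Read-only attribute plus an explicit deny-write/delete ACE for Everyone,
        # so the file cannot be replaced by a process running as SYSTEM either.
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
        $acl  = Get-Acl -Path $path
        $deny = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'Write,Delete', 'Deny')
        $acl.AddAccessRule($deny)
        Set-Acl -Path $path -AclObject $acl
        [pscustomobject]@{ Path = $path; ReadOnly = (Get-Item $path).IsReadOnly }
    }
}

# Usage (as a GPO startup script or from your management tooling):
Get-Smb1State
Disable-Smb1
New-VaccineFile -Name 'PLACEHOLDER_vaccine_file'   # replace with the names your advisory gives
Get-Smb1State
```

Run `Get-Smb1State` again after the reboot to confirm `FeatureState` reports Disabled; the server-side setting flips immediately, the feature removal does not.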
  10. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,807
    Location:
    Brisbane
    I noticed in SEP they seem to have an option you can configure to block common malicious commands in macros, e.g. running shell commands. It can be bypassed, but every bit helps :)
     
  11. Glide

    Glide Member

    Joined:
    Aug 22, 2002
    Messages:
    1,151
    Location:
    Was: Sydney Now: USA
    I work for a backup vendor... things are busy at the moment :sick:

    It seems like the encryption part only targets c:\ - so many have had some lucky escapes - but there are so many that have entire AD infrastructures down. Broken DNS and authentication for accounts that can access storage resources are the biggest hurdle ...

    One customer has over 50,000 laptops hit.
     
  12. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,807
    Location:
    Brisbane
  13. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,807
    Location:
    Brisbane
    https://blog.kaspersky.com/new-ransomware-epidemics/17314/

    Kaspersky have updated their advice; apparently it's looking like it was never going to be possible to decrypt it.

     
  14. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,827
  15. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,634
  16. m0n4g3

    m0n4g3 Member

    Joined:
    Aug 5, 2009
    Messages:
    3,643
    Location:
    Perth, WA
    HAH! Apparently the staff should be commended for bringing it back up in such a short period of time...

    No, you muppet, they should be raked over the coals for letting it happen in the first place; once fixed they should get the fkn flick regardless of how quickly they brought it back up or not.
     
  17. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,634
    I'm gonna disagree on that one.

    The sad truth of the matter is that for a lot of people, even a lot of "IT" people, the ease of lateral (and far too often, vertical) movement through a Windows network comes as a shock to them. (http://forums.overclockers.com.au/showpost.php?p=17575801&postcount=1531)

    This is really the first widespread threat that has used these techniques for propagation, and by virtue of it being a supply chain attack, even a fully patched system would be owned, because you have some enterprise shitware that insists on running its updater with higher privileges... then when it fetches a pre-owned update... bad stuff happens.

    Many people (me included) have not had to deal with it because we've been lucky, not because they've been good.

    Because this used "standard" ways to spread once inside, it only takes 1 host on each network, and you're up to your elbows in a world of shit.

    Janice from accounting just comes back from 3 months leave, plugs in her laptop and starts going through old E-mails... Initial infection vector - Boom.

    Desktop Admin comes to her desk and runs "Anti-Malware-Bollocks.exe" using his desktop admin account... Now Mr Malware has desktop admin creds to spread laterally.

    Malware finds the sysadmin's desktop, and the sysadmin has used his desktop to map something as his server admin account. Boom, now Mr Malware has server creds. Onwards and upwards.

    Malware uses server creds to infect Domain Admin "Jumpbox" and now everything is fucked.

    A series of small mistakes, which, on their own, are trivial, can (and have) led to a right royal fucking... and this is in a mostly ideal world, where people have "Desktop" admin, "Server" admin and "Domain" admin separation... I'd posit that it's far more likely that badmins are running their regular user account as "Domain Admin", or, in a best case scenario, have a "separate" domain admin account (but they still use it everywhere).
     
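Each step in the chain PabloEscobar describes leaves the same trace: a privileged account logging on to a host outside its tier (desktop admin creds on Janice's laptop are expected, server admin creds on a workstation or domain admin creds on a file server are not). The following is an added PowerShell example, not PabloEscobar's code, that flags those tier violations. The account-to-tier map, the host naming convention used to define each tier's allowed hosts, and the sample 4624 events are all constructed assumptions; `Get-Live4624` shows how real Security-log events would be mapped into the same shape.

```powershell
# Added example: detect privileged-account logons outside their tier.
# Account tiers and host naming are assumptions; in production pull the account
# lists from the relevant AD groups and the host lists from your CMDB.

$PrivilegedAccounts = @{
    'CORP\deskadmin-tom' = 'DesktopAdmin'
    'CORP\srvadmin-bob'  = 'ServerAdmin'
    'CORP\da-alice'      = 'DomainAdmin'
}
# Hosts on which each tier's credentials are allowed to appear (assumed naming convention).
$AllowedHostPattern = @{
    'DesktopAdmin' = '^(WS|JUMP)-'
    'ServerAdmin'  = '^(SRV|JUMP)-'
    'DomainAdmin'  = '^JUMP-DA'
}

function Test-TierViolation {
    param([Parameter(Mandatory)][pscustomobject[]] $Events)
    foreach ($e in $Events) {
        # Logon types 2 (interactive) and 10 (RDP) leave reusable credentials in LSASS on
        # the target; type 3 (network) still shows where the account is being used.
        $user = "$($e.Domain)\$($e.User)"
        $tier = $PrivilegedAccounts[$user]
        if (-not $tier) { continue }                       # unprivileged account: ignore
        if ($e.Computer -notmatch $AllowedHostPattern[$tier]) {
            [pscustomobject]@{
                Time      = $e.Time
                Account   = $user
                Tier      = $tier
                Host      = $e.Computer
                LogonType = $e.LogonType
                Finding   = "$tier credentials used on $($e.Computer), outside the allowed tier"
            }
        }
    }
}

function Get-Sample4624 {
    # Constructed events (not a real log); fields mirror Security event 4624.
    @(
        [pscustomobject]@{ Time='2017-06-28 09:02'; Computer='WS-ACCT-017'; Domain='CORP'; User='janice';        LogonType=2 }
        [pscustomobject]@{ Time='2017-06-28 09:40'; Computer='WS-ACCT-017'; Domain='CORP'; User='deskadmin-tom'; LogonType=2 }
        [pscustomobject]@{ Time='2017-06-28 10:15'; Computer='WS-IT-003';   Domain='CORP'; User='srvadmin-bob';  LogonType=3 }
        [pscustomobject]@{ Time='2017-06-28 10:31'; Computer='JUMP-DA-01';  Domain='CORP'; User='da-alice';      LogonType=10 }
        [pscustomobject]@{ Time='2017-06-28 11:05'; Computer='SRV-FILE-02'; Domain='CORP'; User='da-alice';      LogonType=3 }
    )
}

function Get-Live4624 {
    # Map real 4624 events from the local Security log into the same shape.
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Computer  = ($x.Event.System.Computer -split '\.')[0].ToUpper()
                Domain    = $d.TargetDomainName
                User      = $d.TargetUserName
                LogonType = [int] $d.LogonType
            }
        }
}

# Usage: run over the constructed sample, or swap in Get-Live4624 on a real host.
Test-TierViolation -Events (Get-Sample4624) | Format-Table -AutoSize
```

Over the constructed sample, the desktop admin on a workstation and the domain admin on the DA jumpbox are accepted as normal; the server admin's logon to a workstation and the domain admin's logon to a plain file server are the two findings, which are exactly the steps in the chain above where credentials get exposed to the wrong tier.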
  18. millsy

    millsy Member

    Joined:
    Mar 31, 2007
    Messages:
    12,807
    Location:
    Brisbane
    I've come across users that have enterprise admin for their daily driver :)

    But you've hit the nail on the head there perfectly.
     
  19. scrantic

    scrantic Member

    Joined:
    Apr 8, 2002
    Messages:
    1,721
    Location:
    3350
  20. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    13,634
    Turning your computers off completely is also 100% mitigation.

    Disabling things like psexec and WMIC on a corporate network may end up causing more issues than it solves.

    For example, I use psexec to push Flash updates to shitboxes that still need it. If it gets disabled, Flash stops getting updates, and not-updated Flash is one of the ways shit like this gets in in the first instance...

    I'm not saying don't do the thing, I'm just asking that you be aware of all the ramifications of doing the thing.
     