This blog is part three of a series on IT Security where PEI is examining modern threats and new security trends. In part one, we discussed phishing attacks. In part two, we talked about the importance of segmenting your network architecture. In this section, we’ll cover modern malware attacks.
Here’s the Scenario:
Hackers targeted a small software company called Linkos Group in Ukraine. Linkos Group’s tax software, M.E.Doc—a rough equivalent to TurboTax or Quicken—was widely used across the country, giving hackers access to thousands of users and devices.
The Russian hacker group Sandworm hijacked Linkos Group’s update servers, creating a hidden back door into PCs with M.E.Doc installed. Once this back door was in place, Sandworm released the NotPetya virus.
NotPetya worked in four stages.
Stage One: The Software Vendor Level
This attack began at Linkos Group, where hackers compromised the software infrastructure for M.E.Doc.
Stage Two: The Device Level
As organizations updated the M.E.Doc application on their own systems, the Petya code was initiated, running on an enterprise host and propagating through organizational devices.
Stage Three: The Network and Identity Level
At this level, NotPetya spread from directly infected devices to infiltrate entire infrastructures.
NotPetya leveraged the EternalBlue exploit, leaked from the US NSA in 2017, to take advantage of vulnerabilities in a particular Windows protocol. This gave the attackers free rein to run code on unpatched machines.
NotPetya stole credentials lingering in the RAM of Windows devices and used them to break into other devices that accepted the same credentials. This piece of the attack was only effective against accounts that were logged on at the time of the attack, since their credentials would then be loaded into LSASS memory, where Mimikatz could steal them.
The combination of EternalBlue (which had patches available) and Mimikatz allowed NotPetya to spread mercilessly through both unpatched and patched devices. Unpatched computers were targeted by EternalBlue, while Mimikatz pulled credentials from patched machines to infect those devices as well.
Once NotPetya had spread throughout a network, it would reboot systems and begin the encryption process. Although it claimed to be ransomware, NotPetya included no technical provision to generate keys and register them with a central service, as is standard operating procedure for ransomware. This led experts to believe the main goal of NotPetya was to wipe data completely, with no possibility of recovery.
What Made NotPetya Different?
- Supply Chain—Instead of targeting individual organizations directly through phishing or browsing, NotPetya took advantage of the IT Supply Chain to enter target environments.
- Multiple Vectors—NotPetya isn’t the first malware to spread in multiple ways or automate propagation techniques. However, NotPetya’s combination of EternalBlue and Mimikatz was especially effective in propelling its spread.
- Speed—NotPetya spread through organizations extremely efficiently, leaving little time for systems to detect and react to the virus. This means that only preventative measures—and not reactive solutions—could have been effective against it.
- Impact—NotPetya rebooted the system and encrypted the master file table of the filesystem, making it more difficult to recover individual machines. However, the reboot also worked against NotPetya itself: any storage that is inaccessible after a reboot was out of its reach.
NotPetya was estimated to have caused over $10 billion in damages. In comparison, the WannaCry virus, widely thought to be one of the most successful attacks in history, was estimated to have caused between $4 billion and $8 billion.
For one affected company, Maersk, which had the M.E.Doc software installed on exactly one device, the financial impact exceeded $300 million.
Lessons from NotPetya
For many organizations, this attack called attention to less-than-perfect software patching routines, outdated operating systems, and insufficient network segmentation.
How Do We Combat these Types of Attacks?
- Routine Maintenance—Your technology maintenance procedures should involve regular security patching and vulnerability assessments.
- Real-time Monitoring—Your toolset should identify in real time when files on your network receive unauthorized modifications.
- Endpoint Security—Make sure your devices are protected with intelligent software capable of detecting early infections and raising security alarms when malicious code runs on your network.
- Backups—Back up your data to multiple locations, ensuring proper segmentation. Additionally, test your backups regularly!
- Education—Educate your team on your security policies and enforce best practices for all of your users.
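As an added example (not part of the PEI article), here is a PowerShell audit that checks a single Windows host for the two conditions the Stage Three description and the Routine Maintenance item above depend on: SMBv1 still enabled (the EternalBlue path) and logged-on credentials left readable in LSASS memory (the Mimikatz path). It assumes Windows 8.1/Server 2012 R2 or later so that Get-SmbServerConfiguration exists; the registry keys and values are Microsoft's documented ones, and the function name Test-NotPetyaExposure is ours.

```powershell
# Added example, not from the PEI article. Run in an elevated PowerShell session.
# Assumes Windows 8.1/Server 2012 R2 or later (Get-SmbServerConfiguration exists).
function Test-NotPetyaExposure {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. EternalBlue vector: the exploit abuses SMBv1, so the server-side
    #    protocol should be disabled outright, not merely patched.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings += [pscustomobject]@{
            Check    = 'SMBv1 server protocol'
            Status   = 'Enabled'
            Severity = 'High'
            Fix      = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
        }
    }

    # 2. Credential-theft vector: WDigest keeps plaintext credentials in LSASS
    #    memory while UseLogonCredential is 1 (the default on older systems).
    $wdigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $wdigest = Get-ItemProperty -Path $wdigestKey -ErrorAction SilentlyContinue
    if ($wdigest.UseLogonCredential -eq 1) {
        $findings += [pscustomobject]@{
            Check    = 'WDigest plaintext credential caching'
            Status   = 'Enabled'
            Severity = 'High'
            Fix      = "Set UseLogonCredential (REG_DWORD) to 0 under $wdigestKey"
        }
    }

    # 3. LSA protection (RunAsPPL) stops unsigned code from opening LSASS,
    #    which is how tools like Mimikatz read logged-on credentials.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey
    if ($lsa.RunAsPPL -ne 1) {
        $findings += [pscustomobject]@{
            Check    = 'LSA protection (RunAsPPL)'
            Status   = 'Not enforced'
            Severity = 'Medium'
            Fix      = "Set RunAsPPL (REG_DWORD) to 1 under $lsaKey and reboot"
        }
    }

    return $findings
}

$result = Test-NotPetyaExposure
if ($result) { $result | Format-Table -AutoSize } else { 'No NotPetya-style exposure found on this host.' }
```

Run it as part of the vulnerability assessment routine: a host that reports any High finding is reachable by at least one of the two spread mechanisms the article describes, regardless of its patch level.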
Need help getting started on designing and implementing security policies that follow best practices? Contact PEI for an IT Security Assessment at firstname.lastname@example.org or 303-786-7474.
Martin Feehan, PEI