Intelligence Advisory – New Petya Ransomware Outbreak
On June 27, 2017, Optiv’s Global Threat Intelligence Center (gTIC) received reports from several sources concerning a recent modification to the Petya ransomware strain. This new strain is being referenced as ‘GoldenEye’. The modification has been identified as the SMB exploitation leveraged by WannaCry, the so-called EternalBlue exploit. This appears to be a previously unseen ransomware that shares capabilities with the Petya ransomware. This ransomware continues to evolve its tactics, techniques, and procedures (TTPs) to maintain its dominance as an effective, paid ransomware offering.
Countries currently reporting Petya infections include, but are not limited to, Russia, Ukraine, Spain, France, the United Kingdom, the United States, and India. The ransom demand for Petya infections is set at $300 in bitcoin per infected device. Reported affected industries include, but are not limited to: financial services; retail, hospitality and travel; and energy and utilities.
The Global Threat Intelligence Center assesses with HIGH confidence that malicious campaigns will continue to be modified to exploit the SMB vulnerability leveraged by WannaCry, EternalBlue and now Petya. Even though Microsoft released MS17-010 in April 2017, rendering the SMB vulnerability inert on patched systems, organizations around the globe continue to report successful exploitation by malicious actors. Associated patches should be applied immediately, all backups kept up to date, and any other precautions taken, including disabling SMBv1 except where necessary, continuously updating A/V signatures and applying all known indicators of compromise. These precautions also include perimeter hardening, Microsoft Word hardening, and user education to protect against commonly used infection vectors. gTIC mitigation recommendations are included in the recommendations section.
The Petya ransomware infection vector includes a malicious Microsoft Word document that downloads an executable payload. Additionally, Petya has two distinct stages. Although last updated in January 2017, Malwarebytes provides the following breakdown of Petya’s two stages:
During the first stage, the Windows executable file is dropped and executed. This overwrites the beginning of the disk, including the Master Boot Record, and makes an encrypted (XOR) backup of all original data. Stage one ends when the infected device is rebooted. Saving data from an infected device prior to reboot is relatively easy. This is because only the beginning of the disk becomes modified.
The second stage initiates after the device reboots, and results in the entire drive being encrypted.
Early analysis indicates that if the user does not have admin rights, the infection will not spread beyond the infected device. The infection will be isolated to the local system, with encryption taking place only after reboot. If MS17-010 has not been applied, the malware will spread via Microsoft Server Message Block. If MS17-010 has been applied and the malware has admin rights, it will spread laterally via WMIC.
Remediation in all cases is to prevent the reboot after the blue screen, thereby preventing stage 2 encryption. Take a disk image to retain information, then wipe and reboot. The following Microsoft software is exposed to SMB vulnerability attacks, as well as to other variants and tools that employ the same vulnerability:
MS17-010 is the Microsoft security bulletin number for the SMB Server patches that need to be applied. They include:
Petya also leverages CVE-2017-0199, and the following needs to be applied as well.
If patching is not possible at this time, tighten SMB security and close port 445.
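As an added example, not from the Optiv advisory, the following PowerShell audits a host for the three items above: whether an MS17-010 hotfix is present, whether SMBv1 is still enabled, and (opt-in) blocking inbound TCP 445. It assumes an elevated shell on Windows 8 / Server 2012 or later, and the default KB list is our assumption, to be checked against the MS17-010 bulletin for your OS build.

```powershell
# Added example (not from the advisory): audit and harden SMB on one Windows host.
# Assumes an elevated shell on Windows 8 / Server 2012 or later (SmbShare, DISM and NetSecurity modules).
# $Ms17010Kbs is an assumption: confirm the KB for your OS / servicing branch against the MS17-010 bulletin.
param(
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598', 'KB4013429'),
    [switch]$BlockPort445
)

# 1. Is MS17-010 present? Get-HotFix only lists updates for this OS build, so a miss on every
#    listed KB means "patch missing or KB not on the list", not a clean bill of health.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "None of $($Ms17010Kbs -join ', ') found; apply MS17-010 before anything else."
}

# 2. SMBv1 on the server side: report, then disable it unless something still depends on it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server protocol is enabled; disabling.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output 'SMBv1 server protocol already disabled.'
}
# Also remove the optional feature so the SMB1 driver is not loaded at all (finishes on next reboot).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output 'SMB1Protocol feature disabled; reboot required to complete.'
}

# 3. Close 445 to inbound traffic. This breaks file and print sharing on the host, so it is opt-in;
#    hosts that must still serve SMB normally scope the rule with -RemoteAddress instead.
if ($BlockPort445) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (MS17-010 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Output 'Inbound TCP 445 blocked on all firewall profiles.'
}
```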
Thwart malware by hardening settings for which tools can be run on a machine, as well as which file paths can hold executable content. For instance, executables should not be run out of the system’s temporary directory. Because every process has permission to write to the temp directory, malware often uses it for initial execution after exploitation.
Implement Endpoint Controls to Protect the Windows AppData Folder. Many malware variants (including CryptoLocker) use the AppData folder to store and call executable files and DLLs. Preventing DLLs and executables from being copied to or run from this folder contains many common ransomware variants.
Monitor for Unauthorized Use of Windows Administration Tools. Modern APTs are using native Windows administration tools such as PsExec, Cygwin, PowerShell, Windows Credential Editor (WCE) and alternative consoles. Native tools are often allowed by endpoint security tools and will not trigger alerts. Organizations that are not actively using these tools should add them to a blacklist or enable the potentially unwanted programs (PUP) group containing these tools.
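As an added example, not from the Optiv advisory, this PowerShell sweep reviews Security event 4688 (process creation) for the two behaviours the recommendations above call out: binaries launched from Temp or AppData, and native administration tools such as WMIC, PsExec or PowerShell being run. It assumes "Audit Process Creation" is enabled (and command-line auditing for the CommandLine field); the path pattern and tool list are our assumptions and will need tuning per estate.

```powershell
# Added example (not from the advisory): hunt recent 4688 events for executables started from
# Temp/AppData and for native admin tools. Assumes process-creation auditing is enabled.
param([int]$Hours = 24)

# Paths the advisory says should not be executing binaries (our regex; tune for your environment).
$suspectPath  = '\\(Temp|AppData\\(Local|Roaming|LocalLow))\\'
# Native tools the advisory names, matched by file name only, so expect some legitimate admin noise.
$suspectTools = @('wmic.exe', 'psexec.exe', 'psexesvc.exe', 'powershell.exe', 'wce.exe', 'bash.exe')

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the named EventData fields; Properties[] indices shift between Windows versions.
    $field = @{}
    foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) { $field[$item.Name] = $item.'#text' }

    $proc   = $field['NewProcessName']
    $parent = $field['ParentProcessName']   # not present on Windows 7 / Server 2008 R2
    $cmd    = $field['CommandLine']         # empty unless command-line auditing is enabled
    $user   = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
    $leaf   = [IO.Path]::GetFileName($proc).ToLower()

    $reason = $null
    if ($proc -match $suspectPath)         { $reason = 'executable launched from Temp/AppData' }
    elseif ($suspectTools -contains $leaf) { $reason = "native admin tool run: $leaf" }
    if (-not $reason) { continue }

    # One row per suspicious launch; pipe to Export-Csv or Out-GridView for review.
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = $user
        Process = $proc
        Parent  = $parent
        Command = $cmd
        Reason  = $reason
    }
}
```

WMIC and PowerShell launches from a user's context with no interactive parent are the rows worth a second look here, given the lateral-movement path the advisory describes.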
User education should involve frequently advising users of how attackers are trying to gain a foothold in the environment – an aware user is more likely to identify and rebuff an attack attempt. User education around this campaign should include:
Furthermore, ensure that users are trained on how to report phishing emails to the internal information security department.