Soc in a Box

Well not really, but I’m going to write a series of posts that will all tie together, which can be a very useful tool for anyone interested in having a security home lab, or even in a new or established security operations centre.

I am going to be using open source software, and showing how they can be used together and create a pretty awesome environment, that in my opinion rivals or if not better than many of the paid and expensive tools in the security industry.

Over the next few weeks and months, I will create guides for the following.

Cuckoo

The Hive

MISP

Security Onion

Elastic Stack

Google Rapid Response

I’m not necessary going to create guides in the order listed above, however I will be starting with cuckoo.

Cuckoo is a fun place to start as you can get a pretty awesome malware sandbox analysis tool up and running in a fairly short amount of time, and see real results and benefits from it.  There are so many ways you can customise it and get it working for how you want it in your own environment.  Why pay a 3rd party for your malware analysis when you can have a free and powerful version of your own.

Anyhow, enough jibber jabbing.  Time for the first update!

Boozallen Report on Petya

I came across this write up by boozallen yesterday, and found it had some very interesting thoughts and insight to how and what happened.

 

https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/telebots-group-and-petya.pdf

 

1. Four VirusTotal users uploaded the compiled VBS backdoors along with other malicious files, including the
TeleBots telegram-based backdoor, PowerShell post-exploitation scripts, Mimikatz, and other tools. For each
user, these uploads occurred within the same one- to two-day time period.
2. In most cases, these files were uploaded several months prior to the 27 June Petya incident.
3. Booz Allen Cyber4Sight also determined that in several cases, these submitters also uploaded files
associated with the MEDoc update utility to VirusTotal. This shows that these submitters were also likely
users of the MEDoc software, and the inclusion of these files with the files identified in number 1 (above)
demonstrates that MEDoc-related processes may have facilitated the installation vector for this software.

 

These past few months have been quite interesting.  The scale and ease of WannaCry and the more recent  Petya/Non Petya attacks, have created a greater awareness for individuals outside of the security world.  Major news outlets are interested in these events as they transpire and this can only be a good thing.  I still believe we are many years away from individuals and business truly changing their mindsets and realise that just reacting to these events is not enough, and more time and effort is spent on how these applications are designed and how we approach security.  We need to try harder to make applications and hardware secure by design and not rely on 3rd party products afterwards to make the product “secure”.

We are going to have several more large scale events like this until the mindset changes, humans are stubborn and we do not like to change – however this is something we must do.

 

 

Talos Update on M.E.Doc

http://blog.talosintelligence.com/2017/07/the-medoc-connection.html?m=1

Summary

The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.
This is another good article and write up by Talos.
Gives a lot more useful insight as to how this happened, another good read, will be interesting to see how this continues to develop over the next few days and weeks.

Backdoor in M.E.Doc Application

I came across an interesting article today, with regards to the Petya / NotPetya cyber attack from last week.  This is a very good write up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware in a series of updates for the software it produces.

This demonstrates how devastating these types of compromises can be and as a defender can make it very difficult to identify and stop this type of attack from happening, if you happen to be the target of said attack.

I suggest you read this very good article!

 

https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/

Analysis of TeleBots’ cunning backdoor

On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C(aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.

 

Another good write up by bleeping computer that contains more information.

 

https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-servers-from-where-notpetya-outbreak-first-spread/

Conspiracy theories

Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).

An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”

 

View of someone who was impacted by Petya

http://colsec.blogspot.de/2017/06/petya-outbreak-june-27th.html

 

My machine –

Domain joined Windows 10 Enterprise 64bit running McAfee AV + Encrypted HDD. Fully patched with June’s updates and manually disabled/removed SMBv1.

Hit at 12:40 UK time with a BSoD. Reboot “Please install operating system – no boot device”.

 

And the follow up

http://colsec.blogspot.de/2017/06/petyaa-infection-summary-of-events.html

 

I’ll just put this up here to summarise what happened and how.

We assume 1 PC was infected, that machine provided the virus with some credentials. Could have been a workstation admin’s account, giving the virus admin rights to all PCs in the local area. Over time, it must have picked up Domain Admin rights as it spread, then hitting Domain Controllers and all other Windows servers with it’s PSEXEC/WMIC code. The rest is history. We lost PCs that were encrypted with McAfee Disk Encryption due to corrupted MBR, PCs that were not encrypted with McAfee showed the ransom message.

 

This is a good demonstration of making sure everything is 100% patched and not nearly patched.  It is difficult to keep older machines patched and updated in an enterprise environment, however when these systems are designed and implemented, we should be thinking and taking into consideration how we are going to update them and keep them secure, otherwise we will have to deal with the events described above, again and again.

Do not pay to Petra Ransomware Email

During the afternoon it emerged that the “PetrWrap/Petya” malware is currently spreading quickly in many places, including Ukraine.

Here are the facts that we can contribute to “PetrWrap/Petya”:
– Since midday it is no longer possible for the blackmailers to access the email account or send emails.
– Sending emails to the account is no longer possible either.

https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomware-email-account-in-question-already-blocked-since-midday

It’s never a good idea to pay the ransom, even if they had the intention to give you your decryption code, they are not even going to be receiving  your email.

Patch and Backup.

Petya Ransomware Information

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners.
We are grateful for the help of all those who sent us the data, links and information.
Together we can make this world a better place!

Gist updates

Recent news, blog posts and mentions

Recent news from THN/Threatpost/Blogs

Research list

Helpful vaccine (not killswitch!)

Looks like if you block C:\Windows\perfc.dat from writing/executing - stops #Petya. Is used for rundll32 import.
https://twitter.com/HackingDave/status/879779361364357121
Local kill switch - create file "C:\Windows\perfc"
It kills WMI vector. Still need to patch MS17-010 for full protection.

Credits:

Group Policy Preferences to deploy the NotPetya vaccine

https://eddwatton.wordpress.com/2017/06/27/use-group-policy-preferences-to-deploy-the-notpetya-vaccine/

SCCM vaccine

https://sccm-zone.com/securing-against-goldeneye-petya-notpetya-petwrap-with-sccm-7e4516da8a81

Ransom

Infected with #Petya? DON’T PAY RANSOM, You wouldn’t get your files back. Email used by criminals has been Suspended.

https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt

Bitcoin wallet monitoring

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Samples:

Archive password: virus

Thanks to the https://twitter.com/OxFemale for the initial malware body.

Source code:

  • Archive password: virus

Thanks to the @Sn0wFX_:

Initial vector:

Ransomware includes:

  • Modified EternalBlue exploit
  • A vulnerability in a third-party Ukrainian software product
  • A second SMB network exploit

Origin (NO PROOF):

Petya was known to be RaaS (Ransomware-as-a-Service), selling on Tor hidden services. Looks like WannaCry copycat. Attribution will be hard.
https://twitter.com/x0rz/status/879733138792099842

AvP Bypass

Confirmed AvP bypasing trick is being used by Petya ransomware to evade 6 popular anti-virus signatures (script)
https://twitter.com/hackerfantastic/status/880012620698451968

https://github.com/HackerFantastic/Public/blob/master/tools/bypassavp.sh

Vulnerabilities/Vectors/Actions:

MS17-010

PSEXEC: %PROGRAMDATA%\dllhost.dat is dropped and is legit PSEXEC bin

Remote WMI, “process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1”

Log clean, «wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:»

Creates a scheduled task that reboots 1 hour after infection. If task removed before the hour, does not reschedule and can buy time

Petya also attempts to kill Exchange & MySQL if they are running.  If you host either of these services and notice them die, this is including in it's infection process (svchost.exe) // by Mike "Bones" Flowers:

Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im Microsoft.Exchange.*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im MSExchange*
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlserver.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im sqlwriter.exe
Exec: C:\\windows\\system32\\cmd.exe
Params: /c taskkill.exe /f /im mysqld.exe
The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by WannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin)

Machines that are patched against these exploits (with security update MS17-010 https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) or have disabled SMBv1 (https://support.microsoft.com/kb/2696547) are not affected by this particular spreading mechanism

Test local account behavior [NOT TESTED]:

Don’t know if you have also noticed, but it only encrypted the MFT records for my test user account profile folders, the default Windows accounts Administrator, default user etc were all untouched, my test account was local so I don’t know what behaviour would be expected for domain account profile folders.

100% on the sample used by me and on a standalone computer, user files were encrypted prior to reboot and the malware was not able to escalate privileges to deploy the MFT encryption payload, no instructions were deposited about recovering these files

http://imgur.com/a/FhaZx

Possible IP addresses:

185.165.29.78
84.200.16.242
111.90.139.247
95.141.115.108

Email:

wowsmith123456@posteo.net
iva76y3pr@outlook.com         // by WhiteWolfCyber
carmellar4hegp@outlook.com    // by WhiteWolfCyber
amanda44i8sq@outlook.com      // by WhiteWolfCyber
gabrielai59bjg@outlook.com
christagcimrl@outlook.com
amparoy982wa@outlook.com
rachael052bx@outlook.com
sybilm0gdwc@outlook.com
christian.malcharzik@gmail.com

Email forms and attachment:

The subject in this case are formed like that (for targed "targed.emailName@targedDomain.com"):
targed.emailName

The body:
Hello targed.emailName,

You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is 6089

With appreciation!
Prince

Attached file name:
Scan_targed.emailName.doc

Analysis:

Targeted extensions by @GasGeverij

.3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.

IOCs

securelist.com

0df7179693755b810403a972f4466afb
42b2ff216d14c2c8387c8eabfb1ab7d0
71b6a493388e7d0b40c83ce903bc6b04
e285b6ce047015943e685e6638bd837e
e595c02185d8e12be347915865270cca

blogs.technet.microsoft.com

34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
9717cfdc2d023812dbc84a941674eb23a2a8ef06
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
56c03d8e43f50568741704aee482704a4f5005ad

talosintelligence.com

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998

Droppers sent via email by WhiteWolfCyber:

9B853B8FE232B8DED38355513CFD4F30
CBB9927813FA027AC12D7388720D4771
22053C34DCD54A5E3C2C9344AB47349A702B8CFDB5796F876AEE1B075A670926
1FE78C7159DBCB3F59FF8D410BD9191868DEA1B01EE3ECCD82BCC34A416895B5
EEF090314FBEC77B20E2470A8318FC288B2DE19A23D069FE049F0D519D901B95

Codexgigas team:

a809a63bc5e31670ff117d838522dec433f74bee
bec678164cedea578a7aff4589018fa41551c27f
d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
aba7aa41057c8a6b184ba5776c20f7e8fc97c657
0ff07caedad54c9b65e5873ac2d81b3126754aac
51eafbb626103765d3aedfd098b94d0e77de1196
078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
7ca37b86f4acc702f108449c391dd2485b5ca18c
2bc182f04b935c7e358ed9c9e6df09ae6af47168
1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
82920a2ad0138a2a8efc744ae5849c6dde6b435d

msuice

41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8dc3bae763d18ccf

SNORT rules for the detection by Positive Technologies (ptsecurity.com):

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Unimplemented Trans2 Sub-Command code. Possible ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; byte_test: 2, >, 0x0008, 52, relative, little; pcre: "/\xFFSMB2\x00\x00\x00\x00.{52}(?:\x04|\x09|\x0A|\x0B|\x0C|\x0E|\x11)\x00/"; flowbits: set, SMB.Trans2.SubCommand.Unimplemented; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001254; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] ETERNALBLUE (WannaCry, Petya) SMB MS Windows RCE"; flow: to_server, established; content: "|FF|SMB3|00 00 00 00|"; depth: 9; offset: 4; flowbits: isset, SMB.Trans2.SubCommand.Unimplemented.Code0E; threshold: type limit, track by_src, seconds 60, count 1; reference: cve, 2017-0144; classtype: attempted-admin; sid: 10001255; rev: 3;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Trans2 Sub-Command 0x0E. Likely ETERNALBLUE (WannaCry, Petya) tool"; flow: to_server, established; content: "|FF|SMB2|00 00 00 00|"; depth: 9; offset: 4; content: "|0E 00|"; distance: 52; within: 2; flowbits: set, SMB.Trans2.SubCommand.Unimplemented.Code0E; reference: url, msdn.microsoft.com/en-us/library/ee441654.aspx; classtype: attempted-admin; sid: 10001256; rev: 2;)

alert tcp any any -> $HOME_NET 445 (msg: "[PT Open] Petya ransomware perfc.dat component"; flow: to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content: "|70 00 65 00 72 00 66 00 63 00 2e 00 64 00 61 00 74 00|"; distance:0; classtype:suspicious-filename-detect; sid: 10001443; rev: 1;)

alert tcp any any -> $HOME_NET 445 (msg:"[PT Open] SMB2 Create PSEXESVC.EXE"; flow:to_server, established, no_stream; content: "|fe 53 4d 42|"; offset: 4; depth: 4; content: "|05 00|"; offset: 16; depth: 2; byte_jump: 2, 112, little, from_beginning, post_offset 4; content:"|50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45|"; distance:0; classtype:suspicious-filename-detect; sid: 10001444; rev:1;)

Sagan log analysis rules for the detection by Quadrant Information Security (quadrantsec.com) – Note: These are NOT Snort/Suricata rules! See http://sagan.io for more details:

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA256 hash detected - Open source"; meta_content: "%sagan%",64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,fe2e5d0543b4c8769e401ec216d78a5a3547dfd426fd47e097df04a5f7d6d206,ee29b9c01318a1e23836b949942db14d4811246fdae2f41df9f0dcd922c63bc6,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,17dacedb6f0379a65160d73c0ae3aa1f03465ae75cb6ae754c7dcb3017af1fbd,e5c643f1d8ecc0fd739d0bbe4a1c6c7de2601d86ab0fff74fd89c40908654be5; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003121; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery SHA1 hash detected - Open source"; meta_content: "%sagan%",34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d,027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745,101cc1cb56c407d5b9149f2c3b8523350d23ba84,a809a63bc5e31670ff117d838522dec433f74bee,d5bf3f100e7dbcc434d7c58ebf64052329a60fc2,aba7aa41057c8a6b184ba5776c20f7e8fc97c657,bec678164cedea578a7aff4589018fa41551c27f,078de2dc59ce59f503c63bd61f1ef8353dc7cf5f,0ff07caedad54c9b65e5873ac2d81b3126754aac,51eafbb626103765d3aedfd098b94d0e77de1196,82920a2ad0138a2a8efc744ae5849c6dde6b435d,1b83c00143a1bb2bf16b46c01f36d53fb66f82b5,7ca37b86f4acc702f108449c391dd2485b5ca18c,2bc182f04b935c7e358ed9c9e6df09ae6af47168,9288fb8e96d419586fc8c595dd95353d48e8a060,736752744122a0b5e
e4b95ddad634dd225dc0f73,9288fb8e96d419586fc8c595dd95353d48e8a060,dd52fcc042a44a2af9e43c15a8e520b54128
cdc8; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003122; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya payload delivery MD5 hash detected - Open source"; meta_content: "%sagan%",71b6a493388e7d0b40c83ce903bc6b04,415fe69bf32634ca98fa07633f4118e1,0487382a4daf8eb9660f1c67e30f8b25,a1d5895f85751dfe67d19cccb51b051a; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003123; rev:1;)

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[WINDOWS-MALWARE] Petya detected by filename - Open source"; meta_content: "%sagan%",myguy.xls,myguy.exe,BCA9D6.EXE,Order-20062017.doc,myguy.xls.hta; meta_nocase; classtype: trojan-activity; reference: url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference: url,isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/; sid:5003124; rev:1;)

Links

Fix suggest by @MrAdz350

If you can boot to a Windows ISO prior to Frist reboot you can use bootrec tool to prevent MBR overwriting as per https://neosmart.net/wiki/fix-mbr

Information about MBRFilter

view raw
Petya_ransomware.md
hosted with ❤ by GitHub

Just correlating all the useful information I can find with regards to the latest Petya Ransomware attack.

https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100

Behaviour

<Ignored Process>
 rundll32.exe C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1" (PID: 2880)
 cmd.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2724) 
 schtasks.exe " /TR "%WINDIR%\system32\shutdown.exe /r /f" /ST 07:45" (PID: 2720) 
 FE04.tmp %TEMP%\FE04.tmp" \\.\pipe\{E532AB34-D5C5-4AA8-9511-A05572AE75BC}" (PID: 1968) 
 dllhost.dat %WINDIR%\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll",#1 10 "%OSUSER%-PC\%OSUSER%:123456"" (PID: 2512) 1/59 Seen in another context
 cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C: (PID: 2072) 
 wevtutil.exe wevtutil cl Setup (PID: 2204) 
 wevtutil.exe wevtutil cl System (PID: 2128) 
 wevtutil.exe wevtutil cl Security (PID: 4016) 
 wevtutil.exe wevtutil cl Application (PID: 3988) 
 fsutil.exe fsutil usn deletejournal /D C: (PID: 1368) 
 shutdown.exe %WINDIR%\system32\shutdown.exe" /r /f" (PID: 2796)

 

Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know

Another good analysis from Kaspersky

How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.
  • The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

Schroedinger’s Pet(ya)

 

Cloaking Itself in Legitimate Code

Petya uses memory injection as an evasive technique to bypass existing defenses. Attackers often use this method to hide in legitimate processes on the endpoint by injecting malicious code into the memory of non-malicious applications. Sometimes referred to as fileless malware, these threats avoid being detected by file-based detection tools, as the malicious code manipulates the memory stack to achieve malicious actions without actually placing the malicious program on the file system.

In the case of Petya, the executable creates another instance of itself and injects decrypted code into it.

 

https://minerva-labs.com/post/new-petya-ransomware-attack-prevented-by-minerva

 

 

Google Capture the Flag 2017

Google has announced its capture the flag for 2017.  Offering rewards for the winners and also participation if you are creative with your write up for the challenges you complete, so this should give many more individuals a chance of getting something for their effort, other than the enjoyment of course.

Qualification starts on the 17th of June, whereas if you can score enough points you can be invited to the final which will be held at google where you are then competing in another exercise in order to be declared the winner.

 

Why do we host these competitions?

There are three main reasons why we host these competitions.

First, as we’ve seen with our Vulnerability Reward Program, the security community’s efforts help us better protect Google users, and the web as a whole. We’d like to give the people who solve a single challenge or two in a very clever way a chance to teach us and the security community, even if they don’t qualify for the finals. We also think that these challenges allows us to share with the world the types of problems our security team works on every day.

 

https://security.googleblog.com/2017/06/announcing-google-capture-flag-2017.html

 

I do like these type of events as you get to see how creative people can be with problem solving, and usually many things we can learn from others as a result.

 

Patriotic Hackers

In what is somewhat of a mildly amusing statement, and I am sure not all of the conversation.  Suggests that its down to patriotic  individuals acting on behalf of themselves when they feel there are negative comments made about Russia.

It’s an interesting take on the subject.

https://www.rferl.org/a/russia-putin-patriotic-hackers-target-critics-not-state/28522639.html

 

Responding to a question about concerns in Germany that Russian hackers could meddle in that country’s upcoming federal elections, Putin said it was “theoretically possible” that “patriotic” hackers could attack those who “speak negatively about Russia.”

“At a government level, we are never engaged in this. That’s the most important thing,” Putin said at the televised meeting, which was held during Russia’s annual St. Petersburg International Economic Forum. He added that hackers could come “from any country in the world.”

 

Shadow Brokers Response Team – Retracted

As per my previous update, the idea behind what they wanted to do was a good one, but legally not so much.  Seems as humans we just cannot get around doing the right thing and being proactive.  We only understand how to react to when things go wrong.