Just recently, we wrote about how in the aftermath of the WannaCry attack, companies should keep their guard up and be prepared for similar ransomware attacks: Enter the Petya attack.
The Petya family of malware is a ransomware variant that encrypts both the files and the partition of the hard drive, displaying a bootup message to the user. In other words, it’s the revenge of WannaCry- a bigger, badder attack with global reach.
But what really makes this attack interesting is: 1) yet again, hackers are leveraging the NSA’s exploit kits, and 2) machines running Windows 10 can also be infected this time around.
The SecurityScorecard research team performed an analysis of our proprietary data last week and found that there was SMB/Port 445 scanning activity that gives us insights on the Petya attack.
The spike of this scanning activity over the weekend may indicate that infections were attempting to automatically propagate across the internet. Additionally, this also may show a renewed interest by researchers who, like our team at SecurityScorecard, were working on identifying exploitable conditions before the malware strikes. The quick downturn after June 24th shows us that security practitioners may be quickly cleaning up their machines.
Immediate Lessons Learned:
- Close Port 445. If it’s open to the public, close it. This attack is proof that ransomware is going to continue to be the dominant malware family and that the equation group toolkit is going to continue to be leveraged.
- Windows 10 is no longer immune. As we alluded to earlier, the eternal blue exploit has been modified to successfully work against Windows 10, and that wasn’t the case when WannaCry was circulating.
- Improve Patching Cadence. There is no silver bullet, but maintaining healthy patching cadence will help ensure that your company is not the lowest hanging fruit.
- Train Employees on Phishing. The Petya malware originally arrived in the form of a phishing email. In other words, someone gets a suspicious email, opens the attachment, gets infected, and then the infected computer will start scanning the local network looking for vulnerable SMB services to exploit and infect. Ultimately there’s several preventative measures you can take, but if an employee clicks on a malicious attachment, your internal network is at risk.
- Continuously Monitor Indicative Factors. Again, the preventative measure that sets the framework for all the rest is having a robust and continuous risk management program that includes monitoring factors that may indicate potential risks for being the victim of such an attack. For example, poor patching cadence may be indicative of an exploit being possible versus benign and a low level of network security can indicate an environment that would allow for quicker propagation of malware.
The SecurityScorecard research team is currently running another global internet scan as well to identify exploitable conditions. Stay tuned for another update within the next 72 hours.
Our SecurityScorecard team did a follow up look at this attack and found the following:
- There has been a significant decrease in port scanning activity observed on port 445 of incoming honeypots, as well as a decrease in observed IPv4 addresses that are actively infected with the DOUBLEPULSAR backdoor or vulnerable to the EternalBlue (Windows) and EternalRed (Samba) SMB attacks.
- The decrease in incoming port 445 probes indicates that the autopropagating features of any SMB worms have slowed down from the standpoint of automated attacks, and indicates a decrease in interest from the research community in mapping global SMB exposures on Port 445. The decrease vulnerable SMB services indicates that the majority of users have implemented available patches.
- However, there are still a significant number of exposed SMB services to the public internet. Despite the widespread attention received by these latest campaigns, there are roughly the same amount of exposed SMB services (exact number can be obtained from R&D/datasci/a.hubbard) during July 2017 as there were throughout the rest of the year. This shows that the average internet user is still comfortable exposing this legacy protocol to the public internet, as long as the latest patches have been implemented. Additional attack campaigns that target SMB are likely to take place in the future, and the attacks will most likely leverage undisclosed 0day attacks and largely go unnoticed until the disclosure of a new vulnerability causes the next wave of attacks.