The Law of Unintended Outbreak – Who Is at Risk from Petya?

Cyber crime can impact individual users and businesses anywhere in the world.

Hot on the heels of the global WannaCry outbreak in May, yesterday saw a wave of what looked like copycat malware sweeping the globe again. However, on closer inspection there may more to this than meets the eye, more than a simple new variant of an already established ransomware borrowing propagation techniques from WannaCry.

The attack itself certainly seems to have been originally planned as a targeted attack, originating with a compromise of Ukrainian accounting software MEDoc’s update infrastructure (seemingly admitted on their website but categorically denied by MEDoc on facebook). This island-hopping attack starting with a smaller software vendor, whose product is mandated for companies paying taxes in Ukraine, may well have been targeted specifically at that country. However, as with every notionally targeted attack there has been collateral damage.

The fact that the malware was set to wait five days before triggering on the 27th June, a day before a Ukrainian public holiday celebrating the ratification of its new constitution in 1996, also lends circumstantial weight to the proposition that the attack was targeted primarily at victims in Ukraine.

Disruption?

Some of the names of prominent global victims, WPP, Maersk and Saint-Gobain for example all have offices and operations in Ukraine and are likely users of MEDoc, some have even posted job ads for accounting specialists with MEDoc skills. Also Rosneft, Russia’s state-owned oil company, although not necessarily corporate users of MEDoc, still have a presence in Ukraine and thus may be exposed to MEDoc within their network.

It seems that this cyber-attack is following the law of unintended consequences, with the victim population very rapidly spreading outside of Ukraine and encompassing organisations and partners of organisations who have a presence in Ukraine.

Money?

The creators of this particular malware, borrowing code from Petya, reusing exploits abused by WannaCry, adding password hash harvesting and two further network propagation techniques, using code obfuscation and fake Microsoft certificates are clearly skilled and experienced. The possibility of this latest outbreak being traditional financially-motivated online crime, at least at surface level, seem obvious but for one thing; the ransom payment mechanism.

Why does the payment mechanism rely on a single hard-coded Bitcoin wallet, and the transmission of an email containing the victim’s bitcoin wallet ID and “personal installation key” (a handy 69 characters that can’t be copy/pasted) to an email address that was always going to be rapidly shut down by the entirely reputable hosting company Posteo based in Berlin?  It’s almost as if the creators never intended to reap the financial rewards…

Am I vulnerable?

So far, all the highly-effective propagation mechanisms are finely-tuned for internal network-based spread at a rapid pace. There does not appear to have been a major external facing campaign to deliver this payload beyond the user base of MEDoc software.

If your organisation has a presence in Ukraine, or has immediate partners who do business in Ukraine, then you should consider yourselves directly at risk. Outside of this immediate group, while your risk level from this particular attack drops significantly, there’s no such thing as a cast iron guarantee and it only takes on device on your network to start a devastating outbreak. The six degrees of Kevin Bacon after all demonstrates how few links apart we all are (my own Bacon number is 3).

For technical details about this outbreak and advice on how best to mitigate please see our constantly updated Petya (2017) Ransomware Attack Information and our FAQ. For a technical analysis of the malware in question, have a look at our Security Intelligence blog.

For general advice on ransomware and access to free industrywide decryption tools, please visit nomoreransom.org.



from Trend Micro Simply Security http://ift.tt/2t1o7Cs

Comments

Post a Comment

Popular posts from this blog

AR18-312A: JexBoss – JBoss Verify and EXploitation Tool

Image
Original release date: November 08, 2018 Summary JBoss Verify and EXploitation tool (JexBoss) is an open-source tool used by cybersecurity hunt teams (sometimes referred to as “red teams”) and auditors to conduct authorized security assessments. Threat actors use this tool maliciously to test and exploit vulnerabilities in JBoss Application Server (JBoss AS)—now WildFly—and a variety of Java applications and platforms. JexBoss automates all the phases of a cyberattack, making it a powerful and easy-to-use weapon in a threat actor’s cyber arsenal. This report provides a detailed analysis of JexBoss’ functionality, along with detection, response, prevention, and mitigation recommendations. Description JexBoss JexBoss is a tool used to test and exploit vulnerabilities in Java applications and platforms, including the JBoss AS/WildFly web server framework. JexBoss is written in the Python programming language using standard Python libraries. JexBoss is run from the command-line inter
Keep reading

SB18-141: Vulnerability Summary for the Week of May 14, 2018

Original release date: May 21, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severity
Keep reading

SB18-029: Vulnerability Summary for the Week of January 22, 2018

Original release date: January 29, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium sever
Keep reading

Learn Python Programming – 7 Courses Video Training Bundle

Image
It's no secret that learning how to code is one of the most important things you can do when it comes to the beginning or furthering practically any career in programming and technology. The only problem a beginner often faces is that there are seemingly countless programming languages to choose from, which makes it exceedingly difficult for aspiring or even seasoned programmers to know which from The Hacker News http://bit.ly/2Ug9eJ8
Keep reading

SB18-043: Vulnerability Summary for the Week of February 5, 2018

Original release date: February 12, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium seve
Keep reading

SB18-057: Vulnerability Summary for the Week of February 19, 2018

Original release date: February 26, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium seve
Keep reading

SB18-008: Vulnerability Summary for the Week of January 1, 2018

Original release date: January 08, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium sever
Keep reading

Vulnerability Summary for the Week of October 19, 2020

Original release date: October 26, 2020 The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD . In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.   High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info acronis -- cyber_backup Acronis Cyber Backup 12.5 and Cyber Protect 15 include an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory within C:\jenkins_agent\. Acronis Cyber Backup and Cyber Protect contain a privileged service that uses this OpenSSL component. Because unprivileged Windows users can create subdirectories off of the system root, a user can create the appropriate path to a specially-crafted openssl.cnf file to achieve arbitrary code execution with SYSTEM privileges. 2020-10-21 7.2 CVE-2020-10138 MIS
Keep reading

Vulnerability Summary for the Week of March 2, 2020

Original release date: March 9, 2020 The CISA Weekly Vulnerability Summary Bulletin is created using information from the NIST NVD . In some cases, the vulnerabilities in the Bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.   High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info apple -- multiple_products   A denial of service issue was addressed with improved input validation. 2020-02-28 7.8 CVE-2019-8741 MISC MISC MISC MISC MISC MISC MISC centreon -- centreon   An issue was discovered in Centreon before 2.8.30, 18.10.8, 19.04.5, and 19.10.2. SQL Injection exists via the include/monitoring/status/Hosts/xml/hostXML.php instance parameter. 2020-03-05 7.5 CVE-2019-17647 CONFIRM CONFIRM CONFIRM MISC CONFIRM CONFIRM centreon -- centreon   Centreon 19.10 allows remote authenticated users to ex
Keep reading

SB18-071: Vulnerability Summary for the Week of March 5, 2018

Original release date: March 12, 2018 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD , which contains historical vulnerability information. The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0 Medium - Vulnerabilities will be labeled Medium severit
Keep reading