Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem. The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out …

  1. Am I Paranoid Enough?
    WTF?

    Cyber sex in action

    Here we go again. So many systems getting well and truly screwed all around the world!

    Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?

    Viz: "These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates."

    1. Olivier2553

      Re: Cyber sex in action

      Viz: "These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates."

      I too had a hard time understanding this sentence. I read it as:

      - if you patched MS recently, NotPetya will propagate by finding credentials in the RAM

      - if you did not patch, it will use the unpatched vulnerabilities.

      1. Prst. V.Jeltz Silver badge

        Re: Cyber sex in action

        At some point in the article it said the Ram Raid ( hehe ) doesn't work on w10 so the sentence would mean:

        It tries the vulns patches issued earlier (smb), which may work if still not yet applied, and tries the Ram raid, which is usually more successful as not yet patched on W7, but won't work on w10.

      2. Ken Hagan Gold badge

        Re: Cyber sex in action

        I agree with that reading, but would add...

        "- if you patched MS recently, NotPetya will propagate by finding credentials in the RAM"

        ...which, if you are logged in as a normal user rather than a pseudo-admin, won't be sufficient to go any further. Perhaps.

        1. Anonymous Coward

          Re: Cyber sex in action

          MS have been criticised for their ASLR.

          https://en.wikipedia.org/wiki/Address_space_layout_randomization#Microsoft_Windows

          Seems to me like some old software has become a conduit. Perhaps those companies need to upgrade and invest in more up to date systems.

          Besides, like Wannacry, this is an exercise to raise awareness of bitcoins & crypto currencies to a lesser extent.

          Wannacry targeted national institutions, and this one is just targeting more high profile entities but still raising the profile of bitcoins.

          Satoshi must be worth getting on for $2billion now, not bad for a few years work, an idea and then letting the public run with it with Govt & media backing.

          I still think this is a side show though and believe there are many many more systems already pwn'ed waiting to be activated, if you want to know more, that will cost you £10k per day! :-)

          In the mean time, can MS come up with some major fixes to prevent an exodus from Windows?

          It's a bummer when all the original talent who built windows have long since gone.

          1. TheVogon

            Re: Cyber sex in action

            "can MS come up with some major fixes to prevent an exodus from Windows?"

            Like Windows 10 you mean where none of this works on an updated PC?

          2. Truckle The Uncivil

            Re: Cyber sex in action

            @Richard Rose

            Talent?

      3. Dan 55 Silver badge

        Re: Cyber sex in action

        Nobody pushing out the read-only file yet? (See first page.)

        Luckily I have local admin privileges so I could do it on my computer.

        Yes, I am aware of irony (or whatever it is) of that.

        1. Dan 55 Silver badge
          Alert

          Re: Cyber sex in action

          Seems other sources say the file is not called C:\Windows\perfc.dat but C:\Windows\perfc.

          1. Anonymous Coward

            Re: Cyber sex in action

            is that because they are hiding file extensions (default)?

            1. Dan 55 Silver badge

              Re: Cyber sex in action

              No, one that I read specifically mentioned that you had to show file extensions to be able to create the file.

              Edit: I've just searched Google and it seems there's an even split between with .dat and without .dat.

              Bloody Internet and fake news.

              Best to create both.

            2. This post has been deleted by its author

        2. TheVogon

          Re: Cyber sex in action

          "Luckily I have local admin privileges so I could do it on my computer."

          If that's in a corporate setting, you should be using a separate user account for those....

    2. theblackhand

      Re: Cyber sex in action

      "Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?"

      Pretty sure the answer is no.

      If machines are patched against the NSA backdoors and SMBv1 is disabled, other propagation routes exist if the user has local admin access to the PC, i.e. lsadump for any cached credentials on the PC and then psexec/WMIC using those credentials in an attempt to access other machines via C$/Admin$ shares. Your MBR is also re-written and after 20-40 minutes your PC is restarted and a "chkdsk" run that encrypts your hard disk. Prior to the reboot, a boot from CD and re-writing the MBR allows you to recover from this.

      Also consider blocking SMB access between workstations via Windows firewall for end user devices if there isn't a compelling reason not to (i.e. in offices where a local PC is the "server" or some dumb app) or at least reducing access to just the hosts or subnets that need access to reduce your exposure.

      If you don't have local admin access to allow the hash dump AND you are patched against the NSA issues across your network, files matching a list of extensions are encrypted.

      If you haven't been infected yet, your best protection is ensuring AV and patching is up-to-date and reviewing your usage of privileged accounts (both at domain level and local PC level) to ensure you understand the potential for propagation across your network. Changing passwords for privileged accounts to prevent cached hashes from being usable is also a good step.
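One way to apply two of the mitigations raised in this thread on an end-user PC, the read-only perfc / perfc.dat file from Dan 55's posts above and the inbound SMB block from the post just above; this is an added example written for this page, not code from any commenter or from The Register. The rule name, the function names and the `$BlockSmbFrom` scope are assumptions; the file names come from the thread.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread, not code from the original page.
# Applies two mitigations discussed above on an end-user Windows PC:
#   1. creates the read-only "vaccine" files C:\Windows\perfc and C:\Windows\perfc.dat
#      (both names, because the sources quoted in the thread disagree on which is checked);
#   2. adds a Windows Firewall rule blocking inbound SMB (TCP 445 and 139) so the PC
#      cannot be reached over C$/Admin$ from other workstations.
# $BlockSmbFrom is an assumption: 'Any' blocks every inbound SMB connection; narrow it
# (e.g. to the workstation VLAN ranges) if a management host must still reach Admin$.

$BlockSmbFrom = @('Any')
$RuleName     = 'NotPetya mitigation: block inbound SMB'   # assumed name

function Set-VaccineFile {
    param([Parameter(Mandatory)][string]$Name)
    $path = Join-Path $env:SystemRoot $Name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough: only its presence is tested.
        New-Item -ItemType File -Path $path | Out-Null
    }
    # Set the read-only attribute, as advised on the first page of the thread.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    return (Get-Item -LiteralPath $path).IsReadOnly
}

function Set-InboundSmbBlockRule {
    param([string[]]$RemoteAddress, [string]$DisplayName)
    # Remove any earlier copy of the rule so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    # A Block rule takes precedence over the built-in "File and Printer Sharing" Allow rules.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Protocol TCP `
        -LocalPort 445,139 -RemoteAddress $RemoteAddress -Action Block `
        -Profile Domain,Private,Public -Enabled True | Out-Null
    return (Get-NetFirewallRule -DisplayName $DisplayName).Enabled
}

foreach ($n in 'perfc', 'perfc.dat') {
    $ok = Set-VaccineFile -Name $n
    Write-Host ("{0}\{1} present, read-only: {2}" -f $env:SystemRoot, $n, $ok)
}

$enabled = Set-InboundSmbBlockRule -RemoteAddress $BlockSmbFrom -DisplayName $RuleName
Write-Host "Inbound SMB block rule enabled: $enabled"

# Check that the rule really covers the SMB ports before relying on it.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

The firewall rule does not affect outbound SMB, so the PC can still reach file servers; it only stops other hosts opening C$/Admin$ on this one.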

    3. Naselus

      Re: Cyber sex in action

      "Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?"

      Exactly the inverse.

      The main SMB1 vulnerabilities used for propagation were patched back in April (which kept a lot of us safe from Wannacry, too), so as long as you're actually running a decent patching schedule you were immune. The admin credential harvesting from local RAM would also be fairly ineffective if basic security hygiene was followed (in other words, MS's own best practice, as outlined in pretty much every level of MS training).

      Oh, and Win 10 was effectively immune - it doesn't have the SMB flaw, and doesn't allow the creds to be harvested. Which must be very frustrating for everyone who was hoping to use this as another excuse to attack Win 10.

    4. TheVogon

      Re: Cyber sex in action

      "logged in as an admin or domain admin into running a booby-trapped email attachment"

      What sort of shoddy organisation allows admin accounts to have email and be used for general purpose access?!

      1. Kiwi
        Windows

        Re: Cyber sex in action

        What sort of shoddy organisation allows admin accounts to have email and be used for general purpose access?!

        The one that expected everybody to do that by default?

        1. Jakester

          Re: Cyber sex in action

          Well, I was in IT in a bank several years ago (in the U.S.). One of the major companies for bank software needed to have users logged in as administrators for their software to work properly. Coworkers and I spent many hours after each new version of software was released to find out what permissions needed to be changed in program files and registry entries so users could be logged in as a standard user instead of an admin. Very frustrating, but too often the tech support answer from software providers was to "just have users login as administrators". I'm retired now, so I don't know if things are better. It was very frustrating at the time.

          1. Naselus

            Re: Cyber sex in action

            Sage tech support regularly demand to have domain admin access in order to do support on our systems. I regularly tell them where they can stick it.

  2. Anonymous Coward

    Of Course

    It could be the Ukrainians themselves who set this loose to try and blame their enemies.

    False flag operations are a favourite trick of numerous national governments worldwide, particularly if there is an election coming up.

    1. Anonymous Coward

      Re: Of Course

      While I would not go as far as false flag, the primary malware production facilities in the ex-USSR are presently in Ukraine and the war zones bordering it - Donetsk and TransDnestr. It used to be all over Russia. Not any more - they started getting in the way of legitimate business so the police got pressured by banks and businesses to start paying attention.

      So it was probably written in Ukraine. Now, who paid for the kids to write it - that is a different story. We are least likely to know that any time soon. Investigating the organized criminal industry in Ukraine (or the politicians related to it) always finishes with a bomb under your bonnet, a bullet in the back of your head or your head cut off and sent to your wife. I am not going to quote the actual examples - they are in the news going as far back as Kuchma's government.

      1. Anonymous Coward

        Re: Of Course

        TransDnestr is in Moldova, not Ukraine. It's not a "war zone" since the 1990s, albeit still a trouble zone because the pro-Russia illegal government takes advantage of the situation to gain from a lot of illegal activities...

    2. Doctor Syntax Silver badge

      Re: Of Course

      "It could be the Ukrainians themselves who set this loose to try and blame their enemies."

      More to the point, has MeDOc let anyone go recently and failed to delete their accounts and change any passwords they may have known? Because this is getting to sound like a bigger and better version of https://www.theregister.co.uk/2017/06/26/engineer_imprisoned_for_hacking_exemployer/ (for some values of better).

  3. Anonymous Coward

    The real blame goes to..

    Okay, so I get everyone wants to blame Russia or North Korea etc.

    But the way I see it, the true people to blame is in fact the Americans, more specifically, the NSA.

    Why? Simple: these attacks are using exploits NSA have known about for years which is ironic when you think about the fact they claim to keep them in the name of "National Security" - Had they just found the exploits, and reported them to Microsoft (or whatever application developer has the bug) this would have been prevented years ago.

    But instead the NSA chose to harbour these security bugs, refusing to fix them and instead have them for their own malicious intents. The fact remains had these bugs been fixed instead of used then none of these attacks such as WannaCry would have been as effective as they are now.

    Personally, I think the NSA should stand up and admit it did wrong by harbouring the bugs and apologise to the affected businesses.

    That's not to say the creators of the malware are not responsible, which of course, they are. But to me the NSA still had a hand in it all.

    1. Hawkuletz

      Re: The real blame goes to..

      Speaking of NSA, let's remind ourselves about the first great Internet/Arpanet worm.

      From Cliff Stoll - The Cuckoo's Egg

      I knew Bob Morris was on his computer at 6:30 A.M. Thursday morning. I could see him logged into NSA's Dockmaster computer. After posting a message to that machine, I called him on the phone.

      "Hi, Bob. We've got troubles. A virus is spreading over the Arpanet, and it's infesting Unix computers."

      "When did it start?"

      "Around midnight, I'd guess. Maybe earlier - I just don't know. I've been up all night trying to understand it."

      "How's it spread?"

      "Through a hole in the Unix mail program."

      "You must mean Sendmail. Hell, I've known about that for years." Bob Morris might have known, but he had never told me.

      1. Prst. V.Jeltz Silver badge

        Re: The real blame goes to..

        Wasn't that his son? Or was that later?

        1. Hawkuletz

          Re: The real blame goes to..

          Affirmative, it was his son.

        2. Truckle The Uncivil

          Re: The real blame goes to..

          @Prst. V.Jeltz

          And the son learned of the vulnerability from his father

    2. EricM

      Re: The real blame goes to..

      Fully correct. Global Security is harmed mainly by Security Services (every major intelligence org is doing it) in multiple ways.

      1) They create incentive to find security problems AND keep them secret by buying them on the black market.

      2) They then hoard these problems to transform them into attack weapons against state-actors, terrorists and criminals alike.

      3) Defenders (OEMs and Anti-Virus companies) are intentionally kept in the dark in order to not de-value the attack weapons.

      This system is fully concentrated on each actor's ability to attack, not to defend.

      So there is a global incentive for the Security Services to keep potential targets on each side vulnerable.

      So when ( not if ) the weapon cache is breached, as soon as the thieves learn to control the weapons, they are able to do harm on a global scale.

      I understand the thinking behind collecting attack vectors - but in effect the Security Services do NOT raise the global security level, they lower it to dangerous levels.

      Time to change this system.

      Otherwise NSA, GCHQ, BND, FSB et al will become responsible for a major hit against the global infrastructure. It's just a matter of time.

      1. Kiwi
        Thumb Up

        Re: The real blame goes to..

        I understand the thinking behind collecting attack vectors - but in effect the Security Services do NOT raise the global security level, they lower it to dangerous levels.

        The old adage, if you can find a backdoor so can someone else (paraphrased obviously). I believe I first heard it in military terms, physical access to a bunker etc.

        Would be nice if the NSA were made to pay for the damage, out of the personal bank accounts of those who made the decision to keep this stuff secret. Same for equivalents in other nations. They've brought some real pain into people's lives by their decisions, they should be made to pay.

      2. Aitor 1

        Re: The real blame goes to..

        Same as child porn.

        People who pay for child porn create the incentives for kids to be exploited.

        So the intelligence services provide exactly the same incentives as child porn buyers.

        All of this damages the population, and creates thousands of millions in damages. That economic damage translates into lack of money for hospitals, improving roads, etc. That means people die because of this.

      3. chuckm
        Black Helicopters

        Re: The real blame goes to..

        It's worse than that. The boundaries between government, private and rogue in the security services are extremely fluid and always have been. Anyone having knowledge of these technologies can and probably will put them at the disposal of anyone if the price is right.

    3. Anonymous Coward

      Re: The real blame goes to..

      But the way I see it, the true people to blame is in fact the Americans, more specifically, the NSA.

      The problem I have with this blame attribution, is it isn't quite true, all it would have done is meant us having this discussion X years ago as companies failed to apply the patches and malware skiddies reverse engineered them enough to exploit the vulnerabilities.

      Worryingly (because I am strongly against harbouring vulnerabilities), it could be argued that the NSA protected the business world by keeping it a secret. This chaos never happened as a result of a parallel discovery, it was only after Shadowbrokers popped the NSA and released the files. If they had kept them secret properly, this wouldn't have happened.

      1. Doctor Syntax Silver badge

        Re: The real blame goes to..

        "it could be argued that the NSA protected the business world by keeping it a secret."

        This is an argument for security through obscurity. The main problem with this is that you have to maintain the obscurity for ever. By far the best approach is for the vulnerabilities to be notified back as soon as discovered, fixed and the fixes incorporated in future products and in updates to existing ones.

        1. Naselus

          Re: The real blame goes to..

          "This is an argument for security through obscurity."

          Exactly this. And security through obscurity is almost certainly not actually secure.

          There's a basic rule in sigint which should always be followed:

          Always assume the other guy is smarter than you.

          This is the basic foundation of modern security infrastructure, and has been since World War 2. Basically, the Nazis assumed that they were smarter than their opponents, and so that the Enigma code was invulnerable. But it turned out the Allies were working on stuff that the Germans hadn't even begun to imagine, and so they were able to break the code in ways that the Axis assumed would be impossible. The Allies knew where the Axis were going to attack within hours of the order being issued, but the Germans remained convinced that Enigma was unbreakable.

          This is why, since the end of the war, whenever we come up with a new encryption method we publish it and invite people to have a go at cracking it. Because the assumption is that someone out there is smarter than you and will figure it out even if you think it's unbreakable. It's effectively the same many-eyes principle which works in Open Source; if everyone is working on the problem and still can't crack it, then it's probably securer than if you're the only person working on it and hoping that some combination of obscurity and your own genius makes it uncrackable. This is one of the problems many infosec researchers have with Apple's walled garden; it's a bad philosophical approach to security even if you do a very good job of implementing it, and when someone smarter does decide to target it the result will be devastating.

          The assumption should always be that the Bad Guy - whomever they happen to be at a given moment - knows your movements, has access to all your information, has slightly better resources than you do, and can do a bit more than you can at any given time. That makes hoarding exploits directly equivalent to arming your enemies.

          1. naive

            Re: The real blame goes to..

            If the replies on this thread are given by people working in the IT industry, and who are responsible for working IT systems, then it shows a) why these things happen and b) it won't go away any time soon.

            Conclusion: It is anybody's fault, but not Microsoft's or the people responsible for the architecture of resilient IT infrastructure in companies.

            So better stop whining about NSA and others, since they are just guys doing their job and laughing their *ss off at all this lemming-like behaviour in corporate IT that makes their lives so easy.

            And besides that, if the boss asks some questions, tell him it was the anti-virus tool not recognizing the virus attack :).

        2. Anonymous Coward

          Re: The real blame goes to..

          This is an argument for security through obscurity. The main problem with this is that you have to maintain the obscurity for ever. By far the best approach is for the vulnerabilities to be notified back as soon as discovered, fixed and the fixes incorporated in future products and in updates to existing ones.

          I agree and it was never my argument.

          The best approach is the best but it isn't followed. MS issued patches in March and in June organisations were still being owned because they hadn't implemented them. As soon as a patch is released people will be reverse engineering it to create badness.

          My point is, it is just as valid saying NSA is to blame for evil people using these vulns as it is saying NSA should have kept them secret for ever. Neither are correct. The more we try to find someone other than the criminal who launches the attack to blame, the more confused things get and the stranger the arguments promoted.

          1. Kiwi

            Re: The real blame goes to..

            The more we try to find someone other than the criminal who launches the attack to blame, the more confused things get and the stranger the arguments promoted.

            Sometimes there can be several parties to blame in an incident. There are a number of reasons people don't patch things, eg my Win 7 no longer gets updates because I have little control over what is there (it also no longer gets internet, and any unknown USB's get checked via another box first); they range from paranoia to incompetence to stuck with old tech that is mission critical and can't be fixed.

            The sooner a flaw is announced, the sooner a patch is released. The sooner a patch is released, the sooner "baddies" can start taking it apart to see what is fixed, but it also means the sooner the vendor knows of the problem and fixes it. A new program is written today that in a year's time will be used by almost every person in the world, and in 5 years time it is deeply embedded in all sorts of critical systems. Now, do you want the vendor told very early on that there is a flaw in that program that will let anyone control the devices it is used on, or do you think it better for those who learn of the flaw to sit on it for years [1], especially when they're an organisation charged with protecting the security of their nation?

            [1] As previously stated, I have no idea how long the NSA knew.

      2. Rob D.

        Re: The real blame goes to..

        > The problem I have with this blame attribution, is it isn't quite true ...

        Correct and a little perspective is useful here - at least four months since Microsoft patched anything from the NSA that has been used in this attack. Plenty of references to the timelines (toolkit compromised last year, MS patches in Feb, toolkit dumped public April/May, first 'public' exploit mid-May).

        Do the spooks have form in using any weakness to attack perceived enemies of their respective state with little concern for moral/legal scruples? Yes. Are they responsible for the failure of commercial organisations to implement basic, proper IT maintenance when the necessary defenses have been in the public domain for months? No.

        Whether the motivation behind NotPetya turns out to be criminal or political will be far more interesting than ideological blame games (although a definitive answer on motive seems like it will be challenging to confirm).

        1. Anonymous Coward

          Re: The real blame goes to..

          Security through obscurity is never a proper solution.

          The primary problem with security agencies keeping them private is that when their toolkit is leaked it's not just one exploit to be fixed, it's multiple which makes it enough that it can be used together to take complete control of a system before a fix is created.

          Where as if they played nice and reported those bugs to developers when they found them then it would (should) be fixed before the public was made aware of it.

          You see, a single bug release, complete with patches is far better and safer than a huge pack of exploits leaked leaving systems insecure and vendors scrambling to fix the bugs.

          Then you have the second issue, what about when you've found a bug, decided to keep it for your own use, and someone else with ill intent finds it and uses it also? You could have stopped that from happening but you chose not to.

          Whichever way you spin it, harbouring bugs is bad.

          1. Anonymous Coward

            Re: The real blame goes to..

            Security through obscurity is never a proper solution.

            I agree and I never meant to suggest this, despite all the downvotes who appear to have misread my earlier comment. However the comments here do show lots of confusion between people trying to find a way to blame the NSA or Microsoft.

            There are some issues with the recent attacks:

            1) WannaCry used exploits which were fully patched on all supported OSes at the time it ran. It was effective because companies don't patch their software properly (as mentioned elsewhere MS08-067 is STILL an effective exploit across the globe). This is not the NSA's fault and their public guidance says patch faster. MS17-010 was rated as a CRITICAL patch. Failing to have applied it six weeks later points the blame in only one direction.

            2) Companies whining that MS didn't immediately support XP / 2003 etc. This is simply a sign that they can't be arsed keeping up with technology. Why is this MS or NSA's fault?

            3) Everything in the ShadowBrokers dump was patched before the public was made aware of it - unfortunately this means lots of companies accuse MS (etc) of hyping up the threat of a patch and downgrade it.

            4) The NotPetya attacks did not rely on the SB dump of NSA tools. Powershell and WMIC are fundamental to MS and Mimikatz is such a well known tool it is embarrassing that controls weren't already in place (why do admin accounts have SeDebugPrograms set?)

            Basically, for all the whining, the only people to blame for this are the bad people who launched the attacks. Everyone else is on a sliding scale of making bad judgement calls.

        2. Sixtysix

          @ Rob D Re: The real blame goes to..

          >> The problem I have with this blame attribution, is it isn't quite true ...

          > Correct and a little perspective is useful here - at least four months since Microsoft

          > patched anything from the NSA that has been used in this attack.

          Well, as I understand it that is not precisely correct...

          It seems that actually M$ have published patches for the exploits that have been SEEN IN THE WILD and notified through the usual bug report channels. Nowhere have I seen/heard any suggestion that NSA have told M$ and other software vendors what was stolen so that PROACTIVE patching was possible - it's all still reactive as the exploits surface.

          And that is why infrastructure managers are buying coffee, sitting uncomfortably and not sleeping well at present.

          1. Thored

            Re: @ Rob D The real blame goes to..

            There was no overt notification of the exploits' existence, but many of the exploits in the Shadow Brokers NSA leak were patched one month prior to Shadow Brokers releasing the code.

            MS patched many of them in March and the Shadow Brokers leak was in April. No one knows who tipped MS off on what was being leaked.

      3. John Brown (no body) Silver badge

        Re: The real blame goes to..

        "This chaos never happened as a result of a parallel discovery, it was only after Shadowbrokers popped the NSA and released the files."

        I think I'd rather each vuln was discovered and patched ASAP rather than the situation we have now with multiple serious vulns all being dropped at the same time.

      4. Marshalltown

        Re: The real blame goes to..

        "... all it would have done is meant us having this discussion X years ago ..."

        In fact the discussion WAS being held years ago. As early as the early '90s at least. Many pointed out the hazards of monocultures, systems where a single "organism" is the primary foundation for a complex overstory. Attack that foundation and the entire system can be brought down. Mathematically the internet and an ecosystem are very similar. The opposition offered the lame argument that computers and operating systems are not biological. There were Engineers at the helm; Great Geniuses were protecting us all; immense multinational corporations "knew" what they were doing. Besides, open source or some means of auditing critical code bases would risk trade secrets and patents. Besides, all us peons were just consumers (cash cows).

    4. Cuddles

      Re: The real blame goes to..

      "Had they just found the exploits, and reported them to Microsoft (or whatever application developer has the bug) this would of been prevented years ago."

      While I agree with the sentiment that hoarding vulnerabilities in the name of national security is rather stupid, the above isn't really true in this case since MS have patched the vulnerabilities in question. If this had happened last year when the NSA knew about the bugs but MS didn't it might have been a good point, but when malware is exploiting bugs that were patched months ago it hardly makes sense to complain that they weren't patched even earlier - at this point if you don't have the patches it's neither the NSA's nor Microsoft's fault, it's yours.

      1. Anonymous Coward

        Re: at this point if you don't have the patches it's your fault

        Rather ironic that the problem in this case is both failing to deploy updates (Microsoft ones), and deploying updates (the hacked accounting software one). We just can't win.

      2. Doctor Syntax Silver badge

        Re: The real blame goes to..

        "MS have patched the vulnerabilities in question."

        Only very belatedly. They were embarrassed into having to patch XP after its EoL. If the problem was known during XP's lifetime, shouldn't it have been patched then? If it was known during 7's development should it ever have been in 7?

        There are reasons other than indolence why stuff doesn't get patched or at least patched promptly and doesn't get replaced (see TFA and also the frequent posts about the effects of enforced updating of 10).

        NSA have no excuses whatsoever for sitting on this stuff and letting it become a global problem. Countries which have experienced serious infrastructural problems should have been calling US ambassadors into their foreign affairs ministries for a good talking to.

        1. tom dial Silver badge

          Re: The real blame goes to..

          Microsoft released patches for currently supported operating systems two months before the WannaCry exploit. Unless things have changed dramatically since the middle of 2012, outward facing US DoD systems were patched well before a month after patch release - the requirement then was to patch Category I vulnerabilities within 15 days of patch availability. EternalBlue unquestionably was a Category I vulnerability. So was use of an unsupported software product like Windows XP, although there is no remediation for that, not even application of a patch for the vulnerability; Windows XP would have been disallowed within the DoD as of April 30, 2014.

          Use of SMB version 1 might or might not have been as severe a vulnerability, but it would have been one beginning when Microsoft deprecated it, and at worst ought to have been discontinued within 180 days, which would have been before the end of 2014.

          The DoD is a far from perfect organization in IT as in other things. But the outlines of their information assurance standards are not that hard to understand or, in principle, to implement. Their implementation is tedious, annoying, expensive in terms of staffing, and all too often disruptive to the operations the IT staff support.

          Many organizations, including the DoD agency that employed me, do not consider IT part of their core mission. For some, not including my agency, that results in treating it as a cost center to be starved of staff and funds to the maximum possible extent, heedless of the potential cost and damage that inattention to security patching and configuration can bring.

          Blaming the NSA may have some merit, but their behavior in retaining some vulnerability knowledge was approved at the highest level in the executive branch and certainly is not meaningfully different from that of similar agencies in other countries. At least as much blame is due the management of organizations victim to these recent attacks.

        2. PrivateCitizen

          Re: The real blame goes to..

          Only very belatedly.

          But before malware was publicly identified exploiting it with WannaCry (as an example).

          NSA have no excuses whatsoever for sitting on this stuff and letting it become a global problem.

          They have lots of excuses but that is largely irrelevant. The issue is organisations have NO EXCUSES whatsoever for failing to deploy patches that are issued. Unless of course we say the criminals who deployed the malware are really to blame here.
