CYBER RESEARCH

Immunity Team, June 28, 2017

10 Things to Know About NotPetya

Note: Don’t Pay the Ransom



Europe woke up Tuesday to massive attacks on both governments and some of the world’s largest brands.

While the story is sure to develop, here’s what we’ve learned so far, and what enterprises need to take into account whether they have been affected or are trying to protect their organizations from becoming the next victim.

1. Currently, most victim companies are in Russia and Ukraine, with much smaller volumes observed in Western Europe. Unless the malware has some form of geofencing, this will likely change throughout the day as the rest of the world wakes up and logs on to their systems.

2. This malware has only a passing resemblance to the historic Petya malware and thus should NOT be considered the same. It is much more sophisticated than both Petya and the recent WannaCry.

3. The campaign is using multiple propagation vectors:

   1. Email (multiple PDF and Word attachment samples have been collected)
   2. The EternalBlue exploit used by WannaCry
   3. Harvesting of credentials via a custom capability against the lsass process and subsequent use of WMIC to move laterally
   4. An attack against the update process of a third-party Ukrainian software product called MEDoc

4. Even a machine patched against the EternalBlue exploit is still vulnerable if a user clicks on the email vector. This malware is nastier than WannaCry because it can continue to propagate even in fully patched environments.

5. The worst case for an organization is a user with domain admin credentials being compromised, as the entire network is then at risk via WMIC and remote process execution (psexec).
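Points 3 and 5 above describe the lateral-movement behaviour a defender should be looking for: a handle opened on lsass to harvest credentials, followed by remote process execution through WMIC or a PsExec-style service. The following detection sketch, added here as an editor's example and not Appgate's or Immunity's code, runs that logic over constructed Sysmon-shaped events (Event ID 1 process creation, Event ID 10 process access). The host names, users, paths and the lsass allowlist are invented for the example and must be tuned to a real environment.

```python
"""Detect WMIC remote process creation, PsExec service start and unexpected
lsass access in Sysmon-style events. Added example, not the original post's code."""
import re

# Constructed sample telemetry shaped like Sysmon events. All values are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'wmic /node:"WS02" /user:"CORP\\da-admin" /password:"***" '
                    'process call create "cmd /c echo hi"'},
    {"EventID": 1, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\PSEXESVC.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\PSEXESVC.exe"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "wmic os get caption"},  # local query: benign
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "WS01",
     "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1fffff"},  # OS component: allowlisted
]

# Processes that legitimately open lsass.exe on a typical host. Constructed
# starting point for the example; tune it per environment (EDR, backup agents, etc.).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}

# "/node:" selects a remote host; "process call create" launches a process there.
WMIC_REMOTE_NODE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)
WMIC_PROCESS_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyze_event(event: dict) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for one event; empty list if nothing matched."""
    findings = []
    if event.get("EventID") == 1:
        image = basename(event.get("Image", ""))
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        node = WMIC_REMOTE_NODE.search(cmd)
        if image == "wmic.exe" and node and WMIC_PROCESS_CREATE.search(cmd):
            findings.append(("wmic_remote_process_create", node.group(1)))
        # PsExec installs and starts a service named PSEXESVC on the target host.
        if image == "psexesvc.exe" and parent == "services.exe":
            findings.append(("psexec_service_started", event.get("Image", "")))
    elif event.get("EventID") == 10:
        source = basename(event.get("SourceImage", ""))
        if basename(event.get("TargetImage", "")) == "lsass.exe" and source not in LSASS_ALLOWLIST:
            findings.append(("unexpected_lsass_access", event.get("SourceImage", "")))
    return findings


def scan(events: list[dict]) -> list[tuple[str, str, str]]:
    """Run the detections over a stream of events; return (host, finding, detail)."""
    alerts = []
    for ev in events:
        for finding, detail in analyze_event(ev):
            alerts.append((ev.get("Computer", "?"), finding, detail))
    return alerts


if __name__ == "__main__":
    for host, finding, detail in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding} ({detail})")
```

Run against the sample, the scan flags the WMIC call from WS01 targeting WS02, the PSEXESVC service start on WS02 and the non-allowlisted handle to lsass on WS01, while the local `wmic os get caption` query and csrss's lsass access are ignored. The WS01 to WS02 pairing is the correlation worth alerting on in a SIEM: a remote process creation on one host followed shortly by a service start or lsass access on the named target.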

6. For non-admin victims, the files on the machine are encrypted using a standard AES routine (thus, it is unlikely there will be an implementation bug found to allow for non-keyed decryption).

7. For admin (local or domain) victims, the Master Boot Record (MBR) is encrypted (but not the files on disk). Thus, the machine seems bricked but is actually relatively easy to recover. This seems to imply that this may be more of a disruption attack than a financially motivated crime.

8. There was a single bitcoin account set up for ransom payments, but it has already been taken down. Thus, there is currently no way for victims to get decryption keys even if they want to pay the ransom. Again, this hints at motive, in the sense that there was possibly never any real intention of collecting significant ransom or of providing a decryption pathway.

9. Because of the attempt to move laterally, environments that have adopted Software-Defined Perimeter architectures to limit lateral movement are likely to see far less impact than traditional open enterprise networks.

10. A number of next-gen anti-virus systems are now detecting and stopping this.
