About the Author
Aruba Corporate Marketing blogs help you keep up with the latest network trends and news. Blogs are written by current and past Arubans employees. If you have any questions about these blogs, feel free...
Full bioJust one month afterWannaCry Ransomwarecompromised more than 200,000 machines in over 100 countries, Petya (or called Netya, Petrwrap) has covered all headline news again since its initial outbreak in Ukraine. Although Petya hasn't infected as many machines as WannaCry, it's still considered as a more severe and sophisticated attack because it's more targeted, destructive, and enterprise infrastructure focused. Only one system was required for Pedtya to take hold and multiply within an organization.
Security teams can help prevent future ransomware attacks like Petya by detecting and analyzing how the worm-like infection moves laterally within their IT infrastructure. Below is our analysis of Petya's movements and advice about how your security team can better prepare for and deal with these types of attacks.
Image: Google
With the complete reverse engineereddetails of Petya attack, we confirm again that detecting lateral movement is very critical and effective when combating modern complex enterprise attacks.
- Compromise is inevitable
Software vulnerability has existed since its creation. With today's increased variety and complexity of enterprise software, it's unfortunate that zero-day vulnerabilities such as EternalBlue (Petya's starting point) will be discovered even more often in the future. Although the security industry has advanced in preventing and detecting malware, compromised users or devices are still not a matter of if, but when
- Start small, move laterally
The ultimate goal of all advanced or targeted attacks is "data" – the high-value business sensitive data. In most enterprises, this kind of high-value data is stored only on a small set of highly-protected servers, which are typically not the first compromised victims. Therefore, attackers need to figure out some way to move laterally from the first victim to its ultimate target within the enterprise.
- SMB vulnerabilities may be different, but kill chains are similar
Although Petya uses two new exploits for the Server Message Block (SMB) vulnerabilityEternalBlue(CVE-2017-0144) andEternalRomance(CVE-2017-0145), we noticed its subsequent kill chain steps are actually very similar to previous enterprise attacks likeTarget data breachand索尼违反back in 2013 and 2014.
Below is a table describing the common lateral movement steps observed from those prior attacks with using Petya as the example mechanism. In addition, we also briefly explain the behavior anomaly signals we should detect from each step. By understanding these, your organization should be better prepared for future attacks.
| Lateral Movement Steps | Petya Behavior | Behavior Anomalies | Data Source |
| 内部侦察 | RunDhcpEnumSubnets()andDhcpEnumSubnetClients()to enumerate DHCP subnets and hosts | Use ofenumeratingcommands of (admin) accounts, servers, services, and network fromnewhosts | Server Security Log |
| Host Scan | Scan the above hosts for vulnerable tcp/139 and tcp/445 services | Connection to thesameport number(s) over alargenumber of internal hosts withinshortperiod of time | Network Packets |
| Credential Theft | UseCredEnumerateW()andMimikatzlike tool to steal all other user credentials stored in the memory of compromised server | Use ofsuspiciouscredential stealing commands or tools | Server Security Log |
| Pass-the-Hash | Remotely execute malware using WMIC/PSEXEC tool with credential NTLM hash (or Kerberos ticket) copied from compromised server | User authenticates tonewhost(s)first timeusinghash logonrather than interactive logon, followed by execution ofsuspiciouscommands | Server Security Log, Domain Controller Security Log |
Each of the above anomaly signals may not individually indicate an attack, but aggregating all the signal and correlating them with the same entity (user) is much more definitive. When we observe some (or all) above anomalies from the same user or host over time – especially in some expected temporal sequence order, we can detect the lateral movement of this kind of real attack with high confidence.
This is the approach thatAruba IntroSpect(formerly Niara) uses to detect attacks such as Petya, based on behavioral changes of compromised users and systems. Once IntroSpect raises an alert, security teams can shut down the attack via policy-based actions inAruba ClearPassbefore the damage is done.
Petya is a great example for understanding the lateral movement of ransomware. This, coupled with using behavioral analytics software will enable your organization to be better protected from future attacks.
