On June 27th 2017 a cyber-attack called ‘NotPetya’ was launched against a large number of firms. The attack was notable for three reasons;
- it used a third-party software update mechanism to spread,
- it was a geopolitically motivated destructive attack that caused extensive damage to uninvolved bystanders
- it used automated techniques that previously were only associated with sophisticated manual attackers that reduced the time the attack took to spread across networks from days to minutes.
This has crystallised a potential cyber risk that has been a concern for some time such that untargeted and destructive attacks would become as sophisticated as manual attacks by highly capable threat actors.
I don’t often write about specific events but I feel compelled to as a result of the NotPetya event as I believe it has had as major impact on the cyber risk landscape as the recognition of ‘advanced persistent threat’ actors.
Traditional security relied on being in the middle of the pack as regards security capability following the metaphor that we didn’t need to outrun a bear, we just needed to outrun another potential victim. This was overturned around 2008 with the emergence of industrialised and automated untargeted unsophisticated attacks which enabled threat actors to attack many victims at little marginal cost which extended the metaphor to suggest we all had to outrun our own bears but that as long as we bought a bicycle we would be okay. NotPetya has demonstrated the appearance of untargeted automated sophisticated attacks which now implies all our bears now have motorcycles.
At first inspection NotPetya appeared to be a new campaign of a ransomware known as Petya but enhanced with features borrowed from the Wannacry ransomware attack that started on the 12th May 2017.
On further inspection the similarities were more superficial and the more recent attack therefore became known as ‘NotPetya’ or ‘Petna’.
NotPetya was confirmed to exploit the same vulnerability used by Wannacry; the ETERNALBLUE exploit. ETERNALBLUE was likely stolen from the US National Security Agency and was leaked by the ShadowBrokers group who have commonly been linked to Russian intelligence. However, subsequent investigation discovered that while NotPetya exploited the same vulnerability the software code itself was an entirely implementation to the NSA code suggesting another sophisticated cyber-attack group had developed this attack in parallel to the NSA.
As the NotPetya attack progressed it became obvious that the ransomware supporting capabilities (such as payment tracking and decryption) were poorly designed in sharp contrast to the sophistication of the exploit code. This has led many to surmise that NotPetya was actually intended as a destructive attack under the disguise of a ransomware attack.
It also became clear that it was not infecting victims via traditional methods such as email attachments or direct attacks on web-facing services. Instead the M.E.Doc software; mandated by the Ukrainian tax authorities; was found to have been the vector of infection via it’s automatic update mechanism for applying patches. It is estimated that 1 million computers had the M.E.Doc software installed. Subsequent evidence emerged that M.E.Doc had been compromised since the 14th April 2017 and had been used to install backdoors in all the firms using this software prior to the destructive attack.
The M.E.Doc software compromise was initially used to infect victims with a remote command and control infrastructure that used a covert communications channel to receive commands. This was then updated with the NotPetya malware.
Following the Wannacry ransomware attack in May many firms had ruched to deploy the Microsoft patches to prevent the exploitation by the ETERNALBLUE code included in Wannacry. For this reason NotPetya included a second mechanism for spreading itself around victim networks. This second mechanism automated tools known as LSADump and a variant of Mimikatz to retrieve administrator credentials from the memory of running systems. Having retrieved administrator credentials NotPetya then used these to escalate to higher levels of access locally and to move laterally to other systems on the local network.
A number of high profile firms have reported significant problems so far as a result of infection by NotPetya including; Merck, Maersk, WPP, Modelez, BNP Paribas, Reckitt Benckiser, TNT, Saint-Gobain, Nuance and FedEx. Those firms that have reported estimations of damages have fallen in the range of $100M-$250M per firm at the time of writing.
One affected firm has shared that they lost of 100% of their windows servers and 80% of their laptops within 20 minutes of the first infection despite having been patched against ETERNALBLUE exploit. The losses included their entire Active Directory and Backup servers, they discovered a dependency between these that significantly slowed their recovery. Their DR plans were based on secondary sites being available, the extent of the attack destroyed primary and secondary sites. This firm is still struggling to recover and had notified the market that their annual results will be below expectations this year.
June 28th, the day following the start of the NotPetya attack is Constitution Day in the Ukraine marking the signing of the constitution in 1996. Given the conflict with Russia over the Crimea, the targeting of firms using the Ukrainian mandated M.E.Doc software and the sophistication of the code similar to but different from ETERNALBLUE it is not a great leap of faith to surmise that the NotPetya attack was sponsored or carried out by Russian Intelligence in order to cause disruption and chaos during the national holiday.
I am aware of the dangers of cyber attribution and this is a working hypothesis that is not proven, see Samuel Liles excellent blog on levels of attribution.
The challenges to the assumptions of both Traditional IT Security and Cyber Security from NotPetya include:
Assumption 1: Software should be updated as quickly as possible
Assumption: Acquiring and quickly applying patches to allow software developers to respond to changing attacks on their software.
Challenge: Patches themselves are now a vector for attack and there is a new balance to be struck between fast deployment and assurance of the patches themselves.
Assumption 2: Networks should be segmented in zones
Assumption: Limiting traffic between ones ensures that untargeted malware worms are unlikely to spread and damage will be limited.
Challenge: The use of automated privilege escalation and lateral movement exploits the weakness of pragmatic zone segmentation which is commonly administrative exceptions for inter-zone communication.
Assumption 3: Speed of incident response
Assumption: Sophisticated targeted attacks take days to complete and reducing response times from days and weeks to days will allow us to reduce harm from serious attacks.
Challenge: An automated sophisticated untargeted attack now takes minutes.
Assumption 4: We have what we need to recover
Assumption: While production systems may be affected by an attack the underlying infrastructure, the backups, the backup servers and the administrative workstations and the active directories will be available during recovery.
Challenge: 100% of servers are destroyed in the attack, 80% of laptops. The infrastructure from which to recover no longer operates.
It’s not yet clear what the appropriate answers to manage these challenges are. I have spoken with a number of CISOs at firms that were affected by NotPetya and they shared the solutions they are pursuing as a result:
- Risk score 3rd parties with access and software from tier 2 and below vendors
- Increased segmentation around higher risk vendors and products including a multi-tier DMZ
- Zero-Trust Network Security Architecture as described first by Google BeyondCorp Initiative
- Increasing operating system diversity amongst key systems
- Microsoft POPSLAM training approach for securing against lateral movement.
- Accelerated Windows 10 Deployment including enabling both Device Guard & Credential Guard
- Geographical segregation at WAN MPLS entry point using active intrusion prevention systems
- Automated response tools such as Phantom or Hexadite
- DevOps/DevSecOps including infrastructure as code for rapid recovery
- Adoption of virtual desktop infrastructure or cloud-based workstations both for segregation and for rapid recovery
- Network analytics for detecting covert command and control channels
- Testing a full recovery of Active Directory from scratch
- Use of cloud backup providers
- Ensuring backup servers are on different operating system platforms from the systems being backed up
- The ‘Citadel’ concept of a disconnected enclave containing the core digital DNA of the business, enough to establish a minimum viable recovery in the face of a complete loss.
These solutions are useful to consider but given the scale and diversity of enterprise technology environments other solutions may be more appropriate. Not considering solutions to the challenges to previous assumptions is a recipe for not learning the painful lessons learned by the NotPetya victims.
I strongly recommend that CISOs run a local table-top review of a NotPetya-like attack entering their network and using automated privilege escalation and lateral movement techniques spreading rapidly before destroying the affected devices. Existing and planned (funded) controls should be considered in this review highlighting both effective and ineffective controls in this scenario. I also recommend that this review is subject to expert independent challenge especially focused on control effectiveness assumptions as there are some ‘ugly baby’ moments that existing teams will be resistant to.