[SingCERT] Technical Advisory on Petya/Petna Ransomware

  • in Cyber Security Agency News
  • 29 June 2017

Published on Wednesday, 28 June 2017 22:07

Background
On 27th June 2017, SingCERT was alerted to the occurrence of a Petya variant, also known as Petna, which has impacted organisations in Ukraine and other parts of Europe. Petya/Petna works by modifying the Windows Master Boot Record (MBR), causing the system to crash. It uses the ETERNALBLUE exploit tool to accomplish this, the same exploit used by the WannaCrypt/WannaCry ransomware.

Details
Delivery/Exploitation
According to Palo Alto Networks, there was speculation that a Ukrainian tax software package was compromised and delivered the Petya/Petna DLL via an update on 27th June 2017.

Installation
Petya/Petna is spread as a DLL file, which requires execution by another process in order to compromise the system.

After execution, it modifies the Windows system's Master Boot Record (MBR), causing the system to crash.

Upon reboot, the modified MBR prevents Windows from loading and a ransom note is displayed, demanding that the user send US$300 in Bitcoin to a specific Bitcoin address in order for their files to be decrypted. However, the email account used to disseminate the decryption key has been shut down, so users will not be able to get their files decrypted even after payment.

Lateral Movement
Petya/Petna uses the Windows Management Instrumentation Command-line (WMIC) tool to establish connections to hosts on the local subnet and attempts to execute itself remotely on those hosts.

Petya/Petna uses the ETERNALBLUE exploit tool on the local subnet to spread to additional hosts. The vulnerability exists because the SMB version 1 server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.

Petya/Petna scans the local network to discover and enumerate ADMIN$ shares on other systems. It then copies itself to those systems and executes the malware using PSEXEC, provided that the infected system has sufficient rights to write and execute files there.
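The three lateral-movement techniques above (WMIC remote execution, ADMIN$ share access, PsExec-style service installation) each leave a distinct trace on the target host's Windows event logs. The following script is an added example, not part of the SingCERT advisory, showing how a defender can flag those traces. The sample event records are constructed for this example; the event IDs and field names (Security 5140 ShareName, Security 4688 CommandLine, System 7045 ServiceName/ImagePath, Security 4624 LogonType) are the standard Windows ones, but 4688 only carries a command line when command-line process auditing is enabled. The function names, the "PSEXESVC" service name pattern and the payload path are assumptions made for illustration.

```powershell
# Added example (not from the SingCERT advisory). Sample records are CONSTRUCTED;
# Get-LateralMovementEvents below pulls the same event IDs from a real host.
$SampleEvents = @(
    [pscustomobject]@{ Id = 4624; Time = '2017-06-27T10:01:02'; Computer = 'FS01'; Props = @{ LogonType = 3; IpAddress = '10.0.1.17'; TargetUserName = 'svc_backup' } },
    [pscustomobject]@{ Id = 5140; Time = '2017-06-27T10:01:03'; Computer = 'FS01'; Props = @{ ShareName = '\\*\ADMIN$'; IpAddress = '10.0.1.17'; SubjectUserName = 'svc_backup' } },
    [pscustomobject]@{ Id = 7045; Time = '2017-06-27T10:01:04'; Computer = 'FS01'; Props = @{ ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' } },
    [pscustomobject]@{ Id = 4688; Time = '2017-06-27T10:01:05'; Computer = 'FS01'; Props = @{ NewProcessName = 'C:\Windows\System32\wbem\WMIC.exe'; CommandLine = 'wmic /node:"10.0.1.23" /user:"DOMAIN\svc_backup" process call create "rundll32.exe C:\Windows\PLACEHOLDER_PAYLOAD.dll"' } },
    # Benign share access that must NOT be flagged.
    [pscustomobject]@{ Id = 5140; Time = '2017-06-27T11:30:00'; Computer = 'FS01'; Props = @{ ShareName = '\\*\Public'; IpAddress = '10.0.1.50'; SubjectUserName = 'alice' } }
)

function New-Hit([object]$Event, [string]$Rule, [string]$Detail) {
    [pscustomobject]@{ Time = $Event.Time; Host = $Event.Computer; EventId = $Event.Id; Rule = $Rule; Detail = $Detail }
}

function Find-LateralMovementIndicators {
    param([Parameter(Mandatory)][object[]]$Events)
    # First pass: one rule per technique named in the advisory.
    $hits = foreach ($e in $Events) {
        $p = $e.Props
        switch ($e.Id) {
            5140 { if (($p.ShareName -like '*\ADMIN$') -or ($p.ShareName -like '*\C$')) {
                       New-Hit $e 'Administrative share accessed over the network' "$($p.ShareName) from $($p.IpAddress) as $($p.SubjectUserName)" } }
            7045 { if (($p.ServiceName -like 'PSEXE*') -or ($p.ImagePath -like '*PSEXESVC*')) {
                       New-Hit $e 'PsExec-style service installed' "$($p.ServiceName) -> $($p.ImagePath)" } }
            4688 { if ($p.CommandLine -match '(?i)\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create') {
                       New-Hit $e 'WMIC remote process creation' $p.CommandLine } }
        }
    }
    # Second pass: an admin-share access whose source IP also produced a type-3
    # (network) logon is the copy-then-PsExec pattern; relabel those hits.
    $netLogonIps = $Events | Where-Object { $_.Id -eq 4624 -and $_.Props.LogonType -eq 3 } | ForEach-Object { $_.Props.IpAddress }
    foreach ($h in $hits) {
        if ($h.EventId -eq 5140 -and ($netLogonIps | Where-Object { $h.Detail -like "*from $_ *" })) {
            $h.Rule = 'Network logon + admin share access (PsExec pattern)'
        }
    }
    @($hits)
}

function Get-LateralMovementEvents {
    # Real host: pull the same event IDs for the last N hours and flatten each
    # event's EventData into the Props hashtable shape used above.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $raw = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4688, 5140; StartTime = $since } -ErrorAction SilentlyContinue) +
           @(Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = 7045;             StartTime = $since } -ErrorAction SilentlyContinue)
    foreach ($ev in $raw) {
        $props = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $ev.Id; Time = $ev.TimeCreated; Computer = $ev.MachineName; Props = $props }
    }
}

# On the constructed sample this yields three hits (admin share, service install,
# WMIC remote create) and ignores the benign Public share access.
Find-LateralMovementIndicators -Events $SampleEvents | Format-Table -AutoSize
# Real host: Find-LateralMovementIndicators -Events (Get-LateralMovementEvents -Hours 48)
```

Run it over the collected logs of several hosts rather than one: the advisory's worm behaviour means the same source IP appears in admin-share and service-install hits on many targets within minutes, which is the signal worth alerting on.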

Affected Systems
The following Microsoft operating systems are currently suspected to be vulnerable:

  • Windows 10
  • Windows RT 8.1
  • Windows 8.1
  • Windows 7
  • Windows XP
  • Windows Vista
  • Windows Server 2016
  • Windows Server 2012 and Windows Server 2012 R2
  • Windows Server 2008 and Windows Server 2008 R2

Recommendations
SingCERT recommends taking the following steps to secure your system:

  • Ensure that your Windows-based systems are fully patched. In particular, security update (MS17-010) should be applied.
  • Ensure that your anti-virus software is updated with the latest malware definitions
  • Perform file backups and store them offline so that they can be used to restore your systems if an attack occurs
  • Block inbound connections on TCP Port 445
  • Disable all unrequired services
  • Monitor your systems for privilege escalation
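The patch, SMBv1 and TCP/445 recommendations above can be audited (and the latter two applied) from an elevated PowerShell session. The script below is an added example, not part of the SingCERT advisory. It assumes Windows 8.1 / Server 2012 R2 or later for the Get-SmbServerConfiguration and NetSecurity cmdlets, falling back to the documented LanmanServer registry value on Windows 7 / Server 2008 R2. The KB list is the set of per-platform security updates Microsoft released under MS17-010; later cumulative updates supersede them, so "none found" on a recent build means "check the update level", not "vulnerable". Function names are assumptions made for this example.

```powershell
# Added example (not from the SingCERT advisory): audit a host against the advisory's
# recommendations; -Remediate applies the SMBv1 and TCP/445 items. Run as Administrator.

function Test-Ms17010Hotfix {
    # KB IDs published with MS17-010 per platform (superseded by later cumulative updates).
    param([string[]]$KbIds = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                'KB4012214','KB4012217','KB4012598','KB4012606',
                                'KB4013198','KB4013429'))
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    $detail = if ($found.Count) { $found -join ', ' } else { 'none of the listed KBs found; verify OS build and cumulative update level' }
    [pscustomobject]@{ Check = 'MS17-010 hotfix present'; Pass = [bool]$found.Count; Detail = $detail }
}

function Test-Smb1Disabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: the SMB1 DWORD under LanmanServer\Parameters; absent means enabled.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $val) -or ($val -ne 0)
    }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Pass = -not $enabled; Detail = "SMB1 enabled = $enabled" }
}

function Test-Port445Blocked {
    # Passes if any enabled inbound Block rule covers TCP/445 (any profile).
    $rules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            ($pf.Protocol -eq 'TCP') -and (@($pf.LocalPort) -contains '445')
        })
    [pscustomobject]@{ Check = 'Inbound TCP/445 blocked'; Pass = [bool]$rules.Count; Detail = ($rules.DisplayName -join ', ') }
}

function Invoke-PetyaHardeningAudit {
    param([switch]$Remediate)
    $results = @(Test-Ms17010Hotfix; Test-Smb1Disabled; Test-Port445Blocked)
    if ($Remediate) {
        if (-not ($results | Where-Object Check -eq 'SMBv1 server disabled').Pass) {
            if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
            } else {
                Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0
                Write-Warning 'SMB1 registry value set; a reboot is required for it to take effect.'
            }
        }
        if (-not ($results | Where-Object Check -eq 'Inbound TCP/445 blocked').Pass) {
            New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - SingCERT Petya advisory' `
                -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
        # Re-run the checks so the returned table reflects the post-remediation state.
        $results = @(Test-Ms17010Hotfix; Test-Smb1Disabled; Test-Port445Blocked)
    }
    $results
}

Invoke-PetyaHardeningAudit | Format-Table -AutoSize
# To apply the SMBv1 and firewall items: Invoke-PetyaHardeningAudit -Remediate
```

Blocking inbound 445 on a file server will also cut off legitimate SMB clients, so scope that rule (or use the `-RemoteAddress` parameter of New-NetFirewallRule) to the segments that should never reach the host rather than applying it blindly across a fleet.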

References
https://twitter.com/HackingDave
https://www.bleepingcomputer.com/news/security/email-provider-shuts-down-petya-inbox-preventing-victims-from-recovering-files/
https://www.reddit.com/r/pcmasterrace/comments/6ju1mp/psa_new_ransomware_campaign_petyagoldeneye_being/
https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/
