Petya Ransomware

Petya’s been in the news lately so I thought I’d take a lookielou at it.  I found an interesting GitHub post about the topic here.  Here are my notes on the matter.

* Our Whackers For Hackers IPBL blocked the distribution points for the most part (our firewalls would have saved you in a self hosted scenario).

* We implement layered security measures that block the country delivering the payload.

* If we don’t block the country delivering the payload the actual payload execution from the temporary Internet folder is blocked.

* If the payload isn’t blocked from the temporary Internet folder (which it is) we also block execution of the payload from other vulnerable temp folders in Windows.

* Assuming it executes (and it wouldn’t) the end user doesn’t run as a local administrator so the threat even in an unpatched system or set of unpatched systems wouldn’t spread as proven by a commenter on the GitHub post regardless of SMBv1 (the vulnerable service) being installed or not.  They weren’t knowledgeable enough to know what happened and why certain servers didn’t get infected while others did (noobs, LULZ).  They executed the malware in their lab with a local administrator, and that local administrator account’s username and password were the same on other machines (that got infected), while others that didn’t have the same local administrator username and password on them did not get infected.  As a side note: this speaks to a long-held question I couldn’t get answers on even from SANS, whom I tweeted at.  Their answer was:  “The MS17-010 exploit allows for unauthenticated remote code exec as admin” but I’m not buying it…yet.  I have yet to see this thing spread from non-admin users or unauthenticated users!  It’s not a “brute force” barge your way in the door program…it’s just not!

* Note that thanks to Microsoft and “outlook[.]com” the phishing scheme went on and on for days…it still might be spreading, I’m not sure!  The phishing emails came from US-based outlook[.]com servers so “country blocking” wouldn’t have worked unless you block the US (and maybe you should!).  Microsoft often lands on our BL’s but people get mad because suddenly Office 365 or outlook[.]com emails stop working.  That’s because Microsoft has “gravity” (lots of users, lots of companies).  Now there’s a big threat to security because more often than not Microsoft, Outlook.com, etc. are whitelisted but shouldn’t be until a threat from Microsoft and Outlook.com is over.  The same goes for Amazon, Google and the lot!  It’s hard letting a client know this but they’re usually OK with it or we can carve out exceptions for their particular use case that will poke their need through our layers of security.

* Intrusion Detection mechanisms in place at the firewall level catch the digital fingerprint (signature) of this exploit and block it…these have been out for at least two months before any widespread attacks of these latest variants.

* It’s possible, although I’m not certain at this time, that if the user received the payload, antivirus alone would have prevented / cleaned their PC.  I don’t have an actual sample and wouldn’t have one unless I went out of my way to get it.  Again, the user would have been prevented from downloading the malware payload exe file among many other system side blocking processes and they’d have never seen the exe payload.  Neither would the antivirus software!

We had one client receive the actual payload but the end user didn’t open the piece of mail with the payload.  Also note that had the user executed the payload it wouldn’t have run.  Why?  We apply layers of security for our clients and this payload downloads an exe file that was hosted in France.  Moreover, users don’t run as administrators (local or other) and they certainly aren’t allowed to run exe’s from temporary folders or the folders these baddies like to run from.  Some of what we do is exclusive to our process and I can’t go into too much detail but WannaCry, Petya and any other crypto in their current forms can’t and won’t run on infrastructures we manage.

A special note that our Whackers For Hackers (W4H) IPBL blocked this threat but at the time of this writing, that particular client receiving the payload didn’t use our firewall nor did they use our W4H IPBL (they will transition to it in time).  The distribution points (websites / IPs) made it onto our list for various reasons because we operate honey pots that detect global threats then add them to our list.  These networks (and we block networks, which means at one point hosts on those networks have tried brute forcing their way into servers) were listed and have been listed for a long time.

Notes:

#petya #petrWrap #notPetya

Distribution IP addresses:

185.165.29.78
Offender: almashosting[.]com
Category: Cheap VPS hosting company
Country: Portugal
185.165.30.0/24 <– listed by W4H

184.200.16.242
Offender: Accelerated IT Services GmbH – accelerated[.]de
Category: IT Services / Dedicated Servers
Country: Germany
84.0.0.0/8 <– listed by W4H

Offender: shinjiru.com[.]my
Category: Cheap VPS hosting company
Country: Malaysia
111.90.139.247
111.0.0.0/8 <– listed by W4H

** Special note about Shinjiru:
** It says on their website they’re “proud to be trusted by:”
** “Abbot, Coca-Cola, Honda”…among big companies
** Run for the hills!

Offender: unimedia[.]fr
Category: Regional ISP
Country: France
95.141.115.108
95.0.0.0/8 <– listed by W4H

** Special note about Unimedia:
** They tout their “security” being the best
** and blab about wannacry…only, they’re hosting
** petya variants (#ISPfail) (LULZ).

** They also hosted a download URL from: http://french-cooking[.]com
** resolving a unimedia.fr IP noted above!
** The DNS record now points to: 127.0.0.1 <– localhost
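A network-level blocklist only helps when each indicator actually falls inside a listed range, so here is an added example (not part of the original post or of W4H) that checks the distribution IPs against the networks marked “listed by W4H”, both copied exactly as printed above. The function names are hypothetical.

```python
import ipaddress

# Networks marked "listed by W4H" on this page, exactly as printed.
LISTED_NETWORKS = ["185.165.30.0/24", "84.0.0.0/8", "111.0.0.0/8", "95.0.0.0/8"]

# Distribution IPs exactly as printed on this page.
DISTRIBUTION_IPS = ["185.165.29.78", "184.200.16.242",
                    "111.90.139.247", "95.141.115.108"]


def load_blocklist(entries):
    """Parse CIDR strings and merge overlapping or adjacent ranges.

    strict=True rejects entries with host bits set (e.g. 10.1.2.3/8),
    a common copy/paste error that silently changes what gets blocked.
    """
    nets = [ipaddress.ip_network(e.strip(), strict=True)
            for e in entries if e.strip()]
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        merged += ipaddress.collapse_addresses(
            [n for n in nets if n.version == version])
    return merged


def covering_network(ip, blocklist):
    """Return the blocklist network containing ip, or None if uncovered."""
    addr = ipaddress.ip_address(ip)
    for net in blocklist:
        if addr.version == net.version and addr in net:
            return net
    return None


def coverage_report(ips, entries):
    """Map each indicator to the network that blocks it (None = gap)."""
    blocklist = load_blocklist(entries)
    return {ip: covering_network(ip, blocklist) for ip in ips}


def uncovered(ips, entries):
    """Indicators that no listed network would block."""
    return [ip for ip, net in coverage_report(ips, entries).items()
            if net is None]


if __name__ == "__main__":
    for ip, net in coverage_report(DISTRIBUTION_IPS, LISTED_NETWORKS).items():
        print(f"{ip:<16} -> {net if net else 'NOT COVERED'}")
```

As printed, 185.165.29.78 and 184.200.16.242 fall outside the networks paired with them, so those two entries are worth re-checking against the original indicator source before relying on the list.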

As mentioned we had a client receive one of these emails.  Here are details from the sender:

Email Header Sample:

Sending user: katelynnofdxi@outlook.com
Received: from PU1APC01FT057.eop-APC01.prod.protection.outlook.com <– Microsoft spreading filth flarn & filth!
Received: from HK2PR04MB1236.apcprd04.prod.outlook.com
Subject: FWD (the user they sent it to all lower case)

We should also note that “protection” from Microsoft isn’t a lock…the piece of mail was sent from “protection.outlook.com”.  Proving once again how arbitrary the word “protection” is in cyberspace.  Protection takes diligence, like maintaining your fitness and Microsoft is fat as are other ISPs in the world.

If you need any assistance in securing your infrastructure from threats like Petya give us a shout.  We can help companies of all sizes including Fortune 100s.  We can augment your existing IT staff in any number of ways with out of the box thinking…which, as I think about it, isn’t as different or impactful as I thought it might be.  Perhaps, radical crazy religiously militant far right far left higher than high thinking that’s out of this world jumping jack creative IT systems innovation problem solving…thinking!

800-864-9497

Comments or questions are welcome.
