Petya, NotPetya, Goldeneye, Nyetya 6/27/2017

Post Reply
User avatar
Royal
Posts: 10561
Joined: Mon Apr 11, 2011 5:55 pm

Petya, NotPetya, Goldeneye, Nyetya 6/27/2017

Post by Royal » Thu Jun 29, 2017 1:32 am

“There’s no fucking way this was criminals.”- The Grucq, some InfoSec person


Tuesday's attack, 6/26/2017, infected over 80 large companies, 64 countries, and over 12,000 computers. Many different names for the event popped up- names include Petya, WannaCry2, NotPetya (named by Kaspersky), PetyaWrap, PetrWrap, ExPetr, Goldeneye, and Nyetya (named by Talos).

Infected Organizations:
Ukrainian institutions: Infrastructure Ministry, central bank, state postal service and largest telephone company
Kiev's Borispol Airport
Energy firms: Kyivenergo and Ukrenergo.
Danish shipping firm A.P. MOLLER-MAERSK (The world's largest container-shipping company)
Russian oil company Rosneft
American pharmaceutical giant Merck.
(Greenberg, 2017)

Law firm DLA Piper
UK advertising firm WPP
Snack food maker Mondelez International
(Goodin, 2017b)

Radiation monitoring station for Chernobyl
French construction materials company Saint-Gobain
German railway company Deutsche Bahn .
Australian factory for the chocolate giant Cadbury
Russian steel and mining company Evraz.
FedEx subsidiary TNT Express


Same Shit Different Day
Ukraine and security researchers have concluded this is part of an on-going attack in the country for the past few years.

"...And the blackouts weren’t just isolated attacks. They were part of a digital blitzkrieg that has pummeled Ukraine for the past three years—a sustained cyber­ assault unlike any the world has ever seen. A hacker army has systematically undermined practically every sector of Ukraine: media, finance, transportation, military, politics, energy. Wave after wave of intrusions have deleted data, destroyed computers, and in some cases paralyzed organizations’ most basic functions. “You can’t really find a space in Ukraine where there hasn’t been an attack,” says Kenneth Geers, a NATO ambassador who focuses on cyber security" (Greenberg, 2017b).

The digital weaponry being used on the country as a testing ground:

"But many global cybersecurity analysts have a much larger theory about the endgame of Ukraine’s hacking epidemic: They believe Russia is using the country as a cyber war testing ground—a laboratory for perfecting new forms of global online combat. And the digital explosives that Russia has repeatedly set off in Ukraine are ones it has planted at least once before in the civil infrastructure of the United States"(Greenberg, 2017b).

Ukrain is being pummeled with attacks:

"there had been 6,500 cyber attacks on 36 Ukrainian targets in just the previous two months"(Greenberg, 2017b).

Not your typical attacks being used, but highly sophisticated attacks that can be put in the same category as Stuxnet. When discussing the previous attacks on UKrain's network, a Ukranian cyber security researcher was already identifying high level attacks. This is how he described an attack that occurred before NotPetya:

"Yasinsky managed to pull a copy of the destructive program from StarLight’s network. Back at home, he pored over its code. He was struck by the layers of cunning obfuscation—the malware had evaded all antivirus scans and even impersonated an antivirus scanner itself, Microsoft’s Windows Defender. After his family had gone to sleep, Yasinsky printed the code and laid the papers across his kitchen table and floor, crossing out lines of camouflaging characters and highlighting commands to see its true form. Yasinsky had been working in information security for 20 years; he’d managed massive networks and fought off crews of sophisticated hackers before. But he’d never analyzed such a refined digital weapon"(Greenberg, 2017b).

Intention of Malware was not to Initiate Ransom

Within 24hrs, researchers around the world have determined that the ransomware code is being used to obfuscate its disk wiping purpose.

"its true objective was to permanently wipe as many hard drives as possible on infected networks, in much the way the Shamoon disk wiper left a wake of destruction in Saudi Arabia. Some researchers have said Shamoon is likely the work of developers sponsored by an as-yet unidentified country. Researchers analyzing Tuesday's malware—alternatively dubbed PetyaWrap, NotPetya, and ExPetr—are speculating the ransom note left behind in Tuesday's attack was, in fact, a hoax intended to capitalize on media interest sparked by last month's massive WCry outbreak" (Goodin, 2017).

Additionally, researchers are making the determination that the ransomware code controls the media narrative. When there is only purpose of destruction, it helps removes the speculation of a state actor, and provides reason for a criminal organization.

"We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon" (Goodin, 2017).

Why it's NOT Petya

The code is determined to overwrite the master boot record than encrypt it, therefore nobody can get their data back by paying the ransom.

"...contrasting Tuesday's payload with a Petya version from last year. Both pieces of code take aim at two small files—the master boot record and master file table—that are so crucial that a disk won't function if they are missing or corrupted. But while the earlier Petya encrypts the master boot record and saves the value for later decryption, Tuesday's payload, by contrast, was rewritten to overwrite the master boot record. This means that, even if victims obtain the decryption key, restoring their infected disks is impossible." (Goodin, 2017).
Last edited by Royal on Thu Jun 29, 2017 2:31 am, edited 5 times in total.

User avatar
Royal
Posts: 10561
Joined: Mon Apr 11, 2011 5:55 pm

Re: Petya, NotPetya, Goldeneye, Nyetya 6/27/2017

Post by Royal » Thu Jun 29, 2017 1:33 am

Infection Vector

An update from an Ukrainian Accounting software called "MeDoc" was used. There are unconfirmed reports of spear phishing campaigns.

"Petya infected victims by hijacking the update mechanism of a piece of Ukrainian accounting software called MeDoc. Companies filing taxes or engaged in financial dealings with Ukraine widely use MeDoc, says Cisco's Talos research team lead Craig Williams, which could in part explain the ransomware's reach beyond Ukraine's borders....That tactic also signals that Petya "has a very clear idea who it wants to affect, and it’s businesses associated with the Ukrainian government," Williams says. "It’s very obvious this is a political statement" (Chiu, 2017).

Hopefully TurboTax is not vulnerable.

Who's Responsible

Is timing everything?

"Boyarchuk points to the the timing of the attack, coming just before Ukraine's Constitution Day, which celebrates the country’s post-Soviet independence"..."The theories are consistent with this post from Wired, which reports that Ukrainian government officials are saying Tuesday's attack was sponsored by a national government" (Goodin, 2017).

They are claiming the attacks had the same signature but these can easily be forged by cyber security firms.

"the attackers' techniques match the "handwriting" of previous attacks in 2015 and 2016 that Ukrainian president Petro Poroshenko has called acts of "cyberwar," waged by Russia's intelligence and military services" (Greenberg, 2017).

How the Malware Spreads

Mechanisms that are used to propagate once a device is infected:
EternalBlue - the same exploit used by WannaCry.
EternalRomance - an SMBv1 exploit leaked by "ShadowBrokers"
PsExec - a legitimate Windows administration tool.
WMI - Windows Management Instrumentation, a legitimate Windows component

"These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally...For systems that have not had MS17-010 applied, the EternalBlue and EternalRomance exploits are leveraged to compromise systems. The exploit launched against the victim system depends on the operating system of the intended target"

EternalBlue
Windows Server 2008 R2
Windows Server 2008
Windows 7
EternalRomance
Windows XP
Windows Server 2003
Windows Vista

PsExec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's windows token (from the "Recovery of User Credentials" section above) to install the malware on the networked device.

C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1


WMI is used to execute the following command which performs the same function as above, but using the current user's username and password (as username and password), retrieved from the "Recovery of User Credentials" section above.

Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"


Once a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA encryption. Additionally, the malware cleans event logs on the compromised device using the following command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

(Chiu, 2017)

References

Chiu, A. (2017, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. [Blog Post]. Talos Intelligence. Retrieved from http://blog.talosintelligence.com/2017/ ... riant.html

Goodin, D. (2017, June 28). Tuesday’s massive ransomware outbreak was, in fact, something much worse. Ars Technica. Retrieved from https://arstechnica.com/security/2017/0 ... ansomware/

Goodin, D. (2017b, June 27). A new ransomware outbreak similar to WCry is shutting down computers worldwide.Ars Technica. Retrieved from https://arstechnica.com/security/2017/0 ... worldwide/

Greenberg, A. (2017, June 28).Ukranians Say Petya Ransomware Hides State-Sponsored Attacks. Wired.com. Retrieved from https://www.wired.com/story/petya-ransomware-ukraine

Greenberg, A. (2017b, June 20). How an Entire Nation Became Russia's Test Lab for Cyber War. Wired.com. Retrieved from https://www.wired.com/story/russian-hac ... k-ukraine/

User avatar
Royal
Posts: 10561
Joined: Mon Apr 11, 2011 5:55 pm

Re: Petya, NotPetya, Goldeneye, Nyetya 6/27/2017

Post by Royal » Thu Jun 29, 2017 6:49 am

His ‘Petya’ Code Was Used in a Global Cyber Attack, Now He Wants to Help
KEVIN POULSEN 06.29.17 1:00 AM ET

Late Wednesday afternoon, with the global Petya virus at a halt but its damage lingering, the original creator of the now notorious malware appeared on Twitter for the first time in six months. “We’re back having a look in ‘NotPetya,’” he tweeted. “Maybe it’s crackable with our privkey.”

Janus, a name he lifted from a James Bond villain, began selling Petya to other hackers in March 2016. Like all ransomware, Petya was designed to hold a victim’s files hostage, then return them when a ransom is paid. After Janus’ debut, he experimented with different business models and briefly got attention as a kind of Robin Hood when he hacked a competitor and freed its victims. Then, in December, he went silent.

It’s not clear why he disappeared, but it’s obvious why he’s returned now. On Tuesday, a modified version of Petya caused major disruptions in Ukraine, bricking computers at a power company, multiple banks, and the Kyiv Boryspil International Airport. It ultimately spread to corporate networks in 64 other countries, according to Microsoft. Surgeries were canceled at two Pittsburgh-area hospitals hit with the virus. Computers at the pharmaceutical company Merck and the law firm DLA Piper were hit, along with a Cadbury chocolate factory in Tasmania. An infection at the Dutch shipping firm A.P. Moller-Maersk forced the closure of some container terminals in seaports from Los Angeles to Mumbai.

Janus, who was never shy about his authorship of Petya, would make an obvious suspect. He is the only one known to have the source code—the electronic blueprints—to Petya, according to a security expert who’s studied Janus’ work. “The source never leaked,” said the researcher, known professionally as Hasherezade. “It could have been sold, but I don’t think so.”

Janus’ Wednesday tweet, announcing that he’s examining the new code, is an implicit claim from an admitted cyber criminal that he didn’t commit this particular crime. Surprisingly, a number of computer security experts have reached roughly the same conclusion. Despite surface appearances, this week’s cyber attack almost certainly wasn’t the work of a profit-oriented hacker like Janus. Instead it was an electronic Molotov cocktail lobbed into Ukraine by an attacker who underestimated how far it would splash.

“It’s someone who wants to shut down Ukraine and make it look like ransomware,” said Matthieu Suiche, founder of of cyber-security provider Comae Technologies. “And like what happened back in December with the power grid, it’s a political motive.”

Ukraine has faced a plague of cyberattacks since entering into hostilities with Russia three years ago, and many have led unequivocally to Moscow. Tuesday’s attack so far has been traced only to a Ukrainian company called M.E.Doc, which makes accounting software called MEDoc that’s used widely in Ukraine.
“The attackers hacked into the patch server of the company, so every time that a client in the field reached out for a software update, they ended up getting this malware in their network instead,” said Vikram Thakur, technical director at Symantec.

Once inside a corporate network, the malware used three methods to spread to other systems, including the same NSA attack used in the earlier WannaCry worm. Unlike WannaCry, though, Tuesday’s attack never hit the public Internet. Instead, it just hopped from one corporate network to another. Wherever a business connected its network to a corporate partner or contractor, the malware was able to travel.

In this way it eventually reached all around the world, even hitting computers in Russia. “We’ve seen infections in one side of Europe that initially didn’t seem to have any connection to business in Ukraine, but it turns out they had a subsidiary that was using the MEDoc software to keep their books,” Thakur said.

It’s possible, then, that an attack intended to harm Ukrainian businesses spread much further than even the attackers intended. What’s nearly certain is that it was never really a ransomware attack. The ransom demand was likely a smokescreen to hide the attacker’s purely destructive motives.

The evidence of that began piling up as soon as the first Ukrainian targets fell Tuesday morning. Security experts noticed that the malicious code was based on Petya but had been extensively modified—so much so that the antivirus firm Kaspersky has started calling the new version NotPetya.

Most of the modifications show the marks of a sophisticated engineering effort, except for the mechanism that lets victims pay the $300 ransom and get their files back. That part has been weakened. For starters, it relies entirely on a single inbox with a German webmail provider who, predictably, blacklisted the email address within hours of the attack’s inception. The real Petya handled the whole transaction over the DarkWeb.

Further proof came on Wednesday from researchers at Kaspersky. Petya and NotPetya both issue victims a unique alphanumeric code, a kind of electronic claim check they can use to recover their files after paying the ransom. In the original Petya, the code is mathematically tied to the encryption key holding the files hostage. In the new NotPetya, it’s just a bunch of random numbers. Whoever was behind the attack doesn’t have the ability to release anyone’s files, and they never did.
“Why would you modify a working version of that with something that was broken?” said Comae Technologies’ Suiche. “It doesn’t make sense.”


continued...

Last edited by Royal on Thu Jun 29, 2017 6:55 am, edited 1 time in total.

User avatar
Royal
Posts: 10561
Joined: Mon Apr 11, 2011 5:55 pm

Re: Petya, NotPetya, Goldeneye, Nyetya 6/27/2017

Post by Royal » Thu Jun 29, 2017 6:50 am

Petya was always about making money, and it was always well made. When it debuted for sale to hackers in 2016, it had one advantage in a field with dozens of new entrants every year. Instead of just encrypting files one by one, the malware encrypts the “master file table,” a tiny directory at the root of the hard drive that holds the whole file system together. Most ransomware locks your files in a vault; Petya locks the vault in another vault.

In Poland, the security researcher known as Hasherezade took an early interest in Petya and began dissecting the code, eventually drawing the attention of the malware’s mastermind. Though they were on opposite sides, she and Janus began a friendly banter on Twitter, where the hacker referred to her as “sweetheart” or “lovely analyst” but evinced respect for her work.

When Hasherezade posted slides from a detailed technical talk she’d given on Petya’s internals, in which she laid out methods to defeat the encryption in early versions of the malware, he complimented her. “Very objective and smart, cute whitehat,” Janus responded.

When he returned Wednesday after his prolonged disappearance, the hacker addressed Hasherezade again, telling her she was “sadly missed.”
“So, my favorite (threat) actor is back,” she responded. “I was waiting.”

http://www.thedailybeast.com/his-petya- ... ts-to-help


User avatar
Royal
Posts: 10561
Joined: Mon Apr 11, 2011 5:55 pm

Re: Petya, NotPetya, Goldeneye, Nyetya 6/27/2017

Post by Royal » Thu Jul 06, 2017 7:32 pm

Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak
Dan Goodin - 7/5/2017, 2:48 PM


The third-party software updater used to seed last week's NotPetya worm that shut down computers around the world was compromised more than a month before the outbreak. This is yet another sign the attack was carefully planned and executed.

Researchers from antivirus provider Eset, in a blog post published Tuesday, said the malware was spread through a legitimate update module of M.E.Doc, a tax-accounting application that's widely used in Ukraine. The report echoed findings reported earlier by Microsoft, Kaspersky Lab, Cisco Systems, and Bitdefender. Eset said a "stealthy and cunning backdoor" used to spread the worm probably required access the M.E.Doc source code. What's more, Eset said the underlying backdoored ZvitPublishedObjects.dll file was first pushed to M.E.Doc users on May 15, six weeks before the NotPetya outbreak.

"As our analysis shows, this is a thoroughly well-planned and well-executed operation," Anton Cherepanov, senior malware researcher for Eset, wrote. "We assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and we have no way at this time to verify that there are no other injected backdoors."

Researchers from Cisco Systems' Talos group, in their own blog post published Wednesday, reported a backdoored version of M.E.Doc was distributed in mid April, a month earlier than the one found by Eset. At the request of M.E.Doc developers, Talos employees traveled to Kiev, Ukraine to forensically analyze computers used the Intellect Service, the company that develops and markets the software. Among the things they found: a webshell that gave anyone with the underlying password access to the site. Talos also confirmed the backdoor built into the ZvitPublishedObjects update module.

Ukrainian police on Tuesday seized computers and software used by Intellect Service. A video published by the department's official YouTube account shows officers, at times armed with automatic weapons, entering company offices and asking unidentified employees questions. Ukrainian police also published this statement that warned that the backdoor may still be active. It advised all M.E.Doc users to immediately stop using the software and to turn off computers that have the application installed.


Colonel Serhiy Demydiuk, the head of Ukraine’s national Cyberpolice unit, told the Associated Press that M.E.Doc developers will "face criminal responsibility" because they disregarded earlier warnings their IT infrastructure was insecure. Since last week's outbreak, the developers have issued a series of conflicting statements. At first, M.E.Doc said it initially suffered a server compromise, then the company said it wasn't involved in the outbreak, and it later said it was cooperating with the investigation.

In a separate article published Wednesday, the AP reported that Ukrainian officials said they thwarted a follow-on attack that was scheduled to take place on July 4, also using the M.E.Doc software as a starting point. "We prevented the initiation of the second wave of viruses," police spokesman Yaroslav Trakalo said in the video released Wednesday, the AP reported. Trakalo said investigators have already found "evidence of Russian presence on these servers," although he didn't elaborate.

...

Goodin, D. (2017, July 5). Backdoor built in to widely used tax app seeded last week’s NotPetya outbreak. ArsTechnica.com. Retrieved from https://arstechnica.com/security/2017/0 ... -outbreak/


Post Reply