Cygilant Blog

Never Say Never Again: Petya, GoldenEye and WannaCry Redux

Posted by John Linkous on Jun 29, 2017

22 years ago, Irish actor Pierce Brosnan took his first turn as MI6’s perennial agent James Bond. In that particularly great outing, everyone’s favorite international spy took out a satellite weapon known as GoldenEye, built around two satellites named Mischa and Petya. While the fictional GoldenEye satellites delivered an electromagnetic pulse that took out all electronics within a 30-mile radius, this week the world was hit with a real Petya: the “GoldenEye” variant of the Petya ransomware family, spreading through the same SMB flaw that drove last month’s massive WannaCry outbreak.

The current GoldenEye outbreak will likely eclipse WannaCry both in breadth of spread and in the depth of the infrastructure it penetrates. So far, we know that it appears to have originated in Kiev, Ukraine, and spread rapidly to critical infrastructure in that country, including government offices, the electrical grid and airports. From there, the attack spread to other nations and a range of commercial enterprises: Russia’s Rosneft oil production company, Denmark’s Maersk shipping company and Merck, the U.S.-based international pharmaceutical firm.

Perhaps the most frustrating aspect of malware like Petya and WannaCry is that they’re not relying on some obscure zero-day vulnerability. Both exploit the same flaws in Microsoft’s Server Message Block (SMB) 1.0 protocol, all fixed by a single Microsoft patch (MS17-010) released almost two months before WannaCry hit. Moreover, the exploit code itself was published in April by the Shadow Brokers hacking group, which had earlier announced that it had acquired a trove of NSA attack tools, so attackers did not even have to write their own. This means that organizations are either neglecting to install patches in a timely manner, or – even worse – they’re simply not installing them at all.

So, revisiting our recommendations from a few months ago, how can your organization ensure that you’re not affected by GoldenEye? The good news is that the solutions are pretty simple:

  • Please (please!) patch your systems to close the attack vector used by Petya (and WannaCry). The specific exploit used by both malware payloads relies on a flaw in the SMBv1 implementation, attacked by the tool known as “EternalBlue”. This is fixed by installing a patch that has been available since March 14 (long before the WannaCry outbreak, by the way…); note that the fix takes effect only after a reboot. The patch should be installed on all Microsoft operating systems from Windows Vista forward: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Microsoft has even taken the extraordinary measure of releasing a patch for Windows XP, which has been at end-of-life status since April, 2014, which can be found here: https://www.microsoft.com/en-us/download/details.aspx?id=55245
  • If you don’t need SMB 1.0 in your environment, disable it. SMB 1.0 (a.k.a. SMBv1) is the original version of the SMB protocol. It has not been the primary SMB protocol since Windows XP and Windows Server 2003, and has been replaced by the more secure SMBv2 and SMBv3 protocols introduced in all later versions of Windows. If you still absolutely require SMBv1 (for example, for Windows file sharing to Windows XP clients, or to an old NAS, printer or scanner that speaks nothing newer), then this may not be an option – but honestly, if you’re still running Windows XP, you have bigger problems. It is the SMBv1 server component that EternalBlue attacks, so turning that off protects the host even before the patch is applied; a reboot is required on Windows 7 and Server 2008 R2, and you should test legacy shares before pushing the change to every machine. Disabling SMBv1 is easy to do, and can be accomplished via the Control Panel (Programs and Features, “Turn Windows features on or off”), via GPOs and through a PowerShell command. Detailed instructions can be found on Microsoft’s site here: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
  • Ensure that your users are using strong passwords. According to security researcher Brian Krebs, Russian security firm Group-IB has indicated that Petya may also include an “LSAdump” capability that can capture usernames and hashed passwords from both workstations and Windows servers. With a few days of cracking time, a few GPU-enabled cloud server instances and a tool like “hashcat”, weak passwords behind those hashes can be recovered. To minimize that risk, ensure that you’re requiring strong passwords, especially for Windows authentication. Bear in mind that a stolen NTLM hash can also be replayed as-is (“pass-the-hash”) without ever being cracked, so password strength alone does not contain a credential-theft worm: limit where privileged accounts log on, and avoid shared local administrator passwords across machines. If you don’t already have multi-factor authentication in place, you should weigh the costs and benefits, as it can significantly reduce the risk associated with compromised credentials.
  • Implement a patch management solution to detect and remediate out-of-date systems. Patch management is one of the most critical security controls that an organization can implement. Attackers and malware almost always rely on the path of least resistance: it’s much, much easier to try and exploit a known vulnerability, than it is to decrypt credentials or exploit other “heavy lifting” attack vectors.
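The first three recommendations are easier to apply across a fleet if they are scripted. The PowerShell below is an added example written for this post, not code from the original article or from Microsoft: it audits one host for the MS17-010 hotfixes and for the SMBv1 server setting, and disables SMBv1 when asked. The -Disable switch and the default KB list are this script’s own assumptions; the list is the set of KB numbers Microsoft published under MS17-010, but verify it against the bulletin for the builds you run.

```powershell
# Added example (not from the original post or from Microsoft): audit a Windows host
# for MS17-010 and SMBv1, and optionally disable SMBv1 as described in KB2696547.
# Run from an elevated PowerShell session; supports -WhatIf through ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch of this script: disable SMBv1 if found enabled (otherwise report only).
    [switch]$Disable,

    # Assumption: KB numbers Microsoft published under MS17-010. Verify against the bulletin.
    # On Windows 10 / Server 2016 the fix ships in cumulative updates, so a later cumulative
    # update also counts even though these IDs then never appear in Get-HotFix.
    [string[]]$Ms17010Kbs = @(
        'KB4012598',                            # Vista / Server 2008 (also the XP / 2003 package)
        'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
        'KB4012214', 'KB4012217',               # Server 2012
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
    )
)

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $build"

# --- 1. Is MS17-010 installed? ---
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010: installed ($($installed.HotFixID -join ', '))"
} elseif ($build -ge 10240) {
    Write-Warning 'MS17-010: no listed KB found; on Windows 10/2016 confirm a cumulative update from March 2017 or later is installed'
} else {
    Write-Warning 'MS17-010: NOT installed - patch this host'
}

# --- 2. Is the SMBv1 server enabled? ---
# Windows 8 / Server 2012 and later expose the setting through the SmbShare module.
# Windows 7 / Server 2008 R2 use the LanmanServer 'SMB1' registry value (absent = enabled).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $value = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
}
Write-Host ('SMBv1 server: ' + $(if ($smb1Enabled) { 'ENABLED' } else { 'disabled' }))

# --- 3. Optionally disable SMBv1, server and client side (per KB2696547) ---
if ($smb1Enabled -and $Disable -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1')) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Client side: drop the SMB1 redirector from the workstation service's dependencies.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Warning 'SMBv1 disabled; reboot to complete. Re-test legacy shares, printers and NAS devices first.'
}
```

Run it once without -Disable to inventory, then with -Disable -WhatIf to see what would change, and finally with -Disable. On Windows 8.1 and 10 the feature can also be removed outright with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol, which is the cleaner end state once you know nothing still depends on it.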

It’s clear from attacks such as WannaCry and GoldenEye that we are in a new era of ransomware; it’s probably safe to assume that these are the first major salvos rather than the last. As the great Sean Connery said when he took one last turn as James Bond: “Never say never again.”


Tags: Security Best Practices, Ransomware, Patch Management
