The latest outbreak, called Petya (also known as Petna, NotPetya and Nyetya), started this week on June 27, 2017, allegedly originating in Ukraine.

What is already known about the Petya/NotPetya/Petna malware:

– It has built-in, automatic lateral movement: credential theft from LSASS memory combined with native tools such as PsExec and WMIC.
– It is not ransomware but a wiper: it overwrites the MBR, and even if you pay the $300 ransom you will not get your files back.
– At the time of writing the attacker's Bitcoin wallet had received 45 transactions, about 3.99 BTC in total.
– The initial infection allegedly came through a software supply chain: a malicious update to the Ukrainian accounting software M.E.Doc.
– Most of the victims are still in Ukraine (more than 12,000 Windows machines).
– It creates a scheduled task to reboot the machine after about an hour, at which point the MBR damage takes effect; it uses the hour in between to find more victims on the network.

Lateral movement:

Once launched, the malware sets up the destruction of the local machine and then tries to find more machines on the network.
This specific sample discovers Windows endpoints with an ARP scan, which limits its spread to the local subnet (far better discovery techniques are available to an attacker).

Having found targets, it harvests credentials from LSASS process memory so that it has more accounts to try. Dumping LSASS requires local admin rights; without them it simply uses the current user's security context.
With those credentials it moves laterally to other machines using WMIC or PsExec. If that fails, it falls back to the EternalBlue SMB exploit.

We will see many more malware variants doing lateral movement, simply because the return on investment is higher and, in most networks, it is very easy.
EternalBlue can be patched (MS17-010), but harvesting credentials from LSASS cannot be patched away; it can only be contained by limiting which privileged credentials ever land on a given host.

Disabling PsExec and WMI is not the solution, as admins need these tools to manage their network; it makes no sense to disable their own software. Lack of segmentation and credential reuse are the real problem: a single harvested account should not be able to log on to dozens of other machines.
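
To make the behaviour described under Lateral movement and the credential-reuse problem above concrete, here is an added example (written for this page, not code from the original post or from Javelin Networks) of two detections a defender can run over endpoint telemetry: one harvested account fanning out to many hosts through network logons in a short window, and processes spawned on a target by the WMI provider host (WmiPrvSE.exe, which is how `wmic process call create` runs commands) or by the PsExec service (PSEXESVC.exe). The event records, host names, account names, IP addresses and the payload DLL path are constructed sample data, and the ten-minute window and five-host threshold are assumptions, not values from the post.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    """Parse a constructed timestamp string into a datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample telemetry (not real logs, not from the post).
# event "4624" mimics a Windows Security logon record (logon_type 3 = network
# logon over SMB/WMI); event "1" mimics a Sysmon process-creation record.
SAMPLE_EVENTS = [
    # One harvested service account reused from a single source host
    # against six workstations in about three minutes: worm-like fan-out.
    {"event": "4624", "ts": _t("2017-06-27 10:00:05"), "host": "WS01",
     "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.1.23"},
    {"event": "4624", "ts": _t("2017-06-27 10:00:40"), "host": "WS02",
     "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.1.23"},
    {"event": "4624", "ts": _t("2017-06-27 10:01:12"), "host": "WS03",
     "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.1.23"},
    {"event": "4624", "ts": _t("2017-06-27 10:01:50"), "host": "WS04",
     "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.1.23"},
    {"event": "4624", "ts": _t("2017-06-27 10:02:30"), "host": "WS05",
     "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.1.23"},
    {"event": "4624", "ts": _t("2017-06-27 10:03:05"), "host": "WS06",
     "account": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.1.23"},
    # A user touching two file servers hours apart: normal behaviour.
    {"event": "4624", "ts": _t("2017-06-27 09:15:00"), "host": "FS01",
     "account": "CORP\\alice", "logon_type": 3, "src_ip": "10.0.2.41"},
    {"event": "4624", "ts": _t("2017-06-27 14:02:00"), "host": "FS02",
     "account": "CORP\\alice", "logon_type": 3, "src_ip": "10.0.2.41"},
    # Process creations on the targets. The payload DLL path is a placeholder.
    {"event": "1", "ts": _t("2017-06-27 10:01:15"), "host": "WS03",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "rundll32.exe C:\\Windows\\payload.dll,#1"},
    {"event": "1", "ts": _t("2017-06-27 10:01:55"), "host": "WS04",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\PSEXESVC.exe",
     "cmdline": "rundll32.exe C:\\Windows\\payload.dll,#1"},
    {"event": "1", "ts": _t("2017-06-27 10:05:00"), "host": "WS09",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "notepad.exe"},
]

# Parents that exist to run commands sent from another host: WmiPrvSE.exe
# services "wmic process call create", PSEXESVC.exe is PsExec's service.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "psexesvc.exe"}


def detect_account_fanout(events, window=timedelta(minutes=10), min_hosts=5):
    """Find accounts whose network logons reach >= min_hosts distinct hosts
    inside any sliding window of length `window`.

    Returns {account: (distinct_hosts, sorted source IPs seen in that window)}.
    A single source IP behind the fan-out points at one infected host reusing
    a harvested credential, which is the pattern described in the post.
    """
    logons = defaultdict(list)
    for e in events:
        if e["event"] == "4624" and e["logon_type"] == 3:
            logons[e["account"]].append((e["ts"], e["host"], e["src_ip"]))

    hits = {}
    for account, recs in logons.items():
        recs.sort()
        best, best_srcs = 0, set()
        for i, (t0, _, _) in enumerate(recs):
            # every logon from t0 up to t0 + window, inclusive
            in_win = [r for r in recs[i:] if r[0] - t0 <= window]
            hosts = {r[1] for r in in_win}
            if len(hosts) > best:
                best, best_srcs = len(hosts), {r[2] for r in in_win}
        if best >= min_hosts:
            hits[account] = (best, sorted(best_srcs))
    return hits


def detect_remote_exec(events):
    """Return (host, parent image name, command line) for every process whose
    parent is the WMI provider host or the PsExec service."""
    hits = []
    for e in events:
        if e["event"] != "1":
            continue
        parent_name = e["parent"].rsplit("\\", 1)[-1].lower()
        if parent_name in REMOTE_EXEC_PARENTS:
            hits.append((e["host"], parent_name, e["cmdline"]))
    return hits


if __name__ == "__main__":
    for acct, (n, srcs) in detect_account_fanout(SAMPLE_EVENTS).items():
        print(f"[fan-out] {acct} reached {n} hosts in 10 min from {srcs}")
    for host, parent, cmd in detect_remote_exec(SAMPLE_EVENTS):
        print(f"[remote-exec] {host}: {parent} spawned {cmd}")
```

On the constructed data the fan-out check flags only svc_backup (six hosts from one source address inside the window) and leaves alice alone, while the parent-process check flags the two rundll32 launches under WmiPrvSE.exe and PSEXESVC.exe. Neither rule disables WMI or PsExec; they surface an account being reused across machines, which is exactly what segmentation and separate per-tier credentials are meant to make impossible.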

Javelin vs. Petya:

Watch how Javelin would protect you against Petya and any other malicious lateral movement attempt.

Feel free to reach out: almog@javelin-networks.com
