Details continue to emerge on the recent Petya attack and theories abound. To catch up, check out our post from day one of the attack.

Infection

M.E.Doc’s, a Ukrainian tax accounting system, software update also seems to be responsible, at least partially, for initial infections. Reports have also emerged around exploits of the CVE-2017-0199 Microsoft Office vulnerability as well as phishing emails. There doesn’t appear to have been a mass–scale phishing attack, which begs the question of how the attack spread so far so quickly. Other infection methods are still under investigation.

Propagation

The malware has two propagation mechanisms:

  • EternalBlue exploit: This is the same NSA-developed/Shadow Brokers-leaked exploit used in the WannaCry attack. Microsoft fixed the associated vulnerabilities in MS17-010 (via SMBv1, port 139 and 445). But Petya hasn’t just used the published EternalBlue exploit — they’ve modified it
  • Stolen credentials using WMI/PsExec: First, credentials are stolen using a variant or Mimikatz or LokiBot. Then the malicious file is distributed across the network using the legitimate WMI or PsExec tools.

WannaCry only used the first propagation mechanism. In Petya’s case, a single infected system with administrative credentials can spread to all the other computers through WMI or PSEXEC via legitimate users.

In other words, the infection is done with admin credentials making it much more difficult to block — not impossible, but it requires advanced behavior analysis tools.

What’s Up With the Name?

Petya is a nickname for Peter in Russian. Also, the Ukrainian president is named Petro Poroshenko.

Some sources say that the ransomware was hidden undetected for five days before being triggered. It was released a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.

Craig Williams, head of Cisco’s Talos threat intelligence unit had this to say in a Wired article on the suspicions that Petya was a state–sponsored attack against Ukraine masquerading as ransomware:

“[Petya] has a very clear idea who it wants to affect, and it’s businesses associated with the Ukrainian government. It’s very obvious this is a political statement.”

It’s too early for an attribution, but many fingers are pointing at the Russian “Bears” — the name usually given to the Russian governmental APT groups.

Anybody Heard from The Shadow Brokers Lately?

When The Shadow Brokers leaked the EternalBlue exploit back in March, they did so for free (after an unsatisfactory auction).

However, they’ve recently started charging money for a monthly subscription to the NSA–built hacking tools and zero–day exploits. Today, the price was doubled from 100 ZEC (Zcash) to 200 ZEC — around US$64,400.

Is the price hike a strange attempt at stemming the tide of these massive attacks? It’s pure speculation. After all, in the infamous words of Butch Cassidy, “Who are those guys?”

 

Resources

Register for the webinar on June 29 on how Petya and attacks like it are changing the game in cybersecurity and how you can pivot your approach to overcome its challenge.

Protecting Against the Next WannaCry (surprise — it’s Petya!): WannaCry was a wake–up call to the new era of distributed cybercrime attacks. See how Skybox can help you prepare for the next attack.

Take the threat–centric approach to vulnerability management. Download the whitepaper to start protecting your network with real–time threat intelligence and complete network context.