Jimmy Graham, Director of Product Management, Qualys, dissects the latest cyber extortion campaign and lists out the steps to stay safe.
On Tuesday, a variant of the ransomware “Petya” began propagating in several countries across Europe. This new variant leverages the EternalBlue exploit used in WannaCry, and also abuses legitimate administrative access (remote execution with the infected user’s credentials) to spread throughout the network without needing a software vulnerability.
EternalBlue is a leaked exploit developed by the NSA that leverages the SMBv1 vulnerability patched in MS17-010 (CVE-2017-0144). All unpatched versions of Windows are vulnerable to EternalBlue, excluding recent versions of Windows 10. Microsoft has also chosen to release patches for some end-of-support versions of Windows, so even those systems can and should be patched.
Qualys Vulnerability Management can detect the vulnerability being leveraged by Petya. The QIDs used for the EternalBlue exploit are still applicable and can be used to determine if you are vulnerable to this attack vector:
QID 91345 can detect this vulnerability with or without authentication, as well as with the Qualys Cloud Agent
QID 91360 is an authenticated-only check: it requires scan credentials or the Qualys Cloud Agent
The existing WannaCry and Shadow Brokers Dashboard built into Qualys AssetView can also be used to track vulnerable assets. Steps for importing this dashboard from a template are available in the Qualys Community.
Preventing propagation via administrative access
The second attack vector uses WMI and PsExec to spread using the infected user’s permissions. If that user has administrative rights over other systems, those systems can also become infected, with no exploit required. It is highly recommended that administrative permissions be restricted for workstation users.
A common misconfiguration is to add “Domain Users” or “Authenticated Users” to the local “Administrators” group to quickly grant all workstation users administrative access to their own workstation. Because the membership applies on every machine where it is configured, it also gives every user full administrative access to every other workstation. In this situation the malware can spread without the need for a software vulnerability. Group Policy (for example a Restricted Groups policy that enforces the membership of the local Administrators group) can be used to remove these groups and ensure that they are not added again.
There are also reports that this Petya variant attempts to obtain the local administrator password from the infected machine. In that case the password can be reused to spread to every other system that shares the same local admin password. It is recommended that every system have a unique local administrator password, managed through a tool such as Microsoft’s LAPS.
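The following PowerShell script is an added example and is not part of the Qualys post or of any Qualys product. It audits the local Administrators group of a workstation for the broad groups described above and can optionally remove them. It uses the WinNT ADSI provider so that it also works on Windows 7 hosts where Get-LocalGroupMember is not available; the $broadGroups list, the -Remediate switch and the ",group" suffix passed to Remove() are this example’s own choices.

```powershell
# Added example (not from the Qualys post). Audits the local Administrators group
# for broad domain groups that give every user admin rights on this host, and
# optionally removes them. Run elevated, locally or via Invoke-Command.
# Assumes PowerShell 3.0 or later for [PSCustomObject]; the WinNT provider itself
# is available on Windows 7 / Server 2008 R2 as well as newer releases.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Remediate    # remove offending groups instead of only reporting them
)

# Groups that should never be nested in a workstation's Administrators group.
# 'Domain Users' and 'Authenticated Users' are the cases called out in the post;
# 'Everyone' and 'Users' are assumed to be equally unwanted.
$broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone', 'Users')

$adminGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"

# Each member is returned as a COM object; read its ADsPath, which looks like
# WinNT://CORP/Domain Users or WinNT://NT AUTHORITY/Authenticated Users
$members = @($adminGroup.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

$findings = foreach ($path in $members) {
    # Leaf name is the last path component, e.g. 'Domain Users'
    $leaf = ($path -replace '^WinNT://', '') -split '/' | Select-Object -Last 1
    if ($broadGroups -contains $leaf) {
        [PSCustomObject]@{ Computer = $ComputerName; Member = $path; Leaf = $leaf }
    }
}

if (-not $findings) {
    Write-Output "${ComputerName}: no broad groups in local Administrators"
    return
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # IADsGroup.Remove() takes the member's ADsPath; the ',group' suffix tells the
        # WinNT provider the object class (assumed form, used widely for group members)
        $adminGroup.Remove("$($f.Member),group")
        Write-Output "Removed '$($f.Leaf)' from Administrators on $ComputerName"
    }
}
```

Running the audit across the estate (for example with Invoke-Command against a list of workstation names) gives a quick picture of where the misconfiguration exists. Removal with -Remediate is only a one-time fix: the lasting control is the Group Policy Restricted Groups setting, which re-applies the intended membership at every policy refresh so the group cannot quietly be added back.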
Patching and proper permissions management are the best way to prevent infection. However, some of the workarounds published for WannaCry are also applicable to stopping the EternalBlue attack vector: the exploit targets the SMBv1 server, so disabling SMBv1 prevents it from working.
Disabling the admin$ share through Group Policy can block the second attack vector, since PsExec copies its service binary to that share before starting it remotely; note that this may break other systems-management software that relies on the same share.
Another option is to completely block inbound connections to the SMB port (TCP 445) on workstations, which prevents both attack vectors; however, this should be thoroughly tested before deployment, as it also breaks file sharing, printing and remote management over SMB.
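As an added example that is not part of the Qualys post, the script below carries out the two host-level workarounds described above on a single Windows machine: it disables the SMBv1 server and client, and optionally adds a host-firewall rule blocking inbound TCP/445. It assumes Windows 8.1 / Server 2012 R2 or newer for the Set-SmbServerConfiguration and New-NetFirewallRule cmdlets; on Windows 7 / Server 2008 R2, where those cmdlets are absent, it falls back to the registry value and sc.exe commands Microsoft documents for disabling SMBv1 (KB2696547). The function names, the -BlockPort445 switch and the firewall rule’s display name are this example’s own.

```powershell
# Added example (not from the Qualys post). Disables SMBv1 (server and client) and
# optionally blocks inbound TCP/445 at the host firewall. Run elevated; a reboot
# is required for the Windows 7 / 2008 R2 registry path and the client change.
param(
    [switch]$BlockPort445   # also add an inbound firewall block for TCP/445
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    # Returns $true while the SMBv1 server component is still enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: the SMB1 registry value; absent means enabled (the default)
    $v = (Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8.1 / 2012 R2 and newer: takes effect immediately
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / 2008 R2 (KB2696547): registry value, effective after reboot
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # SMBv1 client (mrxsmb10): drop it from the workstation service's dependency
    # chain and disable the driver so the host cannot speak SMBv1 outbound either
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

Write-Output ("SMBv1 server enabled before: {0}" -f (Get-Smb1ServerEnabled))
Disable-Smb1
Write-Output ("SMBv1 server enabled after:  {0}" -f (Get-Smb1ServerEnabled))

if ($BlockPort445) {
    # Blocks both vectors (EternalBlue and admin$/PsExec) at the host firewall.
    # Test first: this also breaks file sharing, printing and remote management over SMB.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output 'Inbound TCP/445 blocked by the host firewall'
}
```

Disabling SMBv1 is the lower-risk change of the two and is worth applying on every host: modern Windows clients and servers negotiate SMBv2 or SMBv3 among themselves, so only legacy devices (old NAS units, printers, scanners) that can speak nothing newer are affected. The port-445 block should be rolled out to a pilot group of workstations first, since it stops management tools that rely on SMB as well as the malware.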