{"id":3090,"date":"2017-07-03T13:41:56","date_gmt":"2017-07-03T20:41:56","guid":{"rendered":"https:\/\/zed.inguardians.com\/?p=3090"},"modified":"2019-08-19T13:41:49","modified_gmt":"2019-08-19T20:41:49","slug":"wiperware-disguised-as-ransomware-strikes-globally","status":"publish","type":"post","link":"https:\/\/zed.inguardians.com\/brief\/wiperware-disguised-as-ransomware-strikes-globally\/","title":{"rendered":"\u00a0Wiperware Disguised As Ransomware Strikes Globally"},"content":{"rendered":"<h5 class=\"et_pb_toggle_title\">\u00a0Wiperware disguised as ransomware strikes globally, taking advantage of unpatched systems and flat networks.<\/h5>\n<div class=\"et_pb_toggle_content clearfix\">\n<p><strong>Issue<\/strong><br \/>\nThe recent wave of supposed ransomware attacks, NotPetya, spread rapidly due to non-segmented (\u201cflat\u201d) networks after its initial infection. It is reported to have first hit Ukraine and subsequently spread internationally. Many of the targets that reported infection are industrial, financial, health or other components of critical infrastructure.<\/p>\n<p>Whereas the Petya ransomware that first emerged last year was actual ransomware, the variant that wormed its way through non-segmented (\u201cflat\u201d) networks in June 2017 (NotPetya) does not allow for decryption of the data. \u00a0As such, InGuardians classifies this as wiperware.<\/p>\n<p>NotPetya uses many different vectors to infect and perform subsequent infections. \u00a0Even though it does use the NSA exploits EternalBlue and EternalRomance that were addressed by Microsoft security update MS17-010, NotPetya also leverages many other vectors of attack. \u00a0It includes mimikatz, with that tool\u2019s LSADump module. \u00a0This is used for recovering passwords with the aim of gaining administrative access locally and eventually at the domain level. NotPetya also uses PSExec as a means of subsequent infection, as well as WMI calls.<\/p>\n<p>Many people responsible for network security claim that they thought they were patched against the NSA exploits. It\u2019s key to note that NotPetya has multiple initial infection vectors, including phishing. Even if one of the NSA exploits became the vector of initial infection on an unpatched machine, the other vectors of subsequent infection allow it to spread unhindered through flat networks, full of otherwise patched systems.<\/p>\n<p><strong>Impact<\/strong><br \/>\nInfections of NotPetya spread rapidly across non-segmented, or \u201cflat,\u201d networks, stealing credentials and leveraging privileges and trust. \u00a0The technical result is mangled data on infected systems. \u00a0This data is unrecoverable. \u00a0The business impact has been a shutdown of operations in many of the impacted targets.<\/p>\n<p><strong>Recommendations<\/strong><br \/>\nThe one common issue that allows the spread of NotPetya is networks that are not segmented with access control. \u00a0Logically segmented networks are still considered flat networks, as they lack access controls. \u00a0When access controls restrict traffic from traversing network segments, hosts are well isolated and this stymies infections of this type, containing them to a single host or portion of the network.<\/p>\n<p>InGuardians recommends implementing restrictive access controls at the network level and isolating hosts using host-based firewalls or Private VLANs. InGuardians also recommends using Group Policies within Microsoft Active Directory to lock down endpoints and implement the Principle of Least Privilege, preventing the lateral spread from affected, internal systems. \u00a0These tactics are highly recommended to defend against modern malware attacks like NotPetya.<\/p>\n<p><strong>Additional Resources<\/strong><br \/>\nSetting up Private VLANs<br \/>\n<a href=\"http:\/\/packetlife.net\/blog\/2010\/aug\/30\/basic-private-vlan-configuration\/\">http:\/\/packetlife.net\/blog\/2010\/aug\/30\/basic-private-vlan-configuration\/<\/a><\/p>\n<p><a href=\"http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst3560\/software\/release\/12-2_44_se\/configuration\/guide\/scg\/swpvlan.html\">http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst3560\/software\/release\/12-2_44_se\/configuration\/guide\/scg\/swpvlan.html<\/a><\/p>\n<p>Implementing the Principle of Least Privilege within Various Versions of Windows<\/p>\n<p><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/implementing-least-privilege-administrative-models\">https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/ad-ds\/plan\/security-best-practices\/implementing-least-privilege-administrative-models<\/a><\/p>\n<p><a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/bb456992.aspx\">https:\/\/technet.microsoft.com\/en-us\/library\/bb456992.aspx<\/a><\/p>\n<p><a href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/win2k\/enforcing-least-privilege-principle-active-directory-ous-gpos-group-214\">https:\/\/www.sans.org\/reading-room\/whitepapers\/win2k\/enforcing-least-privilege-principle-active-directory-ous-gpos-group-214<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\u00a0Wiperware disguised as ransomware strikes globally, taking advantage of unpatched systems and flat networks. Issue The recent wave of supposed ransomware attacks, NotPetya, spread rapidly due to non-segmented (\u201cflat\u201d) networks after its initial infection. It is reported to have first hit Ukraine and subsequently spread internationally. Many of the targets that reported infection are industrial, [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[169],"tags":[117,134,135,120,121,128,28,84,147],"_links":{"self":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3090"}],"collection":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/comments?post=3090"}],"version-history":[{"count":1,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3090\/revisions"}],"predecessor-version":[{"id":3091,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/posts\/3090\/revisions\/3091"}],"wp:attachment":[{"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/media?parent=3090"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/categories?post=3090"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zed.inguardians.com\/wp-json\/wp\/v2\/tags?post=3090"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}