I cannot recall a previous widespread incident that created confusion and misdirection the way NotPetya did. I want to use this post to examine a bit of what happened and what we can learn.
On the morning of June 27, Twitter was abuzz with discussions about a new variant of the Petya ransomware spreading everywhere. Early reports indicated that the Petya was being introduced into networks via infected email attachments
I strongly suspect that at least some of the organizations affected by the outbreak were making a connection that likely turned out to be coincidental, rather than causal. If I see a evidence someone received a suspicious email attachment – something that happens all day every day in a large company, and then suddenly that computer reboots and begins locking itself up, I suspect most of us would draw that same conclusion, and because it fits so neatly in our daily experience in defending the network, convincing us otherwise can be difficult. I do not know what, if any, net effect this misdirection may have had on the overall NotPetya story, but it seems likely that there were at least some security teams spending time locking down email to prevent becoming a victim.
As it turns out, NotPetya was introduced to victim networks via the update process to the ME Doc tax software in widespread use in the Ukraine and leverage the compromised infrastructure of Intellect Service, who makes ME Doc. There are, however, some outliers, such as the three hospitals in the US who were infected. There is no word on how hospitals in the US came to be infected with seemingly no tie to the ME Doc software. My best guess is that malware propagated via connections to other entities that did use ME Doc. Merck, for example, was one of the companies infected. I can envision a number of possible scenarios where an infection at a vendor propagates to a hospital in the US. For example, a Merck sales person may have been visiting a hospital and VPN’d back to the mothership when her computer was infected and began spreading locally within the hospital network. Or maybe a VPN or other remote access connection that Merck uses to monitor equipment or inventory, or something else. I want to emphasize, by the way, that I use Merck here for the sake of argument – I have no idea if they were in any way involved in spreading to these hospitals, and even if they were, they were also a victim.
Discussions throughout the day on June 27 focused on the new Petya variant’s use of the ETERNALBLUE vulnerability/exploit to propagate within an organization. That turned out to be true, but the focus on this aspect of the malware likely detracted from the bigger picture. Many organizations, no doubt including those that were, or would soon be affected, were likely scrambling to track down systems missing the MS17-010 patch, and grilling sysadmins on why they neglected to patch. Reports by that afternoon, however, indicated that fully patched systems were being infected. We now know that ETERNALBLUE was just one of the mechanisms used to propagate, and that NotPetya included code from mimikatz to pull credentials from memory on infected systems, and a copy of psexec to run commands on other systems on the local network using the gathered credentials. At the time, however, security advice being thrown around was essentially that which helped prevent WannaCry. We were fighting the last war, not the current one. Rather than address the crux of the problem, which included password reuse across systems, excessive privileges, and so on, we saw, and continue to see, advice that includes blocking ports 139 and 445 at the firewall, among other unhelpful nuggets. Those recommendations are not wrong generally, but were not helpful for this case. I tried to round up the things that do help here.
Days later, security companies started proclaiming the the Petya outbreak was definitely not really Petya, only loosely based on Petya, and not intended as a ransomware attack at all, but rather a nation-state attack against the Ukraine.
We focused heavily on the ransomware/system wiping aspect of this outbreak. Many organizations rebuilt and restored many systems wiped by NotPetya. Some victims, including one of the hospitals mentioned, decided to start over and buy all new systems. Finally, and possibly most significantly, the latest news is that the adversary behind the NotPetya outbreak had compromised the update server of Intellect Service and likely had the ability to remotely control and collect information from the systems of many thousands of ME Doc users.
This episode highlights, to me at least, the need to keep a clear head during an incident and to be open to revising our understanding of what is happening and what our response should be.