Technology Blog

Change the Battlefield: Detecting Lateral Movement of Petya

Aruba Employee

Just one month after WannaCry Ransomware compromised more than 200,000 machines in over 100 countries, Petya (or called Netya, Petrwrap) has covered all headline news again since its initial outbreak in Ukraine. Although Petya hasn’t infected as many machines as WannaCry, it’s still considered as a more severe and sophisticated attack because it’s more targeted, destructive, and enterprise infrastructure focused. Only one system was required for Pedtya to take hold and multiply within an organization.

 

Security teams can help prevent future ransomware attacks like Petya by detecting and analyzing how the worm-like infection moves laterally within their IT infrastructure. Below is our analysis of Petya’s movements and advice about how your security team can better prepare for and deal with these types of attacks.

petyablog.png

 Image: Google

 

With the complete reverse engineered details of Petya attack, we confirm again that detecting lateral movement is very critical and effective when combating modern complex enterprise attacks.

 

  1. Compromise is inevitable

Software vulnerability has existed since its creation. With today’s increased variety and complexity of enterprise software, it’s unfortunate that zero-day vulnerabilities such as EternalBlue (Petya’s starting point) will be discovered even more often in the future. Although the security industry has advanced in preventing and detecting malware, compromised users or devices are still not a matter of if, but when

 

  1. Start small, move laterally

The ultimate goal of all advanced or targeted attacks is “data” – the high-value business sensitive data. In most enterprises, this kind of high-value data is stored only on a small set of highly-protected servers, which are typically not the first compromised victims. Therefore,  attackers need to figure out some way to move laterally from the first victim to its ultimate target within the enterprise.

 

  1. SMB vulnerabilities may be different, but kill chains are similar

Although Petya uses two new exploits for the Server Message Block (SMB) vulnerability EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145), we noticed its subsequent kill chain steps are actually very similar to previous enterprise attacks like Target data breach and Sony breach back in 2013 and 2014. 

 

Below is a table describing the common lateral movement steps observed from those prior attacks with using Petya as the example mechanism. In addition, we also briefly explain the behavior anomaly signals we should detect from each step. By understanding these, your organization should be better prepared for future attacks.

Lateral Movement Steps

Petya Behavior

Behavior Anomalies

Data Source

Internal Reconnaissance

Run DhcpEnumSubnets() and DhcpEnumSubnetClients() to enumerate DHCP subnets and hosts

Use of enumerating commands of (admin) accounts, servers, services, and network from new hosts

Server Security Log

Host Scan

Scan the above hosts for vulnerable tcp/139 and tcp/445 services

Connection to the same port number(s) over a large number of internal hosts within short period of time

Network Packets

Credential Theft

Use CredEnumerateW() and Mimikatz like tool to steal all other user credentials stored in the memory of compromised server

Use of suspicious credential stealing commands or tools

Server Security Log

Pass-the-Hash

Remotely execute malware using WMIC/PSEXEC tool with credential NTLM hash (or Kerberos ticket) copied from compromised server

User authenticates to new host(s) first time using hash logon rather than interactive logon, followed by execution of suspicious commands

Server Security Log,

Domain Controller Security Log

 

Each of the above anomaly signals may not individually indicate an attack, but aggregating all the signal and correlating them with the same entity (user) is much more definitive. When we observe some (or all) above anomalies from the same user or host over time – especially in some expected temporal sequence order, we can detect the lateral movement of this kind of real attack with high confidence.

 

This is the approach that Aruba IntroSpect (formerly Niara) uses to detect attacks such as Petya, based on behavioral changes of compromised users and systems.  Once IntroSpect raises an alert, security teams can shut down the attack via policy-based actions in Aruba ClearPass before the damage is done.

 

Petya is a great example for understanding the lateral movement of ransomware. This, coupled with using behavioral analytics software will enable your organization to be better protected from future attacks.

  • ClearPass
  • Introspect
  • NAC
  • Security
  • UEBA
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Read all about it! If it’s happening now, it’s in the community.

Check out the latest blogs from your community team, the community experts and other industry sources.
Labels