CyberWire Daily - Petya/PetrWrap/Goldeneye updates.
Episode Date: June 28, 2017
Today we speak at length with Tanium's Chief Security Architect on tracking the Petya ransomware pandemic.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
The Petya ransomware pandemic has spread essentially everywhere. It's worse than WannaCry and shows how little many enterprises did to protect themselves even after WannaCry's shot across their bow. Tanium's Ryan Kazanciyan joins us with the latest from their investigation.

I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 28, 2017.
Today's news is dominated by what we'll call, for convenience's sake, the Petya pandemic. It's going by different names, PetrWrap, NotPetya, and Goldeneye to take three alternatives, but it's the same disturbing product. The ransomware infestation began in Ukraine and has still hit that country most severely, but it's spread rapidly around the world, worming its way through Windows systems that haven't patched for the EternalBlue exploit used last month by WannaCry.

Joining us is Ryan Kazanciyan, chief security architect at Tanium.
So yesterday morning, June 27th, around 8 or 9 a.m. Eastern time, just as I was getting up, there was some initial chatter of this ransomware strain infecting a number of organizations, primarily in the Eastern Europe region. There were a couple of reported infections around Ukraine, and then we started to see some spread with organizations really throughout the world, even a handful in the United States, reporting that they had been impacted by this. And it was initially thought to be a variant of the Petya ransomware, which is a malware family that had been seen earlier this year. It has since been thought to be a different or at least slightly related, but not necessarily just a minor update to the original Petya malware. So a few people have taken to calling it Nyetya and other little puns and variants on that name.
So as we're recording, it's Wednesday morning on the 28th. Where do we stand right now?
Today, we have a much clearer understanding of how this ransomware operates, how people initially got infected, and how it propagates than yesterday. There was a bit of a fog of war yesterday as this first emerged. You have to imagine that organizations that were targeted by it were busy putting out fires. And in the meantime, a lot of security vendors and security researchers were trying to piece together information from publicly available sources to understand how this thing worked. And so there were initially some incorrect assumptions made. A few folks started looking at samples on VirusTotal, found some that were definitely this new malware, found some that were not actually related, and so there were some indicators of compromise that didn't actually end up applying.
What we now know today is that the malware initially was transferred to impacted organizations through a software update that was laden with the malware, and that software update was for a Ukrainian tax accounting software package from a company called M.E.Doc. And as part of that update, the organization was apparently hacked and the updated software included the malware delivery mechanism. And that is, in fact, how the initial set of victims got the ransomware. The initial thought had been that this malware was transferred to victim organizations by means of a malicious Word document attached to emails. That actually turned out to be incorrect. A few researchers had mistakenly correlated an unrelated malware family sample to this campaign. But when you look at the initial method of entry, you can get a sense of how victim organizations have been targeted and chosen by the attacker. If you see something that's like a blast email campaign targeting thousands or tens of thousands of accounts, then you can kind of get a sense of what the targeting is. In this case, when you pinpoint a very specific vendor like M.E.Doc that has a very specific customer base from a regionality and industry perspective, that certainly changes the scope of the attack and might provide some clues as to the attacker's intent.
At this point, what do we know about propagation?
So once an organization is compromised, once there's a patient zero, the malware uses a few different methods to propagate within that organization's network. The first thing that it actually does is rather unique compared to WannaCry, in that this strain of malware actually recovers credentials from your infected system, specifically the Windows accounts that are either local to the box or are recently logged in and still have credentials cached in memory. And then it uses those credentials to attempt to authenticate to other Windows systems in the same network using Windows protocols that are just native to the operating system. And so it has a built-in, renamed PsExec utility that it uses with those credentials that it recovers to try to connect to shares on remote hosts. And once it's connected to those, it uses a combination of that and WMI, which is a native Windows tool, to basically execute the payload that drops the malware onto that host.

And so what you ended up seeing is, even if you were patched against the most recent vulnerabilities in Windows, if your Windows environment was set up such that you had common credentials that could be used to mount administrative shares from host to host, or if a highly privileged user was unfortunately patient zero, then that allowed the malware to propagate to a lot more shares. And so it really became an automated version of the types of lateral movement that targeted attackers will often apply when moving from host to host. And so that was the first method. The second method was similar to WannaCry in that it used the EternalBlue SMBv1 exploit. And the only distinction between WannaCry and this attack campaign is that this did not focus on spreading outside of the corporate network by means of the SMBv1 attack. It was more of a sort of fallback mechanism for propagation to complement the method that used the credentials on the box.

And so is there any sense for how wide this may spread?

It's still difficult to tell if we're at the long tail of propagation or if there's going to be a point of, you know, the sort of hockey stick growth that you sometimes see with some of these campaigns. The fortunate thing is that because the initial entry vector is fairly targeted, in that it's coming from that Ukrainian tax software, it is unlikely that a very large number of organizations had a patient zero. And so the damage that was done will likely be largely contained to those initial victims. That being said, there's nothing stopping the attacker from repackaging the same malware to be carried over different attack vectors, like, for example, an Office macro attack, as was initially speculated to be one of the means of transmittal. And so it would not surprise me to see follow-up campaigns or copycat campaigns that iterate on the same concept. The fact remains that between organizations that fail to patch in a timely manner and that have not locked down their Windows networks to prevent these sorts of host-to-host lateral movement, lots of other attackers can learn lessons from what worked and what didn't work in previous campaigns and adapt their future campaigns accordingly.
And so how about prevention? How can people protect themselves against this?
It's interesting. I think everyone says that WannaCry caught the entire industry with our pants down, insofar as almost no one was being as aggressive as they should have with patching. You had a three-month-old patch for a 30-month-old protocol, SMBv1, that Microsoft has been telling people to disable for upwards of three or four years now, and yet still WannaCry rolls around, and months and months later, no one's patched. There's a lot of reasons behind that. I don't mean to say that for victim-shaming purposes. You know, patching in many organizations is tedious and complex, and a lot of the patch management and systems management solutions that companies use are using ancient technology. And so systems management and the discipline and focus around that ends up being really critical here.

And the same is true for this most recent strain of malware, where yes, it's true that even if you were patched, it could still propagate. But the principles around locking down lateral movement, protecting credentials on endpoints, restricting the types of host-to-host traffic that this malware took advantage of, have again been talked about for upwards of five years as principles to restrict any form of lateral movement, not just wormable attacks. And so these are, again, I look at these as failures of systems management, more so than simply matters of failing to detect a new strain of malware. The reality is there will always be new strains of malware that our prevention tools fail to detect. There will always be new attack vectors that a lot of security prevention tools have failed to consider.
Our thanks to Ryan Kazanciyan from Tanium for taking the time out to join us this morning. As you might imagine, they've been busy.
And I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. You know, you and I often talk about these cases that are making their way through, and we say to ourselves, this one may make its way to the Supreme Court. Well, today we're talking about one that did make its way to the Supreme Court, actually got a unanimous decision. Take us through what we've got here today.

It's rare to see unanimous decisions on things that we would think of as controversial, but that's exactly what we saw in this case called Packingham v. North Carolina. The state of North Carolina passed a statute that made it a felony for registered sex offenders to access social media websites like Facebook and Twitter if they might encounter minors on those websites. And the Supreme Court, in an 8-0 decision (the newest justice, Justice Gorsuch, did not take part in it), held that this law is unconstitutional. And that's not surprising. Justice Anthony Kennedy, who wrote the opinion, wrote, and I quote, "a fundamental principle of the First Amendment is that all persons have access to places where they can speak and listen, and then, after reflection, speak and listen once more." Ever since the Supreme Court really started to explore First Amendment jurisprudence, particularly in the last 80 years or so, they've been extremely hesitant to allow what we call prior restraint, and that's restriction on a method of speech before the speaker has even uttered those words. It's one thing for law enforcement to punish somebody for the words that have been spoken, and there are a number of exceptions in First Amendment jurisprudence that allow punishment for somebody's words.

Well, we always think of, you know, shouting fire in a crowded movie theater. That's what everyone always says. You can't do that, right?

Yeah. So if your speech will create what we call imminent lawless action, and that's the legal standard, then that's not constitutionally protected speech. And those are the kind of restrictions that the Supreme Court has generally allowed over the years, where they've been extremely hesitant to restrict anybody, even the most objectionable people in society, people who have been convicted as sex offenders. They've been incredibly reluctant to limit any venues for speech. And it makes sense to us. This is the equivalent in the 1800s of preventing somebody from going into a public square and making a political statement. You can't prevent somebody from using a venue to speak their mind entirely. And I think it's completely unsurprising that the Supreme Court reached this decision unanimously. Whatever you think about the plaintiffs in this case, I think they're upholding a fundamental tenet of our First Amendment. And interesting for us specifically, because this is one of the first cases that has made it to the Supreme Court that has to do with social media and these modern methods of communication.

Yeah, I mean, in effect, what this decision is saying is that people have a constitutional right to use social media.

Again, social media has just become a venue to be used. It's the equivalent to any physical place or any other type of place. It's a place where people can speak political ideas, where there can be a marketplace of ideas, even for the most objectionable views. The Supreme Court is acknowledging that even though these are private entities, you can't ban a person from using this critical venue. This is just the way we get our ideas out in the 21st century. I think the Supreme Court is recognizing that principle. And from now on, there is a precedent that a person has a constitutional right to use social media to express themselves. I think that's going to be a very important precedent going forward.

All right, Ben Yelin, thanks for joining us.
And that's The Cyber Wire.
We are proudly produced in Maryland by our talented team of editors and producers. I'm Dave Bittner.
Thanks for listening.