Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
    Peter- Next weekend. I'm still in the process of producing it (actually just deciding on the song).
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Security Firms Find Thin Lines Connecting NotPetya to Ukraine Power Grid Attacks...

    Current evidence is not enough

    Nonetheless, the evidence presented is not enough to make such bold remarks. Evidence shows thin lines to past "alleged" Russian operations, and nothing more...

    The group and the NotPetya campaign may have ties to past Russian state hacking campaigns, but that doesn't mean they're currently operating under orders from Russian officials.

    Furthermore, this Twitter thread contains other wild theories showing various potentially valid scenarios for NotPetya attack attribution.

    ESET and Kaspersky might have found some footsteps on the ground, but more solid evidence is needed before putting a smoking gun in Russia's hands for the whole NotPetya outbreak."

    https://www.bleepingcomputer.com/ne...cting-notpetya-to-ukraine-power-grid-attacks/
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Fair enough. Look forward to it
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    True. But does it really matter? It is rather obvious that Russia has been interfering with Ukrainian affairs for some time. Russia did annex the Crimea.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.scmagazine.com/kaspersk...f-notpetyas-corporate-victims/article/672533/
     
  6. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
How about another Johnny Cash song? Ring of Fire?
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I want to return to the Carbon Black article previously posted to highlight a couple of points.

First, the ransomware payload was identical to that employed by WannaCry: a .dll.
Of note, the use of "ordinal #1" as shown above indicates that the malware is checking for any sandboxing in place, which means the ransomware probably would not execute if the targeted device employed a security solution with a like feature. Also of note is the AV software checking being done by the malware, as given in the Carbon Black article, and the malware "customizing" its internal attacks based on the security software installed.

    What makes this attack unique however is the way the .dll was run on the network devices to encrypt their files:
The use of PsExec by malware is nothing new, so no reason to elaborate on that. What is novel about this attack is the exploitation of a known vulnerability in the wsPrintF function to arbitrarily run executable code from memory via buffer overflow; in this case, the ransomware .dll on the network devices via rundll32.exe.

    Microsoft ref. for wsPrintF function: https://msdn.microsoft.com/en-us/library/windows/desktop/ms647550(v=vs.85).aspx with the following warning:
    One more instance of Microsoft not de-activating a dangerous OS feature.
     
    Last edited: Jul 2, 2017
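The post above describes the payload being launched through rundll32.exe by ordinal export, with PsExec doing the remote execution. From the defender's side, that combination is visible in process-creation telemetry. The following is an added example, not code from the post or from the Carbon Black article: a small detection pass over constructed Sysmon-style process-creation records. The record layout, host names and payload file names are this example's own; PSEXESVC.exe (the PsExec service) and WmiPrvSE.exe (the WMI provider host) are the real process names that PsExec- and WMI-launched commands run under.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
# The field names, hosts and payload file names are placeholders for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": 'rundll32.exe "C:\\Windows\\System32\\shell32.dll",Control_RunDLL',
     "parent": "C:\\Windows\\explorer.exe"},                  # benign named-export launch
    {"host": "ws02", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": 'C:\\Windows\\System32\\rundll32.exe "C:\\Windows\\payload_sample.dat",#1 30',
     "parent": "C:\\Windows\\PSEXESVC.exe"},                  # ordinal export, non-.dll file, PsExec parent
    {"host": "ws03", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\bob\\AppData\\Local\\Temp\\x.dll,#1",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},  # ordinal export from Temp, WMI parent
    {"host": "ws04", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"host": "ws05", "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\example_system.dll,#2",
     "parent": "C:\\Windows\\explorer.exe"},                  # ordinal export, but trusted directory
]

# Matches `<dll>,#<n>`: a quoted or unquoted module path followed by an ordinal export number.
ORDINAL_RE = re.compile(r'(?P<dll>"[^"]+"|\S+?),\s*#(?P<ordinal>\d+)')

# Parents that indicate the command was started through a remote-execution channel.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}

# Directories from which rundll32 loading a module by ordinal is considered routine.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def ordinal_export(cmdline):
    """Return (module_path, ordinal) if the command line calls an export by ordinal, else None."""
    m = ORDINAL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip('"'), int(m.group("ordinal"))


def classify(event):
    """Return the list of reasons this process-creation event looks like rundll32 abuse (empty if none)."""
    reasons = []
    if not event["image"].lower().endswith("\\rundll32.exe"):
        return reasons
    hit = ordinal_export(event["cmdline"])
    if hit:
        module, ordinal = hit
        if not module.lower().startswith(TRUSTED_DLL_DIRS):
            reasons.append(f"rundll32 calls ordinal #{ordinal} in module outside trusted dirs: {module}")
        if not module.lower().endswith(".dll"):
            reasons.append(f"rundll32 loads a file without a .dll extension: {module}")
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in REMOTE_EXEC_PARENTS:
        reasons.append(f"rundll32 spawned by remote-execution host process {parent}")
    return reasons


def scan(events):
    """Map host -> reasons for every event that trips at least one rule."""
    findings = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            findings[event["host"]] = reasons
    return findings


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Each rule on its own is noisy (rundll32 with an ordinal from System32 is routine, which is why ws05 is not flagged); the value is in the conjunction of an ordinal export, an unusual module path or extension, and a PsExec or WMI parent, which together mirror the launch pattern the post describes.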
  8. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,882
The default applications don't do harm to the system. It's when an outside attacker abuses them that harm occurs.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Perhaps you missed this "tidbit" from the Microsoft article:
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Found this nifty utility used for debugging .dlls that shows how wsPrintF can be used to load a .dll: http://www.ollydbg.de/Loaddll.htm . BTW - the MessageBox function can also be used.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Finally, PsExec and WMIC were not the only OS utilities and processes abused in this attack as noted in the Carbon Black article:
     
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    Last edited: Jul 3, 2017
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "KIEV, Ukraine (AP) -- Official: firm at center of cyberattack knew of problems

    The small Ukrainian tax software company that is accused of being the patient zero of a damaging global cyberepidemic is under investigation and will face charges, the head of Ukraine's CyberPolice suggested Monday...

    Col. Serhiy Demydiuk, the head of Ukraine's national Cyberpolice unit, said:

    'They knew about it,' he told the AP at his office. 'They were told many times by various anti-virus firms. ... For this neglect, the people in this case will face criminal responsibility.'..."

    http://hosted.ap.org/dynamic/storie...ME&TEMPLATE=DEFAULT&CTIME=2017-07-03-07-53-55

["They knew about" what? The specific NotPetya or general vulnerabilities in its software?]
     
    Last edited: Jul 3, 2017
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
M.E. Doc situation - pitiful to say the least. According to NH-ISAC, the only confirmed infection vector was the hacked M.E. Doc server.
Detailed explanation of #NotPetya network propagation. The NSA exploits were only employed if all other propagation methods failed. Of note: this attack would have succeeded on any patched device. The malware can spread to other networks as long as the targeted network has mapped drive access to them. Finally, simply using an IDS and blocking SMB access to the Admin shares would have stopped it.
    Ref.: https://nhisac.org/nhisac-alerts/petya-ransomware-updates/

    -EDIT- The above also explains how the malware spread to commercial concerns outside of the Ukraine. Those affected concerns had given file sharing rights for their networks to the infected Ukrainian concerns.

Like I posted at the beginning of this thread, "a worm is a worm." It also is quite evident that a number of world-wide concerns need to "beef up" their network security against external worm-based attacks.

Also, this type of attack is applicable to any home user networks that are not using Windows HomeGroup networking, since those networks would be using the SMB protocol to communicate. Again, the Microsoft patch only protects against the known SMBv1 vulnerability. It does not protect against misuse internally of all the remaining SMB protocol versions.
     
    Last edited: Jul 3, 2017
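The propagation the post describes relies on one host reaching the administrative shares (ADMIN$, C$) of many others over SMB, which is exactly the pattern a network sensor can alert on. The following is an added example, not code from the post or from the NH-ISAC alert: a sliding-window fan-out detector run over constructed SMB share-access log lines. The log format, host names, the allow-list of administrative workstations and the window/threshold values are all this example's assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed share-access log (sample data, not real telemetry):
# <ISO timestamp> <source host> <destination host> <share name>
SAMPLE_LOG = """\
2017-06-27T10:15:01 ws-fin-07 srv-file-01 Finance$
2017-06-27T10:15:03 ws-fin-07 ws-fin-08 ADMIN$
2017-06-27T10:15:04 ws-fin-07 ws-fin-09 ADMIN$
2017-06-27T10:15:05 ws-fin-07 ws-hr-02 C$
2017-06-27T10:15:06 ws-fin-07 srv-app-03 ADMIN$
2017-06-27T10:20:00 it-admin-01 ws-fin-08 ADMIN$
2017-06-27T10:40:00 ws-hr-02 srv-file-01 HR$
"""

# Hidden administrative shares that remote-execution tools write to.
ADMIN_SHARES = {"ADMIN$", "C$", "D$"}

# Assumed allow-list: hosts that are permitted to reach admin shares (IT management workstations).
ADMIN_WORKSTATIONS = {"it-admin-01"}


def parse(log):
    """Yield (timestamp, src, dst, share) tuples from the whitespace-separated log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, share = line.split()
        yield datetime.fromisoformat(ts), src, dst, share


def unauthorized_admin_share_access(log):
    """Every admin-share access from a source that is not on the allow-list.

    This is the 'block SMB to the admin shares' policy expressed as a detection:
    any such access is a policy violation regardless of volume."""
    return [(src, dst, share) for _, src, dst, share in parse(log)
            if share.upper() in ADMIN_SHARES and src not in ADMIN_WORKSTATIONS]


def admin_share_fanout(log, window=timedelta(seconds=60), threshold=3):
    """Sources that reach admin shares on >= `threshold` distinct hosts within `window`.

    Worm-style spreading touches many neighbours in a short burst; a single admin
    logging on to one box does not. Returns {src: sorted list of target hosts}."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst) inside the window
    alerts = {}
    for ts, src, dst, share in parse(log):
        if share.upper() not in ADMIN_SHARES or src in ADMIN_WORKSTATIONS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold:
            alerts[src] = sorted(targets)
    return alerts


if __name__ == "__main__":
    for src, targets in admin_share_fanout(SAMPLE_LOG).items():
        print(f"{src}: admin-share fan-out to {len(targets)} hosts: {', '.join(targets)}")
    for src, dst, share in unauthorized_admin_share_access(SAMPLE_LOG):
        print(f"policy violation: {src} -> \\\\{dst}\\{share}")
```

The two functions correspond to the two controls the post mentions: the fan-out rule is what an IDS would raise on, and the allow-list rule is the detection-side view of a firewall policy that only lets designated management hosts reach ADMIN$ and C$. Mapped-drive access to ordinary file shares (Finance$, HR$ in the sample) is deliberately left alone, since that is normal traffic.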
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "NotPetya: Why Would Russia Target Kaspersky AV?...

    Much has been made about the fact that the NotPetya virus appears to have been designed as a wiper, and not as a genuine piece of ransomware. The virus also checks for avp.exe (Kaspersky Antivirus) and then wipes the bootsector of any device with the file present...

    ...[T]he specific targeting of Kaspersky Antivirus harkens back to the vindictive nature of low level cyber criminals, such as those which famously write hate messages to Kaspersky and Brian Krebs regularly...

...[I]n January when Shadow Brokers claimed to be disappearing forever, they called out Kaspersky specifically in a dump of dated Windows files (SB trolled Kaspersky even more on Twitter, though deleted all those old tweets last week).

    Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug. TheShadowBrokers is giving you popped files and including corresponding LP files...

    So not just cybercriminals with a grudge against Kaspersky for cooperating with western law enforcement, but the source of some of the exploits used in this attack, has targeted Kaspersky in the past.

    I don’t know the answer. But it’s one counterargument to the rush to blame Russia that, in my opinion, needs some answers."

    https://www.emptywheel.net/2017/07/03/notpetya-why-would-russia-target-kaspersky-av/
     
    Last edited: Jul 3, 2017
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Well, it not only targeted Kaspersky but Symantec Endpoint and Norton. My take is that these two vendors are the prevalent ones used by commercial concerns in the Ukraine.
     
  17. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,557
  18. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://threatpost.com/researchers-find-blackenergy-apt-links-in-expetr-code
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Family firm in Ukraine [Intellect Service, the creators/publishers of M.E.Doc] says it was not responsible for cyber attack

    ...'[In] their first interview with foreign media since the attack, the Linniks said there was no evidence M.E.Doc, which is Ukraine's most-popular accounting software, was used to spread the virus and they did not understand the charges against them...

    Cyber security investigators are still trying to establish who was behind the attack...

    'What has been established in these days, when no one slept and only worked? We studied and analysed our product for signs of hacking - it is not infected with a virus and everything is fine, it is safe,' said Olesya, managing partner at Intellect Service.

    'The update package, which was sent out long before the virus was spread, we checked it 100 times and everything is fine'...

[The article then discusses that Ukrainian police investigators suspect/believe otherwise - unclear]...

'We have issues with the company's leadership, because they knew there was a virus in their software but didn't do anything ... if this is confirmed, we will bring charges,' Serhiy Demedyuk, the head of Ukraine's cyber police, told Reuters in a text message [apparently speaking to the issue of the Company's knowledge of the virus' presence - unclear].'

    Olesya said the company was cooperating with investigators and the police were yet to reach any conclusions...

    [Olesya is reported as saying] 'M.E.Doc is a transportation product, it delivers documents. But is an email program guilty in the distribution of a virus? Hardly.'..." [apparently saying that it was emails that contained the "virus", if any, not the M.E.Doc software update.]

    http://in.reuters.com/article/us-cyber-attack-ukraine-software-idINKBN19O2DK

[IMHO, the language of this article is ambiguous respecting the actual specific findings of the Ukrainian Cyber-Police as opposed to those of unnamed Ukrainian officials and specified software/security companies.]
     
    Last edited: Jul 3, 2017
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
As these attacks continue we will most likely see it as a new war, whether the correct countries are involved or not. It could be sabotage on a certain country.
Which means this is WAR. How far it goes is unknown at this point. All major players are beefing up their cyber and military war. Just like Kennedy stopped the Cuban missile crisis, hopefully Trump can stop this new war. This is not fear mongering but very serious stuff, people.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Interesting.

    Appears the software is a proprietary e-mail product. The question is if M.E. Doc is responsible for the content it delivers? Apparently not based on its response. Wonder if its customers realized that fact?

    Now for the $64,000 question. Want to bet the content is in a proprietary format that cannot be scanned by conventional AV software? Sad to say, but it appears to me these eastern European countries are a disaster waiting to happen.

-EDIT- Also, M.E. Doc's statements don't sync with the NH-ISAC findings noted in reply #239, which found a backdoor on their web site allowing for an actual malware download they used for their testing.

    Also noted in the Olesya posting are Eset's comments:
    Since these are "internal" messages, no one would suspect any links or the like would be malicious.
     
    Last edited: Jul 3, 2017
  22. snerd

    snerd Registered Member

    Joined:
    Dec 8, 2007
    Posts:
    130
    Location:
    Arkansas USA
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Remember what I have been saying about backdoors?

Factoring in the M.E. Doc web site backdoor that NH-ISAC found, what we have here is a major software provider thoroughly infested with malware. What is negligent on M.E. Doc's part, in my opinion, is that a full security and forensic analysis was not done on their installation after the May ransomware incident.
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
It appears that a version of such an analysis, although perhaps more limited than what @itman recommends, may have been done and discovered "problems". -- Would you like some recklessness with that negligence?

    https://www.wilderssecurity.com/thr...bal-cyber-attacks.395036/page-10#post-2689644
     
    Last edited: Jul 4, 2017