Features

Petya Ransomware – Detection and Response: Skybox Security Report

Petya, like WannaCry, signals a new era of cybercrime where global, distributed cyberattacks that are affecting all industries and geographies. The good news is that most distributed cybercrime attacks can be prevented or disrupted with proper vulnerability and threat management practices. The challenge, though, is doing that across an enterprise–scale network with limited resources.  Skybox observes this newest weapon of cyber criminals and points out ways how organizations can safeguard themselves from such vulnerabilities in future.

What is Petya?

Petya (Not Petya) is a new strain of ransomware that started spreading globally on June 27, 2017. As of this writing, Symantec, Palo Alto Networks and others have confirmed that Petya, like WannaCry, appears to be using the Eternal Blue exploit which targets a group of Microsoft Windows vulnerabilities collectively known as MS17-010. They are identified in the Skybox Intelligence Feed by the following CVE numbers: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148.

Other possible methods of propagation are still under investigation, including potential targeting of an exploit for the CVE-2017-0199 vulnerability.

Who is impacted?

Petya, similar to WannaCry, is targeting multiple organizations globally in a variety of industries. Ravid Circus, VP of Products for Skybox Security explains, “There are several reasons why organizations fall victim to attacks like Petya and WannaCry, but chief among them is the issue of complexity,” says Ravid Circus, VP of Products for Skybox Security. “Every organization in the world is grappling with complexity. Sprawling networks with millions of assets and vulnerabilities, mobile devices, disconnected security controls, hybrid and multi–cloud environments, legacy systems that are outdated, and a threat landscape that is always changing. Most companies don’t have the tools or time to examine the complex relationships between these things, or to orchestrate the response to the risks demanding immediate attention. To protect against attacks like Petya and WannaCry, security pros need to rethink their approach, starting with gaining complete visibility of their attack surface and exposures. They should also be automating everything from risk assessments to analysis to remediation priorities. We’ve seen how quickly Petya can spread; relying on manual methods to combat it is from now on out of the question.”

Is there a patch?

Yes!

Microsoft has delivered a patch for CVE-2017-0199, as well as for all systems affected by MS17-010 vulnerabilities, including systems that are not currently supported by the company, such as: Microsoft Windows XP, Windows Server 2003 and Windows 8.

Note: Skybox published the vulnerabilities in the Skybox Intelligence Feed on March 15, 2017, with a recommendation to patch immediately. In addition, after assessment of real–time threat intelligence by the Skybox Research Lab, the MS17-010 vulnerabilities were marked as “exploited in the wild” on April 18, 2017, in Skybox Vulnerability Control.

Ravid continues, “While Petya fits in the new echelon of global, distributed ransomware, it preys on classic cybersecurity weaknesses — known vulnerabilities with known exploits,” says Ravid Circus, VP of Products for Skybox Security. “This tells us many current vulnerability management programs aren’t built to tackle today’s threats. Organizations struggle to understand their network and security gaps and which issues demand immediate attention, like vulnerabilities used in active attack campaigns. They fundamentally need to gain visibility over their network — physical and multi–cloud networks, operational technology and mobile devices — and correlate that information with vulnerability and threat intelligence. With this context, they can quickly understand where their risks lay, how they could be exploited, what issues take priority and how best to fix them.”

Recommendations

Protect and Respond: The Skybox Security Suite

Skybox solutions for vulnerability and threat management, firewall management and security policy management can assist in the remediation of vulnerabilities associated with Petya and the access rules it exploits. These solutions can also help protect against similar attacks in the future.

Vulnerability and Threat Management

Use Skybox Vulnerability Control to identify and remediate vulnerabilities exploited by the Petya attack.

Step 1: Discovery

Skybox Vulnerability Control can identify all devices that contain Petya–related vulnerabilities. This identification can be performed within minutes by the vulnerability detection feature.

After remediation steps are complete, Skybox recommends repeating vulnerability detection to ensure all vulnerable devices have been addressed. Vulnerability Control can also be used to quickly track remediation efforts by running it every few hours (this is not possible with a traditional scan).

Step 2: Prioritization

Vulnerability Control identifies the Petya–related vulnerabilities as being “exploited in the wild” and tags them as a critical severity. Skybox Horizon also highlights vulnerabilities exploited in the wild, exposed in your network or with exploit code available, identifying them throughout organizational units and across geographies. This makes understanding which vulnerabilities require immediate triage and remediation.

Skybox’s attack simulation identifies exposure to attack from third–party and other external connections. You may wish to close off these connections to protect against future infections.

Preventing a similar attack in the future

  • Address underlying issues around poor cyber hygiene immediately
  • Conduct a complete risk assessment of vulnerabilities in your network, including public and private clouds, using Vulnerability Control
  • Prioritize vulnerability remediation by “imminent” and “potential” threats using Vulnerability Control; develop a plan to remediate imminent threats immediately and track through to completion; deal with potential threats over time
  • Change your approach from simple vulnerability management to threat–centric vulnerability management, TCVM
  • Identify and audit your network perimeter to ensure ingress/egress is properly identified; understand the extent of access that all third parties have into your network using Network Assurance and Firewall Assurance
  • Audit network and firewall infrastructure regularly for misconfigurations using Firewall Assurance and Network Assurance
  • Build compliance and risk assessments into firewall change processes using Change Manager
  • Develop fit–for–purpose organizational access policies and configuration standards using Firewall Assurance and Network Assurance
  • Build and maintain a detailed understanding of the assets within your network, including on– and off–premise and multi–cloud networks, aligned to business criticality using the Skybox

Security Suite platform

If you have additional questions or would like a product demonstration to guide you through any of the steps we’ve recommended, please contact us.

Step 3: Remediation

Apply patches and use IPS signatures, access rules and network segmentation to block attack paths. Use the Remediation Center feature in Vulnerability Control to track the remediation status of Petya–related vulnerabilities, ensuring that all proper procedures were carried out and no devices omitted. Skybox recommends adopting an approach of using Vulnerability Control to continuously monitor for new vulnerabilities and identify changes in asset exposure, as well as the emergence of new threats.

Firewall and Security Policy Management

Although Petya’s propagation methods are still being identified, many researchers believe that Petya is leveraging the same Server Message Block (SMB) network kernel vulnerabilities used by WannaCry. Use Skybox Firewall Assurance, Skybox Network Assurance and Skybox Change Manager to change firewall or network device rules and block the propagation of the exploit.

  • Identify all routes and firewall rules that are using the infected services — SMB: 135, 139, 445
  • Review and consider their need as part of network segmentation to minimize the spread of infection
  • Create change requests to remove these rules and prevent further infection
  • Review network topology, third–party connections and access routes
  • Ensure these routes block any potential attack paths

Related posts

Quick Heal Targets Enterprise Security

adminsmec

Partners are the key to transform UC into reality…

adminsmec

Surveillance: How promising is the Future for Partners?

adminsmec