When the WannaCry ransomware tore through the UK and Europe in May, there was a certain logic to the heightened scale of damage. Ransomware attacks were nothing new, but this one had a secret weapon, a sophisticated software exploit known as EternalBlue, published by the Shadow Brokers in April and believed to have been developed by the NSA. It was nation-state level weaponry turned against soft, civilian targets, like robbing a small-town bank with an Abrams tank. If you were looking for answers on how it spread so far so fast, you didn't have to look far.
Now, just over a month later, a new strain of ransomware has inflicted similar damage with almost none of that firepower. A variant of the Petya family of ransomware, the virus has infected thousands of systems across the world, including massive multi-national corporations like Maersk, Rosneft and Merck, but it’s done so with far less raw material. Petya is still using EternalBlue, but by now many of the target organizations are protected, and that exploit is far less crucial to the ransomware’s spread. Instead, Petya exploits more fundamental vulnerabilities in the way we run networks and, more crucially, deliver patches. They’re not as eye-catching as an NSA exploit, but they’re more powerful, and could leave organizations in a much more difficult position as they try to recover from today’s attacks.
Spreads SUPER fast – saw org 5K systems hit in under 10 minutes.
Restarts computer with ransom message (MBR).
— Dave Kennedy (ReL1K) (@HackingDave) June 27, 2017
Where WannaCry focused on poorly patched systems, Petya seems to have hit hardest among large corporate networks, a pattern that's partially explained by how the malware spread. Once a single computer on a network was infected, Petya used Windows remote-administration mechanisms, Windows Management Instrumentation (WMI) and the Microsoft Sysinternals tool PsExec, to infect other computers on the same network, using credentials harvested from the first machine rather than any software flaw on the next one.
Both tools are normally used for remote admin access, but security researcher Lesley Carhart says they’re often used by attackers as a way to spread malware within a compromised network. “WMI is a super-effective lateral movement method for hackers. It’s frequently allowed and built-in, so rarely logged or blocked by security tools,” says Carhart. “Psexec is a bit more depreciated and more monitored but still very effective.”
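The two lateral-movement primitives described above both leave traces that can be checked for, provided the logging exists. The following is an added example, not code from the article or from any of the researchers quoted: it scans a handful of constructed Windows event records for a PsExec service install (System log event 7045, whose default service name is PSEXESVC) and for processes spawned by the WMI provider host (Sysmon event 1 with WmiPrvSE.exe as the parent). The record layout and the sample events are constructed for the example.

```python
# Added example: flag PsExec service installs and WMI-spawned processes over
# constructed Windows event records. Field names mirror the System log
# (event 7045, "service installed") and Sysmon (event 1, "process create");
# the records themselves are made up for this example.

# Scripting hosts and LOLBins that WmiPrvSE.exe has little reason to spawn.
LOLBIN_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "regsvr32.exe"}

# Constructed sample events, one dict per record.
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7045, "host": "ws-12",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"log": "System", "event_id": 7045, "host": "ws-12",
     "ServiceName": "Backup Agent",
     "ImagePath": "C:\\Program Files\\Backup\\agent.exe"},
    {"log": "Sysmon", "event_id": 1, "host": "ws-07",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\payload.dll,#1"},   # constructed
    {"log": "Sysmon", "event_id": 1, "host": "ws-07",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe"},
    {"log": "Sysmon", "event_id": 1, "host": "dc-01",
     "Image": "C:\\Windows\\System32\\dllhost.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "C:\\Windows\\system32\\DllHost.exe"},
]


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return (severity, reason) if the event looks like PsExec/WMI lateral
    movement, else None."""
    if ev["log"] == "System" and ev["event_id"] == 7045:
        name = ev.get("ServiceName", "")
        image = basename(ev.get("ImagePath", ""))
        # Default PsExec service name/binary; `psexec -r` renames it, so this
        # is a baseline check, not a complete one.
        if name.upper() == "PSEXESVC" or image == "psexesvc.exe":
            return ("high", "PsExec service installed")
        return None
    if ev["log"] == "Sysmon" and ev["event_id"] == 1:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent == "wmiprvse.exe":
            if child in LOLBIN_CHILDREN:
                return ("high", f"{child} spawned by WMI provider host")
            return ("medium", f"{child} spawned by WMI provider host")
    return None


def scan(events):
    """Run check_event over every record and collect the alerts in order."""
    alerts = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            alerts.append({"host": ev["host"], "severity": hit[0], "reason": hit[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The WMI rule only fires if process-creation events carry the parent image, which stock Windows auditing does not record; that is the practical content of Carhart's point that WMI is "rarely logged". Sysmon or an EDR agent is the prerequisite, and a renamed PsExec service (`psexec -r`) will slip past the name check, so the 7045 rule is best paired with a review of any newly installed service whose binary sits in the Windows root.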
Even networks that had patched against the EternalBlue exploit were sometimes vulnerable to attacks launched from within the network. According to F-Secure’s Sean Sullivan, that’s in keeping with previous Petya attacks, which have historically targeted large companies likely to quickly pay out ransoms. “This started as a group targeting businesses,” Sullivan says, “and you have them picking up an exploit that’s perfect to nail businesses with.”
The more troubling aspect is how Petya got into the computers in the first place. According to research by Talos Intelligence, the ransomware may have spread through a compromised update to a Ukrainian accounting package called MeDoc. "Based on observed in-the-wild behaviors," the company writes, "we believe it is possible that some infections may be associated with software update systems for… MeDoc." MeDoc has denied the allegations, but a number of other groups have concurred with Talos's finding, pointing to what appears to be a forged digital signature in the payload. If that signature were accepted by the updater, it would have given attackers a clean way into almost any system running the software.
That would also explain Petya’s heavy footprint in Ukraine: as many as 60 percent of total infections were in the country, including the country’s central bank and largest airport.
It's not the first time hackers have compromised auto-update systems to deliver malware, although such attacks have usually been the work of nation states. In 2012, the Flame malware used a forged Microsoft code-signing certificate to pose as Windows Update and deliver malware to targets in Iran, an operation that many have attributed to the US government. A 2013 attack on South Korean banks and TV stations also spread through compromised internal patching systems.
NYU security researcher Justin Cappos, who works on securing patching procedures as part of The Update Framework, says such weaknesses in update pipelines are remarkably common, either because clients don't sufficiently verify the updates they receive or because the signing keys behind them are insufficiently protected. At the same time, compromising software updates is one of the most powerful ways to compromise a machine.
“It’s like the holy grail for attackers,” says Cappos. “This piece of software is on every computer, it usually runs with admin access, it makes outgoing connections that tend to be encrypted and it bypasses any firewall you have.”
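The two failure modes Cappos describes, weak verification on the client and weak protection of the signing key, can be seen in a small update verifier. The following is an added example and is not code from The Update Framework, MeDoc, or the article: it checks an update manifest against a key the client pins, refuses rollbacks to an older version, and checks the payload hash against the signed manifest. HMAC-SHA256 with a pinned key stands in for the asymmetric signature a real updater would use (an assumption made to keep the example dependency-free; a real client would pin a public key and never hold the signing key). The manifests, payloads and key bytes are constructed.

```python
# Added example: a minimal signed-update verifier. HMAC-SHA256 over a
# pinned key stands in for a real asymmetric signature (assumption, for a
# dependency-free example). Manifests, payloads and keys are constructed.
import hashlib
import hmac
import json

# Assumption: in a real client this would be a pinned *public* key.
PINNED_KEY = b"example-pinned-key-do-not-use"


def canonical(manifest):
    """Deterministic byte encoding so signer and verifier hash the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(key, manifest):
    """Signer side: what the vendor's release process would do."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_update(key, installed_version, manifest, signature, payload):
    """Client side. Returns (ok, reason); every rejection names the check
    that failed, so a refused update is explainable in a log."""
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return (False, "signature does not verify under the pinned key")
    if manifest["version"] <= installed_version:
        return (False, "rollback: manifest version is not newer than installed")
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        return (False, "payload hash does not match the signed manifest")
    return (True, "ok")


# Constructed scenario: the vendor signs version 2 of a product.
GOOD_PAYLOAD = b"vendor build 2.0"
EVIL_PAYLOAD = b"vendor build 2.0 + attacker code"
MANIFEST_V2 = {"product": "example-app", "version": 2,
               "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest()}
SIG_V2 = sign_manifest(PINNED_KEY, MANIFEST_V2)


def scenarios():
    """Run the verifier against a genuine update and four attacker moves."""
    results = {}
    results["genuine"] = verify_update(PINNED_KEY, 1, MANIFEST_V2, SIG_V2, GOOD_PAYLOAD)

    # Update server compromised: signed manifest left alone, payload swapped.
    results["swapped_payload"] = verify_update(PINNED_KEY, 1, MANIFEST_V2, SIG_V2, EVIL_PAYLOAD)

    # Attacker writes a manifest for the evil payload and signs it with a key of their own.
    evil_manifest = dict(MANIFEST_V2, sha256=hashlib.sha256(EVIL_PAYLOAD).hexdigest())
    results["forged_signature"] = verify_update(
        PINNED_KEY, 1, evil_manifest, sign_manifest(b"attacker-key", evil_manifest), EVIL_PAYLOAD)

    # Replay of a genuinely signed but older manifest to a client already on version 2.
    results["rollback"] = verify_update(PINNED_KEY, 2, MANIFEST_V2, SIG_V2, GOOD_PAYLOAD)

    # The case client-side checks cannot catch: the signing key itself has leaked.
    results["stolen_key"] = verify_update(
        PINNED_KEY, 1, evil_manifest, sign_manifest(PINNED_KEY, evil_manifest), EVIL_PAYLOAD)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in scenarios().items():
        print(f"{name:17s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The first four scenarios show what client-side verification buys: a swapped payload, a re-signed manifest and a replayed old version are all refused. The last one shows its limit, and is the second half of Cappos's point: once the signing key is in the attacker's hands, a correctly implemented verifier accepts the malicious update. That is why frameworks such as TUF split signing across several keys with separate roles and keep the most important ones offline, so that compromising the online update server is not the same as compromising the release key.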