
‘Defanged’ NotPetya released in a controlled environment

The UK-based cyber security company, NCC Group, has been able to replace the destructive parts of NotPetya with telemetry and safeguards. It was then released into a live environment.

In June 2017, an unnamed client requested NCC Group to assist with research on the likely impact of the NotPetya malware in their live environment.

The client was fortunate in that they had not been affected, but wanted to know how bad it would have been if the alleged Russian-derived attack had impacted them.

The client asked, “So, would NCC Group be interested in producing a NotPetya simulation program? i.e., a NotPetya clone that we can run inside of our network, but with the ransomware removed and safeguards to ensure it stays within our network. Also, could you create some reporting so that we can understand what mechanism it used to move between each host and how long it took to move around the network?”

After discussions, a set of requirements was created:

  • Target operating systems
  • Target enumeration mechanisms
  • Propagation mechanisms
  • Exploits
  • Enable/propagate switches
  • Kill/remove switches
  • Telemetry and reporting
  • Clean-up and removal
  • Anti-network saturation algorithm

The first four essentially mirrored NotPetya’s functionality, while the remaining five acted as safeguards and included data collection:

  • IP address whitelists defining the targets and ensuring the code only ran within those ranges
  • Pre-shared secrets held in DNS, checked and validated before the code was allowed to run and before it could be killed/removed
  • Regular heartbeats
  • State reporting
  • Success/failure reporting
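The two containment controls listed above, a target whitelist and a DNS-held pre-shared secret that gates both running and the kill/remove switch, can be shown as a small fail-closed check. The following is an added example written for this page and is not NCC Group's code; the network ranges, the DNS name `switch.sim.example.internal`, the record layout (`command:expiry:hmac`) and the use of an HMAC over a pre-shared secret are all assumptions made here, and the DNS lookup is replaced by an in-memory resolver so the example runs offline.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Constructed scope: the only networks the simulation may touch (assumption).
ALLOWED_SCOPE = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Hypothetical DNS name whose TXT record carries the enable/kill switch (assumption).
SWITCH_NAME = "switch.sim.example.internal"


def in_scope(address: str, scope=ALLOWED_SCOPE) -> bool:
    """True only when the address falls inside an approved network; anything unparseable is out of scope."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return any(ip in net for net in scope)


def mint_switch_record(secret: bytes, command: str, expires_at: int) -> str:
    """Operator side: build the record 'command:expiry:hmac' that is published in DNS.

    The expiry bounds how long a captured 'run' record stays valid, so a stale record
    cannot keep the simulation alive after the operator has changed the switch."""
    msg = f"{command}:{expires_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{command}:{expires_at}:{mac}"


def read_switch(resolve_txt: Callable[[str], Optional[str]], secret: bytes, now: int,
                name: str = SWITCH_NAME) -> str:
    """Agent side: return 'run' only for a valid, unexpired, authenticated record.

    Every failure path (no record, bad format, bad MAC, unknown command, expired)
    resolves to 'kill', so losing DNS or the secret stops the simulation rather than
    letting it continue."""
    record = resolve_txt(name)
    if not record:
        return "kill"
    parts = record.split(":")
    if len(parts) != 3:
        return "kill"
    command, expires, mac = parts
    if command not in ("run", "kill"):
        return "kill"
    try:
        expires_at = int(expires)
    except ValueError:
        return "kill"
    expected = hmac.new(secret, f"{command}:{expires_at}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC byte by byte.
    if not hmac.compare_digest(mac, expected):
        return "kill"
    if now > expires_at:
        return "kill"
    return command


def may_act_on(target: str, resolve_txt: Callable[[str], Optional[str]], secret: bytes, now: int) -> bool:
    """Gate every action on both controls: target inside the whitelist and switch set to 'run'."""
    return in_scope(target) and read_switch(resolve_txt, secret, now) == "run"


if __name__ == "__main__":
    # Constructed demonstration: the operator publishes a 'run' record valid until t=1000.
    secret = b"constructed-pre-shared-secret"
    published = {SWITCH_NAME: mint_switch_record(secret, "run", 1000)}
    resolver = lambda name: published.get(name)
    for target, t in (("10.20.5.7", 500), ("8.8.8.8", 500), ("10.20.5.7", 2000)):
        print(target, t, "allowed" if may_act_on(target, resolver, secret, t) else "blocked")
```

Note that the switch is checked on every action rather than once at start-up, which is what lets a change to the DNS record act as a kill switch for hosts that are already running the code.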

After development and testing, the pseudo-malware, dubbed EternalGlue, was released onto the customer’s engineering network (a live environment, but not the corporate systems) on 7 December 2017.

According to NCC, the release generated far more data than was expected and was able to move through the network very quickly.

  • The customer ran it on one machine in their engineering network with no privileges.
  • It found three machines unpatched.
  • It exploited those three machines to obtain kernel-level access.
  • It infected those three machines.
  • Within 10 minutes it had gone through the entire engineering network using recovered/stolen credentials.
  • It then took the domain about two minutes later.
  • A total of 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.

Anti-virus on some target computers detected the simulation; it will be adjusted to avoid this problem and then deployed into the full production environment very soon.

More results to come.

Image: © User:Colin / Wikimedia Commons / CC BY-SA 4.0
