
‘Defanged’ NotPetya released in a controlled environment


The UK-based cyber security company, NCC Group, has been able to replace the destructive parts of NotPetya with telemetry and safeguards. It was then released into a live environment.

In June 2017, an unnamed client asked NCC Group to help research the likely impact of the NotPetya malware on their live environment.

The client was fortunate in that they had not been affected, but wanted to know how bad it would have been if the alleged Russian-derived attack had impacted them.

The client asked, “So, would NCC Group be interested in producing a NotPetya simulation program? i.e. a NotPetya clone that we can run inside of our network, but with the ransomware removed and safeguards to ensure it stays within our network. Also could you create some reporting so that we can understand what mechanism it used to move between each host and how long it took to move around the network?”

After discussions, a set of requirements was agreed:

  • Target operating systems
  • Target enumeration mechanisms
  • Propagation mechanisms
  • Exploits
  • Enable/propagate switches
  • Kill/remove switches
  • Telemetry and reporting
  • Clean-up and removal
  • Anti-network saturation algorithm

The first four essentially mirrored NotPetya’s functionality, while the remaining five acted as safeguards and included data collection:

  • IP address whitelists restricting which hosts could be targeted, so the code ran only inside the client’s network
  • Pre-shared secrets held in DNS records, checked and validated before the code would run and before it would honour the kill/remove switch
  • Regular heartbeats
  • State reporting
  • Success/failure reporting
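The five safeguard requirements above (scope whitelist, DNS-held pre-shared secrets for the enable and kill switches, heartbeats, state reporting and the anti-saturation limit) describe a containment design rather than code, so the following is an added illustration of how such a guard can be structured. It is not NCC Group’s code and the CIDR ranges, record names, shared key and resolver are all constructed for the example; a real deployment would replace the fake resolver with an actual DNS TXT lookup.

```python
import ipaddress
import hmac
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample configuration: the ranges the simulation may operate
# within and the DNS record names that gate it. Illustrative values only,
# not taken from the engagement described in the article.
ALLOWED_RANGES = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.168.50.0/24")]
ENABLE_RECORD = "enable.sim.example.internal"   # assumed record name
KILL_RECORD = "kill.sim.example.internal"       # assumed record name
SHARED_KEY = b"constructed-pre-shared-key"      # constructed secret


def in_scope(target: str) -> bool:
    """True only if target parses as an address inside a whitelisted range."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_RANGES)


def expected_token(record: str) -> str:
    """Token the operator publishes in DNS: HMAC of the record name under the shared key."""
    return hmac.new(SHARED_KEY, record.encode(), hashlib.sha256).hexdigest()


def check_dns_secret(record: str, resolver: Callable[[str], Optional[str]]) -> bool:
    """Fetch the TXT value and compare it to the expected token in constant time."""
    value = resolver(record)
    if value is None:
        return False
    return hmac.compare_digest(value.strip(), expected_token(record))


@dataclass
class SimulationGuard:
    resolver: Callable[[str], Optional[str]]
    max_actions_per_window: int = 5        # anti-saturation budget per window
    window_seconds: float = 60.0
    clock: Callable[[], float] = time.time  # injectable for deterministic tests
    _actions: List[float] = field(default_factory=list)

    def may_run(self) -> bool:
        """Run only if the kill record is absent/invalid and the enable record validates."""
        if check_dns_secret(KILL_RECORD, self.resolver):
            return False
        return check_dns_secret(ENABLE_RECORD, self.resolver)

    def permit_action(self, target: str) -> Dict[str, object]:
        """Decide on one propagation attempt; return a telemetry record explaining why."""
        now = self.clock()
        self._actions = [t for t in self._actions if now - t < self.window_seconds]
        decision: Dict[str, object] = {"target": target, "time": now,
                                       "allowed": False, "reason": ""}
        if not self.may_run():
            decision["reason"] = "switch state forbids running"
        elif not in_scope(target):
            decision["reason"] = "target outside whitelist"
        elif len(self._actions) >= self.max_actions_per_window:
            decision["reason"] = "rate limit (anti-saturation)"
        else:
            self._actions.append(now)
            decision["allowed"] = True
            decision["reason"] = "ok"
        return decision


def make_fake_resolver(records: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Stand-in for a DNS TXT lookup, backed by a constructed dictionary."""
    return lambda name: records.get(name)


if __name__ == "__main__":
    resolver = make_fake_resolver({ENABLE_RECORD: expected_token(ENABLE_RECORD)})
    guard = SimulationGuard(resolver, max_actions_per_window=2)
    for host in ("10.20.5.7", "8.8.8.8", "10.20.5.8", "10.20.5.9"):
        print(guard.permit_action(host))
```

Every decision, allowed or refused, is returned as a record so it can feed the heartbeat and state reporting the requirements call for; the kill record is checked before the enable record so that publishing the kill token stops activity even while the enable token is still present.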

After development and testing, the pseudo-malware, dubbed EternalBlue, was released onto the customer’s engineering network (a live environment, but not the corporate systems) on 7 December 2017.

According to NCC, the release generated far more data than was expected and was able to move through the network very quickly.

  • The customer ran it on one machine in their engineering network with no privileges.
  • It found three machines unpatched.
  • It exploited those three machines to obtain kernel-level access.
  • It infected those three machines.
  • Within 10 minutes it had gone through the entire engineering network using recovered/stolen credentials.
  • It then took the domain about two minutes later.
  • A total of 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.

Anti-virus on some target computers detected the pseudo-malware; NCC says it will be adjusted to avoid this and then deployed into the full production environment very soon.

More results to come.

Image: © User:Colin / Wikimedia Commons / CC BY-SA 4.0
