By The CyberWire Staff
Petya picks up where WannaCry left off.
A new disruptive campaign of uncertain origin, originally but probably inaccurately characterized as ransomware, hit targets in Europe and elsewhere Tuesday. Ukraine was particularly affected, with banks (including ATMs), many government offices, and electrical utility networks (including those engaged in monitoring radiation levels at the former power plant in Chernobyl) suffering heavily. The Russian oil firm Rosneft also reports being affected (and has archly expressed the hope that the attack isn't connected to ongoing legal disputes with its domestic rival, oligarch-run Sistema). Beginning almost immediately, the infestation spread to many other countries. Early cases were reported by the Danish shipping concern A.P. Moller-Maersk (interrupting operations at many ports Maersk runs around the world), pharmaceutical company Merck (this in the US), Deutsche Post (its operations in Ukraine), British advertising agency WPP, a Cadbury chocolate factory in Tasmania, medical centers in the US, and port facilities in Los Angeles and Mumbai, to name a few of the more prominent infections (The CyberWire). The effect has been worldwide, and the attack is regarded as more serious than WannaCry (Stuttgarter Nachrichten).
Group-IB believes the attacks on Ukraine and Rosneft were simultaneous and coordinated (Reuters). Kaspersky and Flashpoint were early in saying they'd observed signs of the Petya (a.k.a. Petrwrap, a.k.a. Goldeneye, a.k.a. NotPetya, a.k.a. ExPetr, a.k.a. Nyetya) strain of ransomware in the attacks. Petya, formerly used in targeted attacks spread by phishing with malicious Word files, has been altered to gain wormlike functionality and to incorporate the EternalBlue exploit the ShadowBrokers leaked on April 14th of this year. Noting this evolution, some analysts call the new variant "NotPetya" (or "ExPetr," or "Nyetya") to distinguish it from the Petya and Goldeneye families whose code it borrows, but all of these names refer to the same June 27th attack. Contrary to early reports and general expectation, it does not seem to have used email as its principal vector. Instead it established itself in its first targets through a compromised update delivered to Ukrainian users of MeDoc tax accounting software (Tanium).
Many have compared Petya to WannaCry. They both look like ransomware, they're both worms, and they both take advantage of EternalBlue. They're also both indiscriminate. But this version of Petya is in many ways better crafted and more destructive than WannaCry. Petya overwrites the master boot record rather than merely encrypting files, so an infected machine won't boot into Windows at all, which makes it more dangerous, and Petya also doesn't show the sort of stumblebum fumbling with Bitcoin wallets so much in evidence with WannaCry. And of course and unfortunately, this version of Petya didn't come with a readily accessible kill switch. A researcher has developed what's being called a "vaccine" or a "localized kill switch," a file that can be placed on individual machines to keep the malware from running on them, but that's a different matter from a network-wide stop (ABC News). Some ISACs took prompt and effective action (The CyberWire), and there are various measures enterprises can take on their own to protect themselves (The CyberWire).
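The host-level measures alluded to above, as an added example that is not code from this article or from any vendor it cites. It assumes an elevated PowerShell session on a Windows host; the "vaccine" file name (perfc in the Windows directory) is the one the researcher published, and the MS17-010 KB identifiers are the March 2017 per-OS security updates as I recall them, which should be verified against Microsoft's bulletin for the builds you actually run.

```powershell
# Added example (not from the CyberWire article): three host-level checks
# against the Petya/NotPetya worm. Run elevated. Assumptions are marked.

# 1. The published "vaccine": the June 27th sample exits if a file named perfc
#    (no extension) already exists in %WINDIR%. Creating it read-only makes
#    the host a dead end for this particular sample. It is not a patch, and a
#    recompiled variant can simply check for a different name. perfc.dat and
#    perfc.dll are included for the alternate names circulated early on.
function Install-PerfcVaccine {
    param([string]$WinDir = $env:WINDIR)
    $created = @()
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $WinDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
            $created += $path
        }
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
    return $created
}

# 2. MS17-010, the fix for EternalBlue, shipped March 14th 2017. The KB list is
#    an assumption (my recollection of the per-OS March 2017 updates); verify
#    it. On Windows 10 a later cumulative update supersedes these KBs and
#    Get-HotFix will not list them, so "not found" there means "check the OS
#    build", not "unpatched".
$script:Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # Vista / Server 2008 (and XP/2003, May 2017)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)
function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($installed | Where-Object { $script:Ms17010Kbs -contains $_ })
}

# 3. EternalBlue abuses SMBv1; turn the server side off. Get-SmbServerConfiguration
#    exists on Windows 8 / Server 2012 and later; older hosts get the registry
#    setting Microsoft documents for them (takes effect after a reboot).
function Disable-Smb1Server {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    return [bool](Get-ItemProperty -Path $key -Name SMB1).SMB1
}

# Run all three and report one line per check.
$vaccine = Install-PerfcVaccine
$patched = Test-Ms17010Installed
$smb1On  = Disable-Smb1Server
"Vaccine files created : {0}" -f $(if ($vaccine) { $vaccine -join ', ' } else { 'already present' })
"MS17-010 KB found     : {0}" -f $patched
"SMBv1 server enabled  : {0}" -f $smb1On
```

One caveat the article does not spell out: this worm also spreads with credentials harvested on an infected host, over ordinary administrative shares, so a patched host with SMBv1 disabled can still be reached from a compromised neighbor whose local administrator password it shares. The checks above close the EternalBlue path; they do not substitute for unique local administrator credentials and restricted lateral access.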
If one accepts this Petya variant's self-presentation as ransomware, its rapid spread would be due either to the inherent difficulties of containing malware (especially true of worms), or to deliberate misdirection, or to simple willingness to take such targets of opportunity as present themselves. Many have noted that the attack came on the eve of Ukraine's Constitution Day, June 28th. While the putative ransom note's text appeared in English, Ukrainian authorities blame Russian hackers and characterize the ransom demand as misdirection covering what was really a malware installation (Reuters). The attack, says Ukraine's SBU security service, was committed by the same actors who hit the power grid around Kiev last December, and those actors, says the SBU, were Russian espionage services (Fortune). Russia denies complicity, of course. Russian officials say they were victims too, and Kremlin mouthpiece Dmitri Peskov has called for international cooperation against cybercrime (Reuters). Whether one sees infestations at Rosneft and a few other Russian sites as exculpatory evidence or as provocation and misdirection will depend on how historically informed one's interpretations of official Russian motives are.
The researcher known as the grugq has a clear analysis of what's up on Medium; he calls the relationship to Petya "skin-deep," and sees misdirection, not extortion. There's another interesting development: F-Secure says it's found signs that EternalBlue was incorporated into Petya/Nyetya/NotPetya six months ago, before the ShadowBrokers dumped the exploit, which would suggest the authors are either close to the Brokers (perhaps as suppliers) or had independent access to the exploit (Computing).
It doesn't appear to be true ransomware at all (Independent). Instead, it seems to be, effectively, a wiper. The growing probability that the attack is destructive lends some credibility to those who see this as espionage or hybrid warfare as opposed to crime. We've followed most coverage in calling the attack "ransomware," but it's unlikely the victims could recover their files even if they paid: the "personal installation key" the note asks victims to send is random data from which no decryption key can be derived, and the single contact email address was in any case shut down by its provider within hours of the outbreak. Most researchers by week's end were calling it a wiper that repurposed some Petya code (SecureList).
So the campaign was probably intended to be destructive and disruptive from the outset, with the code simply masquerading as ransomware. Cisco's calling it "Nyetya"—Russian wisecrack duly noted (Economic Times). At least one security firm CEO, KnowBe4's Stu Sjouwerman, calls it "open cyber warfare" and specifically blames Russia's GRU military intelligence service (which you may know as Fancy Bear) (BusinessWire). NATO, without formal attribution and certainly without invoking Article 5, has announced it will increase its cooperation with Ukraine and provide assistance in defense against cyberattacks (Ukrinform). States or crooks, the glum consensus is that we'll see more mass attacks of this general kind in the near future (PCR).
Financial losses put down to the outbreak are of course so far unknown, but speculation rates them as likely to be high (Chicago Tribune). Ransomware and wiper attacks have been costly (This is Money). One wild card will be litigation: some observers are thinking about how long a patch has been available for the exploit used in this campaign (roughly a quarter, since Microsoft's March update, which is a long time by security standards, even granting the greater difficulty of patching some specialized industrial control systems). They're led to speculate that there's a prima facie case of negligence on the part of companies who failed to apply Microsoft's patches (Bloomberg). India's government said this weekend that it's negotiated a deal with Redmond to enable Indian users to upgrade to Windows 10 at a discount, for security reasons (Indian Express).
The campaign's exploitation of EternalBlue, which the ShadowBrokers leaked along with claims it was a stolen NSA exploit (Business Insider), has brought harsh scrutiny of NSA's ability to secure its cyber tools. How did the ShadowBrokers get the code in the first place? (New York Times)
With the latest "Petya/PetrWrap ransomware" outbreak on the rise, are you protected?
Learn how to detect and respond to "Petya/PetrWrap ransomware" with AlienVault USM.
More from WikiLeaks' Vault7, and a teaser from the ShadowBrokers.
Late Wednesday WikiLeaks dumped another alleged CIA document from its Vault7. It purports to be a manual for "ELSA," a tool for tracking users of Wi-Fi-capable Windows devices based on the ESS (Extended Service Set) data of nearby Wi-Fi networks (Bleeping Computer). It has the sleazy vibe of a stalkerish mating app (WIRED). On Friday WikiLeaks released another leak, a manual for "OutlawCountry," which they claim is CIA-developed spyware designed to compromise Linux systems (Bleeping Computer). There's no clear explanation yet of where WikiLeaks gets its material.
Also on Wednesday RT reported that the ShadowBrokers were getting ready to name and shame an Equation Group operator who'd tweeted rude things about the Brokers. They claim the operator is responsible for crafting exploits used against Chinese targets (Newsline). And, not that you'd be interested in joining, but the ShadowBrokers say their exploit-of-the-month club did so well in June that they're doubling membership fees in July (Register).
Many are fed up with the apparent leaks and the collateral damage their release is doing (The CyberWire). (NSA isn't talking, but they can't be happy, either.) There are renewed calls in the US Congress to scrap the Vulnerability Equities Process in favor of full and immediate disclosure of all zero-days the Intelligence Community comes up with (New York Times). It's unlikely for many sound reasons that such a policy would actually be enacted and enforced, but there's a mood running strongly against "stockpiled zero-days."
Accelerate Malware Analysis with Orchestration (Webinar, June 22, 2017)
As malware becomes more advanced and harder to detect, cyber analysts are increasingly inundated with more work. The more menial tasks a security team performs, the less likely they are to have the time to properly analyze or defend against malware. Join ThreatConnect, Cisco Umbrella, and Cisco Threat Grid as they discuss how to defend your organization and utilize orchestration to enhance malware analysis capabilities.
Lost in the noise: Ukraine's other infestations.
The week of June 19th saw another ransomware campaign hit Ukraine. It didn't spread much, and it's been completely overshadowed by news of Petya/Nyetya/NotPetya, but the little-known malware, "PSCrypt," was aggressive and damaging. It seems to have been designed to hit Ukrainian targets only, which is odd, showing a national focus not usually seen in cyber crime. This points, of course, to a Russian hand, either security services or some of those "patriotic hackers" Mr. Putin has recently praised (Bleeping Computer).
There were also reports Thursday (sourced to the researcher "Malwarehunter") of another ransomware campaign loose in Ukraine (Bleeping Computer). No distinctive name for this one, yet: it's being called a "WannaCry clone." This one seems, again, to have targeted the country's power grid (Reuters).
Brute-force bears.
Last week's attempt to brute-force credentials on the UK Parliament's email system is being blamed on Russian intelligence services (The Guardian). Around ninety accounts belonging to MPs and staff members are thought to have been attacked, fewer than feared, but still enough (BBC). Skeptics think the attack too crude, too noisy, to have been the work of any intelligence service, and to be sure the evidence is circumstantial, the conviction founded as much on a priori probability as anything else. But it's worth recalling that other operations have been brazen enough: Cozy Bear rested quietly in the US Democratic Party's systems for months until Fancy Bear blew the gaff by rummaging around without any evident concern about whether anyone knew a Bear was there.
Parliament has continued to restrict remote access to its networks as it works to shore up security (Information Management).
Medical device manufacturers must lead on cybersecurity in an increasingly connected healthcare system.
While connected medical devices provide patients and physicians with technology to better manage chronic conditions, improve outcomes and reduce overall cost of care, they also increase cybersecurity risk exposure. In a new white paper, The Chertoff Group and Abbott evaluate the risk-benefit tradeoff of connected medical device use and identify ways for the medical device industry to come together and implement trusted security measures that will anticipate and address emerging cyber challenges.
ISIS continues to show limited skills against poorly protected targets.
ISIS has excited much concern in cyberspace, and while the Caliphate's ability to inspire terror attacks without using a vulnerable command-and-control infrastructure is indeed worrisome, fears about cyber attacks properly so-called have proven overblown. But Islamist extremists do succeed in achieving nuisance levels of vandalism and defacement. In the US over last weekend various Ohio state government sites were defaced by ISIS-sympathizing hacktivists. The same Algeria-based crew also hit a county government in Maryland (Ars Technica). The latter vandalism is cheeky: the county affected, Howard County, is in NSA's backyard.
In the meantime, no hacktivists or hoods had better mess with Livingston County, Michigan, which in a fate-tempting media advisory says it's devoted a lot of attention to shoring up its defenses (CIO Insight). Seriously though, Livingston County is doing a number of sensible things, especially in preparing for ransomware attacks with systematic backup and recovery plans.
The Five Eyes take another look at the crypto wars.
The Five Eyes (Australia, Canada, New Zealand, the United Kingdom, and the United States, close collaborators in signals and other forms of intelligence) are reconsidering their positions with respect to the widespread availability of strong, end-to-end encryption. Australian delegates to the Five Eyes senior meeting that opened Tuesday in Canada arrived with a mandate from their Government to push for limits on encryption (CRN). The UK has already made its position in favor of limitation known. How the matter will appear to the other three eyes remains to be seen, but the US Intelligence Community at least had seemed to give up on backdoors and crypto limitation as poor policy mixed with dreamy aspirations about practical impossibilities.
Much of the motivation to restrict access to encryption comes from concerns that criminals and (especially) terrorist organizations will escape effective surveillance that could enable governments to stop attacks before they start. Such concerns are both real and serious, but it's unclear how backdoors (to take the mode of access most often discussed) would help, given the extent to which so much terrorist online activity is open, overt, and carried out by known wolves. Let the Manchester bomber's use of YouTube stand for all the rest (Times).
The brute force attack on Westminster plays into these deliberations as well. There seems a degree of cognitive dissonance, irony, or perhaps sheer brass in any government's push for backdoor access to everyone else's systems when that government can't secure its own legislature's emails (Bleeping Computer).
Some of the Five Eyes' closest allies are also enacting increased surveillance powers. On June 22nd Germany's Bundestag expanded the circumstances under which that country's authorities would be authorized to use their Staatstrojaner lawful intercept tool (Spiegel). Surveillance is a sensitive matter in Germany, and the measures have drawn their share of opposition (Deutsche Welle). The revisions to state authority are here as elsewhere motivated largely by concerns over the threat of terrorism, particularly terrorism connected with Islamist unrest and the attendant refugee crisis in the Middle East. There are actually six laws that significantly affect government surveillance, collection, and immigration control: the Telecommunications Data Retention Law, the Flight Passengers Data Law, the Source Telecommunications and Online Surveillance Law, the Law for the Better Enforcement of a Duty to Leave, the Video Surveillance Improvement Law, and the Network Implementation Law (Deutsche Welle).
At Chatham House in the UK, Defense Secretary Fallon outlined his Ministry's approach to cyber operations (Gov.uk).
Feel vulnerable to insider threats? 74% of organizations feel the same way.
According to a recent survey, 57% of respondents cite insufficient data strategies and solutions to combat the rise in insider threats. You need an effective insider threat program to bridge the gap. Our eGuide can get you started.
And the Five Eyes aren't entirely comfortable with what they see out China-way, either.
China has promised not to snoop on the Canadian private sector, and not to steal said sector's intellectual property. Canada's agreed to do the same with respect to China, since it's a bilateral agreement and that's how those things work (Infosecurity Magazine).
No one really thinks Canada was up to no good inside Chinese corporate firewalls, of course, but there's plenty of suspicion running the other way, and at least two of the other Five Eyes are not at all comfortable with whatever spyware they think may arrive with Chinese telecom products. Australia's government is moving sensitive data out of a center in Darwin that's received significant Chinese investment and Chinese tech, and it's unlikely those data are coming back soon (Telecomasia). In the US, the House of Representatives is considering legislation that would prevent the Department of Defense from buying Chinese telecommunications gear (Washington Free Beacon). It would also forbid buying Russian kit, but the Defense Department was unlikely to buy from those sources anyway, so the measure would principally affect Chinese vendors.
China is flexing its muscles in cyberspace at least as much as it is in the South China Sea (Foreign Policy), where a quadripartite naval posedown has been running for some time (Cyberscoop).
Carrots, sticks, and regulators (and GDPR).
The European Union's General Data Protection Regulation goes into effect next May. A technical approach adopted by Google to stripping medical information from search results may have some relevance as data handlers consider the (very difficult) task of GDPR compliance (Naked Security).
In general, companies view the advent of new regulatory regimes, in particular GDPR, with unease (Help Net Security). With great uncertainty comes great trepidation.
Those optimists inclined to see carrots may wish to consider that the sort of stick GDPR might wield against non-compliant companies was adumbrated this week in a different case entirely. The European Union hit Google with a record fine for anti-competitive behavior: a cool $2.7 billion for goosing search results in its own favor (Apple Insider). Google will appeal, but Mountain View isn't optimistic: Google has said it expects to pay in full (CNBC). It may get worse: Margrethe Vestager, the EU's Commissioner for Competition, followed up the regulatory finding by encouraging companies whose business may have been damaged by anti-competitive practices to use her report as the basis for civil suits against Google (Sunday Times).
Russia wants to see source code. America has other concerns.
We noted last week that Moscow had demanded that US companies open their source code to inspection as a condition of doing business in Russia (Reuters). The stated concern is security; a desire to ensure no espionage tools are being quietly smuggled in.
The US Government has concerns of its own about Russian tech. A bill before the US Senate would bar the Department of Defense from using Kaspersky products. At this stage the proposed legislation is more gesture than probable law, signaling a Congressional disposition to get tough with Moscow. Meanwhile, the FBI this week began interviewing Kaspersky employees in what Kaspersky characterized as "due diligence" conversations (Reuters). The Russian government says it will retaliate if the Americans give Kaspersky products the boot (Bloomberg).
Pushing for a break on cyber insurance (or offering warranties).
Apple and Cisco are pushing insurers to give their customers (that is, those who are also customers of Apple and Cisco) a break on cyber insurance rates (Reuters).
A different approach is also emerging: a small but growing number of security vendors are offering customers warranties that would indemnify them for costs and penalties incurred should an attack succeed despite installation and proper use of a security product (MIT Technology Review).