The CyberWire Daily Podcast 6.28.17
Ep 380 | 6.28.17

Petya/PetrWrap/Goldeneye updates.


Dave Bittner: [00:00:00:11] Thanks again to all of our supporters on Patreon. You can check out to find out more.

Dave Bittner: [00:00:10:02] The Petya ransomware pandemic has spread essentially everywhere. It's worse than WannaCry, and shows how little many enterprises did to protect themselves even after WannaCry's shot across their bow. Tanium's Ryan Kazanciyan joins us with the latest from their investigation.

Dave Bittner: [00:00:31:22] It's time to take a moment to tell you about our sponsor, Recorded Future. Recorded Future's the real time threat intelligence company, whose patented technology continuously analyzes the entire web, to develop information security intelligence that gives analysts unmatched insight into emerging threats and, when analytical talent is as scarce and pricey as it is today, every enterprise can benefit from technology that makes your security teams more productive than ever. We at the CyberWire have long been subscribers to Recorded Future's Cyber Daily and, if it helps us, we're confident it will help you too. Subscribe today and stay a step or two ahead of the threat. Go to to subscribe for free threat intelligence updates from Recorded Future. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:26:09] Major funding for the CyberWire Podcast is provided by Cylance. I'm Dave Bittner in Baltimore with your CyberWire summary for Wednesday, June 28th, 2017.

Dave Bittner: [00:01:35:22] Today's news is dominated by what we'll call, for convenience's sake, the Petya pandemic. It's going by different names. PetrWrap, NotPetya and Goldeneye, to take three alternatives, but it's the same disturbing product. The ransomware infestation began in Ukraine, and has still hit that country most severely, but it's spread rapidly around the world, worming its way through Windows systems that haven't patched for the EternalBlue exploit used last month by WannaCry.

Dave Bittner: [00:02:03:00] Joining us is Ryan Kazanciyan, Chief Security Architect at Tanium.

Ryan Kazanciyan: [00:02:06:10] So yesterday morning, June 27th, around eight or nine am eastern time, just as I was getting up, there was some initial chatter of this ransomware strain infecting a number of organizations, primarily in the Europe and Eastern Europe region. There were a couple of reported infections around Ukraine and then we started to see some spread with organizations really throughout the world, even a handful in the United States, reporting that they had been impacted by this. It was initially thought to be a variant of the Petya ransomware, a malware family that had been seen earlier this year. It has since been thought to be a different or at least slightly related, but not necessarily just a minor update to the original Petya malware. So a few people have taken to calling it “Nyetya” and other little puns and variants on that name.

Dave Bittner: [00:03:09:05] So, as we're recorded, it's Wednesday morning on the 28th, where do we stand right now?

Ryan Kazanciyan: [00:03:14:07] Today we have a much clearer understanding of how this ransomware operates, how people initially got infected and how it propagated from yesterday. There was a bit of fog of war yesterday, as this first emerged. You have to imagine that organizations that were targeted by it were busy putting out fires and, in the meantime, a lot of security vendors and security researchers were trying to piece together information from publicly available sources to understand how this thing worked. So there were initially some incorrect assumptions made, a few people started looking at samples and VirusTotal found some that were definitely this new malware, some that were not actually related and so there were some indicators of compromise that didn't actually end up applying. What we now know today is that the malware initially was transferred to impact organizations through a software update that was laden with the malware, and that software update was for a Ukrainian tax accounting software package from a company called MEDoc and, as part of that update, the organization was apparently hacked and the updated software included the malware delivery mechanism. That is, in fact, how the initial set of victims got the ransomware.

Ryan Kazanciyan: [00:04:34:01] The initial thought had been that this malware was transferred to victim organizations by means of a malicious Word document attached to emails. That actually turned out to be incorrect. A few researchers had mistakenly correlated an unrelated malware family sample to this campaign. When you look at the initial method of entry, you can get a sense of how victim organizations have been targeted and chosen by the attacker. If you see something that's like a blast email campaign targeting thousands or tens of thousands of accounts, then you can get a sense of what the targeting is.

Ryan Kazanciyan: [00:05:11:19] In this case, when you pinpoint a very specific vendor like MEDoc that has a very specific customer base from the regionality and industry perspective, that certainly changes the scope of the attack and might provide some clues as to the attacker's intent.

Dave Bittner: [00:05:28:00] At this point, what do we know about propagation?

Ryan Kazanciyan: [00:05:31:06] So once an organization is compromised, once there's a patient zero, the malware uses a few different methods to propagate within that organization's network. The first thing that it actually does is rather unique compared to WannaCry in that this strain of malware actually recovers credentials from your infected system, specifically the Windows accounts that are either local to the box or have recently logged in and still have credentials cached in memory. It uses those credentials to attempt to authenticate to other Windows systems in the same network, using Windows protocols that are just native to the operating system. Therefore, it has a built-in renamed PsExec utility that it uses with those credentials, that it recovers to try to reconnect with the shares on the hosts and, once it's connected to those, it uses a combination of WMI, which is a native Windows tool, to basically execute the payload that drops the malware onto that host. What you ended up seeing is, even if you were patched against the most recent vulnerabilities of Windows, if your Windows environment was set up such that you had common credentials that could be used to mount administrative shares from host to host, or if a highly privileged user was unfortunately patient zero, then that allowed the malware to propagate to a lot more shares. So it really became an automated version of the types of lateral movement that targeted attackers will often apply when moving from host to host.

Ryan Kazanciyan: [00:07:11:17] So that was the first method. The second method was similar to WannaCry in that it used the EternalBlue SMBv1 exploit and the only distinction between WannaCry and this attack is that this did not focus on spreading outside of the corporate network by means of the SMBv1 attack. It was more of a fallback mechanism for propagation to complement the method that used the credentials on the box.

Dave Bittner: [00:07:41:21] So is there any sense for how wide this may spread?

Ryan Kazanciyan: [00:07:46:03] It's still difficult to tell if we're at the long tail of propagation or if there's going to be a point of the hockey stick growth that you sometimes see with some of these campaigns. The fortunate thing is that, because the initial entry vector is fairly targeted, in that it's coming from the Ukrainian tax software, it is unlikely that a very large number of organizations had a patient zero. Therefore, the damage that was done would likely be largely contained to those initial victims. That being said, there's nothing stopping the attacker from repackaging the same malware to be carried over different attack vectors, like, for example, an Office macro attack, as was initially speculated to be one of the means of transmittal. So it would not surprise me to see follow-up campaigns, or copycat campaigns, that iterate on the same concept. The fact remains that between organizations that failed to attach in a primary manner, and that have not locked down their Windows network to prevent these sorts of host-to-host lateral movement, lots of other attackers can learn lessons from what worked and what didn't work in previous campaigns and adapt their future campaigns accordingly.

Dave Bittner: [00:09:07:05] And, so, how about prevention. How can people protect themselves against this?

Ryan Kazanciyan: [00:09:11:15] It's interesting. Everyone says that WannaCry caught the entire industry with their pants down insofar as almost no one was being as aggressive as they should have with patching. You had a three-month-old patch for a 30-month-old protocol, SMBv1, that Microsoft has been telling people to disable for upwards of three or four years now. Yet still WannaCry was around and, months and months later, no one patched. There are a lot of reasons behind that, I don't need to say that for victim shaming purposes, patching in many organizations is tedious and complex and a lot of the patch management and systems management solutions that companies use are using ancient technology. So systems management and the discipline and focus around that ends up being really critical here. The same is true for this most recent strain of malware, where, yes, it's true, even if you were patched it could still propagate, but the principles around locking down lateral movement, protecting credentials on endpoints, restricting the types of host-to-host traffic that this malware took advantage of have again been talked about for upwards of five years as principles to restrict any form of lateral movement, not just wormable attacks. I look at these as failures of systems management more so than simply matters of failing to detect a new strain of malware. The reality is there will always be new strains of malware that our prevention tools fail to detect, there will always be new attack vectors that a lot of security preventions will have failed to consider.

Dave Bittner: [00:10:47:17] Our thanks to Ryan Kazanciyan from Tanium for taking the time out to join us this morning. As you might imagine, they've been busy.

Dave Bittner: [00:11:00:00] A few words about our sponsors at E8 Security. If you've been to any security conference over the past year, you've surely heard a lot about artificial intelligence and machine learning. We know we have. But E8 would like you to know that these aren't just buzz words, they're real technologies and they can help you derive meaning from what an overwhelmed human analyst would see as an impossible flood of data. So go to and let their White Paper guide you through the possibilities of these indispensable emerging technological tools. Remember, the buzz about artificial intelligence isn't about replacing humans, it's really about machine learning and technology that's here today. So see what E8 has to say about it and they promise you won't get a sales call from a robot. Learn more at, and we thank E8 for sponsoring our show.

Dave Bittner: [00:11:55:19] I'm pleased to be joined once again by Ben Yelin. He's a senior law and policy analyst at the University of Maryland Center for Health and Homeland Security. Ben, welcome back. You and I often talk about these cases that are making their way through and we say to ourselves, this one may make its way to the Supreme Court. Well, today, we're talking about one that did make its way to the Supreme Court. It actually got a unanimous decision. Take us through, what have we got here today?

Ben Yelin: [00:12:18:09] It's rare to see unanimous decisions on things that we would think of as controversial, but that's exactly what we saw in this case called Packingham v. North Carolina. The state of North Carolina passed a statute that made it a felony for registered sex offenders to access social media websites, like Facebook and Twitter, if they might encounter minors on those websites. The Supreme Court, in an eight-zero decision, the US Justice, Justice Gorsuch, did not take part in it, held that this law is unconstitutional and that's not surprising. Justice Anthony Kennedy, who wrote the opinion, wrote and I quote, "A fundamental principle of the First Amendment is that all persons have access to places, where they can speak and listen and then, after reflection, speak and listen once more." Ever since the Supreme Court really started to explore First Amendment's jurisprudence, particularly in the last 80 years or so, they've been extremely hesitant to allow what we call prior restraint and that's restriction on a method of speech, before the speaker has even uttered those words. It's one thing for law enforcement to punish somebody for the words that have been spoken and there are a number of exceptions in First Amendment jurisprudence that allow punishment for somebody's words.

Dave Bittner: [00:13:34:11] What we always think of as shouting fire in a crowded movie theater, that's what everyone always says - you can't do that, right?

Ben Yelin: [00:13:41:10] Yes. If your speech would create what we call imminent lawless action, and that's the legal standard, then that's not constitutionally protected speech. Those are the kind of restrictions that the Supreme Court has generally allowed over the years. Where they've been extremely hesitant to restrict anybody, even the most objectionable people in society, people who've been convicted as sex offenders, they've been incredibly reluctant is to limit any venues for speech. It makes sense to us, this is the equivalent in the 1800s of preventing somebody from going into a public square and making a political statement. You can't prevent somebody from using a venue to speak their mind entirely and I think it's completely unsurprising that the Supreme Court reached this decision unanimously, whatever you think about the plaintiffs in this case, I think they're upholding a fundamental tenet of our First Amendment.

Dave Bittner: [00:14:36:08] Interesting for us specifically because this is one of the first cases that have made it to the Supreme Court that have to do with social media and these modern methods of communication.

Ben Yelin: [00:14:47:06] Yes. In effect, what this decision is saying is that people have a constitutional right to use social media. Again, social media has just become a venue to be used, it's the equivalent to any physical place or any other type of place. It's a place where people can speak political ideas, where there can be a marketplace of ideas, even for the most objectionable views. The Supreme Court is acknowledging that, even though these are private entities, you can't ban a person from using this critical venue, this is just the way we get our ideas out in the 21st century. I think the Supreme Court is recognizing that principle and, from now on, there is a precedent that a person has a constitutional right to use social media to express themselves and I think that's going to be a very important precedent going forward.

Dave Bittner: [00:15:33:10] Ben Yelin, thanks for joining us.

Dave Bittner: [00:15:38:10] And that's the CyberWire. We'll be back to our usual mix of news tomorrow. In the meantime, you can check our CyberWire daily news brief at Thanks to all of our sponsors, who make the CyberWire possible, especially to our sustaining sponsor, Cylance. To find out how Cylance can help you, using artificial intelligence, visit The CyberWire podcast is produced by Pratt Street Media. Our Editor is John Petrik, Social Media Editor is Jennifer Eiben, Technical Editor is Chris Russell, Executive Editor is Peter Kilpe and I'm Dave Bittner. Thank you for listening.