Sunday, July 02, 2017

WannaCry overshadowed a more serious attack on credentials via DoublePulsar and foreshadowed Petya

The global impact of the WannaCry ransomware attacks made international headlines, but a recent story in the New York Times suggests that the noise from this event may have overshadowed a more serious attack that stems from the same leaked NSA hacking toolkit as WannaCry but is much more difficult to detect.

One company affected by this alternate attack - IDT Corporation, a US-based telecommunications company - was hit two weeks prior to WannaCry being unleashed. The exploit that affected IDT used the same technical attack vector as WannaCry, but then layered a second kernel-based attack called DoublePulsar to first steal an employee's network credentials and then turn into a standard ransomware attack, apparently to hide the more nefarious motive of credential theft.
... the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines. Worse, the assault, which has never been reported before, was not spotted by some of the nation’s leading cybersecurity products, the top security engineers at its biggest tech companies, government intelligence analysts or the F.B.I., which remains consumed with the WannaCry attack.
...in this case, modern-day detection systems created by Cylance, McAfee and Microsoft and patching systems by Tanium did not catch the attack on IDT. Nor did any of the 128 publicly available threat intelligence feeds that IDT subscribes to. Even the 10 threat intelligence feeds that his organization spends a half-million dollars on annually for urgent information failed to report it.
The unanswered question is: how many organizations are affected but do not realize it? In this case, when the ransomware is cleaned up, the problem is not over... and this fact isn't easily discovered.
Were it not for a digital black box that recorded everything on IDT’s network, along with Mr. Ben-Oni’s tenacity, the attack might have gone unnoticed.
Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons.
Attacks that are widely detected and have serious visible impact grab the headlines, but attacks that are allowed to go on for months without detection are arguably far worse, as they can either provide ongoing entry to a private network at will, or can set the stage for triggering some future large-scale, coordinated attack using agents that have been spread throughout a network.

Also interesting is that, although the IDT attack preceded the latest revision of the Petya attack, it shares the above advancements with Petya (NotPetya) as the latter not only tries to exploit the same SMB vulnerability as WannaCry but then tries to steal credentials from the local credential store and make further authorized connections around the network using legitimate channels.

As with WannaCry, the following factors contributed to prevention:
  • Anti-phishing programs: Malware commonly enters an organization's network via e-mail attachments that are clicked on and run by an employee.
Once malware has entered the network, the extent to which it succeeds in spreading is determined by the points that follow.
  • Regimented OS patching program: Ensuring that software (especially OS) updates are applied in a timely manner across the entire organization. To spread over the network, both attacks used the same SMB-based vector that had been patched in March 2017. The IDT attack used a second vector that was also patched at that time.
  • Privileged access management: Although some ransomware limits itself to the user space, those like Petya will request and use administrator privileges if they are available to infect the file system and take over the entire PC during the next reboot. Consider what this means when your credentials are stolen and are then used in conjunction with administrator-level privileges on a Windows server to remotely execute code on that server.
  • Managed end user devices: IDT had patched its corporate systems but was affected when a contractor connected to the company network from a personal computer, highlighting the potential risks of unmanaged bring-your-own-device (BYOD) facilities.
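The credential-theft phase described above (NotPetya's "further authorized connections around the network using legitimate channels", and the stolen-credential-plus-admin-privilege scenario in the privileged access point) leaves a footprint that conventional signature-based tools miss but logon telemetry does capture: one account, from one source machine, completing network logons to many hosts within minutes. The script below is an added example written for this post, not code from the original article or from IDT; it runs a simple fan-out heuristic over a constructed sample of Windows Security events (4624 successful logon with logon type 3 = network logon, 4672 special privileges assigned). The pipe-delimited record layout, the host names and IPs, and the window/threshold values are all assumptions chosen for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in an assumed flattened layout:
# timestamp|event_id|logon_type|user|source_ip|destination_host
# (4624 = successful logon, logon type 3 = network logon; 4672 = admin-equivalent
# privileges assigned at logon, logon_type not applicable and written as "-").
SAMPLE_EVENTS = [
    # benign: a backup service account reaching two file servers hours apart
    "2017-04-28T09:02:11|4624|3|svc_backup|10.1.1.20|FS01",
    "2017-04-28T11:40:05|4624|3|svc_backup|10.1.1.20|FS02",
    # suspicious: an unmanaged laptop reuses one user's credentials against
    # five hosts in under ten seconds, including a domain controller as admin
    "2017-04-28T13:15:01|4624|3|jdoe|10.1.9.77|FS01",
    "2017-04-28T13:15:03|4624|3|jdoe|10.1.9.77|FS02",
    "2017-04-28T13:15:04|4624|3|jdoe|10.1.9.77|DC01",
    "2017-04-28T13:15:06|4624|3|jdoe|10.1.9.77|APP03",
    "2017-04-28T13:15:09|4624|3|jdoe|10.1.9.77|HR-PC-12",
    "2017-04-28T13:15:09|4672|-|jdoe|10.1.9.77|DC01",
    # an interactive (type 2) logon is not remote access and must be ignored
    "2017-04-28T13:20:00|jdoe".replace("jdoe", "4624|2|jdoe|10.1.9.77|HR-PC-12"),
]


def parse_event(line):
    """Parse one pipe-delimited record (assumed layout) into a dict."""
    ts, eid, ltype, user, src, dst = line.split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(eid),
        "logon_type": None if ltype == "-" else int(ltype),
        "user": user,
        "src_ip": src,
        "dst_host": dst,
    }


def detect_fan_out(events, window=timedelta(minutes=5), threshold=4):
    """Flag (user, source) pairs whose network logons reach >= threshold
    distinct hosts inside any sliding window; note which hosts granted admin."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev["logon_type"] == 3:
            by_actor[(ev["user"], ev["src_ip"])].append(ev)
    # (user, host) pairs where the logon carried admin-equivalent privileges
    privileged = {(ev["user"], ev["dst_host"]) for ev in events if ev["event_id"] == 4672}

    alerts = []
    for (user, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            hosts = {first["dst_host"]}
            for later in evs[i + 1:]:
                if later["time"] - first["time"] > window:
                    break
                hosts.add(later["dst_host"])
            if len(hosts) >= threshold:
                alerts.append({
                    "user": user,
                    "src_ip": src,
                    "first_seen": first["time"].isoformat(),
                    "hosts": sorted(hosts),
                    "admin_hosts": sorted(h for h in hosts if (user, h) in privileged),
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out([parse_event(l) for l in SAMPLE_EVENTS]):
        print(alert)
```

The backup account stays below the threshold because its two logons are hours apart; the contractor-laptop pattern trips the alert, and the `admin_hosts` field shows where stolen credentials were accepted with administrator rights, which is exactly the case the privileged-access point above warns about. In a real deployment the parser would read from the SIEM or event forwarder, the threshold would be tuned per account class (service accounts that legitimately sweep many hosts need an allow list), and the alert should be correlated with the MS17-010 patch state of the source host.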
