Industrial sites, companies at risk to sophisticated ransomware
Industrial sites, along with other industries, are undergoing an attack from a new version of ransomware that is being called quite a few different names, but is infecting networks in countries across the globe.
Petya ransomware, which is what it is mainly called, encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate the ransomware exploits vulnerabilities in server message block (SMB).
This malware is being compared to the WannaCry outbreak that struck computers in more than 150 countries last month—but so far, at least, Petya seems to be spreading more slowly in only about 64 countries. Like WannaCry, the Petya ransomware demands a $300 bitcoin payment to retrieve encrypted files and hard drives. As of Wednesday morning, the account had received around $10,000. German email company Posteo blocked the email address the Petya hackers were using to confirm ransom payments.
Some of the victims so far are the Ukrainian government, its National Bank and biggest power companies; airports and metro services in the country are also feeling the effect.
"The Ukraine continues to be in the cross-hairs of persistent cyber attackers," said Edgard Capdevielle, chief executive of Nozomi Networks. "Whether you believe the Ukraine is a test-bed for nation state aggression or an issue between two specific countries, the continued barrage of attacks against Ukrainian infrastructure is disturbing."
Companies fall victim
Shipping company A.P. Moller-Maersk reported a computer systems outage on Tuesday which it said could be a global issue.
"We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation," Maersk said on Twitter. A Maersk spokeswoman said the cause of the breakdown was not yet known, but that it could extend across the company’s global operations.
Russia’s top oil producer Rosneft said Tuesday its servers had been hit in a large-scale cyber attack, but its oil production was unaffected.
The malware is similar to WannaCry but leverages other techniques to propagate and encrypt systems, said Patrick McBride from Claroty in a blog post.
Our initial analysis suggests that Petya’s potential impact on ICS networks appears to be more severe than WannaCry due to the following:
- Impact on ICS Microsoft Windows machines: Petya does not encrypt files one by one per a matching extension list, but encrypts the master file table (MFT) so that the file system is not accessible – effectively bricking the machine. This means any infected HMI would be locked immediately. While this would not directly impact the underlying process, it would deprive all visibility and monitoring capabilities which would lead in most to all cases to shut down. The OT network would have to stay in manual mode until recovery of the infected Window endpoints. Further, other SCADA components e.g., historians, backup servers and engineering stations would also be impacted.
- Propagation: Petya’s propagation capabilities surpass those of WannaCry, as it leverages the user’s privilege to propagate throughout the network (using PSexec). It also utilizes WMI as a propagation vector. McBride also said the mitigation steps are similar to those used in WannaCry. Patch the following CVEs, he said: CVE-2017-0199 and CVE-2017-0144.
McBride added some additional protection and recovery steps:
- Block SMB & WMI port 135, 139, 445,1024-1035 TCP – if possible.
- 1. NOTE: Some ICS software relies on these services so this can impact operations.
- 2. Customers can use the Claroty Platform to determine if their current ICS environments are leveraging these ports/protocols.
- Block execution of .exe within %AppData% and %Temp% as a temporary measure to avoid infection until other mitigation steps can be taken. This may cause issues—for example it will impact installers, but provides temporary relief until other mitigation steps can be taken.
- Check logs for IOCs below
- If infected:
- Try to avoid a reboot. Shutdown -a to abort the shutdown and preserve a copy of the MFT table from memory for recovery. (cmd /k shutdown -a)
- Try not to format the encrypted systems but rather get its image for use in recovery steps.
"Although details are still emerging, one thing is clear, attacks such as these do not discriminate between geography or industry," said David Zahn, GM of ICS cybersecurity at PAS. "Like the Wannacry attack, critical infrastructure was caught in the cross hairs with early reports identifying oil & gas and power as victims. Banking and pharmaceuticals also experienced issues.
"Prima facie, the motive behind this attack looks financial. But, were the motivation different, we’d face a much more serious situation today. Within critical infrastructure companies, such as chemical processing, there are proprietary industrial control systems responsible for production reliability and safety," Zahn said. "Compromising these systems could impact the environment, cause injury, or disrupt production. It’s also possible the effect would be less noticeable. Imagine the process at a pharmaceutical plant being altered instead of halted."
New era of attacks
"It would seem we have arrived at the dawn of the ICS (Industrial Control System) attack," said Bryan Singer, director of security services at IOActive. "For the past ten years any attacks to industrial control systems have been one off, specifically targeted attacks by insiders; or otherwise had very limited visibility. For instance, we still talk about Vitek Boden from 2001 and Stuxnet in 2010. But it seems like over the last few weeks we have hit a new era, it is now impossible to say ‘that can’t happen to us’ any more."
"The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing Eternal Blue to spread to other systems before encrypting files and demanding payment," Singer said. "One major difference between this outbreak and WannaCry though, is the possible inclusion of exploit code for another known vulnerability CVE-2017-0199, affecting Microsoft Office to further spread the payload."
"If rumors prove true that this attack was initiated by the External Blue Exploit, it is a well-known vulnerability using SMB v1," said Andrea Carcano, co-founder and chief product officer of Nozomi Networks. "SMB is a protocol used often in the industrial networks. Therefore, security staff should be identifying any Microsoft systems in their ICS that could be exploited and take immediate remediation steps to patch them."
Gregory Hale is founder of ISSSource. This article originally appeared on ISSSource’s blog. ISSSource is a CFE Media content partner. Edited by Carly Marchal, content specialist, CFE Media, email@example.com.
See more ISSSource articles below.