The Ivanti Threat Thursday Update for July 6, 2017: Petya, and Beyond

Greetings. The latest Petya ransomware attack is still very much in the news, but it’s not the only issue demanding the attention of IT and cybersecurity leaders and teams. As always, please let me know what you think, about Petya, ransomware, cybersecurity, and/or this Update. Thanks in advance.

NotPetya: Weaponized Ransomware?

Microsoft published a blog post on June 27 detailing how the latest Petya variant includes multiple methods for spreading quickly across a network after infecting just a single connected machine. According to Microsoft, these “added lateral movement capabilities” include “multiple methods responsible for:

  • stealing credentials or reusing existing active sessions
  • using file shares to transfer the malicious file across machines on the same network
  • using existing legitimate functions to execute the payload or abusing SMB vulnerabilities for unpatched machines”
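The first two behaviours above leave a simple network-level trace: one host opening SMB sessions (TCP 445, or 139 over NetBIOS) to many distinct peers in a short window. The following PowerShell is an added example, not code from the original post or from Microsoft, that flags such fan-out in Windows Firewall log lines (the pfirewall.log text format). The log lines are constructed for illustration, and the peer-count and time-window thresholds are assumptions to tune for your network.

```powershell
# Added example: detect SMB fan-out (one source, many destinations on 445/139) in
# Windows Firewall log format. Sample lines below are constructed, not real telemetry.
$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-06-27 10:02:01 ALLOW TCP 10.0.5.40 10.0.5.200 49100 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:05 ALLOW TCP 10.0.5.40 10.0.5.200 49101 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:10 ALLOW TCP 10.0.5.17 10.0.5.20 49211 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:10 ALLOW TCP 10.0.5.17 10.0.5.21 49212 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:11 ALLOW TCP 10.0.5.17 10.0.5.22 49213 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:11 ALLOW TCP 10.0.5.17 10.0.5.23 49214 139 0 - 0 0 0 - - - SEND
2017-06-27 10:02:12 ALLOW TCP 10.0.5.17 10.0.5.24 49215 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:12 ALLOW TCP 10.0.5.17 10.0.5.25 49216 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:13 ALLOW TCP 10.0.5.17 10.0.5.26 49217 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:13 ALLOW TCP 10.0.5.17 10.0.5.27 49218 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:14 ALLOW TCP 10.0.5.17 10.0.5.28 49219 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:14 ALLOW TCP 10.0.5.17 10.0.5.29 49220 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:15 ALLOW TCP 10.0.5.17 10.0.5.30 49221 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:15 ALLOW TCP 10.0.5.17 10.0.5.31 49222 445 0 - 0 0 0 - - - SEND
2017-06-27 10:02:20 ALLOW TCP 10.0.5.41 10.0.5.200 49300 445 0 - 0 0 0 - - - SEND
'@

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$MinDistinctPeers = 10,   # assumption: tune per network
        [int]$WindowSeconds = 60       # assumption: tune per network
    )
    $smbPorts = @('445', '139')
    $culture  = [Globalization.CultureInfo]::InvariantCulture

    # Parse only TCP flows to SMB ports; skip header/comment lines and blanks.
    $events = foreach ($line in $LogLines) {
        if ($line -match '^\s*$' -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        if ($f[3] -ne 'TCP' -or $smbPorts -notcontains $f[7]) { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
            Port = $f[7]
        }
    }

    # Per source, slide a window over its SMB connections and count distinct peers.
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].Time
            $end   = $start.AddSeconds($WindowSeconds)
            $peers = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $MinDistinctPeers) {
                [pscustomobject]@{
                    Source        = $group.Name
                    WindowStart   = $start
                    DistinctPeers = $peers.Count
                    Peers         = ($peers -join ',')
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

# Run against the constructed sample: expect one alert for 10.0.5.17 (12 peers),
# and none for the hosts talking repeatedly to the single file server 10.0.5.200.
Find-SmbFanOut -LogLines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

For a real deployment, point the function at the live log (by default %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, once logging is enabled) or at the same fields exported from a network sensor. The heuristic is deliberately coarse: legitimate scanners, backup servers and domain controllers also fan out on 445, so allowlist those sources rather than raising the threshold until the attacker's pattern disappears.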

In the same post, Microsoft also recommends specific steps enterprises can take to improve defenses against this latest threat.

  • Install security update MS17-010 as soon as possible.
  • Until that update can be installed everywhere it is needed, disable SMB v1, and consider blocking incoming traffic on TCP ports 139 and 445, the SMB ports the latest Petya variant uses to spread.
  • “Secure privileged access” by limiting admin rights to those who really need them.
  • Allow only trusted applications to run on your networks (as Windows 10 S does by only allowing applications from the Windows Store to run).
  • Monitor all networks closely for suspicious activities.

Microsoft also advises enterprises to keep their Windows deployments and antivirus software up to date for access to the latest built-in “features and proactive mitigations.”
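As an added example, not code from the original post or from Microsoft, the PowerShell script below audits one Windows host against the SMB-related items in that list (MS17-010 present, SMBv1 server disabled, inbound 139/445 blocked, local Administrators membership) and optionally applies the mitigations when run elevated with -Apply. The KB list is an assumption to verify against the MS17-010 bulletin for each OS build; later monthly rollups supersede those KBs, so a missing KB alone does not prove the host is exposed, and the firewall profile choice is likewise an assumption to adapt to your environment.

```powershell
# Added example: audit (default) or apply (-Apply) the SMB mitigations above on one host.
# Run from an elevated PowerShell prompt. Works on Windows 7 and later; Windows 7 lacks the
# Smb*/NetFirewall* cmdlets, so the script falls back to the registry and netsh there.
param([switch]$Apply)

# Assumption: MS17-010 security-only and monthly-rollup KBs as published in March 2017.
# Verify against the bulletin for your OS; later cumulative updates supersede these.
$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012214', 'KB4012217'
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Check = 'MS17-010 hotfix present'; Pass = ($found.Count -gt 0); Detail = ($found -join ',') }
}

function Test-Smb1Disabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7: SMB1 value absent means SMBv1 is on by default (KB2696547 method)
        $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Pass = (-not $enabled); Detail = '' }
}

function Test-InboundSmbBlocked {
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $rules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
                   Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -in @('139', '445') })
        [pscustomobject]@{ Check = 'Inbound 139/445 block rule'; Pass = ($rules.Count -ge 2); Detail = ($rules.DisplayName -join ',') }
    } else {
        [pscustomobject]@{ Check = 'Inbound 139/445 block rule'; Pass = $null; Detail = 'inspect with: netsh advfirewall firewall show rule name=all' }
    }
}

function Get-LocalAdmins {
    # "Secure privileged access": list who holds local admin so the list can be pruned.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        (Get-LocalGroupMember -Group Administrators).Name
    } else {
        net localgroup Administrators
    }
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMBv1 registry change takes effect after a reboot.'
    }
}

function Block-InboundSmb {
    # Assumption: block on Private and Public profiles only; a domain file server still
    # needs 445 open on the Domain profile, so adjust the profile list to your role.
    foreach ($port in 139, 445) {
        $name = "Block inbound SMB TCP $port (NotPetya mitigation)"
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                    -LocalPort $port -Action Block -Profile Private, Public | Out-Null
            }
        } else {
            netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=$port | Out-Null
        }
    }
}

$report = @(
    Test-Ms17010Installed
    Test-Smb1Disabled
    Test-InboundSmbBlocked
)
$report | Format-Table -AutoSize
Write-Host 'Local Administrators:'; Get-LocalAdmins

if ($Apply) {
    Disable-Smb1Server
    Block-InboundSmb
    Write-Host 'Mitigations applied; re-run without -Apply to confirm.'
}
```

Run it first without -Apply across a sample of hosts to see where SMBv1 is still on and which machines have no MS17-010-era KB at all; those are the ones to patch before anything else. Blocking 445 on a file server's Domain profile breaks its job, which is why the rule above stops at the Private and Public profiles and leaves segmentation of server-to-server SMB to the network firewall.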

In a follow-up post, Microsoft says that based on its telemetry, more than 70 percent of affected systems were located in Ukraine, and the “majority of infections were observed in Windows 7 machines.”

What We Say: The effects of the latest Petya attack may have been less widespread than Microsoft and others expected, but its implications are nonetheless significant. As we said in our webinar, Petya And Weaponized Malware: Is Ransomware the New DDoS Attack?, this latest threat marks an apparent shift in the focus of ransomware and other malware. NotPetya and WannaCry appear to have been designed specifically to disrupt and disable enterprise networks. This shift underscores the need for multi-layered, proactive protections for all enterprise networks.

We have published a summary of highlights from the webinar, as well as select questions and answers from the session. Also, last week’s Threat Thursday update includes links to other resources to help you protect your networks. And of course, you can access the entire webinar on demand using the link above.

Cryptocurrency Exchange Hacked

Hackers have apparently identified another class of low-risk, high-reward targets for cyber attacks: virtual currency exchanges. A July 5 BBC report said that the Bithumb cryptocurrency exchange had discovered that an employee’s PC had been hacked, resulting in the theft of personal details for more than 30,000 customers.

“Bithumb allows its members to buy and sell the virtual currencies Bitcoin and Ethereum. It is South Korea’s biggest cryptocurrency exchange, based on recent trading volumes, and one of the five largest in the world.” The breach involved an employee’s home PC, and took place in February, but was only discovered on June 29. Bithumb reported the breach to authorities the next day, and has promised to compensate customers for any resulting losses.

What We Say: Virtual currencies are used by ransomware developers to extract payment from their victims. That makes these exchanges repositories for potentially huge volumes of pseudonymous, easily moved funds. Attacks on such exchanges therefore seem likely to increase, in volume and sophistication, which may force ransomware attackers to find other ways to get paid. Meanwhile, a key take-away from this particular breach is that for maximum protection, your cybersecurity efforts must extend to remote, transient, and mobile users, including the home PCs from which employees reach corporate data.

Ransomware: The Arms Race Continues

On July 5, Bleeping Computer reported that decryption software had been released for the Mole02 variant of ransomware known as CryptoMix (or “Cryptomix”). The decryption software is available free of charge, according to the report, which also included detailed instructions for how to use it to recover encrypted files for free.

On the same day, Bleeping Computer also reported that a new CryptoMix variant known as Azer had been discovered in the wild. A primary difference is that the Azer variant embeds 10 different RSA-1024 public encryption keys. “One of these keys will be selected to encrypt the AES key used to encrypt a victim’s files. This is quite different compared to the Mole02 variant, which only included one public RSA-1024 key.”

Also on July 5, Bleeping Computer reported that a new version of the decryption software for BTCware ransomware had been released. The report added that BTCware is “one of the most active ransomware families today,” with a support forum thread that has now reached 20 pages, compared to other ransomware support threads that are only 1-2 pages long. No word on any new BTCware variants—yet.

What We Say: Ransomware and malware developers are at least as focused on innovation as their counterparts in the legitimate software marketplace. This makes cybersecurity resemble the arcade game Whack-a-Mole: the minute one ransomware or malware variant is “whacked,” one or more new variants arise. Effective cybersecurity requires combinations of technologies to detect ransomware and malware, prevent it from running and spreading, and remediate the effects of successful attacks, wherever connected endpoints may be located. In other words, defense in depth.

Ivanti: Here to Help

Ivanti cybersecurity solutions enable you and your team to deliver true defense in depth across all your enterprise’s most critical servers and endpoints. And to help even more, select combinations of those solutions are available to new and current Ivanti customers at discounts of up to 30 percent. Check out the offer details, as well as the free trials of Ivanti patch management solutions we offer. And keep reading our Patch Tuesday and Threat Thursday updates, so you know what you need to keep pace with constantly evolving cybersecurity threats.