Petya and Weaponized Malware: Is Ransomware the New DDoS Attack?
June 29, 2017
Phil Richards | Chief Security Officer | Ivanti
Chris Goettl | Director, Product Management, Security | Ivanti
Amber Boehm | Manager, Product Marketing | Ivanti
In this emergency webinar, our security panel is getting together to discuss the Petya attack, where malware is going, and what it means for you. Specifically, we'll cover:
- The latest on Petya and how it compares to WannaCry
- What this attack and others tell us about the future design and potential crushing impact of malware
- How you can stop it from bringing your business to its knees.
Amber: A few introductions today―my name is Amber Boehm, and I'm the Manager of Product Marketing at Ivanti. With me in the room today is Phil Richards, our resident CISO, and Chris Goettl, head of Security Solutions for Ivanti. We will leave time for questions at the end of the webinar, so go ahead and submit those anytime via the Q&A form. We'll also be live-tweeting this webinar, so you can engage anytime via Ivanti webinars, and that's with an "s." Thank you. Let's get started. Chris, why don't you take it away?
Chris: Thanks, Amber. Before we get too far into this, let's take some time for a movie plot. Let's go through the plot of the movie quickly and talk about our hero. The hero of our story starts his day pretty typically: grab a coffee, go to work. He jumps on the metro and takes that into town. Partway through his day, a disturbance starts in the office. A progression of employees chatter in the background. People move around the office, phones ring, people sound very confused and start asking questions. More and more heads pop up from cubes. Finally, our character’s screen suddenly blue screens, and the system reboots. We see text on the screen, and suddenly a red and black skull and crossbones starts flashing on the screen. A textbox comes up―a red screen with white text saying that the system has been ransomed.
About an hour goes by, and our hero lacks the ability to reach IT or get any resolution to the issue because everybody in the office is down, completely inoperable. The hero of our story and some coworkers decide, "Hey, let's go grab lunch."
Walking out, our hero needs to grab some cash. As the group walks down the street toward their favorite café, they stop at an ATM. There's a bit of a crowd around the ATM. As our hero tries to shoulder up to the ATM, a now easily recognizable red screen with white text shows on the screen. One of the coworkers says, "Don't worry. I got lunch covered. Let's go grab some food." They continue around the corner and get to the café. A lot of people are huddled around the doorway, and as the group tries to push their way to the front, too, a hostess says, "Sorry, we can't serve anybody. All of our systems are down. We can't process any credit cards or even open the till to take cash."
Across town, banks, government offices, retail stores, shops, restaurants, coffee shops, the rail station, the airport, all sorts of services used on a daily basis are affected in a very short period of time. They get text messages from people saying, "Yeah, I couldn't even get gas today."
Enter the Hollywood movie villain, who demands billions of dollars. To be honest, this is what happened in the past day and a half, especially in Ukraine. The only difference was no Hollywood movie villain demanded a payment, but there was a very recognizable disturbance across an entire nation that reached out globally over the past couple of days.
Phil: Right, Chris, this does read like a Hollywood script, but for the folks in Ukraine, this was no Hollywood movie. This actually happened. The types of disturbance and the type of disruption across the entire infrastructure of that nation, as you just talked about, actually occurred only a few days ago in Ukraine.
Amber: Okay, so let's get the download now. What are we really talking about with this attack? Is it the return of Petya? Is it NotPetya? What's the story there?
Petya or NotPetya?
Phil: There have been discussions about whether this is a return of the original Petya. Let me back up a little bit. Petya is a malware ransomware attack that occurred in December of 2016, so about six months ago, or so. The screen we're showing on our board right now was one of the key pieces that showed your system was infected with Petya. This same screen was used in the most current ransomware attack, and there was definitely some code sharing or code components that look like Petya. But make no mistake, this is not the same ransomware attack that occurred in December of last year. This is a much different one, and it's a much more serious set of attacks. We'll go through that and talk about it a little bit.
Chris: Yes. It is kind of funny, though, seeing some of the debate back and forth between security practitioners about is this Petya, is this NotPetya? But whether it is or is not Petya, we definitely have a serious threat on our hands.
Amber: Let's take a look at those mechanics. How is Petya infecting systems?
How Petya Gets In
Chris: There are a couple of things Petya uses to get an initial foothold in an environment. One that's been talked about quite a bit is an update that was made available in April's Patch Tuesday. It's an Office exploit that exploits how RTF documents are used, and it allows the attacker to gain control of the system. This was used in examples of watering hole and phishing attacks, URLs that could download that malicious document. Even more interesting, however, is the fact that a Ukrainian financial tech company called MeDoc―this company creates tax software and is one of two vendors in Ukraine that businesses submit their taxes through every year, so you have the choice between these guys and one other vendor―
Phil: Let's talk about this a little. Here in the United States, when an individual or a company needs to file their income taxes, they have hundreds if not thousands of providers they can choose from to run their taxes and submit them to the government. In Ukraine, there are two, from what I understand.
Chris: Yes, and in this case, the attackers were able to exploit systems in this particular firm’s environment. The attackers loaded up an update MeDoc pushed out on June 22―five days before the attack launched. They loaded up this update for MeDoc’s own software with the malware that then was able to launch on request and launch the initial kind of target zone. The epicenter of this definitely was focused at a specific area. There were additional attacks used to get that initial infection, but this MeDoc attack was definitely responsible for the opening salvo of this attack.
Phil: What a great way―speaking as a criminal, I guess―what a great way to gain a significant foothold in a specific geography, a specific nation, such as Ukraine.
Amber: Let's talk about part two of the attack. Once the malware infects the system, how does it spread through the network?
How Petya Spreads after the Attack
Chris: There are a few things used here, and this is where Petya starts to become NotPetya. There are a lot of methods being used to spread throughout the environment. First of all, and the one that's getting the most notoriety, is the resurgence of the EternalBlue exploit, which was resolved back in March as MS17-010. This allowed Petya or NotPetya to spread rapidly using the SMB exploits that were so successful in WannaCry. But―
Phil: Right. As you said, Chris, this is an SMB exploit that was leaked to the world as a series of attacks that were created by the National Security Administration in the United States. Those attacks are part of how this particular virus spreads and has been spreading so rapidly, but it is not by any means the only method by which that virus is spreading.
Chris: The interesting part of this is EternalBlue is the one probably getting the most notoriety, but if you look deeper into this, there's a combination of things going on under the hood. It's using a piece of malware called mimikatz, which can mine passwords or credentials from the system it infects. Once it does that, it uses common tools within the environment, WMIC and PsExec, to try to authenticate to other systems in the environment so it can spread further.
Phil: This is important to understand because this is how regular hackers get into a system. Exploits and automated methods of getting into a system through vulnerabilities and things like that are somewhat noisy, and they're somewhat easy to detect. If someone is a strong hacker, what they usually use are these more stealthy tools, such as mimikatz, WMIC, and PsExec, to gain access and elevate their credentials and work to gain access to other systems. That's really what these tools are for. That capability was embedded into this malware. It's sophisticated on a different level, because it uses a different toolset than most malware has in the past.
Chris: It's automating the behavior of what an advanced persistent threat would do. If you have an attacker live in your environment, and it’s trying to move throughout the environment, these are the things it would do to move around. The scary part, though, is that Petya can do this in a very short time, and then it launches the disruptive part of its attack. We have some specifics from Symantec on exactly what's being done and how it's doing it. The first thing it's doing is scheduling a reboot of the system.
Petya Uses the Master Boot Record
Phil: Right, and this is really an ingenious thing. We need to go back a bit. What Petya does is encrypt what's called the Master Boot Record. This is the record at the zero block of a disk that describes what the disk is, what its geometry looks like, where the delineations on the drive exist, and things like that. By encrypting that, what happens is, if you're booted up to a Windows system, your Windows system will continue to function as normal, but the next time you reboot, the system will be blocked and you’ll never be able to reboot again.
By scheduling a reboot, what it's done is give itself time to use that machine as a launch pad, so the malware can proliferate across the network to other systems using the tools we talked about―mimikatz, WMIC, PsExec, and the SMB exploit from EternalBlue. There's a lot going on here, but the linchpin, really, is by scheduling that reboot rather than forcing an immediate reboot, it bakes in time to make sure the software proliferates. This is a well-engineered piece of malware.
Amber: We have a question from someone in the audience who wants to know if it actually downloads PsExec, or if it finds it already in the environment.
Chris: I haven't seen specifics around that. Any researcher who has found this level of depth on the attack has confirmed that WMIC and PsExec are being used. I'd have to look and see if they're confirming that―
Phil: I looked into this a little, and there are remediations available by simply disabling WMIC and PsExec, which indicates the attackers are not downloading those tools. Another component that's important is a lot of these tools, including corrupting the Master Boot Record, require administrative privileges on the machine, so this malware absolutely depends on admin privileges being used by the local user.
Chris: Right. One of the biggest things about this is it's mimicking behavior an attacker would do to spread throughout the environment, but its time scale is much quicker, and it's targeted at widespread, massive disruption.
How Petya Moves Quickly
Phil: We can talk about that a little, the time factor. One of the things that allows this to occur so quickly is the intent of this malware is not to encrypt everything on the disk. It’s only trying to encrypt a small component of the disk, which is the Master Boot Record. At the largest, this component is about 100mg in size. That means the attack can complete rapidly, much more rapidly than if the malware were hunting for specific files to encrypt and trying to encrypt thousands or tens of thousands of files.
Is Ivanti Dependent on WMIC?
Amber: I have another question. A participant would like to ask about LVMS, having received queries from Ivanti customers who are concerned that if they disable WMIC in their environment, it may impact LVMS. The question is whether Ivanti is totally dependent on WMIC.
Chris: It's not totally dependent on it, but there are some functionalities that would use WMIC. One thing we probably want to do is get a support case open, and we can get you some specifics on that. That's a note I can take. I know we have our support teams actively writing up guidance and recommendations on how to mitigate some of the attack vectors. We could talk about some of those things a little, locking down privileges, for example. One of the things Symantec noted in their write-up is the encryption of the MBR will only work if the attacker has admin rights. If you're running as a regular user, the attack to encrypt the MBR would fail. One thing our security suite does have on the LDSS side is the ability to protect the Master Boot Record. There are a few possibilities there, but it would be a good idea to open a case and get some specifics about what features would be disrupted by disabling WMIC, and then we can get you better guidance on that.
Amber: A couple of other questions, but they are more for the discussion that's coming up, so when we get there, we will cover those, certainly.
Chris: All right.
Amber: All right. There's a lot of speculation about what the objective was. Chris, tell us was this actually for profit, was it not, what's the story?
Chris: There's a progression that’s happened with ransomware. Ransomware had a resurgence in the past couple of years. It also evolved into ransomware as a service. It became so lucrative, you had a multitiered economy built off ransomware. You could subscribe to and build out variants of it, and perform your next attack very easily. Then WannaCry hit. WannaCry was a huge success as far as how disruptive it was, but a grand failure as far as how much it monetized. Really, it looked like there was no payout intended, or maybe it wasn't big enough for the attackers to bother going after it.
There are really good notes about this from a researcher named Nicholas Weaver. He works at the International Computer Sciences Institute and is a lecturer at UC Berkeley. He confirmed that Petya is well engineered to be disruptive while masquerading as a ransomware strain. One thing he notes that backs that up is it includes the same Bitcoin address for every victim. Typically with a ransomware attack, there's usually a unique Bitcoin―
Phil: That's right. Even if it's not unique, there's a series of Bitcoin addresses that go from dozens to hundreds of Bitcoin wallets. The intent is to defray or make it more difficult to see how successful a ransomware attack is.
Chris: And WannaCry had four at least, right?
Phil: That's right. WannaCry had three or four and was somewhat of a failure. Everybody in the world was paying attention to the Bitcoin addresses. We need to remember that Bitcoin wallets are publicly available for view, so you can see how much money is going in. You can't see who's putting money in and who's taking money out, but you can see that money is going into the accounts and money is coming out. For WannaCry and Petya, nothing has been withdrawn from any of those Bitcoin wallets.
Chris: Right. Interestingly enough, in this case, the attackers are asking those who they're trying to extort to communicate with them via email. This is a deviation from typical ransomware campaigns.
Phil: That's right. Email is traceable, easy to follow, and easy for law enforcement to get their hands on and identify, possibly even trace back to, who sent the original emails, or at least find or locate who sent them. Given this is such a well-engineered piece of malware, it's fairly safe to assume some of these things we're talking about―the Bitcoin wallet and email address―were set up as window dressing and not necessarily as major pieces of what the attackers were trying to do. Somebody who would schedule a reboot of a machine rather than force a reboot is not the kind of person who's going to put their email address out on the wire so they can be found out.
Chris: On the anonymity note, most previous ransomware attacks, actually nearly all of them, tried to use something like Tor to provide anonymity and make sure they would be hard to track down. Now, funnily enough, the one email address that was going to be used to communicate back out and give people their decryption key was stopped by the ISP where that account was registered very shortly into the attack. That one avenue was basically blocked.
Phil: Yes, and that happened 6, 8, 10 hours into the attack, so if you were planning on paying a ransom to get systems back up, not only are you unlikely to get any kind of crack code or anything like that to recover your Master Boot Record, but the criminals also have no way of sending that information to you.
Chris: You know, I've no doubt about the details we have. Several of those were pulled from articles. Krebs on Security had a great synopsis that had a reference from Mr. Weaver on his research and a very comprehensive way of laying it out that definitely pointed to that. If we look at this graph―Phil, we talked about this a little yesterday.
Where Ransomware Is Heading
Phil: This tells a good story about where ransomware is going right now, and how this is ransomware by window dressing, and not ransomware in fact. The black line on this graph shows the amount of money that's gone into the WannaCry Bitcoin wallets, which is not significant. There's only $29,000 after the first 24 hours vs. the first 24 hours of the Petya attack, which is the purple line. You can see that people started to pay ransoms, and then everybody got smart and said, "Hey, you know what, it doesn't make any sense." By the way, the amount of money in that account is not a lot different. It's up to $10,600 or something like that, which is not much higher than it was after the first 24 hours. Effectively, this is ransomware by category, not ransomware in actual fact.
Amber: If it's not for profit, then what's really going on? What does this mean for businesses and people in general around the world? What should we expect is coming soon?
Chris: It's interesting. Take a look at this image, which has been doing the rounds. It showed up first on Twitter. This is a supermarket in east Ukraine. You can see the very recognizable screen with the red text showing these systems have been ransomed. Think of this outside this one store, then think of this at ATMs, bank tellers, and gas stations.
Phil: These screens, by the way, are point-of-sale devices. This is how people check out with their bags of groceries. With these screens, these systems are locked up. There's no way for individuals to pay for their goods.
Chris: At the airport, if the screen was locked out there, how could they give people tickets or check their bags or anything else? The metro station would be unable to scan people through or provide tickets for people to get on trains. Even shipping could be disrupted to the point that ships might have to be anchored and told to wait until systems can be brought back online to guide them. This is a significant disruption.
If you look at the types of businesses hit in the initial hours in Ukraine, you have everything from government, airports, metro, other forms of transit, gas stations, ATMs and banks. This was a very broad attack. Because they used a very easy attack vector to get into a broad number of businesses at the epicenter, they could do a lot of damage. This next slide, also taken from the Symantec site, points out where the target was.
Phil: It becomes clear that this malware, which is somewhat ingenious as we’ve said, is clearly targeted at a specific geography, the Ukraine area in particular. We're not going so far as to say it’s a cyberwarfare technique. We think there's still quite a bit of analysis and assessment that needs to take place in terms of how this happened, who did it, and what their intent was. We'd be speculating on intent, at this point, but we think it's pretty clear this was targeted, the malware is weaponized, and the focus is not to bring money into the coffers of the attackers.
Amber: Now we have questions. People would like to know if any systems such as flight control, 911, etc., have been impacted by this. Do we know?
Chris: Reports were a little difficult out of the Ukraine airport, which was hit very hard. There was no confirmation that air traffic control was hit. The airport had disruptions at the airline level, which to me is baggage desks, check-ins, processing people through the system, and not at the air-traffic-control level. We did not see any reports of that.
Phil: We know that infrastructure systems were targeted. For example, Ukrainian government officials were impacted. Infrastructure systems were targeted. We don't have confirmation that those systems were attacked or exploited.
Chris: When you go beyond that, you could see other countries that were hit. With something this sophisticated that could spread this easily, there were targets hit that may have been unintentional. Some of these could have had ties to or interests in Ukraine, as well. Some examples of that are shipping in the region, and other similar things that seem to have been targeted as part of the initial opening salvo.
Phil: Right, and even if they're not Ukrainian-facing organizations or companies, they had very specific interests in the Ukraine area.
Chris: Some of that collateral damage goes as far as a well-known chocolatier that had a facility hit in Australia.
Amber: Chocolate? Oh man, now I’m concerned. This is going too far.
Chris: It's okay, Amber, it was only one of their facilities, but this is an example. As it reached out globally, there were probably many other things hit that were completely unrelated to the initial intent. This is the scale of what this type of attack can do.
Phil: One thing to recognize is a lot of the proliferation capabilities of this malware were focused on internal networks. The focus was absolutely on getting all the machines in a specific subnet or a specific network locked down. There was not much focus on expanding outside that internal network. That was done more at the level of compromise of specific entities that could then be used to push the malware into those organizations.
Chris: Looking at the evolution here, what's different now than it was six months ago?
Phil: Over the last few attacks, I think things have changed quite dramatically. This is ransomware in name only. One of the things you mentioned earlier, Chris, is this is ransomware that's being used for other purposes. Maybe you want to go into that a little bit.
Amber: Just to clarify, someone wants to know about the slide showing only 40 companies being hit in the US. Can you explain what we're looking at when we talk about this slide?
Phil: Well, first of all, it's a point in time. It's as of a specific time. When this information was collected, only about 40 to 45 companies were impacted in the United States.
Chris: I can pull up that page real quick, and we can reference that to answer that question.
The Evolution of Ransomware
Phil: While you're doing that, let's go back a couple of slides, so we can talk a little about what's different now versus six months ago. The spread of ransomware has become a lot more sophisticated and targeted. Ransomware is really ransomware in name only, at least that seems to be the direction it's going. That's not to say we won’t have more ransomware attacks where people are trying to extort money, but ransomware is becoming more of a tool, a weaponized tool. The compromise, the focus, is not really about money in some of these more recent attacks.
Ransomware is a tool for disruption. It has become a tool for denial-of-service attacks, social disruption, economic disaster creation, that sort of thing. It's become bigger than anything we've seen before. It goes well beyond extorting money from individuals or even from companies. To say ransomware is becoming weaponized is an accurate portrayal, I think, and it's targeted at decimating economies, infrastructure, social structure, and things like that.
Chris: This is going beyond any type of ransomware we've seen before. WannaCry was an initial taste. If we look at WannaCry as the alpha, is this the beta? Is the real thing yet to come? Where could it go from here? An excellent combination of vulnerabilities allowed this attack to be successful―WannaCry and now this.
There's another Windows Search exploit that could be exploited through SMB remotely over the network without authentication, which was resolved in June. If people don’t have that one in place, that was known to be exploited in the wild, as well. Could that be the next tool used for a wide scale attack like this? If we don't get that patched in a timely fashion, if we don't start to lock down permissions, if we don't start to layer on additional defenses to prevent a sophisticated attack like this, it does go beyond a company being hit.
By the way, that Symantec graph, by the time they posted that article on the 27th, that was the number of organizations reporting disruptions in each of those countries. It was 40 at the time on the 27th when it was aired, not that that's all that have been hit so far. There may be more.
Amber: You mentioned patches for SMBs. There is a question from one of our listeners who wants to know if there have been any issues confirming compliance with those patches. She's read about potential problems with ever-changing information and difficulty making sure those patches are in place across your systems.
Importance of SMB Patches
Chris: On the Ivanti communities, for any of our patch solutions, you should be able to find an article describing exactly which updates you need to have in place to make sure these vulnerabilities are plugged. We focused on the original EternalBlue exploit, but we also added details about the June SMB exploit I just spoke of. Those details are available in our communities.
For those of you running Windows 7 through Windows 10, and the server OSs as well, if you do the monthly rollups and you've done any of the rollups between March and now, you have the original EternalBlue vulnerability plugged. If you haven't done the June update yet, there is another, actually there were two exploits in the wild, two zero days that were resolved, as well, both of which would be things you probably want to get in place.
If you're doing Windows 7 through Server 2012 R2, everything shy of Windows 10, there is a security-only bundle. If you're doing the security-only, you needed to make sure the March and June updates were in place to plug the specific vulnerabilities I talked about.
In the articles on our communities, we have the KBs, the specific KBs you should be able to verify are in place, and for any of our patch solutions, you should be able to find that information or generate a report that can show you what KBs are there and confirm those are in place. If you are using one of our patch solutions, and you need those articles but can't find them, reach out to our support teams, and they can point you to them very quickly. Otherwise, look to the community, and you should find that information.
A Defense-in-Depth Strategy
Phil: I want to pivot a little on this. We talk a lot about patching, and patching is extremely important. These two ransomware attacks underscore the importance and necessity of a defense-in-depth strategy which, by the way, Ivanti provides from a desktop perspective. If we look at the two attacks we're talking about today, a few things jump out at me―the criticality of patching, the importance of application management, not being able to run WMIC or PsExec except under certain circumstances as an application, is something that certainly can help mitigate the environment. With the WannaCry virus last month, antivirus was an important capability in terms of arresting its deployment throughout an environment. That's less important in this one; it would be less effective, but it is part of the defense-in-depth discussion. We talked a little about privilege management. That wasn't a big deal for WannaCry, but it's a huge deal for this particular attack. Ivanti also provides the ability to protect the Master Boot Record from being written to or encrypted. Having these capabilities as depth components helps ensure your company is insulated from these sorts of attacks.
Chris: Right, a layered approach, making sure you're patching frequently, you've reduced privileges as effectively as possible. A few of our SEs globally have created videos showing how the attack is performed and how it's blocked using our application control feature sets. Payloads that try to execute but are untrusted will be blocked if you have whitelisting in place. We have traditional and dynamic whitelisting capabilities. That provides another layer of ransomware and malware defense.
With an attack this sophisticated, which can do a variety of things and was built to get around any one or two levels of security, you need to make sure you have an effective layered approach to security: a defense-in-depth approach that includes controlling admin rights, patching critical items diligently, and being able to trust third-party vendors. In one of these attacks, the initial foothold was gained through a vulnerability for which a Microsoft update has been available since April. The other was a very specific vendor in a specific region where, reportedly, their update system was used as a platform for launching the initial attack at a broad spectrum of these companies.
Phil: The bottom line is there are some initial attack vectors that you won’t be able to defend against. If you happen to be a company in Ukraine, you have to pay taxes. If you happen to use one of the two tax software capabilities available and it happens to be this one, you would be infected.
What you can do, after the initial infection, is arrest its deployment across the rest of your environment. This ransomware was geared to deploy rapidly and infect everything else in your network. The only way to protect yourself against it is to have additional capabilities that arrest that kind of deployment model.
Chris: Right. Going back to was this a real attack, was it a proof of concept? Regardless, this took ransomware to a new level. If you look at the image on the left, try to feel what it's like to be in this situation. We have to look past one grocery store and look at all the other things hit in that opening attack. You can't get gas. You can't get cash from the ATM. You can't get into the bank teller to get cash, your ability to buy groceries―
Phil: You can't take a bus. You can't take a subway. You can't take a plane.
Chris: Right, and the long-term effects of disrupting shipping and other ways of things coming in and out of the country adds extra long-term effects, as well. This isn't ransomware extorting money at a few POS systems in a specific location. This is a widespread disruptive attack at not only businesses, but also on a social and economic level.
Phil: This hit critical infrastructure in Ukraine.
Chris: There's very little ability to look at this any other way than to say this is ransomware that's been weaponized for more than its original purpose.
Phil: You're exactly right, and I think you said it very well. As we're trying to protect our companies and our society, we need to put ourselves in the position of the people who are walking out of this grocery store empty handed because they have no way of purchasing goods. By the way, this is still going on in Ukraine. They're still recovering. The potential impact to a society and to an economy is pretty devastating.
Chris: That's where we want to wrap the conversation today. We had that opening, cinematic view of what's happening, and now closing with the reality of what people close to the epicenter of where this hit are experiencing. It's a very real difference in the world that we all need to start thinking about―securing our own environments, what part is being played by everybody out there, how we’re securing our future, how we’re ensuring it's not only about business anymore. It's about everything outside that business as well, everything around us―people, society, the economy.
At this point, we can answer any other questions we have, Amber.
Amber: We'll move to questions, and please go ahead and continue to ask questions until the session is over. If we don't get to you, we will provide a blog post shortly after the webinar where we will list all the questions and answers. Even if it's the final minute, get your question in, and we'll get it answered for you.
Let's take a look at a couple of questions about Ivanti. We have a listener who says Ivanti doesn't check for the MS 17 patch specifically, which could leave you vulnerable if the patch wasn't installed correctly, or if a change was made to the machine afterward. He wants to know how we deal with that.
The MS 17-010 Patch
Chris: Each of the products is a little different in how they do their assessments and enforce a baseline. You won't see MS 17-010. That designation no longer exists under Microsoft. Only if you have Windows XP or Server 2003 will you see the traditional bulletin style. In this case, you’ll see it as a KB number. Let me do this. We actually have some of these KBs.
Amber: We had requests for all of those. We will definitely put that in the blog post.
Chris: I have a blog post already up that gets into this, so go to our blog at Ivanti.com/blog, then go to security and look for the post: Our Global Ransomware Attack Based on Petya. In the initial write-up I did at more of a technical level, I talked about some of the CVEs being used in some updates. Here are the specific KBs per OS you want to make sure are in place if you're doing the security-only bundles. If you're doing the monthly rollups, I don't have those specifically, but we can get those. If you've done the monthly rollup for March, April, May, or June, you have that MS 17-010 bulletin in place. Have you done either the monthly rollup or one of the specific KBs listed here? I know our support organization was working on specific details per product line, so I will follow up with them to make sure they have everything covered. We'll also expand on this with any additional questions that come up on the call today and make sure those details are provided. The cumulative is really what you're looking for. If you're doing the security-only, those KBs are listed here.
If you're running XP, Vista, 2003, or even Windows 8―not 8.1, but Windows 8―they are the OSs that have been end-of-lifed. Microsoft has a page that lists a number of additional updates for end-of-lifed platforms. In June, for those who caught my Patch Tuesday webinar, we talked about this. Microsoft also has a recommendation all the way back to MS 08-067. For those of you who remember Conficker, this was the update that plugged those vulnerabilities. Microsoft is saying to get these bulletins in place, including MS 17-010, that's Eternal Blue, MS17-013, the latest SMB vulnerability that was released in June. Again, you're not going to see those two designations, the traditional bulletins. Microsoft moved away from that, for the most part, in March, so their use of it here only confuses matters. What you want to do is confirm the KB articles and make sure you have those.
There are a number of other CVEs. These updates were also released for older platforms, so make sure you get these updates in place if you're running those older systems. They are now publicly available, and you should take their recommendation. Microsoft didn't have to do this. They did it because they see a significant risk if you don't have these things in place. We'll get additional content up on the communities to expand on and plug gaps from questions we're getting today.
Amber: We have a question about the MBR. How does Ivanti protect the Master Boot Record?
How Ivanti Protects the MBR
Phil: First of all, let's back up a little. MBR is the area on a disk that describes what's happening on the disk. One of the things Ivanti security suite software does is detect any changes written to that record. It interrupts those changes with a dialogue that says, "Hey, somebody's trying to write to the Master Boot Record. Is this something you want to authorize?" The individual user has the ability to arrest the changes at that point.
Chris: That's for the security suite, especially from the traditional Ivanti platform. If you're an LDMS customer and have the security suite module, that functionality is in that product set.
Amber: We have another question about security rollups. This listener says when he searches on Shavlik for MS17-0607, it doesn't show an installable option in the patch template.
Chris: This is one where you may need to get in touch with support, but I can give you a couple of tips. If you're looking for each of the different rollups, this is what the security-onlys look like. We give it an artificial bulletin designation, so MS 17-06S07 is the June security-only for Windows 7.
Phil: I see what you're saying. Specific CVEs are underneath that.
Chris: Correct. You can see the KB 4022722. That would be the Microsoft KB this is under, but you won't see the Microsoft bulletins anymore. They don't have them anymore. Now you'll see the CVEs that are resolved under here, as well. This would be the June security-only. If you go back to the April update for Windows 7, this is where we were still fine-tuning what the new formats were going to be, but this is the one you would want to have in place to plug WannaCry.
I’m trying to remember the exact CVE.
Chris: That was the bulletin. I can't remember the exact CVE number off the top of my head, but the CVEs listed here are the ones resolved by that security rollup.
If you're doing the cumulative rollup, if you do April, May, and June, they're all in there. It's cumulative, so it includes all the previous months. The security-only is where you have to worry about two specific ones. If you're doing the monthly rollup, you get everything each month, whenever you do the update. Do the June one if you're doing the cumulative, and you’ll get all the CVEs.
If you have other specifics, something to do immediately is make sure your content is up-to-date. If you go to Help > Refresh Files, that will force the content update, and then you can see if that update is available and downloadable. If it's still not, for some reason, contact the support team. I'd have to get more details about your situation to understand better how to help you.
Amber: Phil, talk about whether there's any truth to the perfc read-only file being a vaccine against attacks.
Is Perfc Read-Only a Vaccine?
Phil: One of the things this ransomware does is try to catalog machines through WMIC. When it identifies, for example, your machine Amber, what it does is look for the existence of itself on your hard drive. It looks for a file called perfc.dat in the Windows directory. If it finds it, it leaves your machine alone and moves on to the next machine, so if you create a file called perfc.dat that's read-only, it will find it and move on. If your network has been infected, that's one way of ensuring machines are able to stay inoculated, or vaccinated I guess, from the infection.
Chris: Tricking it into thinking, "Oh, I've already done this."
Phil: The logistics of doing that across every machine on your network is a little challenging. If you can put that file in the Windows directory on all the machines in your network, you have the ability to do the other things that will make sure you are not only protected from this infection, but you're protected from others, as well. Is it a way of stopping or arresting the deployment of this particular ransomware? Absolutely.
Amber: Going back to patching, the next question is, is there a patch for Windows 10?
Windows 10 Patches
Amber: For this attack, for the SMB, I assume.
Chris: The SMB fixes were in the March update for Windows 10, as well. The original WannaCry did not affect Windows 10, but later variations were created that could affect Windows 10. The reason Windows 10 was deemphasized initially was the proof-of-concept code wasn’t developed for Windows 10 yet, but researchers had confirmed ways to bring it to those platforms.
If you're on the Windows 10 track, you don't have the cumulative or monthly security bundle; you only have the cumulative rollup. If you've done March, April, May, or June on a Windows 10 system, you’ve protected yourself against Eternal Blue. I highly recommend getting the June update because there's a new SMB vulnerability confirmed to be exploited in the wild, which is a vulnerability in Windows Search. Locally on a machine, you could do a search that would let you take advantage of this vulnerability and take control of the system. You can do the same exploit that lets you take control of a system remotely over the network without authentication, which is the same level of severity as Eternal Blue and its siblings that were resolved in March, and this June vulnerability has the same wormlike potential as the original Eternal series of vulnerabilities. For any Windows 10 platforms, I highly recommend you get the Windows 10 June cumulative in place, and you'll be covered not only for the March SMBs, but also this new one.
Phil: I want to underscore a point you made earlier about the MS 17-010. That is an exploit number or a KB article; it's not the specific patch that goes on Windows 10, Windows 7, and Windows 8. Is that right?
Chris: Absolutely. Microsoft is moving away from their old bulletin designation. Everything for the OS is cumulative bundles, and you’ll look for a specific KB article. In the case of the security-onlys, those are here. We’ll make sure the specific KBs get into community docs also, so you know how to ensure you have the right ones on your machines.
Phil: Because Microsoft is changing the way they do things, it might be a little tricky, but if you're using Ivanti software, and you're using those cumulative patches, you can rest assured you have the right kind of patches for your platforms.
Chris: Look to those community articles for your respective product, and that will show you the guidance on how to ensure you have those on your systems.
Amber: All right. We have a question. We're back to the MBR. Does your MBR protection care if the MBR is encrypted with other tools like McAfee, BitLocker, etc.?
Phil: The Ivanti tool allows MBRs to be written over and changed. That's what encryption does, so you can certainly use a BitLocker or McAfee tool that will do whole-disk encryption, including the Master Boot Record. By the way, all of those tools have a sliver of the MBR that stays unencrypted, because something has to be unencrypted before the disk can boot up. The Ivanti tool allows changes to occur, but it flags you if it happens during the day. That wouldn't happen during a normal business day for most people. Usually it’s something that happens with setup or system setup. The Ivanti tool flags you and asks if you want that to continue to happen.
Amber: Let's see what we have. Does Shavlik examine the actual DLL versions for vulnerabilities on the rollups?
Chris: You can see the files and registry keys that are evaluated here. This is the security-only bundle for April. You can see all the files being evaluated, the location they should be in, the names of the files, the version they should be, and even criteria such as file must not exist or if it's required, criteria depending on what type of file it is and if it's going to be there or not. We have lots of criteria that confirm how to do that, including registry and file protection, so the answer is yes.
Amber: Regarding the June vulnerability you were talking about, does it affect SMBv1 only, or all versions?
Chris: In the Microsoft article, it doesn't specify. I heard a report that it's later SMB versions, too, but I couldn’t confirm that.
Amber: For the MBR again: Does your solution have a mechanism to allow changes to the MBR, or do you have to reboot into safe mode?
Phil: It allows changes in the MBR. You don't need to boot into safe mode to make those changes. It flags them, it warns you. By the way, that's a configuration setting, as well. You can determine certain classes of machines where the MBR can be modified or not.
Amber: One more question. Patch for Windows: Is that a standalone platform? The listener mentions that Shavlik used to complement SCCM and other platforms. Let's talk about patch for SCCM vs. patch for Windows.
Chris: Patch for SCCM is the Ivanti plugin that brings our third-party catalog of updates into SCCM. You've invested time and effort in scaling that out, so you only want the third-party catalog to expand into that. It's a great complement to an SCCM instance. It doesn't bring our additional features like reboot control, staging, integration with virtual, vSphere, the ability to do templates and snapshots and things like that, but you get the breadth of our catalog. That's based on a content subscription. It's a very cost-effective complement to SCCM that takes a lot of the burden of packaging up and delivering software off your FTEs. We have over 130 non-Microsoft product families that we support out of the box.
The patch for Windows product you're looking at here is based on our legacy Shavlik Protect product line. This is a standalone product. If you're not running SCCM on your server environment, you may choose to run this standalone product there. It's ideally suited for a data center, agentless capabilities, VMware integration for doing a lot of the things there. It has some very nice features like our Cloud Agent, which allows a system to go off network, persist off network for as long as it needs to, and still be maintained. This gives you a different platform than SCCM. It can control stages of the process more granularly than SCCM allows. It allows different types of baselining, the Windows platform, and third-party products, all in one solution, so it would be a replacement for SCCM.
Amber: All right, that's the hour. We will make sure all the questions are answered in a blog post following the webinar, so don't worry, we will get to everything you asked. With that, we'll wrap up. Thank you for joining, and we hope you'll join us again very soon.