Archive

Yet Another Ransomware That Can be Immediately Detected with Process Tracking on Workstations

By Randy Franklin Smith

As I write this, yet another ransomware attack is underway. This time it’s called Petya, and it again uses SMB to spread. But here’s the thing — it uses an EXE to get its work done. That’s important because there are countless ways to infect systems, with old ones being patched and new ones being discovered all the time. You definitely want to reduce your attack surface by disabling/uninstalling unneeded features.  Plus, you want to patch systems as soon as possible.

Those are preventive controls and they are irreplaceable in terms of defense in depth. But no layer of defense is ever a silver bullet. Patching and surface area management will never stop everything.

So, we need an effective detective control that tells us as soon as something like Petya gets past our frontline preventive layers of defense. The cool thing is that you can do that using nothing more than the Windows security log – or even better – Sysmon. Event ID 4688, activated by enabling Audit Process Creation for success, is a Security log event produced every time an EXE loads as a new process.

If we simply keep a running baseline of known EXE names and compare each 4688 against that list, BAM!, you’ll know as soon as something new, like Petya’s EXEs, run on your network. Of course you need to be collecting 4688s from your workstations, and your SIEM needs to be able to do this kind of constant learning whitelist analysis. You are going to get events when you install new software or patch old software, but only when new EXE names show up.

The only problem with using 4688 is it’s based on EXE name (including path). Bad guys can – but don’t usually bother to use replace known EXEs to stay below the radar. That would defeat the above scheme.  So what can you do? Implement Sysmon, which logs the hash of each EXE. Sysmon is a free element of Microsoft Sysinternals written by Mark Russonovich and friends. Sysmon event ID 1 (shown below) is logged the same time as 4688 (if you have both process creation auditing and Sysmon configured) but it also proves the hash of the EXE. So even if the attacker does replace a known EXE, the hash will difference, and your comparison against known hashes will fail – thus detecting a new EXE executing for the first time in your environment.

Log Name: Microsoft-Windows-Sysmon/Operational
Source: Microsoft-Windows-Sysmon
Date: 4/28/2017 3:08:22 PM
Event ID: 1
Task Category: Process Create (rule: ProcessCreate)
Level: Information
Keywords:
User: SYSTEM
Computer: rfsH.lab.local
Description:
Process Create:
UtcTime: 2017-04-28 22:08:22.025
ProcessGuid: {a23eae89-bd56-5903-0000-0010e9d95e00}
ProcessId: 6228
Image: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
CommandLine: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe” –type=utility –lang=en-US –no-sandbox –service-request-channel-token=F47498BBA884E523FA93E623C4569B94 –mojo-platform-channel-handle=3432 /prefetch:8
CurrentDirectory: C:\Program Files (x86)\Google\Chrome\Application\58.0.3029.81\
User: LAB\rsmith
LogonGuid: {a23eae89-b357-5903-0000-002005eb0700}
LogonId: 0x7EB05
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA256=6055A20CF7EC81843310AD37700FF67B2CF8CDE3DCE68D54BA42934177C10B57
ParentProcessGuid: {a23eae89-bd28-5903-0000-00102f345d00}
ParentProcessId: 13220
ParentImage: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
ParentCommandLine: “C:\Program Files (x86)\Google\Chrome\Application\chrome.exe”

Tracking by hash will generate more false positives because anytime a known EXE is updated by the vendor, the first time the new version runs, a new hash will be generated and trip a new alarm or entry on your dashboard. But this tells you that patches are rolling out and confirms that your detection is working. And you are only notified the first time the EXE runs provided, you automatically add new hashes to your whitelist.

Whether you track new EXEs in your environment by name using the Security Log or by hash using Sysmon – do it!  New process tracking is one of those highly effective, reliable and long lived, strategic controls that will alert you against other attacks that rely on EXE still beyond the horizon.

EventTracker has a built-in feature that will detect and alert on EXEs and DLLs the first time they run, plus they just released a Dormant Malware Hunter in the latest version of their software. Modern malware, including ransomware, copies itself with different names and hashes to various folders, so that if the original is identified and removed, the clones remain ready to attack at a later time. The Dormant Malware Hunter identifies hidden EXE and DLL files that have never executed, while exempting those found on a known safe files list. As a result, copies of malware can be removed from the network, preventing re-infection or propagation.

Petya Ransomware – What it is and what to do

A new ransomware variant is sweeping across the globe known as Petya. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. While it was first observed in 2016, it contained notable differences in operation that caused it to be “immediately flagged as the next step in ransomware evolution.”

What is it?

This is a new generation of ransomware designed to take timely advantage of recent exploits. This current version is targeting the same vulnerabilities (ETERNALBLUE) that were exploited during the recent Wannacry attack. In this variant, rather than targeting a single organization, it uses a broad-brush approach that targets any device it can find that its attached worm is able to exploit.

The gravity of this attack is multiplied by the fact that even servers patched against the SMBv1 vulnerability exploited by EternalBlue can be successfully attacked, provided there is at least one Windows server on the network vulnerable to the flaw patched in March in MS17-010.

How it spreads?

Early reports also suspected that some infections were spread via phishing emails with infected Excel documents exploiting a CVE-2017-0199, a Microsoft Office/WordPad remote code execution vulnerability.

The attackers have built in the capability to infect patched local machines using the PSEXEC Windows SysInternals utility to carry out a pass-the-hash attack. Some researchers have also documented usage of the Windows Management Instrumentation (WMIC) command line scripting interface to spread the ransomware locally.

Unlike WannaCry, this attack does not have an internet-facing worming component, and only scans internal subnets looking for other machines to infect. Once a server is compromised by EternalBlue, the attacker is in as a system user.

What it does

The malware waits for 10-60 minutes after the infection to reboot the system. Reboot is scheduled using system facilities with “at” or “schtasks” and “shutdown.exe” tools. Once it reboots, it starts to encrypt the MFT table in NTFS partitions, overwriting the MBR with a customized loader with a ransom note.

The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.

The criminals behind this attack are asking for $300 in Bitcoins to deliver the key that decrypts the ransomed data, payable to a unified Bitcoin account. Unlike Wannacry, this technique would work because the attackers are asking the victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net,” thus confirming the transactions.

There is no kill-switch as of yet, and reports say the ransom email is invalid, so paying up is not recommended.

Technical Details

Talos observed that compromised systems have a file named “Perfc.dat” dropped on them. Perfc.dat contains the functionality needed to further compromise the system and contains a single unnamed export function referred to as #1. The library attempts to obtain administrative privileges (SeShutdowPrivilege and SeDebugPrivilege) for the current user through the Windows API AdjustTokenPrivileges. If successful, the ransomware will overwrite the master boot record (MBR) on the disk drive referred to as PhysicalDrive 0 within Windows. Regardless of whether the malware is successful in overwriting the MBR or not, it will then proceed to create a scheduled task via schtasks to reboot the system one hour after infection.

As part of the propagation process, the malware enumerates all visible machines on the network via the NetServerEnum and then scans for an open TCP 139 port. This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.

The malware has three mechanisms used to propagate once a device is infected:

  1. EternalBlue – the same exploit used by WannaCry.
  2. Psexec – a legitimate Windows administration tool.
  3. WMI – Windows Management Instrumentation, a legitimate Windows component.

These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally.

For systems that have not had MS17-010 applied, the EternalBlue exploit is leveraged to compromise systems.

Psexec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user’s windows token to install the malware on the networked device. Talos is still investigating the methods in which the “current user’s windows token” is retrieved from the machine.

C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1

WMI is used to execute the following command which performs the same function as above, but using the current user’s username and password (as username and password).

Wbem\wmic.exe /node:”w.x.y.z” /user:”username” /password:”password” “process call create “C:\Windows\System32\rundll32.exe \”C:\Windows\perfc.dat\” #1″

Once a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA encryption. Additionally, the malware cleans event logs on the compromised device using the following command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

What steps has EventTracker SIEMphonic taken?

  1. Closely monitoring announcements and details provided by industry experts including US CERT, SANS, Microsoft, etc.
  2. Reviewed the latest vulnerability scan results from your network (if subscribed to ETVAS service) for vulnerable machines. ETVAS service subscribers who would like us to scan your network again can request us at ecc@eventtracker.com and we will perform a scan at your convenience.
  3. Updated the Active Watch List in your instance of EventTracker with the latest Indicators of Compromise (IOCs). This includes MD5 hashes of the malware variants, IP addresses of  C&C servers, the email address wowsmith123456@posteo.net
  4. Monitoring system reboots and additions to the Scheduled Tasks list
  5. Watching Change Audit snapshots in your network for changes to registry (RunOnce)
  6. Updated ETIDS with snort signatures as described by Cisco Talos
  7. Performing log searches using known IOCs

Recommendations

  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Perform a detailed vulnerability scan of all systems on your network and apply missing patches ASAP.
  • Limit traffic from/to ports 139 and 445 to internal network only. Monitor traffic to these ports for out of ordinary behavior.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.

Perfect protection is not practical

With distressing regularity, new breaches continue to make headlines. The biggest companies, the largest institutions both private and government are affected. Every sector is in the news. Recounting these attacks is fruitless. Taking action based on the trends and threat landscape is the best step. Smarter threats that evade basic detection, mixed with the operational challenge of skills shortage, make the protection gap wider.

An overemphasis on prevention defines the current state of defenses as shown in the pie chart below.

pie-chart

According to ISACA’s 2015 cybersecurity report , over 85% of senior IT and business leaders report that they feel there is a labor crisis of skilled cybersecurity workers. Gartner believes approximately 50% of budgeted security positions are vacant; on average, technical staff spend about four years in a position before moving on. The threats that this outnumbered corps are working to confront are evolving so fast that security departments’ staffing methods are often hopelessly out of date.

prefect-protection

The main lesson to learn is that “perfect protection is not practical, so monitoring is necessary.”

Are you feeling overwhelmed with the variety, velocity and volume of cyber attacks? Help is at hand. Our SIEMphonic managed detection and response offering blends best-in-class technology with a 24/7 iSOC to help strengthen your security defenses while controlling cost.