NotPetya, a recent malware, masquerading as the known Petya ransomware started wreaking havoc at a world scale last week. Initially, it looked like another wave in the malware storm that started with Shadow Brokers’ publication of EternalBlue and other zero-day vulnerabilities in Windows OS. And, in fact, NotPetya used EternalBlue as one of the lateral movement methods in its arsenal. But, apparently, the developers of NotPetya wanted to hit some high-value targets and the risk that these networks had already been fully patched would have ruined their attack.
To overcome this hurdle, it seems that the developers of NotPetya ransomware used good-old hacking techniques and used a modified version of open-source Mimikatz tool to steal passwords and password hashes that are stored in machine's memory and infect other machine in the network using PsExec with pass-the-hash and other credential theft techniques. As Avi Kama mentioned in his insightful blog, once an attacker is inside the network, he is likely to use stolen credentials and use Active Directory to infect other machines in the network. The fact that Mimikatz software and pass-the-hash have been around for some time should raise serious alerts - how come this type of attack is so successful? What should security professional do to protect their network?
Here are 4 things security teams can do to prevent these type of attacks from hitting their networks:
Basic ProtectionThis has been discussed in great detail pretty much everywhere. Always make sure all your systems are patched with most recent updates. In addition, you should probably use some sort of endpoint protection solution. Combining these two will probably be helpful thwarting 95% of the attack (those that are less targeted and sophisticated)
Detection is not enoughSome security products offer advanced threat detection. But sadly, detection alone is not not enough in such cases. As mentioned in a previous blog, all it takes to cause serious harm to your network is a few minutes. By the time you see the alerts in your security analytics solution or SIEM, the NotPetyas of the world will have already scrambled all your data. To really stop such attacks you need a security product that integrates real time response upon detection of suspicious activity.
Pass-the-hash happens due to bad security practicesPass-the-hash and other credential theft techniques happen when high privilege user accounts aren’t secured properly. Some admins aren’t aware where their credentials are circulating. If you're an admin, the laptop that you helped install a printer on, the mobile phone you use to download emails, the machine that runs scripts with your user account - all of these are potential targets that could be used to steal your credentials. Microsoft issued a comprehensive manual on how to properly secure privileged accounts and stop pass-the-hash - I strongly suggest you read it. A User and Entity Behavior Analytics (UEBA) software solution can assist with analyzing the behavior and risk of each privileged account and find use-cases where best security practices aren’t applied at your organization and give you the opportunity to fix issues before it is too late.
Protect your privileged accountsPrivileged accounts require stronger protection. As previously mentioned, being able to respond in real-time to potential threat is critical. When privileged accounts are used in an anomalous manner, you want to be able to force a Multi-Factor Authentication (MFA) step in addition to the password verification. When the credentials are used in the usual manner, the user would be available to approve the activity. But in case of a malware, moving laterally in the network, using stolen credentials, the MFA will not be answered and the attack would simply be blocked.