One security-conscious $100 billion company this week exposed its global production IT environment to a de-fanged version of the fast-moving, data-destroying NotPetya malware that crippled several large corporations last June.
The worm, dubbed EternalGlue, was created by researchers at NCCGroup, which named its modular malware after the National Security Agency’s EternalBlue weapon — the leaked exploit that helped both WannaCry and NotPetya rapidly overtake networks where at least one Windows machine had been compromised. The malware also employed an open source credential-stealing tool called Mimikatz, as well as other techniques such as credential impersonation.
Western governments fingered North Korean hackers for WannaCry and Kremlin-backed hackers for NotPetya. NotPetya caused over $1 billion in damages across FedEx’s European subsidiary TNT Express, Maersk, and Mondelez International.
NCCGroup rebuilt NotPetya in June 2017 for a customer who wanted to see how they would have fared if they’d been infected. Naturally, the customer didn’t want it to destroy their data, so they asked NCC to create a payload that delivered “telemetry and safeguards”.
The pseudo-malware copied the way NotPetya spread, but included safeguards such as enable and propagate switches, kill and remove switches, telemetry, and a clean-up tool. Additional safeguards included measures to whitelist certain IP addresses, and success and failure reporting.
The first run of EternalGlue was in December last year on a portion of a customer’s network that was isolated from IT systems at headquarters. The malware was run on one machine with no privileges, found three unpatched machines and proceeded to attack them by obtaining kernel-level access and then infecting them. However, some antivirus products were detecting it.
The latest tweaks to EternalGlue mean it can now evade antivirus products even where they detect previously seen samples or malware displaying similar behavior. It was also adjusted to steer clear of this particular customer’s industrial control systems.
NCCGroup’s analysis of EternalGlue’s successes and failures turned up a key setting that other enterprises should probably adopt to limit the damage from NotPetya and its many copycats, such as BadRabbit and the malicious crypto-miners that also employ EternalBlue and the other tricks NotPetya used.
That setting is “Account is sensitive and cannot be delegated”, which stops an account’s credentials from being forwarded to other computers on a network by a trusted application.
As Microsoft explained in a blogpost about the setting: "If a trusted computer is compromised, the trusted application could act on behalf of any user that has presented itself to the service to perform malicious activity. If an account has 'Account is sensitive and cannot be delegated' set, then its credentials can not be reused by a trusted service. This limits the scope of attacks that use delegation, e.g. elevation of privilege activities.”
NCCGroup found this setting was effective at blocking the method NotPetya used to spread across a network when EternalBlue was not available: besides the exploit, NotPetya also spread through token impersonation.
“We found that this configuration would have hindered NotPetya propagation significantly using the token impersonation route for domain admin accounts,” NCCGroup noted.
Microsoft’s patch for EternalBlue is now over a year old, and it seems most of the customer’s systems exposed to the simulated attack were patched. During the five-hour attack, just one host was found to be vulnerable to EternalBlue; however, 209 hosts were compromised by stealing admin tokens. Of these, 152 were compromised using NotPetya’s token impersonation method.
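The setting NCCGroup singles out is the NOT_DELEGATED bit (0x100000) in an account’s userAccountControl attribute, which is what the “Account is sensitive and cannot be delegated” checkbox sets. The script below is an added example, not code from NCCGroup, Microsoft or the article: it audits the members of the usual privileged groups for that flag and offers a dry-run remediation. It assumes the RSAT ActiveDirectory module on a domain-joined host, read rights for the audit and write rights on the accounts for remediation; the group names are the default built-in ones and may need adjusting for a given domain.

```powershell
<#
Added example (not NCC Group's or Microsoft's code): audit privileged AD accounts for the
"Account is sensitive and cannot be delegated" flag and optionally set it.
Assumptions: RSAT ActiveDirectory module present, domain-joined host, read rights to AD;
remediation additionally needs rights to modify the listed accounts.
#>
#Requires -Modules ActiveDirectory

function Get-PrivilegedDelegationStatus {
    [CmdletBinding()]
    param(
        # Privileged groups to audit (assumption: default built-in names; adjust per domain)
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')
    )
    # userAccountControl bit NOT_DELEGATED (0x100000) is what the checkbox sets
    $NotDelegatedBit = 0x100000

    $members = foreach ($g in $Groups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' }
        } catch {
            Write-Warning "Could not enumerate group '$g': $_"
        }
    }

    # Nested group membership produces duplicates; report each account once
    $members | Sort-Object -Property DistinguishedName -Unique | ForEach-Object {
        $u = Get-ADUser -Identity $_.DistinguishedName -Properties userAccountControl, AccountNotDelegated, Enabled
        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            Enabled             = $u.Enabled
            # Read the raw bit as well as the friendly property so the two can be cross-checked
            NotDelegatedBitSet  = [bool]($u.userAccountControl -band $NotDelegatedBit)
            AccountNotDelegated = $u.AccountNotDelegated
            DistinguishedName   = $u.DistinguishedName
        }
    }
}

function Set-PrivilegedNotDelegated {
    # SupportsShouldProcess gives -WhatIf / -Confirm so the change can be rehearsed first
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(ValueFromPipeline = $true)] $Account
    )
    process {
        if ($Account.AccountNotDelegated) { return }   # already protected
        if ($PSCmdlet.ShouldProcess($Account.SamAccountName, "Set 'Account is sensitive and cannot be delegated'")) {
            Set-ADUser -Identity $Account.DistinguishedName -AccountNotDelegated $true
        }
    }
}

# Usage: list enabled privileged accounts whose credentials can still be delegated
$report = Get-PrivilegedDelegationStatus
$exposed = $report | Where-Object { $_.Enabled -and -not $_.AccountNotDelegated }
$exposed | Format-Table SamAccountName, NotDelegatedBitSet, AccountNotDelegated -AutoSize

# Remediation dry run; drop -WhatIf to apply once accounts that legitimately need delegation are excluded
$exposed | Set-PrivilegedNotDelegated -WhatIf
```

Two caveats a practitioner should keep in mind when applying this. First, the flag addresses only the delegation and token-impersonation route; the EternalBlue path still needs the MS17-010 patch, which is why the single unpatched host above was still compromised. Second, the flag will break any privileged account that genuinely relies on Kerberos delegation (for example a service account configured for constrained delegation), so review the report before removing `-WhatIf`. Membership in the built-in Protected Users group enforces the same no-delegation behaviour, among other restrictions, and is an alternative for interactive admin accounts.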
According to NCC, the customer pulled the plug -- or hit the kill command -- on the exercise because the “speed and exponential nature propagation was picking up beyond their risk tolerance threshold.”
NCCGroup has detailed other lessons learned in this blogpost and says it is building other tools for spreading malware beyond the NotPetya techniques it borrowed.