際際滷

際際滷Share a Scribd company logo

Volodymyr Ilibman - Close Look at Nyetya Investigation

OWASP Kyiv
OWASP Kyiv

First-hand experience shared by the guy who has been a part of the June, 27 attack investigation and response from the very beginning.

1 of 36
Downloaded 10 times
Close look at Nyetya investigation Volodymyr Ilibman Cisco Ukraine
亠仄 弍亟亠仄 亞仂于仂亳 舒仍亠亟仂于舒仆亳亠 仆舒仍亳亰 仗仂于亠亟亠仆亳 Nyetya 于仂亟 亳 舒亠亞亳亳 仗亠亟仂于舒亠仆亳
丱仂仆仂仍仂亞亳 仂弍亳亶 27 亳ミ術 弌舒仍亳 仗亳仂亟亳 仗亠于亠 仂仂弍亠仆亳 仂 亰舒舒亢亠仆亳亳 11:00 12:00 舒仂于亠 亰舒舒亢亠仆亳 (仄亠亢亟 12.00 亳 16.00) 17:50 亠于亠 亠亰仍舒 亳仍亠亟仂于舒仆亳亶 Talos 仂仗弍仍亳从仂于舒仆 于 弍仍仂亞亠 21:33. 亠于仂亠 仂亳亳舒仍仆仂亠 仗仂仄亳仆舒仆亳亠 仂 于亠从仂亠 亰舒舒亢亠仆亳
弌仄仗仍 弍仍 仗亠亠于舒亠仆 于 12:54 仂亟仆仂亞仂 亳亰 从仍亳亠仆仂于
仍仂 亰舒仄亠亠仆仂 仂亠仆 弍仂亠 舒仗仂舒仆亠仆亳亠 仗仂 亠亳 亠亠亰 SMB
舒仗仂舒仆亠仆亳亠 亰舒仆亳仄舒仍仂 10-30 仄亳仆
丱仂仆仂仍仂亞亳 仂弍亳亶 27 亳ミ術 弌舒仍亳 仗亳仂亟亳 仗亠于亠 仂仂弍亠仆亳 仂 亰舒舒亢亠仆亳亳 11:00 12:00 舒仂于亠 亰舒舒亢亠仆亳 (仄亠亢亟 12.00 亳 16.00) 17:50 亠于亠 亠亰仍舒 亳仍亠亟仂于舒仆亳亶 Talos 仂仗弍仍亳从仂于舒仆 于 弍仍仂亞亠 21:33. 亠于仂亠 仂亳亳舒仍仆仂亠 仗仂仄亳仆舒仆亳亠 仂 于亠从仂亠 亰舒舒亢亠仆亳
亠亠仂仄 29 亳ミ術 于 亳亠于 仗亳弍仍舒 从仂仄舒仆亟舒 亠舒亞亳仂于舒仆亳 Cisco 亟仍 仗仂仄仂亳 Talos- 仆舒 仄亠亠
M.e.Doc Connection
The Backdoor Contacts upd.me-doc.com.ua every 2 mins If finds a proxy: Retrieve email data from local me-doc Wait for & execute commands These commands almost certainly used to distribute Nyetya.
M.e.Doc Connection
Restoring Connections
仆舒仍亳亰 仗仂于亠亟亠仆亳 Nyetya
Propagation ETERNALBLUE Scans IP subnet 139 TCP Perfc.dat PSEXEC WMI ETERNALROMANCE
Malware Credential Stealing Command line Modified version of Mimikatz pen testing tool. Credentials passed over a named pipe. Malware collects stolen credentials as it propagates. Collects users token via Windows API. rundll32.exe C:Windowsperfc.dat,#1 60 "username:password C:WINDOWSTEMP561D.tmp, .pipe{C1F0bf2d-8c17-4550-af5a-65a22c61739c}
Propagation Perfc.dat If MS17-010 not applied: Trigger EB or ER exploits. Installs modified DP backdoor. Installs perfc.dat, executes as a dll. DoublePulsar modified command codes modified response codes modified response location in SMB packet ETERNALBLUE ETERNALROMANCE MODIFIED DOUBLEPULSAR
Propagation Perfc.dat PSEXEC Drops PsExec as dllhost.dat. Uses stolen user token. Connects to new machine (IP: w.x.y.z). Installs perfc.dat, executes as a dll. C:WINDOWSdllhost.dat w.x.y.z -accepteula -s -d C:WindowsSystem32rundll32.exe C:Windowsperfc.dat,#1
Propagation Perfc.dat WMI Uses stolen username & password. Connects to new machine (IP: w.x.y.z). Installs perfc.dat, executes as a dll. Wbemwmic.exe /node:"w.x.y.z" /user:"username" /password:"password" "process call create "C:WindowsSystem32rundll32.exe "C:Windowsperfc.dat" #1"
Encryption Process Schedule reboot in 1hr Encrypts files RSA 2048 Escalate privileges of current user Encrypts MBR (if administrator) Final log clean up ETERNALBLUE PSEXEC WMI ETERNALROMANCE
Payload
Genuine Ransomware? 則 Single bitcoin wallet means difficult to follow who has paid. 則 Single contact email address, now blocked 則 you cant contact the criminals even if you want to. 則 If admin, MBR is overwritten. 則 If MBR not overwritten, wipes first 10 disk sectors. 則 If have software avp.exe running, wipes first 10 disk sectors.
弌于磶仆仂亶 M.E.Doc 仂仍仆亶 仂亠 Eng: http://blog.talosintelligence.com/2017/07/the-medoc-connection.html 丕从: http://www.cisco.com/c/dam/global/ru_ua/solutions/security/ransomware /pdfs/cisco_blog_ransomware_attack_ua_upd4-graphics.pdf
Cisco Talos: 仍仂仄仍亠仆仆亳从亳 仂从舒亰舒仍亳 仂 于仂亰仄仂亢仆仂亳 亟仂舒于仍 仍ミ頴笑 从仂亟 于 80% 于亠亟仂仆仂仆 从仂仄仗舒仆亳亶, 从仂仂亠 亳仗仂仍亰ム M.E.Doc. 舒仍仂于亠仂仆仂 亠 亟仂仗 舒从仂亞仂 仂于仆 弍亠亰 于亠亠仆仆仂亳, 仂 仄仂亢仆仂 仗仂仍亳 舒仆舒仍仂亞亳仆亶 亟仂仗 于仂从亳仄 仗亳仂亳亠仂仄 于 弍亟亠仄 亟亳仆 亳亰 于于仂亟仂于
亳, 舒亰于亠仆舒仆仆亠 舒舒从仂亶 1. 弍仆仂于仍亠仆亳亶 Windows 于舒舒亠 亟仍 亰舒亳 2. 仆亳于亳 于亳亳从仂亶 仄仂亞 仗亠亟仂于舒亳 亰舒舒亢亠仆亳亠 3. 个舒亶亠于仂仍 c仗仂仂弍亠仆 于 仂亟亳仆仂从 仂舒仆仂于亳 舒仗仂舒仆亠仆亳亠 于亳仂于 4. 仂仍亰仂于舒亠仍 - 舒仄仂亠 仍舒弍仂亠 亰于亠仆仂 5. 亠 弍亠亟 亳亰-亰舒 亳亳仆亞舒
WHAT COULD HAVE BEEN DONE DIFFERENTLY? 1. Secure Development Lifecycle
WHAT COULD HAVE BEEN DONE DIFFERENTLY? 2. Threat Information Exchange
WHAT COULD HAVE BEEN DONE DIFFERENTLY? 3. 舒亳亳 亠弍
WHAT COULD HAVE BEEN DONE DIFFERENTLY? 則 Patching 則 Least Functionality 則 Least Privilege 則 System and Network Monitoring 則 Network Segmentation 則 Processes and Policies http://blog.talosintelligence.com/2017/08/worm-defense.html Back to Basics: Worm Defense in the Ransomware Age
亠亰仂仗舒仆仂 亠于亠仆 亳 从仍亳亠仆从亳 弌 ....Patching and upgrades should be prioritized on these systems and customers should move to transition these systems to Windows 10, following the guidance from Microsoft on securing those systems Cisco TALOS The MEDoc Connection 亠亰仂仗舒仆仂 弌 Windows 10, Mac 亳 Linux 仆亠 磦仍ム 仗舒仆舒亠亠亶
亠亰仂仗舒仆仂 亠于亠仆 亳 从仍亳亠仆从亳 弌 亠亰仂仗舒仆仂 弌 + 亞舒仆亳亠仆亳亠/舒亰亞舒仆亳亠仆亳亠 亟仂仄亠仆仆 仗仂仍仆仂仄仂亳亶 + 弌仂亰亟舒仆亳亠 弍亠仍/亠仆 仗亳从仂于 仗仂亠仂于 + 仂仆亳仂亳仆亞 亳仗仂仍亰仂于舒仆亳 亳亠仄仆 亳 亠亠于 亠仂于 + 于舒从仂仆舒 舒亠仆亳亳从舒亳 + 仗仂仍亰仂于舒仆亳亠 亳亠仄 Breach Detection Systems / EDR/ 仗亠仂仆亳 ..
弌仆亳亢亠仆亳亠 亳从仂于 Supply Chain 亟亠仆亳亳从舒亳 亠于亳仂于 仂仂仆仆亳 从仂仄仗舒仆亳亶 亳 舒仄仂仗亳舒仆仂亞仂 亟亠仍亠仆亳亠 亠于亳仂于 于 仂亟亠仍仆 亰仂仆() 弍亠亰仂仗舒仆仂亳 弌亠亞仄亠仆舒亳 亳 仄亳仆亳仄亳亰舒亳 仗仂仍仆仂仄仂亳亶 Supply-Chain
舒亰弍亳 亠 仆舒 亠亞仄亠仆 (DC, 亳仍亳舒仍, 于仆亠仆亳亠 亠于亳, 仗舒仆亠) 亞舒仆亳亳 亳仍亳 亰舒仗亠亳 舒亳从 仄亠亢亟 亠亞仄亠仆舒仄亳 (于从仍ム舒 TCP 139/445) 仂于仂亠 仆舒仗舒于仍亠仆亳亠 - 仄亳从仂亠亞仄亠仆舒亳 弌亠亞仄亠仆舒亳 于仆亠仆仆亠亶 亠亳 亞舒仆亳亳 亠 舒仗仂舒仆亠仆亳 malware 弌亠亞仄亠仆舒亳
仂亟仂亟 DefCon 于 仗亳仄亠仆亠仆亳亳 仗仂仍亳亳从 弍亠亰仂仗舒仆仂亳 仂仍亳亳从亳 于 亰舒于亳亳仄仂亳 仂 仂于仆 亞仂亰
仂亟亞仂仂于亳 亳 仗仂于亠亳 仗仍舒仆 亠舒亞亳仂于舒仆亳 /Disaster Recovery/BCP
Stay Informed Spreading security news, updates, and other information to the public ThreatSource Newsletter cs.co/TalosUpdate Social Media Posts Facebook: TalosGroupatCisco Twitter: @talossecurity White papers, articles, & other information talosintelligence.com Talos Blog blog.talosintelligence.com Instructional Videos cs.co/talostube
www.talosintelligence.com blog.talosintel.com @talossecurity

More Related Content

Volodymyr Ilibman - Close Look at Nyetya Investigation