Petya/NotPetya: Why it’s Time to Lock Down Third-Party Risk
In opinion / By Phil Muncaster / 11 July 2017
Ransomware has been the talk of the town again over the past couple of weeks. Just as admins had cleaned up the last of the WannaCry mess, the alarm bells started ringing on yet another apparent global epidemic, dubbed ‘Petya’ by some and ‘NotPetya’ by others. The emerging story is evolving by the day. But as I see it now, this incident should be viewed less as an urgent “ransomware wake-up call” for organisations, and more of a cautionary tale highlighting the cybersecurity risks facing firms with extensive international partner networks and branch offices.
A strong case has been made that Petya was intended primarily to destroy and disrupt IT systems in Ukraine, and managed to spread globally through the VPNs of multi-nationals with offices or partners in the country.
This attack campaign, built on malware that shares some similarities with Petya ransomware, seems to have been disguised by its authors as a money-making venture. In fact, after landing on 27 June, it soon spread to scores of countries worldwide, infecting businesses with ransomware which encrypted files, replaced the Master Boot Record (MBR) and requested payment in crypto-currency. It also spread laterally across networks via NSA exploit EternalBlue, like WannaCry.
However, a few things didn’t add up. For one, the attackers modified the MBR so that it couldn’t be recovered, according to Eset.
“Specifically, the attacker cannot provide a decryption key and the decryption key cannot be typed in the ransom screen, because the generated key contains non-acceptable characters,” the firm explained in a blog post. That’s not the behaviour of a financially motivated cybercriminal. Then there was the disproportionately large number of victim organisations based in the Ukraine: 12,500 machines on the first day alone, according to Microsoft.
The threat also contained additional propagation mechanisms to help it spread laterally, even more effectively than WannaCry. It used legitimate security tool Mimikatz to harvest log-ins which – if the target machine had admin credentials – could enable it to infect others on the network via the PsExec and WMIC Windows utilities.
Finally, there’s the evidence suggesting that the initial attack vector was a compromised version of ME Doc, accounting software used by 80% of Ukrainian businesses. Eset claimed the attackers had access to the update server of ME Doc owner, Intellect Service.
“Using access to this server, attackers pushed a malicious update that was applied automatically without user interaction. That’s why so many systems in Ukraine were affected by this attack. However, it seems like the malware authors underestimated the spreading capabilities of Diskcoder.C [Petya/NotPetya],” it explained.
“Why are there infections in other countries than Ukraine? Our investigation revealed that affected companies in other countries had VPN connections to their branches, or to business partners, in Ukraine.”
The weakest link
So, what we have is a destructive malware campaign disguised as a money-making ransomware blitz, which got out of hand. The Ukrainian security services have directly blamed Russia, but aside from attribution this is a great example of the security risks presented by partner organisations and satellite offices. They will be more pronounced in larger multi-nationals, but even SMEs these days may have numerous overseas partners.
Verizon warned in its most recent Data Breach Investigations Report (DBIR) that smaller firms are often “identified as a soft target useful as a stepping stone to their partners’ systems”. US retailer Target was famously breached and 70 million records/40m card details stolen after hackers compromised an HVAC supplier’s network log-ins. That attack happened in 2013 but the same concerns are still very much alive and well. Last year, three call centre workers in India working for TalkTalk outsourcer Wipro were arrested after using the ISP’s customer data to commit fraud.
Some 70% of senior execs polled by the Shared Assessments Program last year believe third-party risk is significantly increasing, while just a quarter (26%) think their risk assessment of controls in this area is effective. As if that weren’t bad enough, only 18% of those polled said they conduct third-party risk assessments. Other estimates suggest as many as 63% of breaches can be traced to third-party vendors.
Time to manage risk
Best practice cybersecurity is all about effective risk management. Yet it seems that too often IT bosses are overlooking their overseas offices, and particularly their third-party providers. It’s vital that they are subject to the same security controls and high standards as the mothership. These should include things like multi-factor authentication for network access; “least privilege” access policies; user education to spot phishing attempts; comprehensive incident response plans; prompt patching; continuous network monitoring; and network segmentation. The latter in particular can help prevent the spread of ransomware laterally across a company.
More generally, the following can help you better manage risk across third-parties:
Draw up detailed service-level agreements (SLAs) with suppliers, specifying what security controls/standards they need to apply
Consider enforcing compliance with formal cybersecurity standards such as ISO 27001, COBIT or even the government Cyber Essentials scheme
Conduct your own regular audits/pen testing
Deny network access from any unapproved source
Know where data is stored and understand where it could be transferred to at all times
Once a contract/relationship is completed, revoke network access and ensure all shared data is returned or destroyed
Major organisations including global law firm DLA Piper and Danish shipper Maersk are only just getting operations back to normal, over a week after Petya/NotPetya struck. It’s vital that IT bosses stay on top of third-party risk, and ensure their entire organisation is covered by the same high security standards.