In June 2017, an unnamed client requested NCC Group to assist with research on the likely impact of the NotPetya malware in their live environment.
The client was fortunate in that they had not been affected, but wanted to know how bad it would have been if the alleged Russian-derived attack had impacted them.
The client asked, “So, would NCC Group be interested in producing a NotPetya simulation program? i.e. a NotPetya clone that we can run inside of our network, but with the ransomware removed and safeguards to ensure it stays within our network. Also could you create some reporting so that we can understand what mechanism it used to move between each host and how long it took to move around the network?”
The resulting design covered the following areas:
- Target operating systems
- Target enumeration mechanisms
- Propagation mechanisms
- Enable/propagate switches
- Kill/remove switches
- Telemetry and reporting
- Clean-up and removal
- Anti-network saturation algorithm
The first four essentially mirrored NotPetya’s functionality, while the remaining five acted as safeguards and included data collection:
- IP address whitelists defining which ranges to target and ensuring the program only ran within them
- Pre-shared secrets held in DNS, checked and validated to authorise the program to run and to trigger its kill/remove behaviour
- Regular heartbeats
- State reporting
- Success/failure reporting
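As an added illustration (not NCC Group's code) of how the whitelist and DNS-held secret safeguards can gate execution, the following Python checks the local address against allowed ranges and validates run and kill tokens read from DNS TXT records. The address ranges, the pre-shared secret, the record names and the zone contents are constructed stand-ins, and the DNS lookup is stubbed so it runs offline.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional

# Constructed allowlist: the simulation may only operate inside these ranges.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Constructed pre-shared secret known only to the operators (placeholder value).
PRESHARED_SECRET = b"constructed-psk-placeholder"

# Constructed record names the operators would populate in their own DNS zone.
RUN_RECORD = "run.sim.example"
KILL_RECORD = "kill.sim.example"


def in_allowlist(ip: str) -> bool:
    """True when the address falls inside one of the whitelisted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def expected_token(label: str) -> str:
    """Token the operators publish in DNS: HMAC-SHA256 of the switch label under the PSK."""
    return hmac.new(PRESHARED_SECRET, label.encode(), hashlib.sha256).hexdigest()


def dns_txt(name: str, zone: Dict[str, str]) -> Optional[str]:
    """Stand-in for a DNS TXT lookup; `zone` is the constructed record set."""
    return zone.get(name)


def decide(local_ip: str, zone: Dict[str, str]) -> str:
    """Return 'kill', 'run' or 'halt'. A valid kill token always wins."""
    kill = dns_txt(KILL_RECORD, zone)
    if kill is not None and hmac.compare_digest(kill, expected_token("kill")):
        return "kill"  # operators have pulled the kill/remove switch
    if not in_allowlist(local_ip):
        return "halt"  # outside the whitelisted network, refuse to run
    run = dns_txt(RUN_RECORD, zone)
    if run is None or not hmac.compare_digest(run, expected_token("run")):
        return "halt"  # no valid run authorisation published in DNS
    return "run"
```

A host outside the whitelist never runs regardless of the DNS tokens, and an unauthenticated value in the kill record is ignored so a third party cannot forge either switch without the secret.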
After development and testing, the pseudo-malware, dubbed EternalBlue, was released onto the customer’s engineering network (a live environment, but not the corporate systems) on 7 December 2017.
According to NCC, the release generated far more data than was expected and was able to move through the network very quickly.
- The customer ran it on one machine in their engineering network with no privileges.
- It found three machines unpatched.
- It exploited those three machines to obtain kernel-level access.
- It infected those three machines.
- Within 10 minutes it had gone through the entire engineering network using recovered/stolen credentials.
- It then took the domain about two minutes later.
- A total of 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.
Anti-virus on some target computers detected the tool; it will be adjusted to avoid this problem before it is deployed into the full production environment very soon.
More results to come.