The advanced capabilities of organized hacker groups and cyber threat actors are an increasing global threat to information systems. Rising threat levels place more demands on cybersecurity personnel and network administrators to protect information systems. Protecting network infrastructure is critical to preserving the confidentiality, integrity, and availability of communication and services across an enterprise.
Cyber campaigns—such as NotPetya—are examples of increasingly advanced threat actor activity. NotPetya encrypts the victim's files with a dynamically generated 128-bit key and presents the victim with a unique ID. However, there is no evidence of any relationship between the encryption key and that ID, so the attacker may be unable to decrypt the victim's files even if the ransom is paid. It therefore behaves more like destructive malware than ransomware.
NotPetya leverages multiple propagation methods. According to malware analysis, NotPetya attempts the lateral movement techniques below:
· PsExec - a legitimate Windows administration tool
· WMI - Windows Management Instrumentation, a legitimate Windows component
· EternalBlue - the same Windows SMBv1 exploit used by WannaCry
· EternalRomance - another Windows SMBv1 exploit
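The two "living off the land" methods in that list (PsExec and WMI) leave ordinary Windows event-log traces on the target host, which is what a defender can hunt for. The script below is an added example, not part of the CERT Bulgaria advisory: it looks back over a configurable window for (1) System event 7045 "service installed" records naming the service PsExec creates (PSEXESVC) and (2) Security event 4688 process-creation records whose parent is the WMI provider host (WmiPrvSE.exe), which is how a remotely issued WMI `Win32_Process.Create` shows up locally. The look-back window, the service-name list and the requirement that process-creation auditing is enabled are assumptions of this script; WmiPrvSE also spawns legitimate processes (monitoring agents, inventory tools), so treat its output as hunting leads rather than verdicts.

```powershell
# Added example (not from the advisory): hunt for PsExec- and WMI-style
# lateral movement traces on a Windows host. Run elevated.
param(
    [int]$LookbackHours = 24,                        # assumed window
    [string[]]$SuspiciousServiceNames = @('PSEXESVC') # PsExec's default service name
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Turn an event's <EventData> into a name -> value hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$findings = @()

# 1. PsExec copies its service binary to ADMIN$ and installs it as a
#    service, which the System log records as Event ID 7045.
$serviceInstalls = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 7045; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($evt in $serviceInstalls) {
    $d = ConvertFrom-EventData -Event $evt
    if ($SuspiciousServiceNames -contains $d['ServiceName']) {
        $findings += [pscustomobject]@{
            Time      = $evt.TimeCreated
            Indicator = 'PsExec-style service install (7045)'
            Detail    = "$($d['ServiceName']) -> $($d['ImagePath'])"
            Account   = $d['AccountName']
        }
    }
}

# 2. Remote WMI execution runs on the target inside WmiPrvSE.exe, so the
#    new process's parent is WmiPrvSE.exe. Requires "Audit Process Creation"
#    to be enabled (Security Event ID 4688 with ParentProcessName populated).
$procCreates = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($evt in $procCreates) {
    $d = ConvertFrom-EventData -Event $evt
    if ($d['ParentProcessName'] -like '*\WmiPrvSE.exe') {
        $findings += [pscustomobject]@{
            Time      = $evt.TimeCreated
            Indicator = 'Process spawned by WMI provider host (4688)'
            Detail    = $d['NewProcessName']
            Account   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

if ($findings.Count -eq 0) {
    "No PsExec/WMI lateral-movement indicators in the last $LookbackHours hours."
} else {
    $findings | Sort-Object Time | Format-Table -AutoSize
}
```

Run it as `.\Hunt-LateralMovement.ps1 -LookbackHours 72` on a host you suspect was reached over SMB; in a fleet, the same two queries translate directly into SIEM searches keyed on `ServiceName = PSEXESVC` and `ParentProcessName ends with WmiPrvSE.exe`, and the source address of the matching Security 4624 type-3 logon is the next pivot point for the investigation.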
Security experts recommend organizations remain vigilant and aware of potential malicious cyber activity ahead of upcoming national holidays, including Ukraine's Constitution Day on June 28, 2018. NotPetya coincided with a national holiday of the targeted nation.
CERT Bulgaria recommends that users and administrators implement the following recommendations:
- Limit unnecessary lateral communications.
- Ensure you have fully patched your systems, and confirm that you have applied Microsoft's patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Conduct regular backups of data and test your backups regularly as part of a comprehensive disaster recovery plan.
- Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
- Manage the use of privileged accounts. Implement the principle of least privilege. Do not assign administrative access to users unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
- Secure use of WMI by authorizing WMI users and setting permissions.
- Utilize host-based firewalls and block workstation-to-workstation communications to limit unnecessary lateral communications.
- Disable or limit remote WMI and file sharing.
- Block remote execution through PSEXEC.
- Segregate networks and functions.
- Harden network devices.
- Secure access to infrastructure devices.
- Perform out-of-band network management.
- Validate integrity of hardware and software.
- Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445, together with the related NetBIOS protocols on UDP ports 137-138 and TCP port 139, on all boundary devices.
Note: Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. Weigh the benefits of mitigation against potential disruptions to users.
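Several of the host-level items in that list (MS17-010 patch check, SMBv1 removal, host firewall blocking of workstation-to-workstation SMB/NetBIOS, limiting remote WMI and the file-sharing rule group) can be applied with built-in Windows cmdlets. The script below is an added example, not from the CERT Bulgaria advisory, and runs elevated on a Windows 8.1/10-class endpoint (on Windows Server the SMB1 feature is removed with `Remove-WindowsFeature FS-SMB1` instead). Assumptions, all of them parameters rather than values from the advisory: the workstation address ranges to block, the list of MS17-010 KB identifiers (seeded from the March 2017 bulletin for Windows 7/8.1/2012/2012 R2 and the legacy out-of-band update; verify it against Microsoft's list for your builds, and note that later cumulative updates supersede these KBs without listing them), and the inclusion of TCP 135 (the RPC endpoint mapper that DCOM/WMI use, a fact added here, not stated on the page). `-WhatIf` performs a dry run.

```powershell
# Added example (not from the advisory): apply host-level NotPetya
# mitigations on a Windows endpoint. Run elevated; -WhatIf for a dry run.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$WorkstationSubnets = @('10.0.0.0/8'),   # ASSUMED: your client ranges
    [string[]]$Ms17010Kbs = @(                          # ASSUMED: verify for your builds
        'KB4012212','KB4012215',   # Windows 7 / 2008 R2 (security-only / rollup)
        'KB4012213','KB4012216',   # Windows 8.1 / 2012 R2
        'KB4012214','KB4012217',   # Windows Server 2012
        'KB4012598'                # legacy out-of-band (XP / 2003 / Vista / 2008)
    )
)

# 1. Patch check for MS17-010 (EternalBlue / EternalRomance).
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No listed MS17-010 KB found; confirm via build level / cumulative updates.'
}

# 2. Disable SMBv1 on the server side and remove the SMB1 feature.
if ($PSCmdlet.ShouldProcess('SMBv1', 'disable')) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

# 3. Host firewall: block inbound SMB, NetBIOS and RPC/WMI from workstation
#    ranges. Blocking 445 from peers also stops PsExec, which needs ADMIN$.
$rules = @(
    @{ Name = 'Block inbound SMB from workstations';     Proto = 'TCP'; Ports = @('445','139') },
    @{ Name = 'Block inbound NetBIOS from workstations'; Proto = 'UDP'; Ports = @('137','138') },
    @{ Name = 'Block inbound RPC/WMI from workstations'; Proto = 'TCP'; Ports = @('135') }
)
foreach ($r in $rules) {
    $exists = Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue
    if (-not $exists -and $PSCmdlet.ShouldProcess($r.Name, 'create block rule')) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
            -Protocol $r.Proto -LocalPort $r.Ports -RemoteAddress $WorkstationSubnets `
            -Profile Domain, Private | Out-Null
    }
}

# 4. Disable the built-in inbound allow groups for remote WMI and file sharing
#    (the advisory's "disable or limit remote WMI and file sharing").
foreach ($group in 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing') {
    if ($PSCmdlet.ShouldProcess($group, 'disable inbound rules')) {
        Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue |
            Where-Object Direction -eq 'Inbound' |
            Disable-NetFirewallRule
    }
}

# 5. Report resulting state for the change record.
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
Get-NetFirewallRule -DisplayName 'Block inbound * from workstations' |
    Select-Object DisplayName, Enabled, Action
```

Servers that legitimately need SMB or WMI from clients (file servers, management hosts) are outside `$WorkstationSubnets` by design, so the block rules only cut peer-to-peer traffic between endpoints; the note above about disrupted access to shared files still applies to any shares hosted on the workstations themselves, which is why the dry run and the final state report are worth keeping in the change ticket.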
For more information please visit: