On the NotPetya / GoldenEye / Nyetya ransomware attack

Last update: happy July 4th, American readers! – For the original article, read below the line-break.

Update 4: Analysis on the backdoor by ESET

ESET posted a thorough and interesting analysis. Couple of takeaways:

  1. Intruders were apparently in the network for +/- 3 months (or longer?)
  2. The analysis confirms the regular MeDoc software update mechanism as the NotPetya delivery vector. In fact, the delivery mechanism works/worked identically to NotPetya’s own spreading method (execution via rundll32.exe, as per the ESET article).
  3. The backdoor appears to have been designed specifically for Ukraine: EDRPOU values (the Ukrainian company registration code) have no use outside Ukraine.

In particular, the backdoor’s enumeration of EDRPOU numbers implies that the threat actor was specifically targeting Ukraine. This is also completely consistent with the geo-restricted watering-hole attack on the Bahmut news site (see Update 2).

Since the MeDoc software is Ukraine-specific already, however, this does raise the question whether the backdoor was intended to single out specific companies (EDRPOU numbers are supposedly uniquely assigned to a company?). Was NotPetya launched indiscriminately against all successfully backdoored company networks (a ‘burn notice’ for the existing backdoor/exploits/tooling, if you will), or were specific companies targeted based on these EDRPOU numbers (also possible, given NotPetya’s attempts to cover its tracks)? If someone knows whether or not Ukrainian companies exist that had the backdoor but were not attacked with NotPetya, I’d like to know!

Update 3: Attribution speculation

I have some doubts whether this was a Russian operation.

Ukrainian intelligence is now claiming that this was a Russian attack. It is common knowledge and obvious that nation-state attacks at this kind of scale need the approval of the president/prime minister. Exactly because of the potential scale and impact of cyberattacks, this certainly would not be any different in Russia. In other words: I believe Putin would have had to approve NotPetya’s deployment at some point.

Consider that Putin is a (former..?) top-ranking, life-time KGB/FSB intelligence officer: would he really approve an attack at this scale and level, with so much collateral damage, all the while leaving (too) obvious pointers back to Russia? The NotPetya design and purpose certainly wasn’t “Amateur Hour”. That said, I can imagine it being an intentional play: “Make the clues too obvious to be believable”, but it could simply be a false-flag operation too: Ukraine recently voted to make NATO membership one of their primary goals, and this could be a move to speed up their application/approval process.

Of course, this is all very much speculation, but it’s certainly food for thought.

Update 2: MeDoc and watering hole confirmed

It has been confirmed that the MeDoc software’s update mechanism was used to deploy NotPetya. As stated, MeDoc is specific to Ukrainian companies (useless to others), because it is needed to exchange tax/accounting information with the Ukrainian government. Also, a Ukrainian news site, Bahmut, was used as a watering hole attack: visitors coming from Ukrainian IP ranges were being actively attacked with the NotPetya malware (through known browser exploits).

Update 1: a high-ranking Ukrainian intelligence officer was killed on the same day as the NotPetya outbreak.

But maybe that was just a coincidence..?


Introduction

Undoubtedly you have heard by now that on June 27th a massive ransomware attack, dubbed NotPetya / GoldenEye / Nyetya, struck several large businesses throughout the world. In this post, I’d like to make the argument that this was a targeted attack on Ukraine, disguised as a ‘regular’ phishing / ransomware campaign.

What NotPetya does

The delivery mechanism for NotPetya has by now been established by several sources: the M.E.Doc updater mechanism. M.E.Doc (www.me-doc.com.ua) is Ukrainian accounting/tax software, used to exchange accounting and tax information with the Ukrainian government. Phishing e-mails carrying the .HTA / OLE exploit (CVE-2017-0199) have been reported as a secondary vector. NotPetya is otherwise similar (hence the name) to the Petya ransomware: it overwrites the Master Boot Record and, after the reboot, shows a fake CHKDSK screen while in reality the files are being encrypted. Finally, it displays a ransom note instructing the victim to pay the equivalent of $300 in Bitcoin to a single address.

A targeted attack?

For the following reasons, I believe NotPetya to be a targeted attack on Ukraine, aimed at causing the largest possible disruption of services and operations throughout the country:

  • NotPetya is somewhat unique in its aggressiveness and its combination of techniques: it combines PsExec, WMIC and credentials harvested from memory with the ETERNALBLUE (CVE-2017-0144) and ETERNALROMANCE (CVE-2017-0145) SMBv1 exploits (both fixed by MS17-010) to move laterally across the network. Note that the exploits only reach unpatched hosts, but the credential-based methods work on fully patched ones too.
  • NotPetya was deliberately spread on June 27th; June 28th is a national holiday in Ukraine (Constitution Day), so many IT staff would have been away. This is reminiscent of the WannaCry attack, attributed to the Lazarus Group, being released on a Friday before the weekend.
  • NotPetya specifically leveraged the Ukrainian MeDoc software, which provides services specifically for Ukraine, as the initial infection vector.
  • Spreading happens specifically on the local subnet, contrary to the WannaCry attack. I would expect ‘regular’ ransomware to attempt to maximise spreading, instead of deliberately limiting itself to part of a network.
  • The built-in scheduled reboot, roughly an hour after infection (after the aggressive lateral movement but before the encryption becomes visible), causes most systems in the network to reboot and become unusable at roughly the same time, maximising the chance of disabling an organisation’s operations entirely.
  • The unusual and advanced combination of exploits does not align with the amateurish handling of the actual ransom: ‘only’ $300 to a single Bitcoin address, with a single contact e-mail address that the provider promptly suspended, leaving victims with no way to obtain a decryption key even if they paid. This could be construed to mean that collecting ransom was not the primary goal.

Conclusion

Undoubtedly there will be a lot of ongoing speculation and analysis, including on attribution. That said, I feel that the behaviour of NotPetya and the current information points to a targeted attack on the Ukraine, with the ‘collateral damage’ world-wide being an intentional attempt at a ‘smoke screen’ by the Threat Actor.

This blog is a personal blog and does not reflect the opinions, standards, etc. of my employer. If you have questions or comments, please feel free to reach out to me personally at penguin <kajigger> dhcp <doohickey> net.

Posted in DHCP | Comments Off on On the NotPetya / GoldenEye / Nyetya ransomware attack

New spam botnet?

I run my own domain name(s) and E-mail servers. It’s not that hard to do, and you should really consider it, instead of handing over your domains and E-mails to some ‘free’ service provider like Google (remember: if something is free, you are the product).

This, of course, means that I can change and tune everything to my liking. For instance, I use ClamAV, SpamAssassin, Spamhaus, SPF, DKIM, DMARC and Sieve to severely cut down on the amount of spam/malware that makes it into my family’s/friends’/own mailboxes. In fact, maybe one or two mails actually make it through the filters on a monthly basis – it’s nice to look at the statistics 😉 I like to auto-blacklist the hosts (hosts.deny) that try to send spam as well.

Interestingly, in the past two weeks I’ve gone from +/- 30K of those blacklisted hosts to over 70K. Considering that those 30K hosts took many months to collect, more than doubling the amount in the span of just two weeks is quite unusual. I dug into the mail logs and discovered the following so far:

  • It’s all individual hosts, doing one attempt only
  • The hosts are located all over the world, although they primarily come from China, Russia, the former Soviet bloc and Brazil
  • Almost 100% of these hosts are already blacklisted on the zen.spamhaus.org list
  • The forged ‘From:’ header follows the same pattern, <randomfirstname>.<randomnumber>@<somedomainname>. Examples are: Summers.6182@pmcvideoproductions.com, Crane.148@florentina.ro
  • Connections appear in batches, but are evenly spaced in time: roughly 5-6 seconds per connection attempt
  • The E-mails contain the usual malware/phishing attempts (Locky, other ransomware).

Seems like a new spam botnet came online.
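As an added example (not from the original post, and not the author’s actual filter setup), the following Python script shows how the observations above can be turned into a detection: it parses Postfix-style reject lines, flags senders matching the <Firstname>.<number>@<domain> pattern, checks whether the flagged connections arrive at the even 5-6 second cadence described, and renders hosts.deny entries for single-attempt hosts. The log line layout is assumed and the sample lines (using documentation IP ranges) are constructed, not real traffic.

```python
"""Flag likely spam-botnet senders in Postfix-style mail logs.

Added example, not the blog author's code. Log layout is assumed; the
sample lines below are constructed to mimic the pattern described in the
post (single-shot hosts, forged From: <Firstname>.<digits>@<domain>,
evenly spaced connection attempts).
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime
from typing import NamedTuple

# Constructed sample log (documentation IP ranges, not real senders).
SAMPLE_LOG = """\
Jun 20 10:00:01 mx postfix/smtpd[1201]: connect from unknown[203.0.113.10]
Jun 20 10:00:01 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org; from=<Summers.6182@pmcvideoproductions.com> to=<alice@example.net> proto=ESMTP helo=<mail.example.com>
Jun 20 10:00:07 mx postfix/smtpd[1202]: connect from unknown[198.51.100.23]
Jun 20 10:00:07 mx postfix/smtpd[1202]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 Service unavailable; Client host [198.51.100.23] blocked using zen.spamhaus.org; from=<Crane.148@florentina.ro> to=<alice@example.net> proto=ESMTP helo=<mail.example.com>
Jun 20 10:00:12 mx postfix/smtpd[1203]: connect from unknown[192.0.2.77]
Jun 20 10:00:12 mx postfix/smtpd[1203]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 Service unavailable; Client host [192.0.2.77] blocked using zen.spamhaus.org; from=<Walsh.9051@example.org> to=<bob@example.net> proto=ESMTP helo=<mail.example.com>
Jun 20 10:03:41 mx postfix/smtpd[1204]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.200]: 550 5.1.1 <carol@example.net>: Recipient address rejected: User unknown in local recipient table; from=<newsletter@partner.example> to=<carol@example.net> proto=ESMTP helo=<mail.partner.example>
"""

# A reject line carrying both the client IP and the envelope sender.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"RCPT from \S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: .*?"
    r"from=<(?P<sender>[^>]*)>"
)

# The forged From: pattern described in the post: <Firstname>.<number>@<domain>
FORGED_RE = re.compile(r"^[A-Z][a-z]+\.\d+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class Event(NamedTuple):
    when: datetime
    ip: str
    sender: str


def parse_log(text: str) -> list[Event]:
    """Extract (timestamp, client IP, envelope sender) from matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = " ".join(m["ts"].split())  # collapse syslog's space-padded day
        # Syslog timestamps carry no year; deltas between events still work.
        when = datetime.strptime(ts, "%b %d %H:%M:%S")
        events.append(Event(when, m["ip"], m["sender"]))
    return events


def is_forged_pattern(sender: str) -> bool:
    return FORGED_RE.match(sender) is not None


def cadence_seconds(events: list[Event]) -> list[float]:
    """Gaps (seconds) between consecutive forged-pattern connections."""
    hits = sorted(e.when for e in events if is_forged_pattern(e.sender))
    return [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]


def hosts_to_blacklist(events: list[Event], max_attempts: int = 1) -> set[str]:
    """IPs that used the forged pattern and made at most max_attempts connections.

    The single-attempt bar avoids blacklisting a busy legitimate relay that
    happened to carry one spoofed sender.
    """
    attempts = Counter(e.ip for e in events)
    return {
        e.ip for e in events
        if is_forged_pattern(e.sender) and attempts[e.ip] <= max_attempts
    }


def hosts_deny_lines(ips: set[str], daemon: str = "ALL") -> list[str]:
    """Render TCP Wrappers hosts.deny entries ('daemon: client')."""
    return [f"{daemon}: {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("cadence (s):", cadence_seconds(evts))
    print("\n".join(hosts_deny_lines(hosts_to_blacklist(evts))))
```

The cadence check is what distinguishes a coordinated botnet run from ordinary background spam: near-constant gaps between unrelated hosts point at a central controller pacing the sends.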


UCD Master’s Programme in Digital Investigation and Forensic Computing

Introduction

Friday August 12th marked the end of my 2-year part-time study at UCD’s M.Sc. in DIFC with me handing in the final paper for the Digital Investigation project. Since my previous employment was as a University College lecturer, I thought I would do a write-up on how I’ve experienced DIFC from my own perspective as an educator, student and professional in this field. Please note that the course content follows the part-time study model (2 years) and my opinions/thoughts might not be indicative of what full-time students experience.

Signing Up

Signing up for DIFC is a multi-stage process, consisting of submitting a request for enrollment accompanied by two qualified references. After being accepted, you need to complete an exam with a follow-up interview. The exam covers a wide variety of IT-related subjects (in my case: anything from programming algorithms to OS memory management to database engineering), and you only get an hour to complete it. Cheating is pointless/impossible: the exam is only handed out at the moment the hour starts, and is immediately followed by the interview. After I had completed the exam, the interviewers called me on Skype to go through the exam questions step-by-step, asking for the answers and my explanation/reasoning. I wouldn’t say the exam is difficult per se, but it might be advisable to do a refresher course on some of the subjects.

If successful, you’re officially enrolled and you start to receive E-mails on signing up for classes, your UCD account, paying fees, etc. This is where DIFC could certainly improve: particularly for foreign/international students, who are not ‘on-campus’ or have not been at UCD before, it can be a bit of a mystery where all the relevant information is accessible. Perhaps an early online classroom session where you are guided through setting up the most basic stuff would help?

Module & Course Formats

The actual courses are laid out in a quarter/semester form. The starter courses are more entry-level, designed to get everyone up to the same level of knowledge. Progressively, the courses get more difficult and continue to combine and build on the knowledge that was acquired earlier. Particular module/course highlights for me were the IT Law module by TJ McIntyre, the Information Security course parts by Michael Harris and the reverse engineering classes by Dr. Gladyshev:

  • I’ve always been interested in IT Law, and TJ is a particularly engaging lecturer, extremely knowledgeable and was always willing to extensively answer questions that came up. The IT Law module is tough (prepare to write a LOT of papers) but very rewarding and very informative!
  • Michael’s course stood out due to the pentesting theory classes and practical assignment – we were gradually taught about all the types of security issues that can present themselves in web development, and the accompanying assignment consisted of writing a pentest report on a virtual environment that we were allowed to pentest in any way we wanted (within reason: don’t break stuff for your fellow students).
  • The reverse engineering was extremely difficult in some ways; despite having some pre-existing knowledge of assembly and seeing good examples during the lectures, it was just hard work implementing the knowledge in practice. The assignment consisted of being given an executable file, individually compiled and unique for each student, that was exhibiting ‘malware behaviour’. During the classes, we were instructed in the basic usage of IDA (Free version) and OLLYDBG to debug executables, but this was somewhat superficial and it took me quite some blood, sweat and tears to finish the actual assignment. On a funnier note, I did figure out how to leverage the information from the provided malware in other, destructive ways, leading me to sending a responsible disclosure to Dr. Gladyshev on a late Friday night 😉

The lessons themselves are simultaneously ‘live’ in the actual classrooms and in an online (AdobeConnect) environment. It makes the part-time and remote students feel ‘part of the classroom’ and connect with the full-time students, which is great! Generally this worked well, but the initial courses suffered a bit from poor video/audio setup. This was partially due to the quality of the technical equipment, partially due to poor internet connectivity. Regardless, this only happened a few times and the quality was generally quite good. Presentations were a combination of theoretical concepts, mixed with practical assignments and discussion, which made for an engaging classroom experience.

Exams & Assessments

On average, 2-4 exams are handed out per course, which are graded American-style: F, D, C, B, A with +’s and -’s, D being the minimum ‘passing grade’. The exams vary wildly in type (which I consider a good thing!) and size: anything from a short paper to a full-blown pentest report. Although most of DIFC is possible through remote studying, some exams require you to be present – at least two visits to Dublin are required. Notable moments are the on-site exams around December and March, as well as the forensic interview/search & seizure/courtroom workshops. The dates for these required visits are communicated well in advance. Nevertheless, it is highly recommended to book flights & accommodation as early as you can: Dublin is a popular city and prices can fluctuate strongly, particularly during conference season (as happened with my visit(s)). The last DIFC course module is the Digital Project, where you are required to come up with a practical research project in the field of Digital Forensics. The examinations for this are different; rather than individual assignments, you report on the different milestones of your project: doing a literature study, building a proof of concept, evaluating the results and writing an academic-quality paper.

Summary

The M.Sc. programme is well worth the one (full-time) or two (part-time) year(s) of your life. Issues over the last two years were non-existent or minor, and those that did occur were readily explainable and understandable from a practical / logistics / educational point of view (at least in my opinion). Where I think DIFC could be improved is in communications, course theory and assistance:

  • Getting up to speed as a ‘new’/’new-to-UCD’ student was slow and we had to figure out a lot of things for ourselves.
  • Course theory did not always match the same level of depth as the practical assignment that was connected to it. While not a necessity, it would be good if the assistance (e.g. through the Ph.D. students) for some of the subject matter (reverse engineering – see above) would be more accessible and easier to plan.
  • Scheduling appointments felt very ad-hoc and doing this over E-mail was inefficient, at best – perhaps some centralized method of scheduling could help?

The M.Sc. in Digital Investigation and Forensic Computing truly shines in its hands-on, practical approach and the engaging content and lessons.

Acknowledgements

I would like to thank everyone who has helped to make the years at UCD simply awesome:

  • UCD: Pavel, Babak, Mike, TJ, Andy, Mark, Owen, Lee
  • Fellow UCD students & friends: Michel, ‘The Three Dan-s’, Andrea, Bushra, Louw, Andy, Mitchell, Robert
  • Family & friends: Eva, Oscar, Jan, Carla, Hans, Elmer, Toni, my parents
  • Everyone at KPN and the HvA who made it possible for me to do this study!

I hope I didn’t forget anyone in this list. If I did: sorry, tell me!


Forged messages in Skype Chat (resolved!)

When I logged into Skype this morning, I received a message from an old colleague/friend I still occasionally chat/lunch with:

...] xxxxxx: http://goo.gl/3RVgvc?32017=[myusername]

Now, obviously I would never click on this (please don’t click on it either!), as it immediately rings several alarm bells. A quick investigation with a URL expander confirmed my suspicions: it leads to a referral-spam / survey website.

What struck me as odd, was that this friend ‘knows his stuff’ and would never let himself be tricked into participating in these scams, click on random links, fall victim to trojans/malware, etc.

As soon as he came online, I pointed out that there might be something wrong with his Skype account. He immediately jumped into action and quickly determined that his system was squeaky clean. Even more importantly, his computer was, in fact, turned off at the time of this message. This left us with three options:

  1. Maybe his Skype-account had been brute-forced? This seemed extremely unlikely, as he uses a randomly generated strong password (everyone should)
  2. LastPass had been compromised. This was also exceedingly unlikely, as this would require an additional strong password and possession of his Yubikey… (really, he knows his stuff ;))
  3. So, that left us wondering if something was up with Skype…?

He contacted Skype support and the transcript(*) was interesting, to say the least:

 Arlene Joy R: at 8:52:14 - Well actually, no one hacked your account
 Arlene Joy R: at 8:52:27 - Thank you for bringing this to our
                            attention
 Arlene Joy R: at 8:52:49 - we are actually aware of this concern,
                            where links are sent to all of your
                            contacts
 Arlene Joy R: at 8:52:57 - this is the spam virus
 Arlene Joy R: at 8:53:17 - Let me assure you that Skype is already 
                            on top of this situation and we’re doing
                            the best we can to rectify this.
 You:          at 8:53:15 - sorry my computer was turned off at time
                            of spreading
 You:          at 8:53:30 - how can the computer sent links if it
                            is turned off and nobody has my
                            password?
 Arlene Joy R: at 8:54:04 - yes that is correct there are cases that
                            it was sent even if you are not logged
                            in on your computer

This was followed by the Skype Support Engineer giving instructions to unlink all applications to Skype(**), wiping all of Skype’s application and temporary files and the chat history.

Update 1: another friend also reported receiving the same message.

So, does anyone have an idea what’s going on?

Update 2: a Microsoft/Skype engineer contacted me to figure out what was going on.

Apparently this is a known issue with Skype accounts that might have been linked to e.g. old Hotmail-accounts, or a disconnect (no synchronization) between an old Skype password and an MSA password. In short, if your password to one of these old accounts is compromised, it can also be used to login to Skype. Yes, you read that correctly: you can have multiple working passwords for one Skype account/username!

Thanks to Microsoft for contacting me about this. I’m not sure how I feel about the principal possibility to have multiple working passwords for a single Skype account, but at least it’s good to know how to mitigate this issue if you’ve been affected.

TL;DR: If you’ve used Skype for many years, it might be linked to old Microsoft accounts (e.g. Hotmail): make sure you are using strong passwords for those old accounts to prevent malicious logins on Skype as well.

(*) transcripts were cleaned up and reformatted for legibility
(**) Messenger+/MirandaNG: only worked locally and weren’t compromised either


DHCP Network Solutions

What is this site about?

If you arrived here by accident or curiosity, click here for more information about this website.

What is ‘DHCP’ anyways?

The Dynamic Host Configuration Protocol, defined in RFC 2131, automatically assigns IP addresses and other network configuration to computer systems on a network. Basic information on getting started with DHCP is available on this website. For simple use of IPv6 in networks, DHCPv6 is no longer necessary; it can be easier to use radvd, which implements Neighbor Discovery over ICMPv6. A client asks the link for configuration by sending a Router Solicitation (ICMPv6 type 133), and the IPv6 routers on the link answer with a Router Advertisement (ICMPv6 type 134) that contains the prefix and other settings. Of course, one might still use DHCPv6 alongside this for specific static assignments, DNS options, etc. Because address configuration (and Path MTU Discovery) depends on these messages, you should normally never block ICMPv6 traffic wholesale on IPv6 networks; if you must filter, allow the Neighbor Discovery types (133-136) and Packet Too Big (type 2) explicitly.

About me

More information about me and my work is available under the Portfolio tab.
