New Massive Global Cyber Attack Petya
A massive cyber attack started in Ukraine last night. As far as we know it began spreading in Ukraine, but it has now gone global. It has hit some of the largest banks in Ukraine as well as the power grid, and at the time of this writing many companies throughout Europe are also being hit. It is very much like WannaCry in that it uses the EternalBlue exploit that was stolen from the NSA. Once your machine has been encrypted, the desktop is replaced by a DOS-style text prompt demanding that you send $300 in bitcoins to a specific address. Once a machine is infected it scans the network to try to infect other machines in your organization. There have been reports of 5,000 machines encrypted in 10 minutes, so this is spreading fast.
Unfortunately, there is a lot of conflicting news out there at the moment. One reason some believe it is spreading so quickly is that it combines a client-side attack (CVE-2017-0199) with a network-based attack (MS17-010). The first is a Microsoft Office vulnerability patched in April; the latter is the WannaCry vulnerability, also patched in April. It uses the Office vulnerability to get into your company, then extracts passwords from the local machine, then spreads across your organization via the EternalBlue/WannaCry exploit. There have also been reports of a version of the Loki malware, which uses an Office macro vulnerability, being used to spread it. Finally, there are reports that if the malware cannot use EternalBlue it falls back to a Microsoft utility called PsExec to spread through the network, using credentials stolen from the original host and from each subsequent host it reaches.
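The PsExec fallback described above leaves a recognisable trail on each machine it reaches: a network logon with the stolen credentials, followed almost immediately by the installation of the PSEXESVC service. The following is an added detection example (not Thrive's code) that runs over constructed Windows event records and flags both that pairing and one account reaching many hosts from one source in a short window; the field names of the records are an assumption about how your log collector shapes events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). System event 7045 = a service was
# installed; Security event 4624 with logon_type 3 = network logon from another host.
EVENTS = [
    {"time": "2017-06-27T10:00:05", "host": "WS01", "id": 4624, "logon_type": 3, "user": "CORP\\itadmin", "src_ip": "10.0.0.7"},
    {"time": "2017-06-27T10:00:06", "host": "WS01", "id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2017-06-27T10:00:40", "host": "WS02", "id": 4624, "logon_type": 3, "user": "CORP\\itadmin", "src_ip": "10.0.0.7"},
    {"time": "2017-06-27T10:00:41", "host": "WS02", "id": 7045, "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2017-06-27T10:05:00", "host": "WS03", "id": 7045, "service": "Backup Agent", "image": "C:\\Backup\\agent.exe"},
]

def _t(e):
    return datetime.fromisoformat(e["time"])

def psexec_installs(events, window=timedelta(seconds=30)):
    """Each PSEXESVC service install, paired with the network logon on that host that preceded
    it within `window`. Returns (host, user, src_ip); user/src_ip are None if no logon matched."""
    hits = []
    for e in events:
        if e["id"] != 7045 or "psexesvc" not in (e.get("service", "") + e.get("image", "")).lower():
            continue
        logon = None
        for l in events:
            if (l["id"] == 4624 and l.get("logon_type") == 3 and l["host"] == e["host"]
                    and timedelta(0) <= _t(e) - _t(l) <= window):
                logon = l
        hits.append((e["host"], logon["user"] if logon else None, logon["src_ip"] if logon else None))
    return hits

def fan_out(events, window=timedelta(minutes=10), min_hosts=2):
    """Accounts that reach at least `min_hosts` distinct machines from one source address
    inside `window`: one infected host reusing stolen credentials across the network."""
    per_actor = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 3:
            per_actor[(e["user"], e["src_ip"])].append((_t(e), e["host"]))
    flagged = {}
    for actor, logons in per_actor.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[actor] = sorted(hosts)
                break
    return flagged
```

On the sample data both checks fire for WS01 and WS02 while the legitimate service install on WS03 is ignored; in production, tune `min_hosts` above the number of machines your administrators normally touch from one jump host.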
The best way to stay secure is to make sure your machines are patched. We also recommend that users are not administrators on their machines, and, as always, we recommend not opening emails or attachments that you were not expecting.
We at Thrive are continuing to monitor the situation. Please contact us if you have any questions or to learn more about how we can help protect your company from attacks like this. Follow us on LinkedIn, Twitter, Google+ and Facebook for updates.