Change the Battlefield: Detecting Lateral Movement of Petya

Share Post

Just one month after WannaCry Ransomware compromised more than 200,000 machines in over 100 countries, Petya (or called Netya, Petrwrap) has covered all headline news again since its initial outbreak in Ukraine. Although Petya hasn't infected as many machines as WannaCry, it's still considered as a more severe and sophisticated attack because it's more targeted, destructive, and enterprise infrastructure focused. Only one system was required for Pedtya to take hold and multiply within an organization.

Security teams can help prevent future ransomware attacks like Petya by detecting and analyzing how the worm-like infection moves laterally within their IT infrastructure. Below is our analysis of Petya's movements and advice about how your security team can better prepare for and deal with these types of attacks.


Image: Google

With the complete reverse engineered details of Petya attack, we confirm again that detecting lateral movement is very critical and effective when combating modern complex enterprise attacks.

  1. Compromise is inevitable

Software vulnerability has existed since its creation. With today's increased variety and complexity of enterprise software, it's unfortunate that zero-day vulnerabilities such as EternalBlue (Petya's starting point) will be discovered even more often in the future. Although the security industry has advanced in preventing and detecting malware, compromised users or devices are still not a matter of if, but when

  1. Start small, move laterally

The ultimate goal of all advanced or targeted attacks is "data" – the high-value business sensitive data. In most enterprises, this kind of high-value data is stored only on a small set of highly-protected servers, which are typically not the first compromised victims. Therefore,  attackers need to figure out some way to move laterally from the first victim to its ultimate target within the enterprise.

  1. SMB vulnerabilities may be different, but kill chains are similar

Although Petya uses two new exploits for the Server Message Block (SMB) vulnerability EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145), we noticed its subsequent kill chain steps are actually very similar to previous enterprise attacks like Target data breach and Sony breach back in 2013 and 2014.

Below is a table describing the common lateral movement steps observed from those prior attacks with using Petya as the example mechanism. In addition, we also briefly explain the behavior anomaly signals we should detect from each step. By understanding these, your organization should be better prepared for future attacks.

Lateral Movement StepsPetya BehaviorBehavior AnomaliesData Source
Internal ReconnaissanceRun DhcpEnumSubnets() and DhcpEnumSubnetClients() to enumerate DHCP subnets and hostsUse of enumerating commands of (admin) accounts, servers, services, and network from new hostsServer Security Log
Host ScanScan the above hosts for vulnerable tcp/139 and tcp/445 servicesConnection to the same port number(s) over a large number of internal hosts within short period of timeNetwork Packets
Credential TheftUse CredEnumerateW() and Mimikatz like tool to steal all other user credentials stored in the memory of compromised serverUse of suspicious credential stealing commands or toolsServer Security Log
Pass-the-HashRemotely execute malware using WMIC/PSEXEC tool with credential NTLM hash (or Kerberos ticket) copied from compromised serverUser authenticates to new host(s) first time using hash logon rather than interactive logon, followed by execution of suspicious commandsServer Security Log,

Domain Controller Security Log

Each of the above anomaly signals may not individually indicate an attack, but aggregating all the signal and correlating them with the same entity (user) is much more definitive. When we observe some (or all) above anomalies from the same user or host over time – especially in some expected temporal sequence order, we can detect the lateral movement of this kind of real attack with high confidence.

This is the approach that Aruba IntroSpect (formerly Niara) uses to detect attacks such as Petya, based on behavioral changes of compromised users and systems.  Once IntroSpect raises an alert, security teams can shut down the attack via policy-based actions in Aruba ClearPass before the damage is done.

Petya is a great example for understanding the lateral movement of ransomware. This, coupled with using behavioral analytics software will enable your organization to be better protected from future attacks.