How NotPetya ransomware used legitimate tools to move laterally

WannaCry and NotPetya ransomware woke enterprises up to an expanded threat landscape. Expert Michael Cobb explains these threats and what enterprises can do to stop them.

The recent headline-grabbing outbreaks of WannaCry and NotPetya ransomware were a very public reminder of just how much the criminal hacking of corporate networks has evolved in recent years.

In particular, NotPetya ransomware demonstrated the abuse of legitimate tools to extend network penetration. Referred to as living off the land, this strategy offers several advantages to the attacker, and it is likely to be seen more often in future attacks against corporate networks.

Gaining unauthorized access to an organization's network is the precursor to a wide range of computer crimes, from stealing data to ransoming files. When crafting code to achieve these ends, attackers create a series of modules that perform the initial infection, explore available network connections and then compromise additional systems on the network. To the extent that these modules are identifiable as attack tools by security software, they are susceptible to detection, drawing attention to the attack.

So why not use legitimate tools that won't be detected as invasive and won't immediately cause network traffic monitoring alarms to go off? That's what NotPetya ransomware did, making effective use of two popular tools, PsExec and Windows Management Instrumentation Command-line (WMIC), to achieve lateral movement in compromised networks.

Living off the land

PsExec does not come with Windows, but is part of the popular PsTools suite. Designed to enable users who have the appropriate authentication to run commands on remote machines, PsExec can redirect command output to the local machine. If that sounds like a powerful tool for network administration and support, you're right, and it is widely used by IT departments.

Another powerful tool for managing Windows networks is WMIC, the command-line and scripting interface to Windows Management Instrumentation. WMIC has been preinstalled as part of Windows since Windows 2000, and it enables anyone with the right credentials to script anything, from closing and uninstalling programs on remote systems to remotely modifying security settings.

Unfortunately, protecting your systems against malware that is abusing otherwise legitimate tools is not trivial. Either removing the tools or limiting access to them may break or interfere with current system administration practices; this is part of what makes these tools attractive to attackers.

Both of the tools abused by NotPetya ransomware require credentials, so how was NotPetya able to use them? It employed the Mimikatz tool, a well-known credential dumper designed to extract plaintext passwords and hashes from memory on Windows systems, including those of local administrators and domain users.

Defensive measures

Against such an attack vector, there are two defensive strategies: improving credential hygiene and tightening privileged access. Here are some specific suggestions from security software company Eset:

  • avoid using the same administrator credentials on workstations and servers;
  • if your computers belong to a domain, change the domain admin passwords to more sophisticated ones; and
  • likewise, if a local administrator account exists on a computer, change the password to one that is tougher to crack.

Eset also recommends, if feasible, disabling default ADMIN$ accounts and communication to Admin$ shares.

While good advice, this could add up to a lot of work, which raises the question: Is it worth going to all that trouble just because of one malware outbreak? The answer is yes, because the abuse of legitimate tools by credential-stealing malware is likely to become a popular technique among bad actors. Success breeds success in malware design, and once a technique produces good results, it is typically copied.

Enterprises that have already standardized on Windows 10 and Windows Server 2016 will have less work to do, as both operating systems offer Credential Guard to protect domain credentials stored in the Windows Credential Store. It is possible that the trend toward a living-off-the-land strategy for corporate network compromise may tip some IT departments in favor of upgrading from prior Windows versions.

Other defensive measures to consider in the wake of NotPetya ransomware are network segmentation to limit lateral movement and monitoring network behavior. The latter can be tuned to flag, for example, the unusual use of legitimate tools.
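As an illustration of that kind of tuning, the following added example (not part of the original article) flags remote use of PsExec and WMIC in process-creation records unless it comes from an approved administration host. The record field names are assumptions modelled on Sysmon process-creation events, and the host names, accounts and events are constructed.

```python
import re

# Assumption: the only hosts administrators use for remote tooling.
APPROVED_ADMIN_HOSTS = {"ADMIN-JUMP01"}
# Source side: the tool is invoked against a remote target.
WMIC_REMOTE = re.compile(r"/node:\s*\S+.*\bprocess\s+call\s+create\b", re.I)
PSEXEC_REMOTE = re.compile(r"(?:^|\s)\\\\[\w.\-]+")  # a \\host argument
# Target side: parents whose children were launched remotely.
REMOTE_PARENTS = {"psexesvc.exe": "PsExec service", "wmiprvse.exe": "WMI provider host"}

def base(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows path

def tool_of(event):
    """Match on-disk name or PE OriginalFileName, so a renamed copy still counts."""
    names = {base(event["image"]), event.get("original_file_name", "").lower()}
    if "wmic.exe" in names:
        return "wmic"
    return "psexec" if names & {"psexec.exe", "psexec64.exe", "psexec.c"} else None

def classify(event):
    """Return a finding for one process-creation record, or None."""
    tool, cmd = tool_of(event), event["command_line"]
    parent = base(event.get("parent_image", ""))
    if parent in REMOTE_PARENTS:
        return f"{event['host']}: process started by {REMOTE_PARENTS[parent]}"
    remote = (tool == "wmic" and WMIC_REMOTE.search(cmd)) or \
             (tool == "psexec" and PSEXEC_REMOTE.search(cmd))
    if remote and event["host"].upper() not in APPROVED_ADMIN_HOSTS:
        return f"{event['host']}: remote {tool} use by {event['user']} from unapproved host"
    return None

# Constructed sample records (not real telemetry).
EVENTS = [
    {"host": "ADMIN-JUMP01", "user": "CORP\\it-ops", "image": "C:\\Tools\\PsExec.exe",
     "original_file_name": "psexec.c", "command_line": "PsExec.exe \\\\SRV01 ipconfig"},
    {"host": "WKSTN-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "original_file_name": "wmic.exe", "command_line": 'wmic /node:SRV02 process call create "notepad.exe"'},
    {"host": "WKSTN-042", "user": "CORP\\jdoe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\tool.dat",
     "original_file_name": "psexec.c", "command_line": "tool.dat \\\\SRV03 -s cmd.exe"},
    {"host": "SRV03", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": "C:\\Windows\\PSEXESVC.exe", "command_line": "cmd.exe"},
    {"host": "WKSTN-042", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "original_file_name": "wmic.exe", "command_line": "wmic os get caption"},
]

def findings(events=EVENTS):
    return [f for f in map(classify, events) if f]
```

Children of WmiPrvSE.exe also occur in normal operation, so that rule needs a per-environment baseline before it is used for alerting.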

And do not underestimate the power of a good endpoint protection product. Not only was NotPetya itself rapidly identified and blocked by such products, they also blocked the EternalBlue exploit that it tried to use. Furthermore, they will typically flag attempts to download nonstandard tools that the malware authors have put in the mix, such as a credential stealer.

The bottom line is that corporate networks are a prime target of attackers, and once they are inside, they are likely to show considerable ingenuity in their efforts to stay stealthy, including living off the land.

This was last published in August 2017