How can a network environment be hardened against the worm components of ransomware like NotPetya? A simple Active Directory setting may help with this.
In summer 2017, the ransomware NotPetya infected thousands of Windows computer systems. The infection started in Ukraine and then spread through production networks, using a worm component and the EternalBlue vulnerability. The NotPetya cyberattack, which has been attributed to Russia, affected only about 20,000 systems. But the damage was gigantic. How can the movement of such malware across a network be limited?
A security team builds a test computer worm
After the NotPetya attack, security researchers of the NCC Group began to develop a computer worm called EternalGlue for a large customer (a 100 billion dollar company). This software was used to study how such a worm moves through the customer’s global computer network. It was also about understanding how to better protect the customer’s production network against destructive malware outbreaks.
Since 2017, the security researchers of the NCC Group have been publishing their findings in blog posts. In September 2017 the first article, EternalGlue part one: Rebuilding NotPetya to assess real-world resilience, was published with some details about the NotPetya replica EternalGlue. In February 2018, in the article EternalGlue part two: A rebuilt NotPetya gets its first execution outside of the lab, the specialists described how the replica of the worm was first prepared for a practical test in a production network. Now the NCC researchers have published the third article about their experiences with the worm in a production network, see the tweet below.
We designed it, we built it, and we successfully deployed it. EternalGlue part three: Releasing a worm into an enterprise network of a 100 billion dollar company: https://t.co/SaHXG2VYNt #EternalGlue #Series #Malware pic.twitter.com/246AQKere1
— NCC Group plc (@NCCGroupplc) December 3, 2018
Since November 8, 2018, security researchers from NCC Group have been successfully operating the EternalGlue worm for the first time in the global production environment of an unnamed customer.
This modular computer worm, developed by the NCC Group, was used to analyze production networks. It could not only be shown to the customer how malware would have affected its production networks. It was also possible to check whether certain design decisions, and the resulting assumptions about resilience and responsiveness, held up against the simulated malware attacks. The test worm allowed such events to be measured and provided a quantifiable understanding of internal risk, security and operational functions.
Hardening a network is possible
The modular test worm was implemented in such a way that it did not cause any damage and could be configured to stay away from certain network areas. During the tests there were no surprises, and it was confirmed that controlling the worm worked. From the point of view of the testers, everything happened as expected. But at some point during the tests there was a wow moment, when an effective protection against the spread of the worm was discovered.
The ransomware NotPetya used the EternalBlue vulnerability to propagate (a Windows patch closing this vulnerability is available). A second propagation method used by NotPetya was based on token impersonation on the network: NotPetya used the execution rights it had obtained on one machine to access other resources on the network.
The test worm then proved that there is an Active Directory setting in Windows that can impede this kind of lateral movement within a network. In May 2015, Microsoft published the article Security Focus: Analysing ‘Account is sensitive and cannot be delegated’ for Privileged Accounts on TechNet. In this article, Microsoft’s Ian Farr describes a number of configuration options that are recommended for securing highly privileged accounts. One of these options is called ‘Account is sensitive and cannot be delegated’.
Enabling this option ensures that an account’s credentials cannot be passed on (delegated) from a trusted application to other computers or services on the network. The NCC Group’s customer had configured the flag “Account is sensitive and cannot be delegated” for its domain administrator accounts within its Active Directory. The security researchers found that this setting would have significantly impeded the spread of a NotPetya ransomware infection via the token impersonation route for domain administration accounts. In other words: with a simple option on Active Directory administrator accounts, a network environment can at least be hardened against attacks such as NotPetya. Further details can be found in the NCC Group article here. (via)
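The flag discussed above is the userAccountControl bit ADS_UF_NOT_DELEGATED (0x100000), which the ActiveDirectory PowerShell module exposes as the AccountNotDelegated property. The following audit script is an added example, not code from the article, from Microsoft or from the NCC Group. It enumerates the members of a set of privileged groups (the group list and the report layout are assumptions of this example), reports which accounts are still missing the flag, and can set it when run with -Fix. It assumes the RSAT ActiveDirectory module is installed and that the caller has permission to read the user objects and, for -Fix, to modify them.

```powershell
# Audit (and optionally set) 'Account is sensitive and cannot be delegated'
# on privileged accounts. Added example; assumes the RSAT ActiveDirectory
# module and sufficient rights on the user objects.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Groups whose members should carry the flag (assumed defaults; adjust as needed).
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
    # Set the flag on non-compliant accounts instead of only reporting them.
    [switch]$Fix
)

Import-Module ActiveDirectory

# userAccountControl bit ADS_UF_NOT_DELEGATED; AccountNotDelegated mirrors it.
$NotDelegated = 0x100000

# Collect user members (recursively, so nested groups are covered).
$members = foreach ($g in $PrivilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user'
    } catch {
        Write-Warning "Could not enumerate group '$g': $_"
    }
}

# Build one row per unique account, reading both the friendly property and the raw bit.
$report = $members |
    Sort-Object -Property distinguishedName -Unique |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated, userAccountControl
        [pscustomobject]@{
            SamAccountName      = $u.SamAccountName
            AccountNotDelegated = $u.AccountNotDelegated
            UacBitSet           = ($u.userAccountControl -band $NotDelegated) -ne 0
        }
    }

$noncompliant = @($report | Where-Object { -not $_.AccountNotDelegated })

$report | Format-Table -AutoSize
Write-Host ("{0} privileged account(s), {1} without 'Account is sensitive and cannot be delegated'." -f @($report).Count, $noncompliant.Count)

# Remediation step: honours -WhatIf / -Confirm through ShouldProcess.
if ($Fix) {
    foreach ($acct in $noncompliant) {
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Set AccountNotDelegated = True')) {
            Set-ADUser -Identity $acct.SamAccountName -AccountNotDelegated $true
        }
    }
}
```

Run it without -Fix first, then with -Fix -WhatIf, and review the list before changing anything: any account that legitimately relies on Kerberos delegation (typically a service account rather than an interactive admin account) will stop working for that purpose once the flag is set, so such accounts should be excluded from the privileged-group list rather than flagged. The UacBitSet column is there as a cross-check that the friendly property and the raw userAccountControl bit agree.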