This week’s massive “Petya” cyber-attack has brought some organizations to a standstill while they work out how to recover tens of thousands of devices that have been infected. The spread of this malware and similar future attacks could be significantly reduced using defenses that Microsoft built into Windows 10 Enterprise. Let’s take a look at how.
This attack is based on a variant of the Petya ransomware first identified in March 2016. Ransomware is a cyber-crime tool that encrypts data on an infected device, holding your data to ransom until you make a payment to the perpetrators. In this case, as with WannaCry last month, payment was demanded in an electronic, untraceable Bitcoin transfer, after which you might be sent instructions on how to decrypt your data. An infected device will often need to have the operating system completely reinstalled to recover.
It appears that at least some initial infections have been traced to the compromised auto-update process of a legitimate Ukrainian software company, M.E.Doc. Microsoft has published a great, detailed write-up of the anatomy of this particular attack, but essentially two methods were used to spread the malware. The first method exploited a vulnerability in the Server Message Block (SMB) protocol that Windows uses for file sharing. This is the same exploit that WannaCry used, and in light of the publicity it received, most organizations plugged that hole by ensuring the Windows MS17-010 patch (released in March) had been applied. Many disabled SMB v1 entirely.
The second method involved stealing credentials from the infected device and using these to attempt to connect to other devices. If a successful connection is made and the supplied credentials have sufficient privileges, the malware can copy itself and repeat the process of stealing and reusing more credentials from that device to spread laterally through your network. This ‘Pass-the-hash’ technique is explained in the video below.
When a user logs on to a Windows device, their credentials (username and a hash of their password) are stored in memory, so the user doesn’t have to enter their username and password every time they want to connect to another system on the network. Any user that has admin rights on their device has access to these cached credentials, so if the malware is installed when a user with admin rights is logged on, it can get busy propagating itself across your network.
Windows 10 Enterprise comes with Credential Guard, which protects the memory used to store the cached credentials using virtualization-based security. Even if malware has admin rights on the device, it cannot access the cached credentials, thereby shutting down this particular method of lateral movement. I covered how Credential Guard prevents Pass-the-hash in a webinar last year.
Never be complacent! In this instance, Windows 10 devices still required the SMB patch (or needed SMB v1 disabled). Whatever operating system you are running, keeping up to date with patches is essential to prevent exploitation of known vulnerabilities, but patching alone wouldn’t have stopped the spread of Petya. Credential Guard is only available in Windows 10 Enterprise Edition. It is easy to enable but does have some system requirements. You must be running a 64-bit OS on hardware that supports virtualization. Credential Guard also requires UEFI firmware, and depending on how you deployed Windows 10, your devices may still be running in legacy BIOS emulation mode. It’s become pretty easy to automate this conversion during the OS deployment process, as covered in my blog last month.
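To audit a device against the requirements just described and turn Credential Guard on, here is an added PowerShell example (it is not from the original post and not 1E tooling); it assumes an elevated session on 64-bit Windows 10 Enterprise, and relies on the Win32_DeviceGuard WMI class and the DeviceGuard/Lsa registry values that the Credential Guard Group Policy setting writes.

```powershell
# Added example: audit one Windows 10 host for the controls discussed above.
# Assumes an elevated PowerShell session on 64-bit Windows 10 Enterprise.
# Win32_DeviceGuard values follow Microsoft's documentation:
#   VirtualizationBasedSecurityStatus 2 = VBS running
#   SecurityServicesRunning contains 1 = Credential Guard running

function Test-CredentialGuardReadiness {
    $results = [ordered]@{}

    # 1. Firmware mode: Credential Guard needs UEFI, not legacy BIOS emulation.
    $results['Firmware']   = $env:firmware_type            # "UEFI" or "Legacy"

    # 2. 64-bit OS is a hard requirement.
    $results['Is64BitOS']  = [Environment]::Is64BitOperatingSystem

    # 3. Current VBS / Credential Guard state from the DeviceGuard WMI class.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                          -ClassName Win32_DeviceGuard
    $results['VBSRunning']             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $results['CredentialGuardRunning'] = ($dg.SecurityServicesRunning -contains 1)

    # 4. SMBv1, the vector both WannaCry and Petya used alongside credential theft.
    $results['SMB1Enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol

    [pscustomobject]$results
}

function Enable-CredentialGuardPolicy {
    # Writes the registry values the "Turn On Virtualization Based Security"
    # policy sets, with Credential Guard enabled *with* UEFI lock.
    # A reboot is required before the WMI class reports it running.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord  # 1 = Secure Boot
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags                       -Value 1 -Type DWord  # 1 = on, UEFI lock
}

$status = Test-CredentialGuardReadiness
$status | Format-List

# Remediate the SMBv1 exposure immediately; Credential Guard needs the reboot.
if ($status.SMB1Enabled) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
if ($status.Firmware -eq 'UEFI' -and $status.Is64BitOS -and -not $status.CredentialGuardRunning) {
    Enable-CredentialGuardPolicy
}
```

Devices reporting `Firmware = Legacy` need the BIOS-to-UEFI conversion mentioned above before the policy will take effect.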
Cover the basics – stay current with patches and remove admin rights from users wherever possible. Many organizations are planning to start their Windows 10 migration next year, but given the enhanced security of Windows 10 with features such as Credential Guard, Device Guard and Windows Defender Advanced Threat Protection, coupled with the recent high-profile cyber attacks (and there will be more), can you still justify holding back on migrating to Windows 10? 1E can help you accelerate your migration with our Windows Servicing Suite, and perhaps keep your company out of the news next month.