Monthly Cyber Threat Briefing - HITRUST, July 2017

855.HITRUST (855.448.7878) www.HITRUSTAlliance.net © 2017 HITRUST Alliance
Page 1

Monthly Cyber Threat Briefing July 2017

Page 2

Presenters

•  US-CERT: Majed Oweis, CISCP Analyst

•  HITRUST: Elie Nasrallah, Director – Cyber Security Strategy

•  HITRUST: Eric Moriak, Manager – Assurance Services

Page 3

NCCIC/US-CERT REPORT

Page 4

US-CERT TA17-181A – Petya Ransomware

Page 5

US-CERT TA17-181A – Petya Ransomware

•  TA17-181A:

–  is a TLP:WHITE Technical Alert (TA) that highlights the Petya ransomware events occurring in multiple countries and affecting multiple sectors.

–  summarizes that the Petya ransomware has reportedly impacted systems in the financial, transportation, energy, commercial facilities, and healthcare sectors.

–  is based on the Petya variant identified on June 27, 2017.

–  describes the Petya campaign, which involves multiple methods of initial infection and propagation. These include exploitation of a vulnerability in Server Message Block (SMB). Microsoft released security update MS17-010 on March 14, 2017 to patch that critical SMB vulnerability; the variant spreads to systems that still lack the update.

–  describes the noted Petya variant as using the SMB exploit addressed by MS17-010 to compromise unpatched systems, and a modified version of Mimikatz to steal Windows credentials from memory on each host it reaches. Once additional credentials are obtained, it may be possible to access other systems on the network with legitimate remote-administration tooling (the PSEXEC and WMIC usage covered under mitigation later in this briefing), which means a fully patched host can still be infected from a compromised neighbour if the stolen credentials are valid on it. Once access is obtained, the Petya variant again tries to identify other systems vulnerable to SMB exploitation.

Page 6

US-CERT TA17-181A – Petya Ransomware - continued

•  TA17-181A:

–  summarizes that files on compromised systems are encrypted with AES-128 at runtime, and that the malware writes a text file on the C:\ drive containing the Bitcoin wallet information and the RSA-wrapped key material the victim is told to submit with the ransom payment. The variant also modifies the Master Boot Record (MBR) so that, on reboot, its own boot code runs and encrypts the Master File Table (MFT), leaving the original MBR unusable. This process makes it appear unlikely that the victim's files can be restored.

–  provides references to the NCCIC Code Analysis Team's Malware Initial Findings Report (MIFR) MIFR-10130295, which provides a detailed analysis of the Petya variant (PDF and STIX).

–  provides network signatures for computer network defense (CND) efforts.

–  provides recommended courses of action for infection response and preventive measures.

–  is available for review at https://www.us-cert.gov/ncas/alerts/TA17-181A.

Page 7

Questions? Comments?

Contact CISCP at: [email protected]

Contact US-CERT at:

•  Email: [email protected]

•  Phone: 1-888-282-0870

•  Website: www.us-cert.gov

•  Additional NCCIC/US-CERT and CISCP reporting is available on the Homeland Security Information Network (HSIN) at https://hsin.dhs.gov/

Page 8

HITRUST Ransomware Update


Page 10

Merck says it is the target of a global ransomware cyber attack


Page 14

Petya Strikes

•  New Petya Variant

–  First reports Tuesday, June 27, 2017

•  Leverages the EternalBlue exploit (the SMBv1 vulnerability fixed by MS17-010)

–  Disable SMBv1 where it is not required, and patch all systems with MS17-010

•  Early visibility is key to detect and contain

–  HITRUST CTX to share indicators in early stages

Page 15

Petya Mitigation

•  Disable PSEXEC/WMIC. The variant uses both, with stolen credentials, to reach hosts that are already patched against MS17-010, so restrict or block them wherever they are not needed for administration.

•  Create a dummy file "C:\Windows\perfc" on all machines via your management tools (e.g. SCCM), or block the creation of that file using your endpoint agents. This variant checks for that file and does not run if it already exists; make the file read-only so it cannot be silently replaced.

•  DON'T PAY A RANSOM.

–  You won't get your files back: the email address used by the threat agent (wowsmith123456{at}posteo{dot}net) has been suspended by the hosting provider Posteo, so the attacker can neither confirm payments nor send a key.

•  Proactively monitor and validate traffic going in and out of the network.
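The host-side part of the two slides above (disable SMBv1 alongside patching MS17-010, create the perfc vaccine file, cut off the SMB path that PSEXEC-style spreading needs), as an added PowerShell example. This is not code from the briefing or from HITRUST. It assumes a Windows 8.1 / Server 2012 R2 or later host with the SmbShare, Dism and NetSecurity modules available, and it uses a hypothetical client subnet of 10.10.0.0/16 for the firewall rule. It deliberately does not test MS17-010 by KB number, because the KB differs per OS and is superseded by later cumulative updates; confirm patch state against the bulletin with your patch-management tooling instead.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the HITRUST briefing. Run in an elevated session on
# Windows 8.1 / Server 2012 R2 or later. Review before pushing through SCCM/GPO.

$ErrorActionPreference = 'Stop'
# ASSUMPTION: the client VLAN whose hosts should never accept SMB from each other.
$ClientSubnet = '10.10.0.0/16'

# --- 1. SMBv1: EternalBlue (the MS17-010 vulnerability) targets the SMBv1 server ---
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 server is enabled; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Output 'SMBv1 server already disabled.'
}
# Also remove the SMB1 client/server binaries (client SKUs expose this as an
# optional feature; on Server the equivalent is the FS-SMB1 role feature).
# Takes effect after a reboot.
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Warning 'SMB1Protocol feature disabled; reboot required to complete removal.'
}

# --- 2. Vaccine file: this Petya variant exits if C:\Windows\perfc already exists ---
# Read-only so an ordinary process cannot replace it. Public vaccine guidance at the
# time also created perfc.dat and perfc.dll next to it; harmless, so included here.
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    $ro = (Get-Item -LiteralPath $path).IsReadOnly
    Write-Output ("Vaccine file {0} present, ReadOnly={1}" -f $path, $ro)
}

# --- 3. Lateral movement: both the exploit and PSEXEC need TCP 445 on the target ---
# Clients rarely need inbound SMB from other clients. Blocking 445 from the client
# subnet at the host firewall stops exploit-based and credential-based spreading
# between workstations; management subnets stay off the RemoteAddress list so
# SCCM and admin jump hosts keep working.
$ruleName = 'Petya mitigation - block inbound SMB from client subnet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -RemoteAddress $ClientSubnet -Action Block -Profile Any | Out-Null
    Write-Output "Firewall rule created: $ruleName"
}

# --- 4. Visibility: PsExec leaves a PSEXESVC service on hosts it has been run against ---
# On a workstation its presence is worth an alert even when an admin did it.
$svc = Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
if ($svc) {
    Write-Warning "PSEXESVC service found (status: $($svc.Status)); check who ran PsExec against this host."
}
```

Disabling wmic.exe itself is a Group Policy or AppLocker decision (it lives in System32 and is used by legitimate management agents), which is why the example limits the network path the tools depend on rather than the binaries. The SMB1 feature removal and the firewall rule are the two steps to stage through a pilot group first, since both can break old scanners, printers and file-share clients that still speak SMBv1.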

Page 16

HITRUST CSF Controls Related to Threats

Page 17

HITRUST CSF Controls Related to Threats

CSF Control for Petya Ransomware Attack (HITRUST)

•  Control Reference: *09.j Controls Against Malicious Code

–  Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

–  Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Page 18

HITRUST CSF Controls Related to Threats

CSF Control for Petya Ransomware Attack (HITRUST)

•  Control Reference: *10.h Control of Operational Software

–  Control Text: There shall be procedures in place to control the installation of software on operational systems.

–  Implementation Requirement: The organization shall maintain information systems according to a current baseline configuration and configure system security parameters to prevent misuse. The operating system shall have in place supporting technical controls such as antivirus, file integrity monitoring, host-based (personal) firewalls or port filtering tools, and logging as part of the baseline.

Page 19

HITRUST CSF Controls Related to Threats

CSF Control for Petya Ransomware Attack (HITRUST)

•  Control Reference: *10.m Control of Technical Vulnerabilities

–  Control Text: Timely information about technical vulnerabilities of information systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

–  Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within the organization responsible for the software. Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

–  For the Petya variant discussed in this briefing, this inventory is what tells an organization, within hours of the alert, which hosts still lack MS17-010 or still have SMBv1 enabled.

Page 20

Questions?

Page 21

Visit www.HITRUSTAlliance.net for more information.
