NotPetya attack - three years on, what have we learned?

(Image credit: Shutterstock)

Why was this particular trojan so successful - what was so special about it? 

The attack was well prepared by its authors. NotPetya initially spread via the M.E.Doc accounting software when cybercriminals hacked the software’s update mechanism to spread NotPetya to systems when the software was updated. This was a bitter paradox, as users are always advised to update their software, but in this particular case, a trojanized updater of this software started the infection chain.This type of supply chain attack was not common at that time, causing a delay in figuring out the root cause of the attack. The speed at which it spread  through the infected networks was fascinating.  

The trojan was allegedly taking advantage of a long known vulnerability: (what) have companies/organizations learned from this? 

For its lateral movement, NotPetya employed three different spreading methods: exploiting EternalBlue (known from WannaCry), exploiting EternalRomance, and via Windows network shares by using victim’s stolen credentials (this was done via a bundled Mimikatz-like tool, which extracts passwords) and legitimate tools like PsExec and WMIC. These additional techniques, which included exploiting known vulnerabilities for which patches were long available for, were probably the reason why it succeeded, despite EternalBlue gaining attention after the WannaCry attack less than two months before the NotPetya attack. I can only hope that companies learned to update their operating systems and applications as soon as an update becomes available, despite NotPetya, unfortunately, spreading via a product update. 

Could the spread happen again in this form at any time? 

It's only a matter of time before there will be another major malware outbreak, when and how widespread the attack will be depends on multiple factors, including the availability of a high-quality exploit like EternalBlue, the malware actor, and their motivation. 

Microsoft did a good job of patching EternalBlue, and the vulnerability is now mainly only present in older systems like Windows 7 and Windows XP. Of the PCs Avast scanned from May 23 - June 22, 2020, only 4% around the world are running with EternalBlue, in the UK it’s 0.82%.

How can organizations protect themselves?

There are many steps businesses can take to protect themselves from hackers. Businesses should make sure they have multiple layers of defense, including antivirus, firewall, intrusion detection, update their firmware and software on a regular basis, and implement proper usage access rights for their employees. Furthermore, businesses should assess the software they use, making sure the software they are using continues to receive security updates. 

It is also extremely important for businesses to keep the human factor in mind when considering how to best secure their business. Humans make mistakes and hackers like to exploit human mistakes, so it is vital that businesses discuss security best practices with their employees.  

Penetration testing is a great way for companies to see where their weaknesses lie, and what hackers could potentially exploit on and offline. Penetration testing should be done a few times a year, as hackers are always looking for and finding new ways to hack their way into businesses. 

Finally, but equally as important, businesses should keep backups of their data. There are a range of different potential backup solutions from cloud storage to external hard drives, network device storage to USBs or flash drives. How many backups a business has is just as important as where they back up. Saving information to two locations, in the cloud and on a physical external hard drive, can help to keep information more secure. When using an external hard drive, it is important to disconnect and store them somewhere safe after the backing up process to keep the information protected from malware like ransomware, which can spread from computers to attached devices. Lastly, one of the most important working best practices is to enable any automatic backup option offered by most cloud storage services. This ensures that data is automatically backed up and secured removing any temptation to hit the ‘Remind me later’ button. 

Jakub Kroustek is Threat Lab Team Lead at Avast 

Jakub Kroustek

Jakub Kroustek is Head of Threat Intelligence Systems at Avast. He is a malware analyst with a love of reverse engineering. His expertise lies in ransomware, botnets, IoT hacking, the darknet, and cryptocurrencies.