BF-SIRT Newsletter 2018-07
NCC Group rebuilt NotPetya, replacing its destructive payload with telemetry and safeguards, to see what the impact could have been on a real network. They found the following:
- The customer ran it on one machine in their engineering network, as an unprivileged user.
- It found three unpatched machines.
- It exploited those three machines to obtain kernel-level access.
- It infected those three machines.
- Within ten minutes it had spread through the entire engineering network using recovered/stolen credentials.
- It took over the domain about two minutes later.
- 107 hosts were owned in roughly 45 minutes before the client triggered the kill-and-remove switch.
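The spread described above leaves a distinctive trace: one source host opening network logons to many distinct hosts within minutes, and a second account (the stolen credential) appearing from that same source partway through. The following is an added example, not NCC Group's tooling or the customer's telemetry, of a hunt over exported logon events for that fan-out pattern. It assumes successful Windows network logons (event 4624, logon type 3) have been exported as whitespace-separated lines of time, source host, destination host and account; the host names, accounts, threshold and window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logons (Windows 4624, logon type 3),
# one per line: time, source host, destination host, account. These lines are
# made up for the example and are not real telemetry from the experiment.
SAMPLE_LOGONS = """\
2018-02-19T10:00:05 eng-ws05 eng-fs01 jsmith
2018-02-19T10:00:09 eng-ws01 eng-ws02 svc_build
2018-02-19T10:00:12 eng-ws01 eng-ws03 svc_build
2018-02-19T10:00:15 eng-ws01 eng-ws04 svc_build
2018-02-19T10:00:40 eng-ws09 eng-fs01 akumar
2018-02-19T10:01:02 eng-ws01 eng-ws06 eng-admin
2018-02-19T10:01:05 eng-ws01 eng-ws07 eng-admin
2018-02-19T10:01:09 eng-ws01 eng-ws08 eng-admin
2018-02-19T10:01:14 eng-ws01 eng-dc01 eng-admin
2018-02-19T10:02:30 eng-ws05 eng-fs01 jsmith
2018-02-19T10:03:00 eng-ws09 eng-print01 akumar
"""

FANOUT_THRESHOLD = 5            # distinct destinations from one source host...
WINDOW = timedelta(minutes=10)  # ...within this much time (assumed tuning values)


def parse_logons(text):
    """Parse the whitespace-separated sample format into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, account = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, account))
    events.sort()
    return events


def detect_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Flag every source host that reaches >= threshold distinct hosts inside
    one sliding time window. Returns one alert dict per offending source,
    covering all of that source's logons that fit in the window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until events[start..end] fit in the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            targets = {e[2] for e in evs[start:end + 1]}
            if len(targets) >= threshold:
                # Extend to every later event that still fits the same window,
                # so the alert shows the full reach of the burst.
                stop = end
                while stop + 1 < len(evs) and evs[stop + 1][0] - evs[start][0] <= window:
                    stop += 1
                win = evs[start:stop + 1]
                alerts.append({
                    "source": src,
                    "first_seen": win[0][0],
                    "last_seen": win[-1][0],
                    "targets": sorted({e[2] for e in win}),
                    "accounts": sorted({e[3] for e in win}),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(parse_logons(SAMPLE_LOGONS)):
        span = (a["last_seen"] - a["first_seen"]).total_seconds()
        print(f'{a["source"]} reached {len(a["targets"])} hosts in {span:.0f}s '
              f'using {", ".join(a["accounts"])}: {", ".join(a["targets"])}')
```

On the constructed sample, only eng-ws01 trips the rule: seven hosts, including the domain controller, in just over a minute, with the source switching from svc_build to eng-admin along the way. The benign file-server and printer traffic from the other workstations stays well under the threshold. The threshold and window are deliberately conservative; on a real network they need tuning against legitimate fan-out sources such as scanners, backup servers and management hosts, which are best excluded by name rather than by raising the threshold.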
Top 5 Security links
A rebuilt NotPetya gets its first execution outside of the lab
Cryptomining script poisons government websites – What to do
Hackers Exploit 'Telegram Messenger' Zero-Day Flaw to Spread Malware
Winter Olympics network outages blamed on unexplained cyberhack
UK names Russia as source of NotPetya, USA follows suit