BF-SIRT Newsletter 2018-07

NCCGroup rebuilt NotPetya, replacing its destructive payload with telemetry and safeguards to see what the impact could have been. They found the following:

  • The customer ran it on one machine in their engineering network with no privileges.
  • It found three machines unpatched.
  • It exploited those three machines to obtain kernel level access.
  • It infected those three machines.
  • Within ten minutes it had gone through the entire engineering network using recovered/stolen credentials.
  • It then took the domain about two minutes later.
  • 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.
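The propagation pattern described above (one set of stolen credentials reaching many hosts within minutes, with each reached host becoming a new source of logons) is visible in ordinary network-logon telemetry. The following detector is an added example, not code from the newsletter or from NCC Group's rebuilt sample; it runs over a constructed set of logon records with hypothetical host and account names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of network logon events (hypothetical SIEM export):
# (timestamp, account, source host, target host). It mimics the NCC test:
# one recovered service account fanning out across the engineering network
# within a minute, next to a normal user touching two servers.
EVENTS = [
    ("2018-02-12T09:00:05", "svc_build", "eng-01", "eng-02"),
    ("2018-02-12T09:00:09", "svc_build", "eng-01", "eng-03"),
    ("2018-02-12T09:00:14", "svc_build", "eng-02", "eng-04"),
    ("2018-02-12T09:00:21", "svc_build", "eng-03", "eng-05"),
    ("2018-02-12T09:00:30", "svc_build", "eng-04", "eng-06"),
    ("2018-02-12T09:01:02", "svc_build", "eng-05", "eng-07"),
    ("2018-02-12T09:30:00", "alice", "ws-11", "file-01"),
    ("2018-02-12T09:31:00", "alice", "ws-11", "print-01"),
]


def fanout_alerts(events, window=timedelta(minutes=10), max_targets=5):
    """Flag accounts that reach more than max_targets distinct hosts inside
    any sliding window of the given length. Returns a list of
    (account, window start as ISO string, distinct target count)."""
    by_account = defaultdict(list)
    for ts, account, _src, dst in events:
        by_account[account].append((datetime.fromisoformat(ts), dst))
    alerts = []
    for account, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it fits the time bound
            while rows[end][0] - rows[start][0] > window:
                start += 1
            targets = {dst for _, dst in rows[start:end + 1]}
            if len(targets) > max_targets:
                alerts.append((account, rows[start][0].isoformat(), len(targets)))
                break  # one alert per account is enough for triage
    return alerts


def infected_hosts(events, account):
    """Hosts that appear as both a logon target and a logon source for the
    account: the worm footprint, since every host it reaches starts
    spreading on its own. Returned sorted for stable comparison."""
    targets = {dst for _, acct, _, dst in events if acct == account}
    sources = {src for _, acct, src, _ in events if acct == account}
    return sorted(targets & sources)
```

With the defaults, the constructed data raises one alert for `svc_build` (6 hosts in under a minute) and lists the four hosts that were reached and then pivoted from; the thresholds are tuning knobs, not fixed values.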

Top 5 Security links
A rebuilt NotPetya gets its first execution outside of the lab
Cryptomining script poisons government websites – What to do
Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware
Winter Olympics network outages blamed on unexplained cyberhack
UK names Russia as source of NotPetya, USA follows suit