How to protect against Petya with Palo Alto Networks (déjà vu)

Join our EDU-210: Configuration- and Cyberthreat Management training to learn more on how to protect your network effectively
or let us know if we can help you.

It took longer than I thought but here it is, another ransomware outbreak making it into the prime time news as it utilises the EternalBlue exploit (CVE-2017-0143 to 0148) to spread blazing fast through enterprise networks. From a security protection point of view its feels like a déjà vu, so here are again all the things you need, to protect against this nasty ransomware using Palo Alto Networks Security platform.

Stage 1 - initial infection of the first device
In the first stage a device gets infected with malware. In case of Petya, there is no proof yet on how the initial infection exactly happend. There are numerous possibilities like for instance a malicious Word document distributed in phishing e-mails which is the classical threat vector for ransomware these days. However based on what we have seen so far, with so many attacks happening at the same time, it is hard to believe that users in so many companies opened a malicious e-mail attachment and nobody has evidence of these e-mails. My personal theory is that the threat actor behind Petya simply bought access to devices which were already infected with malware and with this was able to check if the Microsoft patch was already deployed in its victims network. This wouldn't be unusual as today's cybercrime is very well organise with hackers specialising on specific attacks like infecting devices, deploying a remote access Trojan and then selling the access to others. What is clear in any case, is that you have to protect your network from the initial infection. So let's explore the most common possibility.

1. Victim: A user receives a phishing e-mail with a malicious Word attachment
   1. FireWall Protection:
      1. Apply AntiVirus to inbound SMTP traffic and make sure your Wildfire signatures are checked and installed every minute - If the SMTP traffic passes through the FireWall and Wildfire already knows about the malicious attachment then the FireWall would block the e-mail. Tip: Make sure the SMTP traffic isn't encrypted and the FireWall is able to detect files. You can check this in the data filtering log. The filter "( app eq smtp )" should show Email Links and other attachments on SMTP traffic coming from the Internet.
      2. Apply a Wildfire security profile to inbound SMTP traffic - If Palo Alto Networks didn't know yet about the file then the FireWall will upload it to Wildfire for analysis.
      3. Enable a Log Forwarding profile with Wildfire E-Mail Alerts to inbound SMTP traffic - Wildfire will issue a report after five minutes in case the attachment was malicious and the FireWall will send an immediate alert via E-Mail.
   2. Other Protection: If you have one of the better E-Mail Security Solution like Proofpoint then it should block the delivery of the e-mail in the first place. Tip: If you have a Wildfire subscription then you can integrate it with Proofpoint free of charge.
2. Victim: The User gets tricked to open the malicious Word attachment and clicks "Enable Content". The Word document includes a malicious macro which, in the background and without the users knowledge, downloads the real Petya malware executable (PE) from the Internet, installs it on the device and starts to encrypt files.
   1. FireWall Protection:
      1. Apply URL Filtering to Internet Outbound traffic and block the URL Categories  "malware" and "phishing" - The FireWall not only uploads files to Wildfire but also the information from where they were downloaded from. With this Wildfire will update Palo Alto Networks PAN-DB URL Filtering every half an hour with malicious URLs which makes it very effective blocking access to bad URLs.
      2. Apply URL Filtering to Internet Outbound traffic and block the URL Categories "unknown" - While Wildfire updates PAN-DB very quickly, it still means that it would have had received at least one malicious sample. Therefore unknown URLs should also be blocked. Tip: PAN-DB is very quick at picking up and categorising unknown URLs. So blocking unknown URLs isn't as big of a risk as you might think it is. In any case you should still do a quick check in your URL Filtering log to see if there are any legitimate unknown URLs that you need to categorise beforehand.
      3. Apply a File blocking profile to Internet Outbound traffic and block the Download of Executable Files "PE" as well as "Multi-Level-Encoding" - Most attacks including Petya depend on the download of an portable executable "PE" because the initial exploit or Office macro doesn't provide enough capabilities to do whatever the hacker wants to do like encrypting files and ask for a Ransom. Blocking the download of executables is therefore highly effective. Tip: You will need to setup additional rules to allow the download of executables from trusted sources like various update application. Although it's rare, please be aware that there are evasion techniques which prevent the FireWall from identifying files in a traffic stream.  
      4. Enable SSL Decryption - SSL is very commonly used by hackers to evade detection and therefore SSL Decryption is essential. Tip: Always apply a SSL Decryption profile blocking all the bad staff from day one to make SSL Decryption effective but use User-ID to apply SSL Decryption only to a small test group which you expand over time to check for any applications that are broken by SSL Decryption and need to be excluded.
   2. Traps Advanced Endpoint Protection:
      1. Wildfire Office file protection (New default policy in Traps v4.0) - Traps local analysis engine detects and blocks suspicious office documents that include macros which are commonly used by ransomware like Petya. Traps will still upload the suspicious office documents to Wildfire to confirm the verdict and should it have been a false positive then the verdict will be overwritten so that the user can open the document again after about 10min.
      2. Child Process Protection (New default policy in Traps v4.0) - Traps is blocking Office to launch child processed like powershell which is used by malicious office documents to instruct the PC to download and run the Petya ransomware from the Internet
      3. Setup E-Mail Alerts - Office documents which are not detected as malware by the local analysis but include a macro (and only if they have a macro) are still uploaded to Wildfire for analysis, should the file turn out to be malicious then Traps will log a post detection event and send an alert via E-Mail
      4. Wildfire Malware Protection - Traps blocks any executable files / applications that are already known to Wildfire as malware. Traps local analysis detects and blocks suspicious executable files / applications that are not yet known to Wildfire. Executables which are not detected as malware by the local analysis are still uploaded to Wildfire for analysis, should the file turn out to be malicious then Traps will log a post detection event and send an alert via E-Mail
      5. Setup a Wildfire policy to Block Unknown PEs - Any executables which are not yet known to Wildfire should be blocked. Tip: You can setup a custom message under Agent settings informing the user that the file is under investigation and he can try again to launch it in 10min at which point a verdict from Wildfire would be available. The Wildfire Unknown Verdicts Recheck Interval should be reduced to one minute to make sure the verdict is available on the ESM
   3. Other Protections: Don't feel safe with your old AntiVirus as it only stops known malware signatures. Hackers use Crypters to generate self-decrypting executables and with this malware always has a new signature at time of download which evades your AntiVirus. Even the big guys like McAfee and Symantec openly admit that they would only block about 40-45% of malware and guess what, the remaining 60% is what really causes the big damage so AntiVirus is effectively useless and a waste of money.
3. Command and Control: Unlike the WannaCrypt Ransomware which used Tor to communicate with the hackers command and control server to upload the encryption key, Petya does not seem to include any Command and Control mechanism. The following safeguard is still recommend.
   1. FireWall Protection: Setup a "Block Known Bad" rule at the top of your rulebase blocking any applications which you never ever want to allow in your network like tor any other Anonymizer.

Stage 2 - distribution of the malware inside the network
The real problem starts at stage two. Once the first device in your network is infected or an already compromised machine connects to your network, then it will scan the entire network for devices which a vulnerable to the EternalBlue exploit (CVE-2017-0143 to 0148). Once it has found new victims, which is effectively every Windows machine not patched with MS17-010, it implants the DoublePulsar backdoor to install the Petya ransomware and this time the user on the new victims machine doesn't have to do anything which means the domino effect starts and it is spreading everywhere bringing your company's IT operation to a hold.

1. FireWall Protection:
   1. Implement a Zero Trust Architecture - The FireWall can only protect communication which is transferred over the FireWall. This means that your Next-Generation FireWall cannot do anything from Petya spreading in your network if it is not in-between the initially infected users and any potential victim. This shows that it is no longer enough to just have a FireWall at the Internet Perimeter but also at least between your users and your datacentre
   2. Apply a Vulnerability Protection Profile to all internal communication with severity critical set to reset-both - Palo Alto Networks already released signatures to block exploits related to MS17-010 (CVE-2017-0143 to 0148) at the middle of April. Please make sure to install as well the latest content update as Palo Alto Networks might update signatures based on new variants that they have discovered.

1. Traps Protection:
   1. Update to the latest content update to make sure all recommended default policies are in place.
   1. Exploit prevention (default policy) - Traps Exploit Prevention Modules (EPMs) prevent against exploits of the Microsoft Windows Vulnerabilities patched in MS17-010 (CVE-2017-0143 to 0148) and with this also protects unpatched servers and workstations Tip: Make sure that all devices have been restarted after the installation of Traps as EPMs are only injected when a process is started.
   2. Malware Prevention - All the malware prevention techniques as described above will also prevent the infection of new victims with Petya as long as Traps is installed.
2. Other Mitigation:
   1. Keep patching all of your systems for MS17-010 as any unpatched system is a ticking time bomb from a security point of view. Please note that a hotfix has also been released for Windows Server 2003 and XP. I would also highly recommend you to run an internal vulnerability scan to detect devices which are not patched. It has been a while since I saw a worm like this but even today we still see devices being infected with Conficker, a worm from 2008 which released new variants every month until mid-2009. Conficker’s command and control infrastructure has long being destroyed but there are still lots of infected devices, mostly machines for special functions like cash tills and door opening systems that were not part of the active directory domain. Therefore it is very important to do such a scan to identify all potential victim machines in your network.

---

Disclaimer: Consigas Limited accepts no liability for the content of this blog post, or for the consequences of any actions taken on the basis of the information provided. Any views or opinions presented in this document are solely those of the author and do not necessarily represent those of Palo Alto Networks.