Tech Blog

Petya (or not) malware: What Tanium customers need to know

Several high-profile organizations are already affected by a ransomware attack which began to spread in Europe on June 27. Tanium’s EDR and TAM teams are monitoring the situation closely. Here’s what we know so far.

petya malware outbreak (Image: Geralt / Pixabay)

A ransomware attack which began to spread in Europe on June 27 is showing potential to have a broader impact worldwide, with several high-profile organizations already infected. Some reports are tying this to a new variant of the “Petya” (or “Petrwrap”) malware, which was used in prior campaigns earlier this year. Others are saying it’s a completely new variant never seen before. The malware uses delivery and propagation methods which exploit recently patched vulnerabilities.

Please note: The findings and recommendations we’re sharing below are derived from community research shared on public and private forums. Aspects of this campaign are not yet fully understood, and the situation may continue to evolve.

Based on early analysis of a few publicly available samples, the window of opportunity for response is extremely short. The malware automatically reboots systems after completing its encryption and propagation routines. Early research indicates this occurs within an hour post-infection.

  • Initial Infection: Early public research indicated the malware is initially delivered to a victim organization through email with a malicious Microsoft Word attachment that exploits CVE-2017-0199. This vulnerability was patched in Microsoft’s April 2017 roll-up update. However, researchers have not yet found evidence of emailed Office documents carrying this malware.
    Subsequent analysis suggests at least some of the victims were infected through a malicious update to accounting software provided by a Ukrainian firm, “MeDoc,” which was hacked. It remains possible this was not the sole initial vector.
  • Propagation: Preliminary research suggests the malware may have two methods of propagation. The first entails using the Windows credentials available on the infected endpoint to attempt to authenticate to other Windows hosts. The second, which may be a fallback mechanism, relies on the same ETERNALBLUE exploit used in WannaCry. There is some outstanding uncertainty over how and when this second method is used – and whether it applies to all variants.

Analysis of publicly available samples indicates the malware may use PsExec in conjunction with the native WMI command-line tool, ‘wmic’, to execute the malware on remote systems. Post-infection, the malware may use ‘schtasks’ to create a local scheduled task that reboots the system within an hour, after which the system is inoperable.

Guidance for Tanium customers

  • Tanium customers should ensure they are up to date using Tanium Patch. The April 2017 Security Roll-Up includes a fix for the Microsoft Office vulnerability thought to be used in the initial exploit. The March MS17-010 patch addresses the SMBv1 vulnerability exploited by EternalBlue, thought to be used as one of the campaign’s propagation techniques. Note that this patch does not mitigate the credential-based method the malware uses to spread.
  • Customers with Tanium Trace can search for historical execution of the ‘wmic’ and ‘schtasks’ commands to look for recent outlier activity matching the behavior of this malware. Both ‘wmic’ and ‘schtasks’ are legitimate but uncommonly used commands (especially on end-user workstations).
  • Tanium customers should work with their threat intelligence providers to ensure they have the latest indicators of compromise related to this campaign. Tanium IOC Detect supports all of the endpoint indicator types that have been shared to date. Further, Tanium Protect can be used to block specific hashes and network addresses associated with the malware.
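The propagation chain described above (PsExec and ‘wmic’ for remote execution, ‘schtasks’ for the delayed reboot) and the hunting guidance for ‘wmic’ and ‘schtasks’ can be expressed as a small set of detection rules over process-creation telemetry. The script below is an added example, not Tanium’s code or part of the original post: it runs the rules over a handful of constructed events modelled on the fields a Windows Security 4688 record (with process command-line auditing enabled) or a Sysmon Event ID 1 record carries, and then correlates hosts where more than one behaviour fires. The hostnames, users, addresses and the `C:\Windows\stage.exe` payload path are invented for illustration; the only behaviours it keys on are the ones named in the text.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names loosely follow
# Sysmon Event ID 1 / Security 4688 with command-line auditing enabled; without
# that auditing, 4688 carries no CommandLine and these rules have nothing to match.
SAMPLE_EVENTS = [
    {"time": "2017-06-27 13:57:10", "host": "WS-042", "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic.exe /node:"10.0.1.23" /user:"CORP\svc_admin" /password:"Hunter2" '
                r'process call create "C:\Windows\stage.exe"'},
    {"time": "2017-06-27 13:58:02", "host": "WS-042", "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'},
    {"time": "2017-06-27 02:00:05", "host": "SRV-BUILD", "user": r"CORP\buildsvc",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC daily /TN nightly-backup /TR "C:\tools\backup.exe" /ST 02:00'},
    {"time": "2017-06-27 09:12:44", "host": "WS-017", "user": r"CORP\helpdesk",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r"wmic computersystem get model,manufacturer"},
    {"time": "2017-06-27 13:59:30", "host": "WS-042", "user": r"CORP\jsmith",
     "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\10.0.1.24 -accepteula -d -c C:\Windows\stage.exe"},
]

REBOOT_WINDOW = timedelta(hours=1)  # the post reports a reboot within an hour of infection


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _flag(evt, rule, note):
    return {"host": evt["host"], "time": evt["time"], "user": evt["user"],
            "rule": rule, "cmdline": evt["cmdline"], "note": note}


def check_wmic_remote_exec(evt):
    """wmic aimed at another host (/node:) that creates a process there."""
    if _basename(evt["image"]) != "wmic.exe":
        return None
    cl = evt["cmdline"].lower()
    if "/node:" in cl and re.search(r"process\s+call\s+create", cl):
        target = re.search(r'/node:"?([^"\s]+)', cl)
        return _flag(evt, "wmic_remote_process_create",
                     "remote process creation on " + (target.group(1) if target else "?"))
    return None


def check_schtasks_reboot(evt):
    """schtasks /Create of a task that runs shutdown, due within REBOOT_WINDOW."""
    if _basename(evt["image"]) != "schtasks.exe":
        return None
    cl = evt["cmdline"].lower()
    if "/create" not in cl or "shutdown" not in cl:
        return None
    st = re.search(r"/st\s+(\d{1,2}):(\d{2})", cl)
    if not st:
        return _flag(evt, "schtasks_shutdown", "shutdown task created without /ST")
    created = datetime.strptime(evt["time"], "%Y-%m-%d %H:%M:%S")
    run_at = created.replace(hour=int(st.group(1)), minute=int(st.group(2)), second=0)
    if run_at < created:          # /ST earlier in the day means tomorrow
        run_at += timedelta(days=1)
    delay = run_at - created
    if delay <= REBOOT_WINDOW:
        return _flag(evt, "schtasks_imminent_reboot",
                     "reboot scheduled in %d min" % (delay.total_seconds() // 60))
    return None


def check_psexec_lateral(evt):
    """PsExec pointed at a remote host (\\\\target ...)."""
    if not _basename(evt["image"]).startswith("psexec"):
        return None
    target = re.search(r"\\\\([\w.\-]+)", evt["cmdline"])
    if target:
        return _flag(evt, "psexec_lateral", "remote execution on " + target.group(1))
    return None


CHECKS = (check_wmic_remote_exec, check_schtasks_reboot, check_psexec_lateral)


def hunt(events):
    """Run every rule over every event; return the list of findings."""
    return [f for evt in events for f in (c(evt) for c in CHECKS) if f]


def correlate_hosts(findings, min_rules=2):
    """Hosts where at least min_rules distinct behaviours fired: strongest candidates for isolation."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print("%s %s %-28s %s" % (f["time"], f["host"], f["rule"], f["note"]))
    print("hosts to isolate first:", correlate_hosts(found))
```

The reboot rule is the one worth tuning: the task in the sample is due 43 minutes after creation, so a responder who alerts only on the reboot has already lost most of the window the post describes; the ‘wmic’ and PsExec rules fire earlier in the chain and on the host doing the spreading, which is where isolation buys the most.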

(Editor’s note: This article was updated at 4:30 pm PT to reflect new information about the initial infection phase.)


About the author: In his role as Tanium’s Chief Security Architect, Ryan Kazanciyan brings more than 14 years of experience in incident response, forensic analysis, and penetration testing. Ryan oversees the design and roadmap for Tanium’s Threat Response offerings, and leads the Tanium Endpoint Detection and Response (EDR) team. Prior to joining Tanium, Ryan oversaw investigation and remediation efforts at Mandiant, partnering with dozens of Fortune 500 organizations affected by targeted attacks. Ryan has trained hundreds of incident responders as an instructor for Black Hat and the FBI’s cyber squad. He is a contributing author for “Incident Response and Computer Forensics 3rd Edition” (McGraw-Hill, 2014). Ryan also works as a technical consultant for the television series “Mr. Robot”, where he collaborates with the writers and production team to design the hacks depicted in the show.
