Lessons Learned: Maersk cyberattack

Few attack incidents have been reported as widely as those involving the NotPetya ransomware in 2017. The attack paralysed a number of companies, including the shipping giant Maersk, which temporarily lost control of its operations in the port of Rotterdam and of its global container network.

NotPetya was propelled by two powerful hacking tools working in tandem:

1. EternalBlue

One was a penetration tool known as EternalBlue, created by the US National Security Agency but leaked in a disastrous breach of the agency’s ultrasecret files earlier in 2017. EternalBlue takes advantage of a vulnerability in a particular Windows protocol, allowing hackers free rein to remotely run their own code on any unpatched machine. The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network. EternalBlue was the centerpiece of the worldwide WannaCry ransomware attacks that were ultimately traced to North Korean government hackers. The NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen.

2. Mimikatz

NotPetya’s architects combined that digital skeleton key with an older invention known as Mimikatz, created as a proof of concept by French security researcher Benjamin Delpy in 2011. Delpy had originally released Mimikatz to demonstrate that Windows left users’ passwords lingering in computers’ memory. Once hackers gained initial access to a computer, Mimikatz could pull those passwords out of RAM and use them to hack into other machines accessible with the same credentials. On networks with multiuser computers, it could even allow an automated attack to hopscotch from one machine to the next.

Before NotPetya’s launch, Microsoft had released a patch for the vulnerability EternalBlue exploits. EternalBlue and Mimikatz together nonetheless made a virulent combination: once an unpatched computer is infected, the attacker can harvest the passwords held on it and use them to infect other computers that had been patched.
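The following is an added example, not code from the original article or from Maersk. It is a read-only PowerShell audit of a single Windows host for the two weaknesses the paragraphs above describe: an exposed SMBv1 service, which is what EternalBlue targeted, and credential material that Mimikatz can recover from LSASS memory. The cmdlets and registry paths are standard Windows ones; the function names and the pass/fail thresholds are this example’s own choices.

```powershell
# Added example, not code from the original article. Read-only audit of a
# Windows host for the two weaknesses NotPetya chained: an exposed SMBv1
# service (EternalBlue) and credential material recoverable from LSASS memory
# (Mimikatz). Run in an elevated PowerShell session on Windows 8 / Server 2012
# or later. Function names and thresholds are this example's own assumptions.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-NotPetyaExposure {
    $findings = @()

    # 1. SMBv1. EternalBlue targeted the SMBv1 implementation, so disabling the
    #    protocol removes that attack surface even where patching has lagged.
    $smb = Get-SmbServerConfiguration
    $findings += [pscustomobject]@{
        Check = 'SMBv1 server protocol disabled'
        Pass  = (-not $smb.EnableSMB1Protocol)
        Value = $smb.EnableSMB1Protocol
        Fix   = 'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }

    # 2. WDigest. With UseLogonCredential set to 1, LSASS keeps each logged-on
    #    user's plaintext password in memory, which is what Mimikatz dumps.
    #    Only an explicit 0 counts as a pass: on older Windows versions an
    #    absent value means the cleartext cache is still enabled.
    $wdigest = Get-RegistryDword `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name 'UseLogonCredential'
    $findings += [pscustomobject]@{
        Check = 'WDigest cleartext credential caching off'
        Pass  = ($wdigest -eq 0)
        Value = $wdigest
        Fix   = 'Set UseLogonCredential (DWORD) to 0 under ...\SecurityProviders\WDigest and reboot'
    }

    # 3. LSA protection. RunAsPPL=1 runs LSASS as a protected process, so an
    #    ordinary admin-level process can no longer open it to read credentials.
    $ppl = Get-RegistryDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL'
    $findings += [pscustomobject]@{
        Check = 'LSA protection (RunAsPPL) enabled'
        Pass  = ($ppl -eq 1)
        Value = $ppl
        Fix   = 'Set RunAsPPL (DWORD) to 1 under ...\Control\Lsa and reboot'
    }

    return $findings
}

Test-NotPetyaExposure | Format-Table -AutoSize
```

The three checks map directly onto the attack chain: the first closes the door EternalBlue used, the other two limit what Mimikatz can harvest from a machine an attacker has already reached, which is what turns one infected host into a credential source for the patched ones.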

In Maersk’s case, all systems had been fully patched three months before the attack. That protection was, however, undone when Mimikatz stole credentials. The weekend before, one of the servers was due to be migrated to the cloud. A domain admin logged into that machine, took an inventory of everything on it, and left again. The first thing the malware stole was that valid admin credential. On Tuesday June 27, 2017, the malware used the admin credential to move horizontally and vertically through the network. In just 7 minutes, 55,000 machines were infected.

Recovery

After the infection and the virtual shutdown of Maersk’s business, there was light on the horizon. There had been a power outage in Lagos at the time of the attack, which meant that a full, unencrypted copy of the Active Directory survived the NotPetya incident. This was sheer luck. A 23-year-old IT worker was given a free trip on a Gulfstream G450 to physically carry the hard drive to headquarters, where it was used as the seed from which to regrow the rest of the network.

After 14 days, Maersk had its basic technology back. The company operated at a much lower volume, but it was back on its feet. It took another 30 days to return fully to pre-attack levels, partly because of the challenge of adding 17,000 new devices.

Lessons Learned

One of the root causes of the widespread infection, beyond the vulnerabilities and the availability of malware tooling, was the lack of widespread adoption of two-factor authentication for system administrators.
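The following is an added example, not code from the original article or from Maersk. The root cause described above, and the domain admin logging into a soon-to-be-migrated server in the account of the attack, is a detectable event: a privileged account performing an interactive or RDP logon on a machine that is not a domain controller leaves its credentials in that machine’s LSASS memory. The function below reads the local Security log for such logons. The `Domain Admins` group name, the logon types treated as risky, and the seven-day default window are this example’s assumptions; the ActiveDirectory module is used only if present, otherwise the privileged account list must be supplied.

```powershell
# Added example, not the article's own code. Finds interactive (type 2), RDP
# (type 10) and cached-interactive (type 11) logons by privileged accounts in
# the local Security log. Run on a member server or workstation with rights to
# read the Security log. Group name, logon types and window are assumptions.

function Find-PrivilegedLogon {
    param(
        [string[]]$PrivilegedAccounts = @(),  # SamAccountNames; filled from AD if empty
        [int]$Days = 7
    )

    if ($PrivilegedAccounts.Count -eq 0) {
        if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
            $PrivilegedAccounts = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                ForEach-Object { $_.SamAccountName }
        } else {
            throw 'Supply -PrivilegedAccounts; the ActiveDirectory module is not available.'
        }
    }

    # Case-insensitive set of account names for fast lookup.
    $privileged = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($name in $PrivilegedAccounts) { [void]$privileged.Add($name) }

    # Logon types that place the account's credentials in this host's LSASS
    # memory, which is where Mimikatz harvests them from.
    $riskyLogonTypes = @('2', '10', '11')

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        if ($riskyLogonTypes -contains $data['LogonType'] -and
            $privileged.Contains($data['TargetUserName'])) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = $data['LogonType']
                Source    = $data['IpAddress']
                Host      = $env:COMPUTERNAME
            }
        }
    }
}

# Usage: list privileged logons on this host over the past week.
Find-PrivilegedLogon -Days 7 | Format-Table -AutoSize
```

Each row is a machine on which a domain-wide credential was exposed; on a fleet-wide scale the same query, fed into a SIEM, gives the blast radius a single stolen admin credential would have had, and it is also the signal on which to enforce a tiered-admin policy where domain admins never log on to ordinary servers.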

The second cause of the impact was the lack of an offline, safeguarded backup of essential components, such as Active Directory, that could be brought up in an emergency.
