
3 Years After NotPetya, Many Organizations Still in Danger of Similar Attacks

The same gaps that enabled the ransomware to spread remain in patching, network segmentation, and backup practices, security experts say.

Three years after the NotPetya ransomware outbreak overwhelmed numerous businesses in Ukraine and more than 60 other countries, many enterprises remain as vulnerable as ever to similar attacks.

The lessons that the outbreak highlighted around the importance of network segmentation, patching, and robust backup practices appear to have already been forgotten or remain largely unlearned.

"NotPetya changed the world's perception of destructive cyberattacks and is one of the only cyber activities that is considered to be an act of war," Charles Carmakal, senior vice president and CTO at Mandiant, said in an emailed statement. "Despite the broad awareness of NotPetya, the world is still susceptible to the same techniques employed in the attack."

The NotPetya attacks were noteworthy for their sheer destructiveness, the amazing speed at which they spread, and the widespread impact. The US and UK governments and numerous others have formally attributed the campaign to Russia's military intelligence apparatus, and described it as designed to destabilize the Ukrainian government.

In a February 2018 statement, the White House called the NotPetya outbreak the "most destructive and costliest cyber-attack in history" and promised international consequences for it.

The June 27, 2017, attacks were specifically targeted at organizations located in Ukraine or those with close business ties to the country. They eventually impacted organizations in some 65 countries, including the United States, United Kingdom, Denmark, India, and Australia.

The attacks are believed to have caused multiple billions of dollars in damages. Though NotPetya was technically ransomware, it was used in the attacks almost entirely to destroy data and disrupt operations, and far less so to collect ransom payments from impacted organizations.

Victims included Danish shipping company Maersk, which ended up spending more than $300 million on repair and recovery after NotPetya destroyed a staggering 49,000 computers and more than 1,000 applications. Other notable victims included FedEx, pharmaceutical giant Merck, and French firm Saint-Gobain. All of these organizations spent hundreds of millions of dollars to restore data and systems that NotPetya had encrypted beyond repair.

To distribute the malware, the attackers are believed to have first compromised an automatic software update server belonging to MeDoc, the provider of a tax-accounting software product used almost ubiquitously by Ukrainian organizations. They then distributed the malware — disguised as a legitimate security update — to MeDoc users. 

NotPetya exploited EternalBlue, a leaked NSA exploit targeting security issues in Microsoft's SMB protocol in older Windows versions, to move laterally on enterprise networks and to spread from one vulnerable system to the next. Though Microsoft had issued a patch for the vulnerability months earlier, numerous organizations remained unpatched at the time of the NotPetya outbreak. The ransomware also used the publicly available Mimikatz penetration-testing tool to harvest credentials from victim networks in order to spread from system to system.

Persisting Problems

Amir Preminger, vice president of research at industrial cybersecurity firm Claroty, says three years after the attack, the conditions that allowed NotPetya to spread so quickly and damagingly still persist at many organizations.

Patching, for instance, remains a major concern because many organizations do not apply patches quickly. A ServiceNow study of 3,000 security professionals found that 60% of breaches in 2019 were tied to a security vulnerability for which a patch was already available. Organizations experienced 30% more downtime in 2019 compared to the year before because of delays in vulnerability patching.

Similarly, network segmentation remains a work in progress at many organizations, Preminger says. Segmentation lets organizations isolate or segregate parts of the network from one another and enforce tighter access control between them. With NotPetya, segmentation could have helped impacted organizations contain the malware and limit the damage.

Security researchers have long advocated the method as a best practice, yet surprisingly few organizations have implemented it. In a survey that Illumio conducted last year, fewer than one in five companies (19%) had implemented segmentation, most citing perceived complexity as the reason.

Poor network visibility and insufficient network monitoring are other major concerns. "The foundation of the next NotPetya is still being created, so discovering and patching vulnerabilities before threat actors have the chance to exploit them on a large scale is essential for preventing a similar attack," Preminger says.

Organizations need to know as quickly as possible which devices are vulnerable and, based on their patching capabilities, figure out how they want to prioritize patch deployment, he notes.
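The two conditions the article keeps returning to, worm-like SMB lateral movement and SMB traffic crossing segment boundaries that segmentation should have blocked, are easy to watch for in network monitoring data. The following is an added example, not code from the article or from any of the vendors quoted; it assumes a simple constructed flow-log format ("timestamp src_ip dst_ip dst_port") and a hypothetical two-segment network map, and flags any source that reaches an unusual number of distinct hosts on TCP 445 inside a short window, plus every SMB flow between segments.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records (assumed format: one connection per line,
# "timestamp src_ip dst_ip dst_port"); not data from the article.
SAMPLE_FLOWS = """\
2017-06-27T10:30:01 10.1.5.20 10.1.5.21 445
2017-06-27T10:30:02 10.1.5.20 10.1.5.22 445
2017-06-27T10:30:03 10.1.5.20 10.1.5.23 445
2017-06-27T10:30:04 10.1.5.20 10.1.5.24 445
2017-06-27T10:30:05 10.1.5.20 10.2.7.10 445
2017-06-27T10:30:06 10.1.5.20 10.2.7.11 445
2017-06-27T10:30:07 10.1.5.20 10.1.5.25 445
2017-06-27T10:31:00 10.1.5.30 10.1.5.40 443
2017-06-27T10:32:00 10.1.5.31 10.1.5.41 445
"""

# Hypothetical segment map: user workstations and a separate plant/OT network.
SEGMENTS = {"workstations": ip_network("10.1.5.0/24"), "plant": ip_network("10.2.7.0/24")}

def parse_flows(text):
    """Turn the text log into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)))
    return flows

def segment_of(ip):
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unknown"

def smb_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Sources that opened SMB (445) connections to >= threshold distinct hosts within window.
    Returns {source_ip: distinct_target_count} for the first window that trips the threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()  # sliding window over time-ordered events
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                alerts[str(src)] = len(targets)
                break
    return alerts

def cross_segment_smb(flows):
    """SMB flows that cross a segment boundary: exactly what a segmentation policy should block."""
    return [(str(s), str(d)) for _, s, d, p in flows if p == 445 and segment_of(s) != segment_of(d)]
```

On the sample data, 10.1.5.20 touches seven hosts on 445 in six seconds and two of those are in the plant segment; a single normal SMB session from 10.1.5.31 produces no alert.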

The NotPetya attacks were a prime example of an absolute worst-case scenario that can occur due to not applying patches to critical software vulnerabilities, says Alex Guirakhoo, threat research team lead at Digital Shadows. "Much like the WannaCry attacks a month earlier, NotPetya leveraged the infamous EternalBlue vulnerability, affecting many older Windows operating systems: all of which are now no longer officially supported by Microsoft."

As organizations become more reliant on Internet-connected technologies for business and personal use, the attack surface increases accordingly. Managing this attack surface has become even more critical now that COVID-19 has significantly broadened remote working. "It can be difficult for many organizations to find the time to apply patches without impacting business continuity. However, attackers are constantly scanning for vulnerable Internet-connected devices," he says.

According to Mandiant's Carmakal, a general misconception around NotPetya is how much EternalBlue enabled its spread. NotPetya spread so quickly because it used Mimikatz to harvest credentials from the systems it ran on to move laterally. "Stealing credentials from Windows using a tool like Mimikatz is still highly effective today," he said.

To this day, the group behind NotPetya remains one of the most advanced and active cyber threat groups. "They are one of the few groups that have demonstrated their willingness to orchestrate destructive cyberattacks with physical consequences," Carmakal said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...