Dark Reading is part of the Informa Tech Division of Informa PLC
3 Years After NotPetya, Many Organizations Still in Danger of Similar Attacks

The same gaps that enabled ransomware to spread remain in patching, network segmentation, backup practices, security experts say.

Three years after the NotPetya ransomware outbreak overwhelmed numerous businesses in Ukraine and more than 60 other countries, many enterprises remain as vulnerable as ever to similar attacks.

The lessons that the outbreak highlighted around the importance of network segmentation, patching, and robust backup practices appear to have already been forgotten or remain largely unlearned.

"NotPetya changed the world's perception of destructive cyberattacks and is one of the only cyber activities that is considered to be an act of war," Charles Carmakal, senior vice president and CTO at Mandiant, said in an emailed statement. "Despite the broad awareness of NotPetya, the world is still susceptible to the same techniques employed in the attack."

The NotPetya attacks were noteworthy for their sheer destructiveness, the amazing speed at which they spread, and the widespread impact. The US and UK governments and numerous others have formally attributed the campaign to Russia's military intelligence apparatus, and described it as designed to destabilize the Ukrainian government.

In a February 2018 statement, the White House called the NotPetya outbreak the "most destructive and costliest cyber-attack in history" and promised international consequences for it.

The June 27, 2017, attacks were specifically targeted at organizations located in Ukraine or with close business ties to the country. The outbreak eventually impacted organizations in some 65 countries, including the United States, United Kingdom, Denmark, India, and Australia.

The attacks are believed to have caused multiple billions of dollars in damages. Though NotPetya was technically ransomware, it was used in the attacks almost entirely to destroy data and disrupt operations, and far less so to collect ransom payments from impacted organizations.

Victims included Danish shipping company Maersk, which ended up spending more than $300 million on repair and recovery after NotPetya destroyed a staggering 49,000 computers and more than 1,000 applications. Other notable victims included FedEx, pharmaceutical giant Merck, and French firm Saint-Gobain. All of these organizations spent hundreds of millions of dollars to restore data and systems that NotPetya had encrypted beyond repair.

To distribute the malware, the attackers are believed to have first compromised an automatic software update server belonging to MeDoc, the provider of a tax-accounting software product used almost ubiquitously by Ukrainian organizations. They then distributed the malware — disguised as a legitimate security update — to MeDoc users. 

NotPetya exploited EternalBlue, a leaked NSA exploit targeting security issues in Microsoft's SMB protocol in older Windows versions, to move laterally on enterprise networks and to spread from one vulnerable system to the next. Though Microsoft had issued a patch against the exploit, numerous organizations remained unpatched at the time of the NotPetya outbreak. The ransomware also used the publicly available Mimikatz penetration-testing tool to harvest credentials from victim networks in order to spread from system to system.

Persisting Problems

Amir Preminger, vice president of research at industrial cybersecurity firm Claroty, says three years after the attack, the conditions that allowed NotPetya to spread so quickly and damagingly still persist at many organizations.

Patching, for instance, remains a major concern, as many organizations do not apply patches quickly. A ServiceNow study of 3,000 security professionals found that 60% of breaches in 2019 were tied to a security vulnerability for which a patch was already available. Organizations experienced 30% more downtime in 2019 compared to the year before because of delays in vulnerability patching.

Similarly, network segmentation still remains a work in progress at many organizations, Preminger says. Segmentation lets organizations isolate parts of the network from one another and enforce tighter access control between them. With NotPetya, segmentation could have helped impacted organizations contain and limit damage.

Security researchers have long advocated the method as a best practice, yet surprisingly few organizations have implemented it. In a survey that Illumio conducted last year, fewer than one in five companies (19%) had implemented segmentation, citing perceived complexity.

Poor network visibility and insufficient network monitoring are other major concerns. "The foundation of the next NotPetya is still being created, so discovering and patching vulnerabilities before threat actors have the chance to exploit them on a large scale is essential for preventing a similar attack," Preminger says.

Organizations need to know as quickly as possible which devices are vulnerable and, based on their patching capabilities, figure out how they want to prioritize patch deployment, he notes.

The NotPetya attacks were a prime example of an absolute worst-case scenario that can occur due to not applying patches to critical software vulnerabilities, says Alex Guirakhoo, threat research team lead at Digital Shadows. "Much like the WannaCry attacks a month earlier, NotPetya leveraged the infamous EternalBlue vulnerability, affecting many older Windows operating systems: all of which are now no longer officially supported by Microsoft."

As organizations become more reliant on Internet-connected technologies for business and personal use, the attack surface increases accordingly. Managing this attack surface has become even more critical now that COVID-19 has significantly broadened remote working. "It can be difficult for many organizations to find the time to apply patches without impacting business continuity. However, attackers are constantly scanning for vulnerable Internet-connected devices," he says.

According to Mandiant's Carmakal, a general misconception around NotPetya is how much EternalBlue enabled its spread. NotPetya spread so quickly because it used Mimikatz to harvest credentials from the systems it ran on to move laterally. "Stealing credentials from Windows using a tool like Mimikatz is still highly effective today," he said.
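As an added, defender-side illustration (not from the article or from any vendor quoted in it), the script below flags the trace that credential-harvest-then-spread leaves in authentication logs: one account producing network logons to many distinct hosts within a few minutes. The event records, host names and the service account are constructed; the field layout is modelled on Windows Security event 4624.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on the fields of Windows Security
# event 4624 (successful logon): time, account, source workstation,
# destination host, logon type. Logon type 3 is a network logon, which is
# what remote access to a host's admin shares over SMB generates.
SAMPLE_EVENTS = [
    ("2017-06-27T10:30:01", "corp\\svc_backup", "WS-017", "FS-01", 3),
    ("2017-06-27T10:30:04", "corp\\svc_backup", "WS-017", "WS-022", 3),
    ("2017-06-27T10:30:09", "corp\\svc_backup", "WS-017", "WS-023", 3),
    ("2017-06-27T10:30:15", "corp\\svc_backup", "WS-017", "WS-031", 3),
    ("2017-06-27T10:30:20", "corp\\svc_backup", "WS-017", "DC-01", 3),
    ("2017-06-27T10:30:27", "corp\\svc_backup", "WS-017", "WS-040", 3),
    ("2017-06-27T09:05:00", "corp\\jdoe", "WS-005", "FS-01", 3),
    ("2017-06-27T10:12:00", "corp\\jdoe", "WS-005", "PRINT-01", 3),
    ("2017-06-27T10:13:00", "corp\\jdoe", "WS-005", "WS-005", 2),
]

def parse_event(rec):
    ts, account, src, dst, logon_type = rec
    return datetime.fromisoformat(ts), account, src, dst, logon_type

def find_fanout(events, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted hosts} for every account whose network logons
    (type 3) reached `threshold` or more distinct hosts inside any `window`."""
    by_account = defaultdict(list)
    for ts, account, _src, dst, logon_type in sorted(map(parse_event, events)):
        if logon_type == 3:  # ignore interactive/local logons
            by_account[account].append((ts, dst))
    alerts = {}
    for account, logons in by_account.items():
        start = 0
        for end in range(len(logons)):
            # Slide the window start forward until the span fits in `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {dst for _, dst in logons[start:end + 1]}
            if len(hosts) >= threshold:
                alerts.setdefault(account, set()).update(hosts)
    return {account: sorted(hosts) for account, hosts in alerts.items()}

if __name__ == "__main__":
    for account, hosts in find_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT {account} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

The ordinary user touching two servers an hour apart stays silent; the service account that reaches six hosts in under half a minute is reported with the hosts it touched.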

To this day, the group behind NotPetya remains one of the most advanced and active cyber threat groups. "They are one of the few groups that have demonstrated their willingness to orchestrate destructive cyberattacks with physical consequences," Carmakal said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...