Dark Reading is part of the Informa Tech Division of Informa PLC


3 Years After NotPetya, Many Organizations Still in Danger of Similar Attacks

The same gaps that enabled ransomware to spread remain in patching, network segmentation, backup practices, security experts say.

Three years after the NotPetya ransomware outbreak overwhelmed numerous businesses in Ukraine and more than 60 other countries, many enterprises remain as vulnerable as ever to similar attacks.

The lessons that the outbreak highlighted around the importance of network segmentation, patching, and robust backup practices appear to have already been forgotten or remain largely unlearned.

"NotPetya changed the world's perception of destructive cyberattacks and is one of the only cyber activities that is considered to be an act of war," Charles Carmakal, senior vice president and CTO at Mandiant, said in an emailed statement. "Despite the broad awareness of NotPetya, the world is still susceptible to the same techniques employed in the attack."

The NotPetya attacks were noteworthy for their sheer destructiveness, the amazing speed at which they spread, and the widespread impact. The US and UK governments and numerous others have formally attributed the campaign to Russia's military intelligence apparatus, and described it as designed to destabilize the Ukrainian government.

In a February 2018 statement, the White House called the NotPetya outbreak the "most destructive and costliest cyber-attack in history" and promised international consequences for it.

The June 27, 2017, attacks were specifically targeted at organizations located in Ukraine or those with close business ties to the country. Eventually they ended up affecting organizations in some 65 countries, including the United States, United Kingdom, Denmark, India, and Australia.

The attacks are believed to have caused multiple billions of dollars in damages. Though NotPetya was technically ransomware, it was almost entirely used in the attacks to destroy data and disrupt operations - and far less so to collect ransom payments from impacted organizations. 

Victims included Danish shipping company Maersk, which ended up spending more than $300 million on repair and recovery after NotPetya destroyed a staggering 49,000 computers and more than 1,000 applications. Other notable victims included FedEx, pharmaceutical giant Merck, and French firm Saint-Gobain. All of these organizations spent hundreds of millions of dollars to restore data and systems that NotPetya had encrypted beyond repair.

To distribute the malware, the attackers are believed to have first compromised an automatic software update server belonging to MeDoc, the provider of a tax-accounting software product used almost ubiquitously by Ukrainian organizations. They then distributed the malware — disguised as a legitimate security update — to MeDoc users. 

NotPetya exploited EternalBlue, a leaked NSA exploit targeting security issues in Microsoft's SMB protocol in older Windows versions, to move laterally on enterprise networks and to spread from one vulnerable system to the next. Though Microsoft had issued a patch against the exploit, numerous organizations remained unpatched at the time of the NotPetya outbreak. The ransomware also used the publicly available Mimikatz penetration-testing tool to harvest credentials from victim networks in order to spread from system to system.

Persisting Problems

Amir Preminger, vice president of research at industrial cybersecurity firm Claroty, says three years after the attack, the conditions that allowed NotPetya to spread so quickly and damagingly still persist at many organizations.

Patching, for instance, remains a major concern because many organizations do not apply patches quickly. A ServiceNow study of 3,000 security professionals found that 60% of breaches in 2019 were tied to a security vulnerability for which a patch was already available. Organizations experienced 30% more downtime in 2019 compared to the year before because of delays in vulnerability patching.

Similarly, network segmentation still remains a work in progress at many organizations, Preminger says. Segmentation offers a way for organizations to isolate or segregate network segments and allows for better access control. With NotPetya, segmentation could have helped impacted organizations contain and limit damage.

Security researchers have long advocated the method as a best practice, yet surprisingly few organizations have implemented it. In a survey that Illumio conducted last year, fewer than one in five companies (19%) had implemented segmentation, a shortfall attributed to perceived complexities.

Poor network visibility and insufficient network monitoring are other major concerns. "The foundation of the next NotPetya is still being created, so discovering and patching vulnerabilities before threat actors have the chance to exploit them on a large scale is essential for preventing a similar attack," Preminger says.

Organizations need to know as quickly as possible which devices are vulnerable and, based on their patching capabilities, figure out how they want to prioritize patch deployment, he notes.

The NotPetya attacks were a prime example of an absolute worst-case scenario that can occur due to not applying patches to critical software vulnerabilities, says Alex Guirakhoo, threat research team lead at Digital Shadows. "Much like the WannaCry attacks a month earlier, NotPetya leveraged the infamous EternalBlue vulnerability, affecting many older Windows operating systems: all of which are now no longer officially supported by Microsoft."

As organizations become more reliant on Internet-connected technologies for business and personal use, the attack surface increases accordingly. Managing this attack surface has become even more critical now that COVID-19 has significantly broadened remote working. "It can be difficult for many organizations to find the time to apply patches without impacting business continuity. However, attackers are constantly scanning for vulnerable Internet-connected devices," he says.

According to Mandiant's Carmakal, a general misconception around NotPetya is how much EternalBlue enabled its spread. NotPetya spread so quickly because it used Mimikatz to harvest credentials from the systems it ran on to move laterally. "Stealing credentials from Windows using a tool like Mimikatz is still highly effective today," he said.

To this day, the group behind NotPetya remains one of the most advanced and active cyber threat groups. "They are one of the few groups that have demonstrated their willingness to orchestrate destructive cyberattacks with physical consequences," Carmakal said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
