An infosec firm has unleashed a NotPetya-style worm onto a customer’s network – and discovered that a simple Windows Active Directory tweak has a surprising effect on self-spreading malware.
In the wake of the outbreak of NotPetya – so-called because it masquerades as Petya ransomware – one of NCC Group's customers asked the firm to create a safer version of the malware, which rampaged through half the world's computers in 2017, encrypting files and destroying Windows machines' master boot records.
Not only did the client want to observe a "less lethal" version of NotPetya, it wanted the not-quite-malware deployed on its own production network as a learning exercise to understand how better to harden itself against destructive malware outbreaks.
Thus was born NCC's Eternalglue worm, which differs from actual malware in being configurable not to touch defined network ranges or hosts; in the case of NCC's rather adventurous customer, that meant the customer's own industrial control systems.
When studying how Eternalglue spread through the target network, NCC made a rather surprising discovery: a simple Active Directory setting was enough to stop it in its tracks, even if a domain admin account was used to log into an infected device.
The unnamed NCC customer "had configured within Active Directory the 'Account is sensitive and cannot be delegated' flag prior to NotPetya for their domain administrator accounts. We found that this configuration would have hindered NotPetya propagation significantly using the token impersonation route for domain admin accounts," said the infosec firm.
As a Microsoft Technet post stated, the "account is sensitive" flag means that "an account’s credentials cannot be forwarded to other computers or services on the network by a trusted application," something NCC summed up as "this is now your favourite setting".
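The setting is a single bit in each account's userAccountControl attribute (NOT_DELEGATED, 0x100000), so it is straightforward to audit. The script below is an added example, not NCC Group's code or anything from the Eternalglue exercise: it walks the members of a privileged group, reports which accounts lack the "Account is sensitive and cannot be delegated" flag, and sets it only when the assumed -Fix switch is given. The group name and the -Fix switch are assumptions for illustration; the cmdlets are the standard ActiveDirectory RSAT module.

```powershell
# Added example (not NCC Group's code): audit a privileged AD group for the
# "Account is sensitive and cannot be delegated" flag and optionally set it.
# Requires the ActiveDirectory RSAT module on a domain-joined admin host.
# $GroupName and -Fix are illustrative assumptions, not settings from the article.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName = 'Domain Admins',   # assumed: group to audit
    [switch]$Fix                            # assumed: set the flag where missing
)

Import-Module ActiveDirectory

# userAccountControl bit for NOT_DELEGATED (UF_NOT_DELEGATED): 0x100000 = 1048576
$NotDelegated = 0x100000

# Resolve nested membership so admins added via sub-groups are not missed
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties userAccountControl, AccountNotDelegated

    # Cross-check the raw bit against the cmdlet's friendly property
    $bitSet = (($u.userAccountControl -band $NotDelegated) -ne 0)

    if (-not $bitSet -and $Fix) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Set AccountNotDelegated')) {
            Set-ADAccountControl -Identity $u.DistinguishedName -AccountNotDelegated $true
            $bitSet = $true
        }
    }

    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        NotDelegatedBit     = $bitSet
        AccountNotDelegated = $u.AccountNotDelegated
        Enabled             = $u.Enabled
    }
}

# Accounts still missing the flag are the ones a token-impersonation route
# could abuse once an attacker holds a foothold on a host they log into.
$missing = $report | Where-Object { -not $_.NotDelegatedBit }
$report | Format-Table -AutoSize
Write-Host ("{0} of {1} members of '{2}' lack the NOT_DELEGATED flag" -f `
    $missing.Count, @($report).Count, $GroupName)
```

Run it without -Fix first to see the report; -Fix -WhatIf shows what would change without touching the directory. Because the flag is per account rather than per group, enterprise admins, break-glass accounts and any other highly privileged identities need the same review, and the setting should be revisited whenever new privileged accounts are created.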
Two-hundred-and-sixteen hosts on the anonymous customer's network were infected with Eternalglue during the trials, with six different combinations of user accounts and privilege levels as starting scenarios. Of those hosts, 209 were "compromised by stealing non-domain admin tokens", of which 57 were done through the use of current user tokens and 152 through token impersonation techniques.
"What we have learnt from other firms looking to replicate the exercise in their own institutions is the craving for real-world data against these types of threat scenarios and the value it has to seniors in terms of measuring efficacy," mused NCC.
NotPetya itself was publicly attributed to Russian military hackers in early 2018 by the British government. One notable casualty of the full-strength malware was shipping line Maersk, which had the entirety of its internal networks KO'd, resulting in the forced rebuild of 4,000 servers across the world. ®