Tuesday, June 27, 2017

To Patchnya, or Not to Patchnya


Heads-up: there's another ransomware worm making the rounds. Initially thought to be a variant of the Petya ransomware family, it was later determined to be something entirely different, and has been dubbed "NotPetya" in many tweets and reports.

Like the WannaCry worm that made such a splash in May, it exploits a (now-patched) vulnerability in the Windows file sharing protocol known as SMB. Unlike WannaCry, it also harvests credentials from compromised systems, then uses standard Windows administration tools such as WMIC and psexec to spread within an organization.

The latter technique is troublesome because it uses the very same tools and accounts that legitimate system administrators would use to manage the same systems. Defenses designed to stop malicious exploits may not work against an attack that looks just like a normal system administrator doing his or her job.

More disturbing in my mind is the suspected initial attack vector: there are indications (disputed by the developer) that a financial software maker was compromised, and its update infrastructure used to force a malicious update to all its customers. Even if only a small handful of finance staff in each customer organization used this software, the "NotPetya" malware would infect those few, then turn around and spread throughout the organization.

This is guaranteed to incite patching debates in many companies and among many system administrators. A mechanism for installing software can be abused to install malicious software. A mechanism for installing software automatically can be abused to install malicious software automatically.

In twenty years of system administration and cyber defense, I have seen a handful of bad software updates. I've seen antivirus updates that would deem Windows itself to be malicious, and crash the operating system. I've seen updates that broke email, or broke printing, or conflicted with antivirus software, or broke terminal services.

Nonetheless, in over twenty years as a systems administrator and security professional - much of that time overseeing patching for a Fortune 100 company with a quarter million systems to update - I can count on one hand the number of catastrophic failures caused by patching, and still have fingers left over. Conversely, hardly a month goes by that I don't see malware and criminals exploit vulnerabilities in Windows, browsers, office productivity software, mobile apps, building automation systems, industrial control systems, and other computing software.

Given a choice between a possibly faulty software update, and a possibly exploitable software vulnerability, the odds overwhelmingly favor the organization that updates software regularly.

That does not necessarily mean installing updates indiscriminately and automatically in every case, but your patching strategy should generally be as quick as possible.

Update business productivity systems before updating critical business systems.

In larger organizations, stage deployment - but stage it over a period of days, not months.

In cases where you truly cannot patch - legacy systems more costly to replace than to support, embedded systems where the manufacturer does not provide an update, systems where contract or regulation mandates a known and unchanging state - mitigate the risk in other ways. Isolate the at-risk systems, and patch everything around them. Take advantage of "herd immunity" - protect the weak by ensuring everything surrounding them is resistant.

Weigh the cost of a self-inflicted outage from a faulty patch against the cost of an outage or breach caused by a cyber attack. But weigh it with data, and with a clear mind, not in the panicky state that follows a widely-publicized incident.

Exploitable flaws WILL be exploited. Exploitable flaws in Internet-facing software tend to show up in exploit kits within a week of the patch being released. If your patch management program takes a month to begin deploying patches, you'll be pwned before you are done.


What can you do?


This malware is designed to attack businesses and organizations more than individuals. While there is nothing to prevent it from infecting a personal system if it were to run on one, the real risk is that it will infect one system and then look around for others it can compromise on the same network.

From a business perspective, here are some mitigation options:
  • Install the latest updates from Microsoft, Adobe, Apple, Oracle, and any other software manufacturer. Read the discussion above, but then do it regularly, and quickly after each new update is released. Or better yet, configure your software to automatically install updates.
     
  • Disable SMBv1, if you can. A variety of older printers, network storage systems, and even some modern small office / home office network routers are dependent on SMBv1, so it may not be possible to disable it on every system in every organization, but it may well be possible to disable it in most places.
     
  • Save admin accounts for admin activities; stick to an unprivileged account for routine activities such as web browsing, email, office documents, etc. Modern Windows operating systems are much more user-friendly with a standard user account than they used to be.
     
  • Deploy Microsoft's Local Admin Password Solution (LAPS). LAPS is a way to set and manage unique, random passwords for the local administrator account on every system in your organization. A very common technique used by malware and active adversaries is to compromise one computer, extract the "Administrator" account password from memory, and use it to compromise other computers. Just as I advise consumers to use unique passwords for every personal account (so that one compromised account doesn't give an attacker access to all your accounts), LAPS ensures one compromised PC doesn't give an attacker access to all your computers.
     
  • Back up your important data - and keep at least one backup copy offline and offsite. That prevents a compromised network or a physical disaster from destroying the backups. For home and small business, I am a fan of Code 42's Crashplan - it's not the cheapest cloud backup solution, but the price is reasonable for unlimited capacity and a modest number of devices.
     
  • Keep Office and Adobe documents in protected (macro-disabled) mode. While there is no evidence this malware spreads via email or office docs or macros, this is good advice in all cases. Macro-enabled documents are the single most common way malware spreads at present.
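
One way to act on the SMBv1 item above without breaking the older printers and storage devices it mentions: audit which clients still connect over SMBv1, then disable it once the list is empty. This is an added example, not code from the original post; the $AuditDays review window and the "Client Address" pattern used to read the audit events are assumptions.

```powershell
# Added example, not from the original post. Run elevated on Windows 10 / Server 2016 or later.
# $AuditDays is a hypothetical review window chosen for illustration.
param(
    [int]$AuditDays = 7,
    [switch]$Disable
)

$cfg = Get-SmbServerConfiguration
if (-not $cfg.EnableSMB1Protocol) {
    Write-Output "SMBv1 server is already disabled on $env:COMPUTERNAME."
    return
}

# Step 1: turn on SMBv1 access auditing so legacy clients show up in the event log.
if (-not $cfg.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Output "SMBv1 auditing enabled. Re-run after $AuditDays days to review clients."
    return
}

# Step 2: collect SMBv1 access events (ID 3000) logged during the review window.
$since  = (Get-Date).AddDays(-$AuditDays)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000; StartTime = $since
} -ErrorAction SilentlyContinue

# Assumption: the event message carries a "Client Address: <ip>" line.
$clients = $events | ForEach-Object {
    if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique

if ($clients) {
    Write-Output "SMBv1 clients seen in the last $AuditDays days; upgrade or isolate these first:"
    $clients
    return
}

# Step 3: nothing depends on SMBv1 here, so it can be switched off.
if ($Disable) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Output "SMBv1 disabled. Reboot to finish removing the feature."
} else {
    Write-Output "No SMBv1 clients seen. Re-run with -Disable to turn SMBv1 off."
}
```

An empty client list only means something if auditing has been on for the whole review window, so check when it was enabled before running with -Disable.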


More reading