Symantec Embedded Security: Critical System Protection stops advanced variant of Petya

Article ID: 169754

Products

Embedded Security Critical System Protection

Issue/Introduction

Advanced variant of Petya update
On June 27, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving an advanced variant of the ransomware named Petya. These attacks are targeting and have affected users in various countries across the globe. For more information, visit Symantec’s Petya ransomware outbreak page.

 

Environment

Windows-based systems

Resolution

Does SES: CSP protect against the Petya dropper?
The out-of-the-box capability of the Symantec Embedded Security: Critical System Protection (SES: CSP) Windows prevention policies to restrict software installation and executable modification protects your Windows-based systems from the Petya dropper that installs the boot loader. All three levels of the SES: CSP Windows prevention policy strategy—Basic, Hardening, and Whitelisting—protect Windows-based systems from the Petya dropper attack.
 

How does the advanced variant of Petya propagate from one system to another?
Even if the initial Petya dropper was not directed at a protected system, the infection can still spread from one system to another. If two systems are on the same network domain, the primary mechanisms through which the Petya encrypting ransomware may spread laterally from a compromised system A (a system on which protection has not been set up against Petya) to a protected system B (a system on which SES: CSP has been installed) are as follows:

  • Eternal Blue exploit
  • Privilege escalation with PSExec
  • Privilege escalation with WMI

Does SES: CSP protect against the propagation of the advanced variant of Petya through privilege escalation with PSExec and WMI?
By default, the out-of-the-box SES: CSP Windows prevention policies protect against the propagation of the advanced variant of Petya through privilege escalation with PSExec and WMI on Windows systems.
 

Does SES: CSP protect against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
Depending on the Windows architecture (32-bit or 64-bit), SES: CSP protects your systems against propagation of the advanced variant of Petya through the Eternal Blue exploit as follows:

What changes are required in an SES: CSP (version 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?
Perform the following actions in the applied Windows prevention policy (for Basic, Hardening, and Whitelisting Windows prevention policy strategies):

  1. Edit the Windows prevention policy by navigating to Global policy options > General Settings > Global Policy Lists.
  2. From List of processes that services should not start [gloval_svc_child_norun_list], export the entire list of rules.
  3. Navigate to Sandboxes > OS Sandbox Options > Local Security Authority Subsystem Service > General Settings > Sandbox Execution Options.
  4. Expand Programs the Local Security Authority Subsystem Service may not run, and import the entire list of rules that you have exported from List of processes that services should not start [gloval_svc_child_norun_list].
    Ensure that you use the Replace option while importing the rules.
  5. For the newly imported rules, edit the rundll32.exe option and remove the Q01 option.
    This ensures that rundll32.exe is not allowed to run as a service, and as an interactive program when executed from the Local Security Authority Subsystem Service sandbox.
  6. Save the policy changes and apply.

The above changes in the Windows prevention policy for SES: CSP version 7.1 ensure that your Windows-based systems are protected against the advanced variant of Petya, which leverages rundll32.exe to execute the malicious DLL after the Eternal Blue exploit is triggered.
 

What changes are required in an SES: CSP (versions earlier than 7.1) Windows prevention policy to protect an unpatched 64-bit Windows-based system against the propagation of the advanced variant of Petya through the Eternal Blue exploit?

Perform the following actions in the Windows prevention policy (for Basic, Hardening, and Whitelisting Windows prevention policy strategies):

  1. Edit the Windows prevention policy by navigating to Sandboxes > OS Sandbox Options > Local Security Authority Subsystem Service > General Settings > Sandbox Execution Options.
  2. Expand Programs the Local Security Authority Subsystem Service may not run, and add a new rule—%systemroot%\system32\rundll32.exe.

    This ensures that rundll32.exe is not allowed to run as a service, and as an interactive program when executed from the Local Security Authority Subsystem Service sandbox.
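As an added example, not code from the Symantec article: a small Python model of the LSASS sandbox no-run rule that both procedures above configure (the 7.1 import of the services no-run list, and the single rundll32.exe rule for earlier versions), evaluated over constructed process-creation records the way a defender might check 4688-style audit logs for the rundll32-under-LSASS pattern the policy change blocks. The record layout, the sample events and the assumed %systemroot% of C:\Windows are all constructed for this example.

```python
# Added example (not part of the Symantec article): a minimal model of the
# "Programs the Local Security Authority Subsystem Service may not run" rule,
# applied to constructed process-creation records. Field names, sample
# records and the default %systemroot% are assumptions for this example.
import ntpath

# Constructed no-run rule set for the LSASS sandbox. The pre-7.1 guidance
# adds exactly this one rule; the 7.1 guidance imports the whole services
# no-run list, which includes rundll32.exe.
LSASS_NORUN = {
    r"%systemroot%\system32\rundll32.exe",
}


def expand(path, systemroot=r"C:\Windows"):
    """Expand the %systemroot% token used in CSP rules (assumed default root)
    and normalise case, since Windows paths are case-insensitive."""
    return path.replace("%systemroot%", systemroot).lower()


def lsass_may_not_run(parent_image, child_image, norun=LSASS_NORUN):
    """True when a process started by lsass.exe matches a no-run rule,
    i.e. the launch the LSASS sandbox would deny (or a log line to alert on)."""
    if ntpath.basename(parent_image).lower() != "lsass.exe":
        return False
    child = expand(child_image)
    return any(child == expand(rule) for rule in norun)


# Constructed 4688-style records: (parent process image, new process image).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\lsass.exe", r"C:\Windows\System32\rundll32.exe"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe"),
]


def flag_events(events):
    """Return the (parent, child) pairs the LSASS no-run rule would block."""
    return [e for e in events if lsass_may_not_run(*e)]


if __name__ == "__main__":
    for parent, child in flag_events(SAMPLE_EVENTS):
        print(f"BLOCKED/ALERT: {parent} -> {child}")
```

Only the rundll32.exe launch whose parent is lsass.exe is flagged; rundll32.exe started by explorer.exe is untouched, which is why the rule is scoped to the LSASS sandbox rather than applied globally.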
