[Software] NotPetya attack - three years on, what have we learned?


Naser DZ

Why was this particular trojan so successful - what was so special about it? 
The attack was well prepared by its authors. NotPetya initially spread via the M.E.Doc accounting software when cybercriminals hacked the software’s update mechanism to spread NotPetya to systems when the software was updated. This was a bitter paradox, as users are always advised to update their software, but in this particular case, a trojanized updater of this software started the infection chain. This type of supply chain attack was not common at that time, causing a delay in figuring out the root cause of the attack. The speed at which it spread through the infected networks was fascinating.

The trojan was allegedly taking advantage of a long known vulnerability: (what) have companies/organizations learned from this? 
For its lateral movement, NotPetya employed three different spreading methods: exploiting EternalBlue (known from WannaCry), exploiting EternalRomance, and via Windows network shares by using victims’ stolen credentials (this was done via a bundled Mimikatz-like tool, which extracts passwords) and legitimate tools like PsExec and WMIC. These additional techniques, which included exploiting known vulnerabilities for which patches had long been available, were probably the reason why it succeeded, despite EternalBlue gaining attention after the WannaCry attack less than two months before the NotPetya attack. I can only hope that companies learned to update their operating systems and applications as soon as an update becomes available, despite NotPetya, unfortunately, spreading via a product update.

Could the spread happen again in this form at any time? 
It's only a matter of time before there will be another major malware outbreak; when and how widespread the attack will be depends on multiple factors, including the availability of a high-quality exploit like EternalBlue, the malware actor, and their motivation.
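The lateral-movement tools named in the answer above (WMIC and PsExec driven with stolen credentials) leave recognisable traces in process-creation telemetry. As an added example that is not part of this post and not code from any vendor or the malware's authors, the following Python script scans a handful of constructed, Sysmon-style process-creation records for remote execution through WMIC and PsExec-style service execution, then counts how many distinct targets each source machine pushed commands to, so that worm-like fan-out stands out from a single administrator session. The record fields, the sample events and the threshold are assumptions made for illustration.

```python
"""Flag NotPetya-style lateral movement in process-creation telemetry.

Added example (not from the original post). It looks for two spreading
techniques the post names: remote command execution through WMIC
(``/node:`` together with ``process call create``) and PsExec-style
service execution (the PsExec client naming a ``\\host`` target, or the
PSEXESVC service spawned by services.exe on the target). Field names and
sample events are assumptions.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str      # machine the process started on
    user: str      # account that started it
    image: str     # full path of the executable
    parent: str    # full path of the parent executable
    cmdline: str   # command line as logged


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Benign local WMI query: no /node, so it must not be flagged.
    ProcEvent("WS-03", r"CORP\bob", r"C:\Windows\System32\wbem\WMIC.exe",
              r"C:\Windows\System32\cmd.exe", "wmic os get caption"),
    # One workstation pushing the same command to three other machines.
    ProcEvent("WS-01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'wmic /node:"10.0.0.12" /user:"CORP\alice" process call create "cmd /c echo hi"'),
    ProcEvent("WS-01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'wmic /node:"10.0.0.13" /user:"CORP\alice" process call create "cmd /c echo hi"'),
    ProcEvent("WS-01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
              r"C:\Windows\System32\rundll32.exe",
              r'wmic /node:"10.0.0.14" /user:"CORP\alice" process call create "cmd /c echo hi"'),
    # A PsExec client run against one server, and the matching service
    # start observed on that server.
    ProcEvent("WS-04", r"CORP\itadmin", r"C:\Tools\PsExec.exe",
              r"C:\Windows\System32\cmd.exe", r"PsExec.exe \\SRV-02 -s cmd /c whoami"),
    ProcEvent("SRV-02", r"NT AUTHORITY\SYSTEM", r"C:\Windows\PSEXESVC.exe",
              r"C:\Windows\System32\services.exe", "PSEXESVC.exe"),
]

WMIC_NODE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)
WMIC_CREATE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)
PSEXEC_TARGET = re.compile(r"\\\\([^\s\\]+)")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(ev):
    """Return (rule, target) if the event matches a lateral-movement rule, else None."""
    image = basename(ev.image)
    if image == "wmic.exe":
        node = WMIC_NODE.search(ev.cmdline)
        if node and WMIC_CREATE.search(ev.cmdline):
            return ("wmic_remote_exec", node.group(1).lower())
        return None
    if image.startswith("psexesvc") and basename(ev.parent) == "services.exe":
        # Seen on the target: the service half of a PsExec session.
        return ("psexec_service", ev.host.lower())
    if image.startswith("psexec"):
        m = PSEXEC_TARGET.search(ev.cmdline)
        if m:
            return ("psexec_client", m.group(1).lower())
    return None


def detect(events):
    """(host, user, rule, target) for every event that matches a rule."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append((ev.host, ev.user, hit[0], hit[1]))
    return findings


def fan_out(findings, threshold=3):
    """Source host -> sorted distinct targets it pushed execution to,
    keeping only sources that reached at least `threshold` machines."""
    targets = defaultdict(set)
    for host, _user, rule, target in findings:
        if rule in ("wmic_remote_exec", "psexec_client"):
            targets[host].add(target)
    return {h: sorted(t) for h, t in targets.items() if len(t) >= threshold}


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for hit in hits:
        print("match:", hit)
    print("worm-like fan-out:", fan_out(hits))
```

The single PsExec session from WS-04 is reported as a finding but stays below the fan-out threshold, while WS-01 reaching three machines in the sample is surfaced on its own; in a real deployment the threshold would be tuned per environment and the events would come from the SIEM rather than an inline list.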
