LockerGoga: what exactly happened with Norsk Hydro

Photos, source - www.msspalert.com

On the night from Monday to Tuesday (at about 23:00 UTC on 03/18/2019), Norsk Hydro experts noticed a malfunction in the network and a number of systems. It soon became clear that the failures were caused by the massive infection of the systems by the cryptographer, which very quickly spread through the infrastructure objects. After identifying the threat, the security service began the isolation process, but the malware had spread so deeply across the infrastructure that it had to transfer part of the production to manual control ("rollback" to the procedures adopted before the computerization of the production processes). The investigation into the attack required the involvement of local authorities and law enforcement agencies (National Security Authority / NorCERT, Norwegian Police Security Service, National Criminal Investigation Service), as well as a number of commercial companies. Restoration of the infrastructure is not yet completed, and individual production (for example, extrusion of aluminum profiles) is still operating at half the capacity.

Despite the fact that the investigation of the incident is not over and it is difficult to predict the time of its completion, according to the facts, you can understand the mechanism of action of the attackers and analyze what Norsk Hydro did right and what did not, and how it was still possible to improve the defense.

State of the company after the attack

Norsk Hydro is a fairly large company: its facilities are located in 40 countries of the world, and the total number of employees exceeds 35,000 people. The volume of information systems and computers, which came under attack, is also large. From information from representatives of the company, voiced at a joint press conference with the authorities, and daily news on the investigation and recovery on the website (updated on 03/22/2019), it follows that:

no local incidents at work or human injuries;
as a result, all the plants were successfully isolated, the processes were transferred to manual control, where it is possible (in aluminum extrusion factories, it was possible to adjust the working capacity by only 50%);
mobile devices and some PCs function normally, cloud mail functions correctly;
there is no complete picture of the number of failed PCs and servers, varying degrees of destruction of infrastructure facilities;
there is no access to systems containing data on orders, but there is the necessary amount of information that is required for the production of orders;
there are no assumptions about intruders; the most likely hypothesis about the malware used for the attack is LockerGoga encryption;
The company has a well-established backup process, and rolling back to previously made backups is the main recovery strategy;
the company has cyber risk insurance that they plan to use to cover the damage from the attack.

It is important to note how Norsk Hydro behaved during the attack. The company acted as openly as possible: at the time of problems with the main site, it launched a temporary one, informed the public through an account on Facebook, notified representatives of the stock market about its situation and held a press conference on the first day of the attack.

Warning for Norsk Hydro employees that they should not connect any devices to the network due to cyber attacks. Photo, source - www.reuters.com

What is LockerGoga Malware?

About attacks using LockerGoga for the first time became known to the general public at the end of January 2019. Then the consulting company Altran suffered from it, but the technical details of the attack were published very little. Norsk Hydro was attacked with the help of several versions of the malware, which in their mechanics are similar (with the exception of certain features) to the samples used in the January attack.

Malware executables are signed by the same certificate issued by Sectigo (formerly Comodo CA) as the samples used in the attack on Altran (probably a fake company ALISA LTD with 2 owners and 2 shares of 1 GBP each). At the moment the certificate has been revoked, however during the attack it was valid.

Apparently, each malware sample was generated uniquely under the company under attack, which is noted in the sample analysis by researchers .

All identified samples do not have the ability to self-replicate (unlike WannaCry and NotPetya) and must be run on the attacked node. The most likely hypothesis of the spread of malware over the Norsk Hydro network is the use of AD group policies to create tasks or services with malicious content. With high probability, this means that at the stage of penetration, another VPO was used, with the help of which it was possible to obtain administrative privileges in the domain. One of the possible mechanisms may be phishing followed by theft of passwords or Kerberos tickets from the memory of a compromised host.

During the infection process, the executable file of the malware is copied to the %TEMP% directory and runs with elevated privileges. After that, it launches a large number of child processes, distributing file encryption to them according to the collected list. Judging by the behavior of the available samples, not only files with extensions of office documents, databases and other work files ( doc, dot, wbk, docx, dotx, docb, xlm, xlsx, xltx, xlsb, xlw, ppt, pot, pps, pptx, potx, ppsx, sldx, pdf ), but also other files on the C: \ drive (for example, dll libraries) with variations depending on the sample. The child process generates a key / iv pair using the RNG, then uses the AES algorithm to rewrite the file with encrypted data, encrypts the key / iv pair with the public key, adds the encrypted key pair to the file, and renames the file, adding .LOCKED to the extension. This behavior allows more utilization of the processor of the infected computer with encryption tasks and performing the entire process faster.

The parent process also creates a text file on the desktop requesting redemption (README_LOCKED.txt with variations in the name), changes the passwords of local users (this behavior probably depends on the version of the sample, i.e., only local administrators can encrypt the password) and forced exit from user session. In some versions, the ability to disable the network interface of the computer.

Thus, in some cases, the infected PC may simply not boot (if critical components of the OS kernel are encrypted) or the user will not be able to log in to view the ransom requirements, which is more typical for wipers.

The ransom demand (an example is shown below) does not contain the addresses of the wallets or the ransom amounts, but only postal addresses for interacting with intruders. In different versions of malicious samples, mailing addresses are different in the request.

 Greetings! There was a significant flaw in the security system of your company. You should be thankful that the flaw was exploited by serious people and not some rookies. They would have damaged all of your data by mistake or for fun. Your files are encrypted with the strongest military algorithms RSA4096 and AES-256. Without our special decoder it is impossible to restore the data. Attempts to restore your data with third party software as Photorec, RannohDecryptor etc. will lead to irreversible destruction of your data. To confirm our honest intentions. Send us 2-3 different random files and you will get them decrypted. It can be from different computers on your network to be sure that our decoder decrypts everything. Sample files we unlock for free (files should not be related to any kind of backups). We exclusively have decryption software for your situation DO NOT RESET OR SHUTDOWN – files may be damaged. DO NOT RENAME the encrypted files. DO NOT MOVE the encrypted files. This may lead to the impossibility of recovery of the certain files. To get information on the price of the decoder contact us at: AbbsChevis@protonmail.com IjuqodiSunovib98@o2.pl The payment has to be made in Bitcoins. The final price depends on how fast you contact us. As soon as we receive the payment you will get the decryption tool and instructions on how to improve your systems security

The malware does not use any C & C infrastructure, the only communication channel with the attacker is email. Also, the malware does not try to hide the traces of its activity. In connection with a similar implementation of the ransom mechanism, as well as the actual disabling of encrypted PCs, it can be assumed that the purpose of LockerGoga is similar to the WannaCry and NotPetya malware. However, this or not, at the moment it is impossible to say.

What was done right and what didn't

After disclosing information about high-profile cyber attacks, it is often possible to see articles and various materials telling about what the victims of the attack did wrong. In the case of Norsk Hydro, the situation is different, the company did not show noticeable failures in the organization of infrastructure (production did not stop) and is well in the process of responding to the attack, namely:

The company is as open as possible with investors and the public to inform about the progress in eliminating the attack. An indirect indicator of a positive reaction may be the stock price on the stock exchange: despite a slight drop (3.6%) of shares on March 23, there are prerequisites for their further stable growth.
It was possible to quickly isolate production facilities in order to ensure that production on them was not affected.
There are proven processes that allow production facilities to operate in manual mode (at least most of the production).
A backup process has been established, which will greatly facilitate the restoration of infrastructure nodes after the incident.
There are backup communication channels (cloud mail) that allow employees to interact even in case of problems on the basic infrastructure.
The company uses cyber risk insurance that will help repair some of the damage from the attack.

At the same time, Norsk Hydro unnecessarily relied on the antivirus solution installed on it. According to researchers, some of the malware samples were not detected by any antivirus solution at the beginning of March; at the time of the attack, the number of solutions that identified samples as malicious was also small. In addition, the certification authority revoked the malware certificate too late - after the attack began. Also, for some objects, the segmentation of the industrial infrastructure from the office infrastructure was probably not adequately performed.

To identify the attack in the early stages would help constant monitoring:

privileged account activity;
group policy changes;
creating new services and tasks of the scheduler;
password change events for privileged accounts, incl. and local administrators;
activities similar to Pass-the-Hash and Pass-the-Ticket attacks;

Such monitoring should be carried out by an internal monitoring service (using SIEM-like solutions and behavioral analysis systems) and / or an external SOC / CSIRT.

After all, early detection will help to save significant funds to eliminate the effects of the attack.

Upd. 03/26/2019

Researchers from the company Alert Logic found a bug in the malware. The attackers did not anticipate exception handling in the event that when collecting a list of files for encryption, the malware stumbles upon a link (* .lnk) that has errors (incorrect network path or no association with the RPC endpoint, according to the study). This can happen when collecting files from the folder "Recent Items". In this case, the main process is terminated by the operating system and it doesn't even get to encryption. Probably, this can partly explain the uneven degree of damage to the company's nodes.

Links

Source: https://habr.com/ru/post/445034/

All Articles