Wanna save yourself against NotPetya? Try this one little Windows tweak
An infosec firm has unleashed a NotPetya-style worm onto a customer’s network – and discovered that a simple Windows Active Directory tweak has a surprising effect on self-spreading malware.
In the wake of the outbreak of NotPetya – so-called because it masquerades as Petya ransomware – one of NCC Group’s customers asked the firm to create a safer version of the malware, which rampaged through half the world’s computers in 2017, encrypting files and destroying Windows machines’ master boot records.
Not only did the client want to observe a “less lethal” version of NotPetya, it wanted the not-quite-malware deployed on its own production network as a learning exercise to understand how better to harden itself against destructive malware outbreaks.
Thus was born NCC’s Eternalglue worm, which differs from actual malware in being configurable not to touch defined network ranges or hosts; in the case of NCC’s rather adventurous customer, those were the customer’s industrial control systems.
When studying how Eternalglue spread through the target network, NCC made a rather surprising discovery: a simple Active Directory setting was enough to stop it in its tracks, even if a domain admin account was used to log into an infected device.
The unnamed NCC customer “had configured within Active Directory the ‘Account is sensitive and cannot be delegated’ flag prior to NotPetya for their domain administrator accounts. We found that this configuration would have hindered NotPetya propagation significantly using the token impersonation route for domain admin accounts,” said the infosec firm.
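The flag NCC describes is the NOT_DELEGATED bit (0x100000) of an account’s userAccountControl attribute, which the ActiveDirectory module exposes as AccountNotDelegated. As an added example (not code from the article, NCC or Eternalglue), the script below audits the members of a privileged group for that flag and stages the fix; it assumes the RSAT ActiveDirectory module, a group named ‘Domain Admins’, and rights to read and modify those accounts.

```powershell
# Added example: audit privileged accounts for the
# "Account is sensitive and cannot be delegated" flag and optionally set it.
# Assumes the RSAT ActiveDirectory module and permission to modify the accounts.
Import-Module ActiveDirectory

# Group name is an assumption; adjust for your domain (localized names differ).
$group = 'Domain Admins'

# Resolve nested membership and keep only user objects (skip groups/computers).
$members = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties AccountNotDelegated, userAccountControl
    [pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        AccountNotDelegated = $u.AccountNotDelegated
        # NOT_DELEGATED is bit 0x100000 of userAccountControl; shown to cross-check
        # that the friendly property and the raw attribute agree.
        UACBitSet           = (($u.userAccountControl -band 0x100000) -ne 0)
    }
}

$report | Format-Table -AutoSize

# Accounts that can still be delegated. -WhatIf only previews the change;
# remove it to actually set the flag after reviewing the report.
$report | Where-Object { -not $_.AccountNotDelegated } | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -AccountNotDelegated $true -WhatIf
}
```

The flag only blocks the delegation/token-impersonation route the article mentions; it does not stop malware that already holds a usable credential from authenticating directly, so treat it as one layer alongside tiered admin accounts and patching.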