Data Center Security Server Advanced Petya Update
Symantec Official Blog

Jun 29, 2017

Created 28 Jun 2017

Petya Situation Update

On June 27, 2017, there were multiple public reports of an ongoing large-scale cyberattack involving a variant of the ransomware named Petya. These attacks are targeting and have affected users in various countries across the globe.

Am I protected from the Petya ransomware?

Symantec Data Center Security: Server Advanced IPS provides protection against Petya ransomware. All three levels of Symantec DCS:SA Windows 6.0 policies (Basic, Hardening and Whitelisting), as well as all 5.2.9 policies (Limited Execution, Strict, and Core), prevent the initial infection of an environment; however, analysis is still ongoing to ensure that all methods of lateral movement are also blocked. What is known is that EternalBlue and Mimikatz based approaches would be stopped; researchers are still investigating the lateral movement approaches within the malware. As more information becomes known, this blog will be updated.

For more information about Petya, see Symantec's Petya Outbreak page.

What protections does Symantec provide for our endpoint customers?

There are two basic ways that customers can be protected against this threat:

DCS:SA provides a range of protection against this threat on computers:

  • IPS policies prevent the malware from being dropped or executed on the system.
  • IPS policies prevent Mimikatz from attacking LSASS.
  • Ability to block inbound SMB traffic.
  • If not using a full IPS protection policy, apply a targeted IPS policy to block execution of the Petya malware.

Additional Protection Details

For customer systems that are not using SMB or Windows Network File Sharing capabilities, and especially for externally facing servers, it is best practice to reduce the network attack surface by configuring prevention policy rules to block SMB network traffic. This can be done by editing the Kernel and Global network rules:

  • From the Java Console, edit a Windows 6.0 Policy
  • Click Advanced -> Sandboxes
  • Under Kernel Driver Options, click Edit
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445
  • Navigate back to Home in the Policy Editor
  • Click Advanced -> Global Policy Options
  • Under Network Controls
  • Add the following Inbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any, Program Path: *
  • Add the following Outbound network rules:
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138, Program Path: *
    • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139, Program Path: *
    • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445, Program Path: *
  • Save the Policy

In addition to the protection delivered out of the box, execution of all known variants of the Petya ransomware can be blocked by adding the executable hashes to the Global No-run List. To add a hash to the list:

  • From the Java Console, edit a Windows 6.0 Basic or Hardened Policy
  • Click Advanced -> Global Policy Options
  • Under Global Policy Lists, Edit the “List of processes that services should not start [global_svc_child_norun_list]”
  • Click the Add button to add a parameter list entry
  • In the “Entry in parameter list” dialog
    • Enter ‘*’ for the Program Path
    • For File Hash, click the “…” button on the right hand side
    • In the File Hash Editor dialog, click Add
      • Enter either the MD5 or SHA256 hash of the file
      • Click Ok on the File Hash Editor dialog window
    • Click Ok on the Entry in parameter list window
  • Add a parameter list entry for each hash value
  • Save the policy
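The No-run List procedure above accepts either the MD5 or the SHA256 of an executable. The following added example (not Symantec's or the DCS:SA product's code) shows how a responder could compute both digests for a set of files and match them against a block list in that mixed format, for instance to confirm a captured sample is covered before importing hashes into the policy, or to sweep a file share afterwards. All file contents and hash values here are constructed placeholders, not real Petya indicators.

```python
import hashlib
import os
import tempfile

def normalise(entries):
    """Map lower-cased entries to their algorithm by length; drop malformed ones."""
    listed = {}
    for e in entries:
        h = e.strip().lower()
        if len(h) == 32 and all(c in "0123456789abcdef" for c in h):
            listed[h] = "md5"
        elif len(h) == 64 and all(c in "0123456789abcdef" for c in h):
            listed[h] = "sha256"
    return listed

def digests(path, chunk=1 << 20):
    """MD5 and SHA256 of a file, read in chunks so large binaries are handled."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def sweep(paths, blocklist):
    """Return {path: (algo, digest)} for files whose MD5 or SHA256 is listed."""
    listed = normalise(blocklist)
    hits = {}
    for p in paths:
        for algo, h in digests(p).items():
            if h in listed:
                hits[p] = (algo, h)
                break
    return hits

def demo():
    """Constructed scenario: one file listed by SHA256, one by MD5, one clean."""
    samples = [("a.exe", b"constructed sample A"),
               ("b.exe", b"constructed sample B"),
               ("c.exe", b"constructed benign file")]
    with tempfile.TemporaryDirectory() as d:
        files = []
        for name, body in samples:
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(body)
            files.append(p)
        blocklist = [digests(files[0])["sha256"].upper(),  # as pasted from a report
                     digests(files[1])["md5"],
                     "not-a-hash"]                          # malformed entry, ignored
        hits = sweep(files, blocklist)
        return {os.path.basename(p): algo for p, (algo, _) in hits.items()}
```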
