The latest outbreak of ransomware, Petya along with a varity of variants, has infected devices in 65 countries by leveraging the same vulnerability as the WannaCry malware, namely MS17-010 (EternalBlue). This version does not have a “back-door” fix that was inadvertently discovered in WannaCry.  Thus, the impacts from Petya are more acute where the vulnerability remains. In January 2017, InfoArmor’s operative intelligence team identified this potential for exploitation as part of the Shadow Brokers activity. By pre-emptively warning our clients and working with several to assist them in patching the open vulnerability, InfoArmor was successful in protecting customer assets from this devastating ransomware attack. Below is the operatively-sourced intelligence timeline:

  1. January 9 – ShadowBrokers releases a list of exploits, tools and implants from the NSA data.  This was the precursor to the malware release exploiting the MS17-010 vulnerability.  This notification was delivered by the InfoArmor Intelligence team.

  2. March 14 – Microsoft releases patch for the vulnerability for immediate application:

     https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

  3. April 8 – InfoArmor notifies its clients regarding the results of the ShadowBrokers auction of content to Equation Group.  This was a pre-emptive notification regarding activity that was targeting the exploitation of the MS17-010 vulnerability.

  4. April 26 – InfoArmor notifies its clients regarding specific network hosts that contain the MS17-010 vulnerability and are susceptible to attack.  We define the patch through MSFT, provide the support to resolution.  This was 3 weeks before MS17-010 was exploited by Eternalblue/Doublepulsar malware (WannaCry ransomeware).

Below are the Advanced Intelligence notifications from InfoArmor’s VigilanteATI platform starting in January 2017:

screenshot of VigilanteATI

InfoArmor’s VigilanteATI Advance Intelligence provides a comprehensive and cost-effective solution that enables IT security teams to leverage our elite operative and research team. By delivering real threat intelligence, not threat information, InfoArmor provides unsurpassed, accurate and efficient advanced threat intelligence that could not be obtained internally or by other traditional threat intelligence methods.