Date | Version | Details
--- | --- | ---
30-Jun-2017 | 1.2 | Clarified port information with respect to FT Software products
29-Jun-2017 | 1.1 | Title update
28-Jun-2017 | 1.0 | Initial release
Introduction
On June 27, 2017, a new malware variant named “Petya” (also known as “NotPetya” or “Nyetya”) began affecting Microsoft Windows personal computers (PCs) around the world. NotPetya is a Petya-inspired variant that behaves much like the “WannaCry” malware that surfaced in May 2017: it is a self-propagating "worm" that infects any vulnerable host that has not patched the Windows SMBv1 vulnerability. Microsoft patched this vulnerability, addressed in Security Bulletin “MS17-010,” in March 2017.
However, it is worth noting that this malware has some key differences from WannaCry, including how it propagates to other machines and how it attacks the victim’s PC.
As of this writing, there is no known direct impact to Rockwell Automation products from this malware, though all files present on a machine (including files used by Rockwell Automation products) may be encrypted in the event of a successful attack. However, customers who use Rockwell Automation software products may be vulnerable to this attack since most of the Rockwell Automation software products run on Microsoft Windows platforms containing the underlying vulnerability which enables this attack.
Rockwell Automation decided to provide this advisory since customers running Rockwell Automation software on Microsoft Windows may be vulnerable to this attack. Information and links to Microsoft-provided resources are provided below, as well as our qualification report for MS17-010. We are continuing to monitor this situation, and we will update this advisory as we learn more.
Affected Products
According to Microsoft’s MS17-010 Security Bulletin, the following operating systems contain the vulnerability:
- Windows XP
- Windows 7
- Windows 8
- Windows 10
- Windows Server 2003
- Windows Server 2008 R1/R2
- Windows Server 2012
- Windows Server 2016
Note: Both 32-bit and 64-bit versions are vulnerable.
Note: At the time of this writing, and according to Microsoft, no versions of Windows CE are affected.
Vulnerability Details
This malware is similar in many ways to the WannaCry malware that surfaced in May 2017, but it uses different methods for encrypting files and for propagating across the network to infect new machines. Reports suggest that if the Petya malware has administrative privileges, it does not encrypt files individually using a file-type whitelist, but instead encrypts the entire filesystem, rendering the machine completely inaccessible. Industrial control system (“ICS”) specific files, which may not have been included in past whitelists, will therefore also be encrypted along with every other file on the filesystem.
The initial Petya infection comes from opening an infected file attached to an email. Once a machine on a victim’s network is infected, Petya uses multiple mechanisms to propagate through the victim’s network without the user interaction that social engineering-based attacks normally depend on:
- EternalBlue, the same SMB exploit which allowed WannaCry to propagate.
- Microsoft Windows Management Instrumentation (WMI), using the user’s credentials.
- Microsoft PsExec tool, using the user’s credentials.
Risk Mitigation & User Action
The risk from EternalBlue can be mitigated by applying the updates from MS17-010. The other two attack vectors can be mitigated by blocking the ports those protocols use.
Rockwell Automation strongly recommends that customers review the Microsoft MS17-010 Security Bulletin, evaluate the potential risks, and implement a mitigation plan. Microsoft has provided patches for ALL affected operating systems, including XP and 2003. Rockwell Automation suggests that before implementing any Microsoft updates, the updates should be verified on a non-production system, or when the facility is non-active, to help ensure that there are no unexpected results or side effects.
The Rockwell Automation Microsoft Patch Qualification team has qualified versions of our products on Windows 7 and Windows Server 2008 R2 with MS17-010 installed. For detailed information on versions tested, visit the Rockwell Automation Microsoft Patch Qualification site: https://www.rockwellautomation.com/ms-patch-qualification/start.htm.
- For any supported operating system, use the “Windows Update” feature to download and apply updates.
- For unsupported operating systems, download the English-language security updates directly; these patches can be loaded onto existing Windows Server Update Services (WSUS) servers to ease large-scale deployment:
  o Windows Server 2003 SP2 x64
  o Windows Server 2003 SP2 x86
  o Windows XP SP2 x64
  o Windows XP SP3 x86
  o Windows XP Embedded SP3 x86
  o Windows 8 x86
  o Windows 8 x64
- For non-English unsupported operating systems, download localized versions for Windows XP, Windows 8 or Windows Server 2003: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
- Alternatively, Microsoft recommends disabling the SMBv1 service following these instructions: https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
  o Note: This may prevent file shares from working in some instances.
- If possible, restrict SMB and WMI traffic from untrusted enterprise networks (with internet connectivity) outside the IDMZ.
  o SMB and WMI utilize ports TCP/135, TCP/139, TCP/445, and TCP/1024-1035.
  o Note: Some FactoryTalk software products require port TCP/135 in order to function properly. Consult Knowledgebase Article 898270 for information on port usage by Rockwell Automation products.
- Establish and execute a proper backup and disaster recovery plan for your organization's assets.
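As an added example (not Rockwell Automation's own tooling), the following PowerShell script audits a Windows host against the mitigations listed above: whether an MS17-010 update is installed, the SMBv1 server state via the registry value that Microsoft's KB2696547 describes, and which of the advisory's ports are actually listening on the host. The script and function names are assumptions, and so is the default KB list: the advisory links KB4012598 for XP/8/2003, while other Windows versions receive MS17-010 under their own KB numbers, so pass the IDs that apply to the host being audited.

```powershell
# Audit-NotPetyaExposure.ps1 (hypothetical name): read-only check of the mitigations
# in this advisory. Assumes an elevated PowerShell (2.0 or later) session on the host.
param(
    # KB4012598 is the catalog ID the advisory links for XP/8/2003. Other Windows
    # versions receive MS17-010 under different KB numbers (see the Microsoft
    # bulletin); supply the IDs that apply to this host. Default is an assumption.
    [string[]]$Ms17010Kbs = @('KB4012598')
)

function Get-NotPetyaExposure {
    $findings = @()

    # 1. EternalBlue vector: is one of the MS17-010 updates installed?
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) { $findings += "OK: MS17-010 update present ($($installed.HotFixID -join ', '))" }
    else            { $findings += "RISK: none of $($Ms17010Kbs -join ', ') installed; apply MS17-010" }

    # 2. SMBv1 server state, read from the registry value that KB2696547 documents
    #    (value absent or 1 = SMBv1 enabled, 0 = disabled).
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($smb1 -eq 0) { $findings += 'OK: SMBv1 server disabled (SMB1 = 0)' }
    else             { $findings += 'RISK: SMBv1 server enabled (SMB1 value absent or 1)' }

    # 3. Ports the advisory says to restrict at the IDMZ: which are listening here?
    #    netstat is used because it exists on every Windows version the advisory lists.
    $advisoryPorts = @(135, 139, 445) + (1024..1035)
    $listening = netstat -ano | Select-String '^\s*TCP\s.*LISTENING' | ForEach-Object {
        # Local address column looks like 0.0.0.0:445 or [::]:445; take the port suffix.
        $local = ($_.Line -split '\s+') | Where-Object { $_ -match ':\d+$' } | Select-Object -First 1
        if ($local) { [int]($local -split ':')[-1] }
    }
    $exposed = $advisoryPorts | Where-Object { $listening -contains $_ } | Sort-Object -Unique
    if ($exposed) {
        $findings += "INFO: listening on TCP/$($exposed -join ', TCP/'); restrict these from untrusted networks outside the IDMZ"
        if ($exposed -contains 135) {
            $findings += 'NOTE: TCP/135 is required by some FactoryTalk products; consult Knowledgebase Article 898270 before blocking it'
        }
    }
    else { $findings += 'OK: none of the advisory ports are listening' }

    return $findings
}

Get-NotPetyaExposure | ForEach-Object { Write-Output $_ }
```

Run it on a representative workstation and server before and after patching; a host still reporting RISK on the first two lines remains exposed to the EternalBlue vector described above.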
The Rockwell Automation MS Patch Qualification team has fully qualified MS17-010 on Windows 7 and Windows Server 2008 R2 SP1.
However, the Rockwell Automation Microsoft Patch Qualification team has NOT qualified versions of our products with MS17-010 installed on Microsoft operating systems that are End of Life. We consider this patch to pose a relatively low risk of impacting Rockwell Automation products; it should be applied at your discretion.
Lastly, we recommend that customers continue to follow the situation by monitoring this advisory, subscribing to Knowledgebase Article 35530 for updates to Microsoft Patch Qualification Reports, and monitoring MS17-010. Be aware that attack strategies can change as defenses are built up, and further action may be required.
General Security Guidelines
- Refer to Knowledgebase Article 546987 for Rockwell Automation recommended customer hardening guidelines, including information about compatibility between antivirus software and Rockwell Automation products. For a list of Rockwell Automation tested antivirus software, refer to Knowledgebase Article 35330.
- Use of Microsoft AppLocker® or a similar application whitelisting solution can help mitigate risk. Information on using AppLocker with Rockwell Automation products is available at https://rockwellautomation.custhelp.com/app/answers/detail/a_id/546989.
- Run all software as User, not as Administrator.
- Use trusted software and software patches that are obtained only from highly reputable sources.
- Employ training and awareness programs to educate users on the warning signs of a phishing or social engineering attack.
- Locate control system networks and devices behind firewalls, and isolate them from the business network, helping to make sure that messages with mismatched IP and interface origination do not reach the target system.
- Help minimize network exposure for all control system devices and/or systems, and confirm that they are not accessible from the Internet.
- When remote access is required, use secure methods, such as Virtual Private Networks (“VPNs”), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.
For further information on the Vulnerability Handling Process for Rockwell Automation, please refer to our Product Security Incident Response FAQ document.
Refer to our Industrial Network Architectures Page for comprehensive information about implementing validated architectures designed to deliver these measures.
Refer to the Industrial Security Services website for information on security services from Rockwell Automation to assess, protect, detect, respond and recover from incidents. These services include assessments, designs, implementations, industrial anomaly detection, patch management, and remote infrastructure monitoring and administration.
We also recommend concerned customers continue to monitor this advisory by subscribing to updates on the Security Advisory Index for Rockwell Automation, located at 54102 - Industrial Security Advisory Index. Customers may also reference the public Security page for Rockwell Automation for new and relevant information relating to this matter.
If you have questions regarding this notice, please send an email to our product security inbox at: secure@ra.rockwell.com.