According to Yonhap News Agency, South Korea's National Intelligence Service (NIS) has accused North Korea of launching a cyber-attack on Pfizer to steal information about the COVID-19 vaccine the company developed in partnership with BioNTech; the attack has been compared with the NotPetya ransomware (see the analysis below). With COVID-19 infections surging, drug-makers are under pressure to produce vaccines in large quantities. Employees of these firms are working harder and for longer hours than before, and day-to-day security practice slips to the bottom of their priority lists, which leaves the firms more exposed to attack.
Technical Analysis of the NotPetya Ransomware Attack
Even though Pfizer has not released details of the attack, experts liken it to the notorious NotPetya, the malware behind the 2017 attack on Merck & Co. Once it has a foothold on a system, NotPetya runs through a series of steps: dropping files, checking its privileges, hashing the names of running processes to look for security software, stealing credentials, self-propagating, scheduling a system shutdown, and covering its tracks. Together these steps let the attacker carry out the intended operations on the target without being detected.
How NotPetya Ransomware Compromises the Target
1. File Dropping
When NotPetya is launched it drops several files: the ransomware DLL itself (C:\Windows\perfc.dat), the ransomware splash and warning files, the credential-theft module (written as a .tmp file in the %TEMP% directory), and one of its embedded resources, which it writes to C:\Windows\dllhost.dat. That last file is a copy of the Sysinternals PsExec tool, and it is what lets the malware execute its DLL on other systems.
2. Process Hashing and Privilege Checks
After dropping the files, the malware is loaded as a DLL through rundll32.exe and runs a routine that hashes the name of every running process and compares the hashes against hard-coded values for Kaspersky, Norton Security and Symantec products; the result changes its later behaviour (for example, it skips the SMB exploits when Symantec or Norton products are present). At the same time it checks whether its token holds the privileges it needs, namely SeShutdownPrivilege, SeDebugPrivilege and SeTcbPrivilege.
3. Credential Theft
The malware decompresses resource 0x1 or 0x2, depending on whether the OS is 32- or 64-bit, and writes the result to a .tmp file in the %TEMP% folder. This module is a credential dumper: it locates the lsass.exe process, which hosts the Local Security Authority (LSA) responsible for managing the security packages and enforcing security policy, and the WDigest authentication package (wdigest.dll) loaded inside it, and reads credentials straight out of LSASS memory. At this point the LSA's secrets are effectively compromised. The module passes the extracted credentials back to the NotPetya DLL over a named pipe, where they feed the PsExec and WMIC lateral-movement steps.
Once it has what it needs, the malware wipes the contents of that file so that they cannot be recovered through disk forensics. It then runs entirely from memory and deletes its own file from disk, and its clean-up continues with clearing the Windows event logs and the USN journal and scheduling a reboot, the system-shutdown and anti-forensics steps listed above.
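The three steps above are all visible host activity: two specific file writes, a distinctive rundll32 command line, a .tmp module opening LSASS, and finally log clearing and a scheduled reboot. As an added example (not from the original article and not X-PHY code), here is a small rule-based detector that walks Sysmon-style process-create, file-create and process-access events and reports which stages of that chain each host exhibits. The event records are constructed for the example; the `updater.exe` path, the host names and the temp file name are placeholders.

```python
import ntpath
import re
from collections import defaultdict

# Host-level indicators of the chain walked through above.  The paths and command
# lines follow the public NotPetya reporting; the event records further down are
# constructed for this example and were not captured from a real machine.
DROPPED_FILES = {r"c:\windows\perfc.dat", r"c:\windows\dllhost.dat"}
RUNDLL_LAUNCH = re.compile(r"rundll32(\.exe)?\s+.*perfc(\.dat)?\s*,\s*#1", re.I)
ANTI_FORENSICS = re.compile(r"wevtutil(\.exe)?\s+cl\s|fsutil(\.exe)?\s+usn\s+deletejournal", re.I)
SCHEDULED_SHUTDOWN = re.compile(r"schtasks(\.exe)?\s+/create\b.*shutdown", re.I)
TEMP_TMP = re.compile(r"\\temp\\[^\\]+\.tmp$", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def classify(ev):
    """Map one Sysmon-style event to a stage of the chain, or None.

    ev keys: id (1 = process create, 10 = process access, 11 = file create),
    host, image, plus cmd (id 1) or target (file path for 11, accessed process
    for 10).
    """
    eid, image = ev["id"], ev.get("image", "")
    if eid == 11:
        target = ev["target"]
        if target.lower() in DROPPED_FILES:
            return "drop"                  # perfc.dat or dllhost.dat (PsExec) written
        if TEMP_TMP.search(target) and _base(image) == "rundll32.exe":
            return "cred_module_drop"      # credential dumper unpacked into %TEMP%
    elif eid == 1:
        cmd = ev["cmd"]
        if RUNDLL_LAUNCH.search(cmd):
            return "launch"                # rundll32 perfc.dat,#1 <minutes>
        if ANTI_FORENSICS.search(cmd):
            return "antiforensics"         # event logs / USN journal cleared
        if SCHEDULED_SHUTDOWN.search(cmd):
            return "shutdown"              # reboot scheduled to hand over to the bootloader
    elif eid == 10:
        if _base(ev["target"]) == "lsass.exe" and TEMP_TMP.search(image):
            return "lsass_access"          # a %TEMP%\*.tmp module opening LSASS
    return None


def analyze(events):
    """Return {host: sorted list of observed stages} for every host seen."""
    stages = defaultdict(set)
    for ev in events:
        stages[ev["host"]]                 # register the host even if it stays clean
        stage = classify(ev)
        if stage:
            stages[ev["host"]].add(stage)
    return {host: sorted(s) for host, s in stages.items()}


def verdict(stages):
    """The DLL launch plus at least two other stages on one host is reported as
    the full chain; any single stage still deserves a look."""
    if "launch" in stages and len(stages) >= 3:
        return "notpetya-chain"
    return "suspicious" if stages else "clean"


# Constructed sample telemetry: ws01 shows the chain, ws02 only benign activity.
EVENTS = [
    {"id": 11, "host": "ws01", "image": r"C:\Program Files\Updater\updater.exe",
     "target": r"C:\Windows\perfc.dat"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 30"},
    {"id": 11, "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Windows\dllhost.dat"},
    {"id": 11, "host": "ws01", "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\3C2F.tmp"},
    {"id": 10, "host": "ws01", "image": r"C:\Users\alice\AppData\Local\Temp\3C2F.tmp",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
            r"& wevtutil cl Application & fsutil usn deletejournal /D C:"},
    {"id": 1, "host": "ws01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42'},
    {"id": 1, "host": "ws02", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll"},
    {"id": 11, "host": "ws02", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "target": r"C:\Users\bob\AppData\Local\Temp\chrome_url_fetcher_1234.tmp"},
    {"id": 10, "host": "ws02", "image": r"C:\Program Files\AV\scanner.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
]

if __name__ == "__main__":
    for host, stages in analyze(EVENTS).items():
        print(f"{host}: {verdict(stages)} {stages}")
```

The benign rundll32 invocation and the browser's temp file on ws02 show why the rules key on the combination (rundll32 writing a .tmp, that .tmp then opening lsass.exe) rather than on any single artefact; the per-host verdict requires the launch plus two further stages so that one noisy event does not trigger a lockdown.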
X-PHY Protection Method
Detecting the Malicious Activity
NotPetya's first actions are to drop files and adjust its privileges. The Guardian Pro-X and Security Scout features of the X-Guard Threat Lock use AI at the firmware level to monitor the commands the host sends to the drive: the module mirrors the commands the host issues against each target address, along with the contents of all the LBAs involved.
A trained neural network uses the mirrored commands and contents to decide whether the activity is malicious. It does this by comparing the read, write and overwrite accesses the stager requests against the average pattern of access to the master boot record, master file table, boot sectors and file-system parameter blocks of the operating systems the drive hosts, and to secondary-storage operations in general.
The first thing NotPetya does is drop several files and write an embedded resource to C:\Windows\dllhost.dat. Security Scout classifies these operations as malicious because their intent is to compromise the device. Once the file dropping and file replacement are recognised as malicious, the X-Factor Encryption Lock feature triggers a data lockdown to block any further access to the data.
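The comparison described above, between the storage accesses a process requests and the normal access profile of the MBR, boot sector and MFT regions, can be illustrated with a much simpler host-side model. The following is an added example, not X-PHY's firmware logic and not code from the page: it learns a per-region write baseline from known-good windows of block writes, then flags a window that touches regions never written in normal use or that writes a region far above its baseline, and turns that into a lockdown decision. The disk layout, the region boundaries and all write traces are constructed for the example.

```python
from collections import Counter
from statistics import mean

# Disk layout assumed for this example: an MBR partition table, one NTFS volume
# starting at LBA 2048, and an $MFT that happens to occupy LBAs 100000-103999.
# Real layouts differ; a firmware monitor would derive these from the partition
# table in LBA 0 and the boot sector/BPB it can read at the volume start.
REGIONS = {
    "mbr":         (0, 1),            # [start, end) in LBAs
    "boot_gap":    (1, 2048),         # sectors behind the MBR where a malicious loader lands
    "boot_sector": (2048, 2049),      # NTFS boot sector with its BIOS parameter block
    "mft":         (100_000, 104_000),
}
# In normal operation nothing rewrites these once the OS is installed.
STATIC_REGIONS = {"mbr", "boot_gap", "boot_sector"}


def region_of(lba):
    for name, (start, end) in REGIONS.items():
        if start <= lba < end:
            return name
    return "data"


def sectors_by_region(window):
    """window: iterable of (lba, sector_count) write commands -> Counter of
    sectors written per region."""
    counts = Counter()
    for lba, n in window:
        for sector in range(lba, lba + n):
            counts[region_of(sector)] += 1
    return counts


def build_baseline(normal_windows):
    """Average sectors written per region per window over known-good windows."""
    per_window = [sectors_by_region(w) for w in normal_windows]
    return {r: mean(c[r] for c in per_window) for r in list(REGIONS) + ["data"]}


def score_window(baseline, window, factor=10.0):
    """Flag a region that is written at all although it is static or has a zero
    baseline, or that is written more than `factor` times its baseline."""
    observed = sectors_by_region(window)
    report = {}
    for region, expected in baseline.items():
        seen = observed[region]
        flagged = (seen > 0 and (region in STATIC_REGIONS or expected == 0)) or \
                  (expected > 0 and seen > factor * expected)
        report[region] = {"observed": seen, "expected": expected, "flagged": flagged}
    return report


def should_lock(report):
    """Lockdown decision: any flagged region is enough."""
    return any(r["flagged"] for r in report.values())


# Constructed traces.  Normal windows: ordinary file writes plus a few $MFT
# record updates.  Attack window: the MBR and the gap behind it overwritten with
# a bootloader, the $MFT rewritten wholesale, plus a little ordinary traffic.
NORMAL_WINDOWS = [
    [(5_000_000, 64), (5_000_064, 64), (100_016, 2)],
    [(5_200_000, 128), (100_020, 1)],
    [(5_300_000, 32), (5_300_032, 32), (100_016, 2), (100_300, 1)],
]
ATTACK_WINDOW = [(0, 1), (1, 33), (100_000, 4_000), (5_400_000, 16)]
BENIGN_WINDOW = [(5_500_000, 256), (100_018, 3)]

if __name__ == "__main__":
    baseline = build_baseline(NORMAL_WINDOWS)
    for label, window in (("attack", ATTACK_WINDOW), ("benign", BENIGN_WINDOW)):
        report = score_window(baseline, window)
        flagged = [r for r, v in report.items() if v["flagged"]]
        print(f"{label}: lockdown={should_lock(report)} flagged={flagged}")
```

Two points carry over to the real thing. The static regions are flagged on a single sector write because a healthy system never rewrites its MBR or boot sector, so a baseline of zero is the signal; and the MFT, which is legitimately written a little all the time, needs a rate comparison rather than a presence check, otherwise every file save would trip the lock.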
Prevention of Malicious Cloning
When an illegitimate attempt to drop and replace files is detected, the X-Factor Encryption Lock feature triggers a data lockdown to keep the attacker away from the data and immediately activates the Keycode2-factor. X-PHY enters safe mode and prompts for a password to complete the two-factor authentication; from this point, multiple unique keys must be supplied before the data can be accessed. Until they are, the data stays locked, so credentials cannot be stolen and the data remains safe.