SBU warns of a possible new cyber-attack on the networks of Ukrainian institutions and enterprises and asks that its recommendations be followed
As is widely known, on June 27, 2017 Ukraine was hit by a mass cyber-attack using malware identified as the Petya computer virus.
Analysis of the consequences and background of the attack showed that, before the destructive stage, information about Ukrainian enterprises (e-mail messages, passwords to accounts used by enterprises and their officials, login credentials to command servers, password hashes of user accounts in the affected systems and other information that is not publicly available) had been collected, hidden in cookies and sent to a command server.
SBU specialists assume that obtaining this information was the goal of the first wave of the cyber-attack and that it could be used by the real initiators for cyber-intelligence and destructive actions.
This is supported by the Mimikatz utility that specialists found while analysing the Petya attack. Mimikatz (a tool of the same class as Windows Credentials Editor) extracts highly privileged authentication data, such as plaintext passwords, password hashes and Kerberos tickets, directly from system memory, and it abuses architectural features of the Kerberos service in Microsoft Active Directory to covertly retain privileged access to domain resources. Kerberos works by issuing and verifying so-called access tickets; a Ticket-Granting Ticket (TGT) is sealed with the key derived from the password of the krbtgt account, so whoever holds that key can forge TGTs that the domain accepts as genuine.
The majority of institutions and organizations do not include changing the krbtgt account password in their information security regulations, so that key frequently stays unchanged for years.
Thus, criminals who obtained administrative secrets through the Petya attack can now generate a practically permanent TGT (a so-called Golden Ticket) in the name of the built-in domain Administrator account (relative identifier 500). The peculiarity of such a TGT is that even if the compromised account is deactivated, Kerberos authentication with the forged ticket is still treated as legitimate by the system, and loading the ticket into the address space of a logon session requires no administrative privileges.
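The advisory does not say how to spot a forged TGT in use, so the following is an added example (not SBU material) of a heuristic hunt over Windows Security log events. It assumes the standard 4768/4769 event fields (TargetUserName, IpAddress, TicketEncryptionType, ServiceName) and embeds a constructed sample in place of a live Get-WinEvent query; the two signals it checks are indicators only, not proof.

```powershell
# Added example, not from the SBU advisory: a heuristic hunt for use of a
# forged TGT in Windows Security log events. Two signals, both well known
# and both only indicators:
#  1. A service ticket (event 4769) encrypted with RC4-HMAC (type 0x17) in a
#     domain that issues AES tickets by default: a ticket forged from the
#     NTLM hash of krbtgt is RC4 unless the attacker also has the AES keys.
#  2. A 4769 for a user and client address with no preceding 4768 (TGT
#     issued by the KDC) inside the TGT lifetime: a forged TGT never passes
#     through the KDC's AS exchange, so no 4768 is ever written for it.

function ConvertFrom-KerberosEvent {
    # Flatten a live Security event record into the fields the hunt needs.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id                   = $Event.Id
            TimeCreated          = $Event.TimeCreated
            TargetUserName       = $data.TargetUserName
            ServiceName          = $data.ServiceName
            IpAddress            = $data.IpAddress
            TicketEncryptionType = $data.TicketEncryptionType
        }
    }
}

function Find-SuspiciousTgsRequests {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [TimeSpan] $TgtLifetime = (New-TimeSpan -Hours 10)   # AD default maximum TGT lifetime
    )
    # 4768 logs the bare sAMAccountName, 4769 logs user@REALM; normalise both.
    $tgts = $Events | Where-Object Id -eq 4768 |
        Select-Object *, @{ n = 'User'; e = { ($_.TargetUserName -split '@')[0].ToLower() } }
    foreach ($e in ($Events | Where-Object Id -eq 4769)) {
        $user    = ($e.TargetUserName -split '@')[0].ToLower()
        $reasons = @()
        if ($e.TicketEncryptionType -eq '0x17') { $reasons += 'RC4 service ticket where AES is expected' }
        $issued = $tgts | Where-Object {
            $_.User -eq $user -and $_.IpAddress -eq $e.IpAddress -and
            $_.TimeCreated -le $e.TimeCreated -and ($e.TimeCreated - $_.TimeCreated) -le $TgtLifetime
        }
        if (-not $issued) { $reasons += 'no TGT (4768) issued to this user from this client within TGT lifetime' }
        if ($reasons) {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $e.TargetUserName; Client = $e.IpAddress
                               Service = $e.ServiceName; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample standing in for:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } | ConvertFrom-KerberosEvent
$t0 = Get-Date '2017-07-05 09:00'
$sample = @(
    [pscustomobject]@{ Id = 4768; TimeCreated = $t0;                TargetUserName = 'alice';                    ServiceName = 'krbtgt'; IpAddress = '::ffff:10.0.0.5';  TicketEncryptionType = '0x12' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddMinutes(5);  TargetUserName = 'alice@CORP.LOCAL';         ServiceName = 'FS01$';  IpAddress = '::ffff:10.0.0.5';  TicketEncryptionType = '0x12' }
    # Service ticket for the built-in Administrator: RC4, and no TGT was ever issued to that user from that host.
    [pscustomobject]@{ Id = 4769; TimeCreated = $t0.AddMinutes(10); TargetUserName = 'Administrator@CORP.LOCAL'; ServiceName = 'DC01$';  IpAddress = '::ffff:10.0.0.77'; TicketEncryptionType = '0x17' }
)
Find-SuspiciousTgsRequests -Events $sample | Format-Table -AutoSize
```

Run against the constructed sample, only the Administrator request is reported, with both reasons. On a real domain, expect noise from legacy hosts that still negotiate RC4 and from clients whose TGT was issued by a different domain controller than the one whose log you are reading; collect 4768/4769 from every DC before trusting the second signal.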
In view of the foregoing, and considering that the malware which could serve as the platform for a second wave of attacks, by intercepting access-management credentials and security policies, remained in the compromised information and telecommunication systems for a long time, system administrators and persons responsible for the information security of such systems are recommended to take the following actions as soon as possible:
- change the krbtgt account password;
- change the passwords of all accounts in the domains under their control;
- change the passwords for server hardware and software operating within the information and telecommunication systems;
- change all passwords saved in browser settings on compromised PCs;
- change the krbtgt account password a second time (the KDC also accepts tickets sealed with the previous krbtgt key, so only the second change invalidates forged tickets; let the first change replicate to all domain controllers before making the second, otherwise legitimate tickets are rejected as well);
- restart the KDC service on the domain controllers.
We recommend not keeping authentication data in plaintext in information and telecommunication systems, but using dedicated credential-management software instead.
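The recommendations above give the order of operations but not the mechanics of the krbtgt reset. The runbook below is an added example written for this page (not SBU material, and not Microsoft's own reset script); it assumes RSAT's ActiveDirectory module, repadmin.exe and WinRM access to every domain controller, and the parameter names, the 10-hour default gap and the 15-minute replication timeout are choices made here, not values from the advisory.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the SBU advisory: the krbtgt part of the
# recommendations above as a domain-admin runbook. Assumes RSAT's
# ActiveDirectory module, repadmin.exe, and WinRM to every domain controller.
# Why two resets: the KDC accepts tickets sealed with the current AND the
# previous krbtgt key, so after one reset a forged TGT still works; only the
# second reset evicts the attacker's key. Why not two resets back to back:
# the first must replicate to every DC, and ideally the longest legitimate
# TGT lifetime (10 h by default) should elapse, otherwise valid tickets are
# rejected domain-wide and every user is forced to log on again.
param(
    [TimeSpan] $GapBetweenResets = (New-TimeSpan -Hours 10),   # assumption: default TGT lifetime
    [switch]   $Force   # skip the gap; accept the domain-wide disruption
)

function Get-KrbtgtAge {
    $u = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    [int]((Get-Date) - $u.PasswordLastSet).TotalDays
}

function New-RandomPassword {
    # Nobody types this value; Kerberos derives the key from it, so it only
    # needs to be unpredictable. 32 random bytes, base64-encoded.
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtOnce {
    $pdc = (Get-ADDomain).PDCEmulator
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword) -Server $pdc
    # Push the change out and block until every DC reports the new pwdLastSet.
    repadmin /syncall $pdc /AdeP | Out-Null
    $expected = (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $pdc).pwdLastSet
    foreach ($dc in Get-ADDomainController -Filter *) {
        $deadline = (Get-Date).AddMinutes(15)   # assumption: replication timeout chosen here
        do {
            $seen = (Get-ADUser -Identity krbtgt -Properties pwdLastSet -Server $dc.HostName).pwdLastSet
            if ($seen -eq $expected) { break }
            Start-Sleep -Seconds 15
        } while ((Get-Date) -lt $deadline)
        if ($seen -ne $expected) { throw "krbtgt change did not replicate to $($dc.HostName); stop and investigate" }
    }
}

Write-Host "krbtgt password is $(Get-KrbtgtAge) days old"
Reset-KrbtgtOnce                                     # recommendation 1: first krbtgt change
if (-not $Force) {
    # Recommendations 2-4 (rotate domain, server and browser-stored passwords)
    # belong in this window; the sleep is a placeholder for doing them.
    Write-Host "First reset replicated. Waiting $GapBetweenResets before the second reset."
    Start-Sleep -Seconds ([int]$GapBetweenResets.TotalSeconds)
}
Reset-KrbtgtOnce                                     # recommendation 5: second krbtgt change
foreach ($dc in Get-ADDomainController -Filter *) {  # recommendation 6: restart the KDC service
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock { Restart-Service -Name Kdc }
}
Write-Host "krbtgt password is now $(Get-KrbtgtAge) days old; TGTs forged with the old keys are no longer accepted."
```

The replication check matters more than the exact gap: a second reset that reaches some domain controllers before the first has arrived leaves those DCs holding a current and previous key that neither matches what the other DCs issue. Note also that the second reset only invalidates tickets; it does nothing about the credentials the attacker already collected, which is why the advisory puts the domain-wide password changes between the two krbtgt resets.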
SBU Press Center