Researchers determine one way Petya jumps between networks

Researchers at the Helsinki-based cybersecurity firm F-Secure believe they have figured out one reason Tuesday's malware epidemic could have found its way to companies with no connections to its Ukrainian target.

On Tuesday, computers throughout the world contracted malware similar to ransomware known as Petya. There is an ongoing debate over whether the malware is similar enough to Petya to call it Petya; some researchers have taken to calling it NotPetya in response. 

NotPetya infected networks primarily through a malware-infested update to the Ukrainian MEDoc accounting software, which is required there for tax records. After one computer contracted the malware, it used a variety of mechanisms to infect other computers connected to the same network.

Those methods included harvesting credentials as well as two hacking tools believed to have been leaked from the National Security Agency.

Global companies with offices in Ukraine could have been infected through MEDoc, including known victims like the law firm DLA Piper. According to Kaspersky Lab, around 60 percent of the computers struck by NotPetya were in Ukraine. 

Unlike WannaCry, the last sudden, global malware threat, NotPetya does not attempt to spread itself to random servers across the internet to find new victims. Without a method to reach victims outside its current network, the malware should not have had a way to infect networks with no connection to Ukraine. Yet firms like F-Secure report that some did.

F-Secure found that NotPetya harvested all of the internet addresses connected to a computer by querying its TCP/IP connection table. That table holds both internal and external connections, so the addresses it yields could supply targets on networks outside the victim's own.
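To make the previous paragraph concrete, the following is an added example, not F-Secure's test program and not code from the malware. It parses a constructed, netstat-style snapshot of a host's TCP connection table, classifies every remote address as internal (RFC 1918, loopback, link-local) or external, and returns both lists. The external list is the one a defender would want to compare against perimeter egress rules, because each of those addresses is a destination a propagation routine that reuses the connection table would have been handed. The public-looking addresses in the sample are documentation ranges (TEST-NET), not real services; the private addresses and ports are constructed.

```python
import ipaddress

# Constructed sample of a host's TCP connection table in netstat layout:
# proto, local endpoint, remote endpoint, state. Not captured from a real host.
SAMPLE_CONNECTIONS = """\
Proto  Local Address       Foreign Address      State
TCP    10.0.12.34:49712    10.0.12.5:445        ESTABLISHED
TCP    10.0.12.34:49801    10.0.12.20:135       ESTABLISHED
TCP    10.0.12.34:50114    192.0.2.10:443       ESTABLISHED
TCP    10.0.12.34:50120    198.51.100.7:443     ESTABLISHED
TCP    10.0.12.34:50131    203.0.113.25:443     ESTABLISHED
TCP    127.0.0.1:6000      127.0.0.1:49200      ESTABLISHED
TCP    [::1]:49300         [::1]:8080           ESTABLISHED
TCP    10.0.12.34:50140    10.0.12.5:445        TIME_WAIT
"""

# Ranges treated as "inside the organisation's network". Deliberately explicit
# rather than ipaddress.is_private, which also flags documentation ranges such
# as 192.0.2.0/24 and would hide the external addresses in the sample.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local v4
        "::1/128", "fe80::/10", "fc00::/7",               # loopback, link-local, ULA v6
    )
]


def split_endpoint(endpoint: str) -> tuple[str, int]:
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    if endpoint.startswith("["):
        host, port = endpoint.rsplit("]:", 1)
        return host[1:], int(port)
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def is_internal(address: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in INTERNAL_NETS)


def classify_remote_endpoints(table: str) -> dict[str, list[str]]:
    """Return sorted, de-duplicated remote addresses split into internal/external.

    Every state is included: a worm reusing the connection table gets all of
    them, not only ESTABLISHED sockets.
    """
    internal, external = set(), set()
    for line in table.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "TCP":
            continue  # skip the header and anything that is not a TCP row
        remote_host, _port = split_endpoint(parts[2])
        (internal if is_internal(remote_host) else external).add(remote_host)
    return {"internal": sorted(internal), "external": sorted(external)}


if __name__ == "__main__":
    result = classify_remote_endpoints(SAMPLE_CONNECTIONS)
    print("internal peers:", ", ".join(result["internal"]))
    print("external peers:", ", ".join(result["external"]))
    print(f"{len(result['external'])} external address(es) would be reachable "
          "as lateral-movement targets unless egress filtering blocks them.")
```

Run against a real `netstat -n` or `ss -tn` snapshot, the external list is the set of destinations to verify against outbound filtering for the lateral-movement ports the organisation uses internally; if the firewall lets file-sharing or remote-management traffic out to those addresses, this propagation path is open.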

"We asked a developer to create a small program that uses that particular [function] so that we can execute it in production and see the results. It gave me internal IPs [internet addresses] as well as IPs from facebook, google, twitter," said F-Secure's Andy Patel via electronic chat. 

"So that might be a possible mechanism for it to traverse out of a company's network," he said, later adding that "it was trying to laterally move to those IPs."

Patel was not convinced this was the only vector by which companies with no connection to Ukraine were infected. 

"I'm still open to the idea of there being some other vector," he said.