A maze of shadow network links company intranets
Yet Another Worm eveNt (YAWN) is spawning a flurry of infosec marketing blog posts. There’s the technical analysis, the “how to block the last attack” posts, the “why are we still failing?” self-flagellation, and the transparent “how our product would have blocked the last attack.” This analysis is not a technical deep dive, a basic security guide, or any of the other predictable post-incident blogs. I want to look at the bigger lesson that the last three big worms (WannaCry, NotPetya, BadRabbit) have vividly exposed, and yet has been essentially overlooked. The lesson is:
Compromise local, infect global — using only lateral traversal techniques — using the Shadow Internet
The Worms of the Age of Worms
The three autonomous malicious agents share one major feature — propagation via lateral traversal techniques — and a similar payload; however, they differ in other aspects. Importantly, each worm appears to have been developed to different operational requirements and released with different intent, resulting in divergent implicit targeting scope. Despite having different targeting goals, they all managed to achieve the same result — global infection.
- WannaCry: pure ransomware spread via the patched MS17-010 SMB bug, it targeted both internet and intranet systems and briefly spread at an astonishing rate, leaping from “Patient Zero” across borders, continents, and oceans in hours.
- NotPetya: a wiper masquerading as ransomware that propagated using multiple lateral traversal techniques including: stolen credentials, remote administration tools, and falling back to the (very patched) MS17-010 SMB bug. It was released in Ukraine and targeted only the subnets it was connected to plus whatever IPs were found in the ARP cache. Although it appears to have been carefully designed to restrict its spread to just Ukraine, within hours it had spread globally.
- BadRabbit: apparently ransomware that spreads using lateral traversal tools extremely similar to NotPetya (mimikatz, WMIC, SMB bug, etc.), it also included a short hardcoded list of usernames and passwords to bruteforce credentials. The target enumeration was conservative, attacking only known reachable addresses. Detected initially in Russia, and targeting Turkey, Bulgaria and Japan, within a day infections were global.
The threat actors behind the worms appear to be different (WannaCry was linked to Lazarus group, NotPetya/BadRabbit to BlackEnergy), and the motivation for releasing the worms appears to differ:
- WannaCry was half-baked and possibly escaped into the wild
- NotPetya appears to have been a deliberate targeted wiper attack
- BadRabbit appears to be a straightforward cybercrime cash grab (although the revenue generation is basically nil, and looks can be deceiving)
Critically though, each worm used only lateral traversal methods, and the latter two restricted themselves to only accessible targets. Despite these limitations on mobility, which objectively should seem to limit the victims to intranet targets within the confines of a network perimeter, these worms became global epidemics. This empirically demonstrates that there is a Shadow Internet of linked networks that provides pathways to compromise targets globally without targeting public facing Internet systems.
The conceptual separation between a private, bounded intranet and a public Internet is mostly fantasy. Cold reality is that alongside the public Internet, there is a private Shadow Internet which connects intranets to each other in unpredictable ways. The Home Depot breach revealed deliberate exploitation of this Shadow Internet (attackers gained access to a trusted supplier and then used their private connection to reach Home Depot’s network).
The porous nature of perimeter defences is nothing new, nor is attacker abuse of trust relationships; these worms merely reveal the global reach of these problems. Aggressive autonomous malware has demonstrated, repeatedly, just how many private networks are connected to each other. A sort of infosec “six degrees of separation.”
The worms all used different initial entry vectors to gain a foothold compromise before beginning their autonomous sideways trek through the dark and twisty maze of the Shadow Internet.
- WannaCry: manually installed and executed on a small number of compromised systems, it quickly escaped the confines of the network perimeter and exploded across the Internet using only a single poorly implemented version of the ETERNALBLUE exploit.
- NotPetya: distributed via a backdoor embedded in compromised business software (used by almost every company operating in Ukraine) which was pushed via an auto-update mechanism. Once installed, the malware began hunting for systems on connected subnets, which it infected using admin tools. Before the end of the day it was already a global epidemic.
- BadRabbit: initially distributed via compromised websites (in Russia, Bulgaria, Ukraine, and Japan) as a fake Flash update. Once active, the malware targeted only hosts that were known accessible, and used an improved infection module from NotPetya, propagating via administration tools, simple brute forcing, and an exploit. Despite limited release, restricted targeting, and well known infection methods, infections were global within a day.
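All three worms, once inside a network, behaved the same way from a defender's point of view: one host suddenly opens SMB or WMI connections to many peers, often across more than one subnet, within a very short window. The following is an added example (not code from the original post) of the simple fan-out heuristic a blue team can run over connection logs to spot that behaviour. The log format, the hosts, the timestamps and the thresholds are all constructed for illustration; the only thing taken from the post is the set of lateral-traversal ports (445 for SMB, 135 for WMI/DCOM).

```python
"""Flag hosts whose SMB/WMI connections fan out worm-like across many peers.

Constructed flow-log format (assumption, not the post's data):
    "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
"""
from collections import defaultdict

# Ports the post's worms used for lateral traversal: SMB (MS17-010 and admin
# shares) and WMI/DCOM remote administration.
LATERAL_PORTS = {445, 135}

# Constructed sample: 10.1.1.20 is an ordinary client talking to two file
# servers; 10.1.1.77 hits twelve distinct hosts across two /24s in 12 seconds.
SAMPLE_FLOWS = """
1000 10.1.1.20 10.1.1.5 445
1030 10.1.1.20 10.1.1.5 445
1075 10.1.1.20 10.1.1.6 445
1100 10.1.1.77 10.1.1.1 445
1101 10.1.1.77 10.1.1.2 445
1102 10.1.1.77 10.1.1.3 445
1103 10.1.1.77 10.1.1.4 445
1104 10.1.1.77 10.1.1.5 445
1105 10.1.1.77 10.1.1.6 445
1106 10.1.1.77 10.1.1.7 445
1107 10.1.1.77 10.1.1.8 445
1108 10.1.1.77 10.1.1.9 445
1109 10.1.1.77 10.2.1.1 445
1110 10.1.1.77 10.2.1.2 135
1111 10.1.1.77 10.2.1.3 445
1112 10.1.1.77 10.1.1.1 445
"""


def parse_flows(lines):
    """Parse log lines into (timestamp, src, dst, dport) tuples, skipping blanks."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return flows


def fanout_alerts(flows, window=60, threshold=10):
    """Return {src: (distinct_peers, distinct_subnets)} for every source that
    reached at least `threshold` distinct destinations on lateral ports inside
    some `window`-second sliding interval.

    The subnet count is reported because the post's worms enumerated connected
    subnets and ARP-cache neighbours; fan-out across several /24s is the more
    worrying signal than many peers on a single LAN segment.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in LATERAL_PORTS and src != dst:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        best_peers = set()
        for hi in range(len(events)):
            # Slide the left edge until the interval fits inside `window`.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            peers = {dst for _, dst in events[lo:hi + 1]}
            if len(peers) > len(best_peers):
                best_peers = peers
        if len(best_peers) >= threshold:
            # /24 approximation is enough for a triage signal.
            subnets = {dst.rsplit(".", 1)[0] for dst in best_peers}
            alerts[src] = (len(best_peers), len(subnets))
    return alerts


def run_sample():
    """Run the heuristic over the constructed sample log."""
    return fanout_alerts(parse_flows(SAMPLE_FLOWS.splitlines()))


if __name__ == "__main__":
    for src, (peers, subnets) in run_sample().items():
        print(f"{src}: {peers} distinct peers across {subnets} subnets")
```

On the sample, only 10.1.1.77 is reported (12 peers across 2 subnets); the client that touched two file servers stays below the threshold. In practice the threshold and window should be tuned against a baseline, because backup servers, vulnerability scanners and patch-management hosts legitimately fan out the same way and need an allow-list rather than a lower threshold.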
The worms have shown that threat actors are not only incorporating lessons learned from previous events (tactical diffusion), but are also innovating and trying out new techniques.
12 May 2017 — WannaCry
28 June 2017 — NotPetya
24 October 2017 — BadRabbit
BadRabbit target enumeration is the same as NotPetya including bugfixes such as below.
The connections traversed by these malicious agents reveal unmapped, poorly explored, and extremely dangerous portals linking diverse organisations into a Shadow Internet. Not only are many networks one 0day away from total compromise, but they are just a few twisty dark passages away from a network that’s one 0day away from compromise. The Shadow Internet is a serious problem — risk is transitive.
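“Risk is transitive” is a graph statement: if network A is reachable from B over a private link, and B from C, then a worm that gets into C can walk to A without ever touching the public Internet. The added example below (not from the post) models a small constructed Shadow Internet as an undirected graph of private links, measures the blast radius of a foothold with a breadth-first search, and ranks which single link would shrink that radius the most, which is the question a network architect asks when deciding where to put segmentation and where to demand that a supplier connection be brokered rather than routed. All network names and link types are invented for illustration; the only thing taken from the post is the observation that one compromised branch office can reach suppliers and partners several hops away.

```python
"""Transitive reach over a constructed map of private inter-network links."""
from collections import defaultdict, deque

# Constructed Shadow Internet: (network_a, network_b, link_type). Names and
# links are hypothetical, not any real organisation's topology.
LINKS = [
    ("ua-branch", "hq", "site-to-site VPN"),
    ("hq", "eu-office", "MPLS"),
    ("hq", "us-office", "MPLS"),
    ("hq", "msp", "remote admin VPN"),
    ("msp", "client-b", "remote admin VPN"),
    ("msp", "client-c", "remote admin VPN"),
    ("client-c", "supplier-d", "B2B extranet"),
    ("us-office", "partner-e", "partner VPN"),
    ("isolated-f", "isolated-g", "MPLS"),
]


def build_graph(links, cut=None):
    """Build an undirected adjacency map; `cut` optionally removes one link
    (given as (a, b) in either order) to model a segmentation change."""
    graph = defaultdict(set)
    for a, b, _kind in links:
        if cut and {a, b} == set(cut):
            continue
        graph[a].add(b)
        graph[b].add(a)
    return graph


def reachable(graph, start):
    """Breadth-first search: return {network: hops} for every network a
    lateral-only worm could reach from `start` (start itself is at 0 hops)."""
    hops = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def blast_radius(links, start, cut=None):
    """Number of networks other than `start` reachable with the given cut."""
    return len(reachable(build_graph(links, cut=cut), start)) - 1


def choke_points(links, start):
    """Rank each link by how small the blast radius becomes if that one link
    is removed. The first entries are the best candidates for brokering or
    segmentation; links whose removal changes nothing are not worth the fight."""
    baseline = blast_radius(links, start)
    ranked = []
    for a, b, kind in links:
        after = blast_radius(links, start, cut=(a, b))
        ranked.append(((a, b), kind, baseline - after))
    ranked.sort(key=lambda item: item[2], reverse=True)
    return ranked


if __name__ == "__main__":
    hops = reachable(build_graph(LINKS), "ua-branch")
    print("networks reachable from ua-branch:", len(hops) - 1)
    for network, distance in sorted(hops.items(), key=lambda kv: kv[1]):
        print(f"  {distance} hops -> {network}")
    print("links whose removal most reduces reach:")
    for (a, b), kind, saved in choke_points(LINKS, "ua-branch")[:3]:
        print(f"  {a} <-> {b} ({kind}): removes {saved} networks from reach")
```

On the constructed map, a foothold in ua-branch reaches eight other networks, the farthest (supplier-d) four hops away and owned by an organisation that has no relationship with ua-branch at all, while the two isolated networks are untouched. Cutting the branch's own VPN to hq removes everything, which is not a realistic option; the next best cut is the managed service provider's remote-admin VPN, which alone takes four networks out of reach. That is the practical reading of “risk is transitive”: the links worth scrutinising are the ones that join otherwise unrelated organisations, not the ones inside a single company.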