A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and that it then leverages the EternalBlue and DoublePulsar exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for WannaCry as well, so we cannot stress enough the importance of patching against the MS17-010 vulnerabilities.

For the latest updates on this ransomworm, please see Rapid7's recommended actions.

To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven't done so already, download a trial of InsightVM here.

Creating a Scan Template

The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 is as follows:

1. Under the Administration tab, go to Templates > Manage Templates.

2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.

3. First uncheck "Policies". Then click on Vulnerability Checks and then "By Individual Checks".

4. Add Check “MS17-010” and click Save:

This should return checks that are related to MS17-010. The related CVEs are:

CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0147
CVE-2017-0148

5. Save the template and run a scan to identify all assets with MS17-010.

Creating a Dynamic Asset Group

Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button:

Now, use the "CVE ID" filter to specify the six CVEs listed above:

This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Creating a Dashboard

Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.

Also, check out the new Threat Feed dashboard which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.

If you want to build your own, here's how you can build a custom dashboard, with examples taken from the Shadow Brokers leak. To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:

asset.vulnerability.alternateIds <=> ( altId = "MS17-010" )

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting.
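As an added example (not taken from the linked discussion or from Rapid7), the following SQL Query Export lists every asset that still carries an MS17-010 finding together with the CVE ids behind it. It assumes the standard InsightVM reporting data model tables (dim_asset, dim_vulnerability, dim_vulnerability_reference, fact_asset_vulnerability_finding) and the column names shown; the reporting database is PostgreSQL, so string_agg is available.

```sql
-- Assets with at least one MS17-010 finding, plus the matching CVE ids.
-- Assumed schema: InsightVM reporting data model (PostgreSQL).
WITH ms17 AS (
    -- vulnerability ids that carry the Microsoft bulletin reference
    -- (source is normally 'MS' for bulletin ids, but matching on the
    -- reference alone avoids depending on that value)
    SELECT DISTINCT vulnerability_id
    FROM dim_vulnerability_reference
    WHERE reference = 'MS17-010'
)
SELECT
    da.ip_address,
    da.host_name,
    dv.title,
    -- CVE ids tied to the vulnerability, e.g. CVE-2017-0144 for EternalBlue
    string_agg(DISTINCT cve.reference, ', ') AS cve_ids,
    MAX(favf.date)                           AS last_seen
FROM fact_asset_vulnerability_finding favf
JOIN ms17              USING (vulnerability_id)
JOIN dim_asset         da USING (asset_id)
JOIN dim_vulnerability dv USING (vulnerability_id)
LEFT JOIN dim_vulnerability_reference cve
       ON cve.vulnerability_id = dv.vulnerability_id
      AND cve.source = 'CVE'
GROUP BY da.ip_address, da.host_name, dv.title
ORDER BY da.ip_address, dv.title;
```

Because fact_asset_vulnerability_finding only holds current findings, an asset drops out of this report once a rescan confirms the patch, which mirrors the behaviour of the dynamic asset group above.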

Creating a Remediation Project

In InsightVM, you can also create a remediation project to track the progress of remediation. To do this, go to the “Projects” tab and click “Create a Project”:

Give the project a name, and under vulnerability filter type in vulnerability.alternateIds.altId CONTAINS "MS17-010"

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.

Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA or ServiceNow, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.

Using these steps, you'll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. If you have any questions please don't hesitate to let us know!

For more information and resources on this ransomworm, please visit this page.