March 22, 2021
Amit Serper, Area VP of Security Research for North America at Guardicore, is a renowned hacker and reverse engineer who started using FreeBSD when he was just 13 years old, compiling custom kernels and running four servers from his bedroom while learning how TCP/IP works.
Serper’s 'official' career started when he turned 18 and joined the Israeli intelligence community, where he worked for nearly a decade doing everything from vulnerability research and exploit development to designing the architecture of a uniquely complicated, highly reliable, one-of-a-kind communications system, during which he received four certificates of excellence and two commendations.
During his career, Serper has been on both red and blue teams, joined Cybereason where he spent 6 years building EDR products from scratch, performed countless IR engagements, helped build a global research team, and stopped a few global attacks including NotPetya, BadRabbit, and Operation Soft Cell to name a few. He is a frequent public speaker at security conferences all over the world and proud to be sharing his research through blog posts, conference sessions, and in podcasts.
Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
Hi, and welcome to Cybereason’s ML, I’m Ran Levi. This is part 2 of our mini series on NotPetya.
Amit Serper lives in Boston but, on June 27th, 2017, he was on a trip.
“[Amit] So at the day that NotPetya happened, I was actually at the Cybereason Tel Aviv office. I had some meetings and after the meetings I was driving back to my parents’ house which was about a 30, 25 – 30-minute drive away from the office.
And when I was as – as I was in the car, I was listening to the radio and the news was on. And in the news in Israel, they were reporting about a new cyber attack that basically shut down transportation in the Ukraine and it’s starting to spread to other countries and they’re seeing various systems being hit with it in other countries. So when I got to my parents’ house, I was sitting in their living room and I was talking to my dad. And my dad was watching the news, he was like, “Hey, did you see that new cyber attack? What do you have to say on it?”
And obviously, my dad is in his 70s, he’s not a cyber guy. He doesn’t really know anything about computers, but he started asking me questions about it. And I told him, “You know what, dad? I don’t know. But I have my computer here and I have most but not all of my tools here so let me take a look.”
As the entire world’s cybersecurity community–and many outside of it–were rapt by the phenomenon of NotPetya, Amit Serper, on a trip to visit his family, decided to take a look at the code himself.
But this wasn’t one of those situations where, finally, the genius expert swoops in to save the day. Amit is, indeed, a cybersecurity analyst, but he was not in a position to do much with NotPetya.
“[Amit] My focus back then was actually macOS. I was working on building the Cybereason macOS product, wasn’t really looking into Windows malware or malware at all actually. And this was… NotPetya was one of the first pieces of Windows malware that I fully reverse engineered.”
Amit was not only new to Windows malware; he only had a MacBook at his disposal.
“[Amit] I didn’t have any way of running Windows code on it, but I did get my hands on a sample of NotPetya and I started analyzing it and I started reverse engineering it. The one thing everyone wanted to know, of course, was how to decrypt the files that NotPetya presumably had locked away. it was a lot of discussions about cryptography and about the decryption, the decryption functions in the malware itself.”
Amit, like everyone else, went looking for the program’s decryption logic–the function the attackers used to unlock victims’ files once they paid their ransoms. Nobody knew then what we know now: that NotPetya was devilishly designed without any decryption logic to speak of.
“[Amit] Once I started looking into the functionality of NotPetya, I didn’t really find any decryption logic in the code. [. . .] So if you take that piece of data and combine it with the fact that I am pretty terrible at math and cryptography, I said, well, maybe there’s a way to stop it from spreading and I should probably look into that and I would leave the decryption task to people who actually know what they’re doing.”
Moving away from the decryption component, Amit took a look at how NotPetya moved between host machines. Even without a cure, perhaps, he could help slow the spread.
“[Amit] So I started looking at what happens in the code once the malware runs and what kind of edge cases there are in the code that I can sort of exploit to make the malware exit before it does anything. [. . .] Since NotPetya was written for Windows, there is a Windows API function that’s called ExitProcess which causes the program to exit, to quit. So I started looking at all of the reference – all the references in the code to that function, to ExitProcess, and I found that one of the first things that NotPetya does when it loads, it is looking for a specific filename inside the Windows directory. And if that name exists, if that file exists, the malware will quit. The malware will think that it had already encrypted the drive and that there is no reason to do it again, so it would quit.”
Ever since Robert Morris lost control over his creation in 1988, checking for a particular file on a target machine has been a common feature to fast-spreading viruses and worms. It can help prevent multiple infections of a single machine, or infections of unintended machines.
So this was a clue. But it also presented a problem. Amit was working on a MacBook; all he had was NotPetya’s source code, not the directory information which corresponded to them.
“[Amit] the name of that file was not written in the code and I had to guess what was that name of the file.”
To summarize: Amit found evidence, in the source code of NotPetya, that a particular file might prevent its infection. But even though he could read that file’s contents, he couldn’t tell what it was named. It’s confusing, because it’s such a random problem to have–kind of like having every page of a book, but not the cover. So you can read the entire book, and know everything it says, but when someone asks you “hey, what book are you reading” you have no idea how to reply.
“[Amit] I had no ability to validate my points because I did not have a Windows machine with me. All I had was my Mac and all of my Windows tools were back in Boston on a hard drive that I did not take with me. So I started asking frantically around Twitter and around all of these groups, “Can you tell me what was the original name of the file?” because I had a sample that I downloaded from somewhere and the name of the file that I had was just a random hash value. So after about two hours or maybe less even, I think it was about an hour of frantic tweeting and talking to people, I realized with the help of Ido Naor, an Israeli researcher who used to work at Kaspersky back then that the original name of the file was perfc, P-E-R-F-C.”
“perfc.dat”–the function which, possibly, could cause NotPetya to avoid infecting a machine.
“[Amit] And now, the next task was to verify it to see if it actually worked. So it was already pretty late in Israel, I think it was like 8:00 PM in Israel and I actually made plans. I had plans for that evening to go meet a bunch of my friends in a bar in Tel Aviv because the next day I was supposed to speak at this conference and then fly back home to Boston. So I was mostly occupied with getting to that bar and meeting my friends. So I tweeted, “This is what you need to do. This is the file that you need to put in this path and this will make the malware not to run. And I need help with verifying it. Please let me know.”
And I went on my way to the bar and I was trying to you know sit with my friends, have a nice evening but my phone would not stop ringing and vibrating from all of the messages that I got from people that were trying to verify it for some of them were able to verify it, some of them were not. A few people on Twitter started saying that I was actually lying and that thing didn’t work at all.”
From Twitter user ‘cryptopotato,’ quote: “coworker just confirmed this does not work.” Sad face.
From ‘Shlomi’: “It’s the name used in the current execution. it can be anything. Not much of a kill switch.”
‘Alan P. Stoddard’ wrote: “Is that just your opinion or are you a top tech if so tell someone important instead of just tweeting it.”
User Abuelo Jose, quote: “The enemy shall not outwit you…the wicked shall not humble you. Psalm 89:22.” End quote.
Okay, that last one wasn’t really criticizing Amit. I’m not really sure what Abuelo Jose was after there…
“[Amit] And after about a 2-hour long roller coaster of emotions, people started telling me, “OK. Your idea, your theory actually works and we have verified it on multiple machines. This is actually how you can stop the malware. [. . .] And from that point, I basically did not sleep that night. I was giving press interviews and I was talking to customers and I was talking to other researchers and I basically stayed awake for like two whole days after that happened.”
The NotPetya pandemic was still raging, and its effects would continue for days and weeks thereafter. But Amit Serper had just discovered a vaccine with a 100% efficacy rate.
“[Amit] You know the COVID vaccine, there was – there were months of research and development and clinical trials and very complicated and lengthy processes that that were expedited you know because we have a vaccine after a few months. But with the case of the NotPetya vaccine, this was just me. This was just me messing around with my laptop at my parents’ house and the whole thing was done in a matter of I want to say like three hours. So I don’t know and there were no clinical trials. We went straight to production with this thing.”
Amit’s NotPetya vaccine was a breakthrough. Even though untold numbers of computers were already dead, it signalled that an end was in sight.
Still, it wasn’t a kill switch. It only worked one machine at a time.
“[Amit] Think about it like COVID. The vaccine would not work if you’re already sick and the virus is replicating within your body and you’re breathing out and you’re spreading it. If you got sick and you are now infectious and while you’re sick you’re getting the vaccine, it’s already too late. So it’s basically the same logic. Putting that file in that specific path would keep your machine from getting infected. But if you were already infected and your machine is already spreading NotPetya, then putting that file there would just not do anything. It’s already too late at this point.”
PURPOSE OF ‘PERFC’
“[Nate Nelson] Do you think that your vaccine was something that the attackers might have been aware of that they could have say put on their own computers to prevent the malware from sort of hitting back at them or did you just outsmart them with something that they overlooked?”
“[Amit] So originally, I thought that this was a way for the malware to basically signal itself, oh, OK. I was already executed on this machine. There is no point in encrypting the drive again. And this is what I said in every single interview back then that I was interviewed. To my surprise, about a year and a half ago I think, Andy Greenberg released his book that’s called Sandworm, that I was interviewed for about NotPetya. And it was only after I read the book, it was revealed in the book that that vaccine, that perfc.dat file was actually found on other machines that the perpetrators did not want to infect.”
Remember what we said earlier: a mechanism that checks for the existence of a specific file can help prevent multiple infections of a single machine, or infections of unintended machines. Amit had assumed for years that, in this case, it was the former, but it was actually the latter.
Maybe this distinction seems unclear, or even trivial, so let’s parse it out. If NotPetya, after infecting a machine once, created a file in the directory titled “perfc.dat,” the purpose would be to avoid redundancy. The next copy of NotPetya to visit the machine would see it, and quit, knowing it was late to the party.
But the “perfc.dat” file was found on machines that were not infected by NotPetya. How did they get there, then? The attackers preemptively wrote the file to those computers, to vaccinate them from the impending pandemic.
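The per-machine vaccine the episode describes, written out as an added example (this is not code from the episode or from Cybereason): it creates the file names the transcript mentions, "perfc" and "perfc.dat" (both assumed here, since the episode itself is not precise about the extension), in the Windows directory and then reports whether they are present. It has to be run as Administrator, and, as Amit points out above, it only protects a machine that is not yet infected.

```powershell
# Added example: deploy and verify the NotPetya "vaccine" file(s) described in the episode.
# Assumptions: the file names come from the transcript ("perfc" and "perfc.dat");
# the Windows directory is taken from $env:WINDIR. Run from an elevated PowerShell.
# Caveat from the episode: this keeps a clean machine from being encrypted; it does
# nothing for a host that is already infected and spreading.

function Install-NotPetyaVaccine {
    param([string[]]$Names = @('perfc', 'perfc.dat'))
    foreach ($n in $Names) {
        $path = Join-Path $env:WINDIR $n
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # A zero-byte file is enough: per the episode, the malware only checks
            # that the file exists before deciding to quit.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only makes accidental removal by cleanup tools less likely.
        (Get-Item -LiteralPath $path).IsReadOnly = $true
    }
}

function Test-NotPetyaVaccine {
    param([string[]]$Names = @('perfc', 'perfc.dat'))
    foreach ($n in $Names) {
        $path    = Join-Path $env:WINDIR $n
        $present = Test-Path -LiteralPath $path -PathType Leaf
        $ro      = if ($present) { (Get-Item -LiteralPath $path).IsReadOnly } else { $false }
        # One status row per expected vaccine file
        [pscustomobject]@{ File = $path; Present = $present; ReadOnly = $ro }
    }
}

Install-NotPetyaVaccine
Test-NotPetyaVaccine | Format-Table -AutoSize
```

Test-NotPetyaVaccine on its own is the audit half: run it across a fleet to find hosts where the file is missing before relying on it.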
“[Amit] When the attackers wanted to basically maintain access to some of the machines that they wanted to access in the future, they would put this “vaccine” on these machines to keep those machines from being rendered useless. It’s like if the Chinese government intentionally created COVID-19 in a lab, but made sure to vaccinate Xi Jinping before it was released in Wuhan.”
“[Amit] This completely, at least for me, changed the narrative of this attack.”
Think about what this says about the motives of the people behind NotPetya. That they would take the extra effort to develop a vaccine for their own computers might indicate that they knew just how viral their malware would be. That it could spread so fast and so unstoppably that even they would be at risk, in a boomerang kind of way, if not for these precautionary measures.
For his part, Amit is not so cynical.
“[Amit] I think that the amount of destruction, especially when you were looking at what was done to the – to Maersk, the shipping company where they could not work at all. [. . .] I think that it just got out of hand.”
When the dust finally settled, most security researchers, and a number of governments, tied the NotPetya attack to Russia. In particular, they blamed Sandworm–a unit of the GRU which, just a couple years earlier, had attacked Ukraine’s power grid.
That Russia was behind a Ukraine-centered cyber attack is, probably, the most boring fact of this whole story. Russia is behind most Ukraine cyber attacks. This wasn’t even Sandworm’s first Ukraine job–a year and a half earlier they breached multiple energy companies, temporarily shutting off electricity for over 200,000 Ukrainian citizens for periods of up to six hours. We’ve actually covered that story already on this podcast, years ago, back when I was a young man and Nate Nelson was still sucking at his mother’s teat.
[Nate] Ran, I was 22 years old when we did that episode.
As I said, sucking on his mother’s teat.
So the Russia thing is expected. But if that seems like the finishing touch to wrap up our story, it’s not. In fact, it introduces as many mysteries as it answers.
NotPetya was built to do two things: spread everywhere, and destroy everything. That Russia would target Ukraine’s economy for cyber destruction is understandable, but this malware was built to go far beyond Ukraine. If Ukraine were the only target, the original backdoor–delivered through the M.E.Doc software update–would have sufficed to breach every target. You wouldn’t need EternalBlue, and you wouldn’t need Mimikatz. You wouldn’t need the number one most unique feature of NotPetya–how it can, and inevitably will, jump from Kiev to Copenhagen to New Jersey in just a few minutes’ time. Ukraine was a target of this malware, but not the target.
So why do it? Why unleash NotPetya on the world, knowing how much damage it would cause? Some people, like Amit, attribute it to a mistake–creating a beast that proved too difficult to control. That’s certainly possible. But there are other theories, too. A Director at Cisco, Craig Williams, pointed out that, maybe, the only thing better than hacking Ukraine is hacking everyone around them, too. Quote: “Anyone who thinks this was accidental is engaged in wishful thinking. This was a piece of malware designed to send a political message: If you do business in Ukraine, bad things are going to happen to you.” End quote.
You’d think that such a malicious attack, from a state-level actor, would warrant significant punishment. But the consequences to Russia, relative to the destruction they’re purported to have caused, were relatively minor. In March, 2018, the U.S. Treasury imposed a series of sanctions on five groups and 19 individuals, but those sanctions weren’t for NotPetya so much as they included NotPetya. From then-Treasury Secretary Steve Mnuchin, quote:
“The Administration is confronting and countering malign Russian cyber activity, including their attempted interference in U.S. elections, destructive cyber-attacks, and intrusions targeting critical infrastructure. These targeted sanctions are a part of a broader effort to address the ongoing nefarious attacks emanating from Russia.”
The key words there are “broader effort.” This feels a little disappointing but, really, what do you expect? It’s probably tough to come up with a response for such a massive crime as NotPetya. It’s the same problem we face with China and COVID: how do you reprimand a country for failing to prevent, and suppressing early warnings about the worst pandemic in a century? What punishment fits that level of crime?
Indeed, like the “perfc.dat” file pre-loaded onto their computers, the perpetrators in this story came away mostly consequence-free. On the plus side, we don’t know of any victims that went out of business as a result of NotPetya losses–apparently everyone got over it, after a while. Even Linkos Group–the modest, family-owned business that served as ground zero for the world’s costliest cyber pandemic–managed to survive the most exciting period in their history. And it was exciting. Quote:
“One week after NotPetya’s outbreak, Ukrainian police dressed in full SWAT camo gear and armed with assault rifles poured out of vans and into the modest headquarters of Linkos Group, running up the stairs like SEAL Team Six invading the bin Laden compound.
They pointed rifles at perplexed employees and lined them up in the hallway, according to the company’s founder, Olesya Linnyk. On the second floor, next to her office, the armored cops even smashed open the door to one room with a metal baton, in spite of Linnyk’s offer of a key to unlock it. “It was an absurd situation,” Linnyk says after a deep breath of exasperation.
The militarized police squad finally found what it was looking for: the rack of servers that had played the role of patient zero in the NotPetya plague. They confiscated the offending machines and put them in plastic bags.”
The Linkos Group update servers had finally been secured. Just a little late.