Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
beanat50
New Contributor

Petya

Not sure where exactly to post this question, so this is as good a spot as any.  Listened to the webcast on petya - Alex stated that the worm has the ability to use password hashes to log into other workstations whose credentials are available on the infected computer.  Does anyone know which credentials (or all) are vulnerable to being hijacked.  I can think offhand of local login credentials, credentials used to connect to mapped drives, and credentials used for remote desktop.  There are probably more.  We have several contacts whitelisted in our fortimail, which could pose a direct threat to our system.  Our backups run continuously day and night, so disconnecting them is not feasible, and running separate full backups would take days.  I need to formulate a reasonable response to this threat so that our backups are protected, from what I see as a gross violation of security built into windows.  It would help if I knew which credentials can be used for spreading the attack to other computers on the network.

2 REPLIES 2
emnoc
Esteemed Contributor III

Are we talking Petya or notPetya? ( they are not the same )

 

The latter uses  the whole event of  "user credentials"  that where compromised and infection due to unpatched hosts and SMBver1 and psexec against windows host based on the user account that was compromised.

 

Thank about this, if some one could just  use  a  "password" hashes to compromised a machine by  just a hashes,  that  would make every system exposed & if a weak hash or unsalted hash was used.

 

Ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
beanat50
New Contributor

Well, technically I suppose I should call it Not-Petya - it's the worm that made its rounds earlier this week and was the subject of discussion on the Fortinet webcast yesterday.  During that webcast Alex Harvey stated that this particular worm was able to use password hashes for credentials found on a compromised machine to log into other machines.  I agree this is a gross violation of any concept of security - which is what has prompted my question.  Assuming I understood what he said properly, I would need to make adjustments in my network security, and my network layout in general.  So, the question remains - if this is correct, then which credentials on an infected machine can be compromised by this worm.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors