June 2017 hacker attack was aimed to collect info about Ukraine's enterprises
Ukraine's security service SBU is warning of a possible new hacker attack on the networks of Ukrainian state agencies and businesses and therefore, is calling to abide by specially designed recommendations, the SBU press center said.
"On June 27, 2017, Ukraine was subjected to a large-scale cyber-attack involving the malicious software identified as the computer virus Petya. In analyzing the attack's effects and preconditions, it was determined that it was preceded by a collection of data regarding Ukrainian enterprises [...], the data's subsequent concealment in the files called cookies and dispatch to a command server. SBU experts assume that the information was exactly the target of the cyber-attack's first wave and might be used by the attack's actual initiators in terms of both cyber intelligence and further destructive actions," the SBU said on Friday.
According to the SBU, what evidences that is the Mimikatz utility application found by the experts that looked into the Petya cyber-attack. Mimikatz exploits architectural particularities of the Kerberos service in Microsoft Active Directory for the purposes of covertly preserving an access with privilege over the domain's resources. The operation of the Kerberos service is based on the exchange and verification of the so-called ticket-granting tickets (TGT). In most agencies and organizations, information security rules do not require changing the krbtgt password for user access, the SBU said.
Thus the perpetrators, who obtained an unauthorized access to some administrative data as a result of the Petya hacker attack, gained an opportunity to generate a provisionally open-ended TGT ticket issued to the built-in administrator's identity (SID 500), it said.
In this regard, the SBU recommends that system administrators perform a number of actions as soon as possible and first and foremost, exercise mandatory modification of the krbtgt password for user access.