Tuesday, July 4, 2017

ICS-CERT Updates Petya Advisory (#1)

Yesterday the DHS ICS-CERT updated its control system security alert for the ‘Petya Variant’. That alert was originally published last Friday, June 30th. The update provides links to three new vendor publications concerning Petya (two of which I mentioned last week):

Dragger (the ICS-CERT link is to an intermediate page); and

Interestingly, the Honeywell page also briefly mentions the CrashOverride malware (see the Dragos paper), which ICS-CERT has still not mentioned even though that malware is specifically directed at control systems rather than at the Microsoft OS, as Petya and WannaCrypt are.

The Dragger alert mentions a ‘vaccination’ method that apparently can prevent Petya: adding a read-only file called perfc (perfc.dll or perfc.dat also appear to work) to the C:\Windows directory. This has been reported in a number of locations (see for example here), but it has not been reported by ICS-CERT or US-CERT.
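One way to apply or audit that marker-file step across hosts, as an added example (not code from the Dragger alert, ICS-CERT or this post). The `-Directory` and `-AuditOnly` parameters are hypothetical names, and creating the files empty is an assumption, since the post specifies only the file names and the read-only attribute.

```powershell
# Added example: create or audit the read-only 'perfc' marker files in the Windows directory.
# Run from an elevated prompt; creating files under C:\Windows requires administrator rights.
param(
    [string]$Directory = $env:WINDIR,   # hypothetical parameter; C:\Windows on a default install
    [switch]$AuditOnly                  # hypothetical switch; report state without changing anything
)

# The three file names mentioned in the post.
$Names = 'perfc', 'perfc.dll', 'perfc.dat'

$results = foreach ($name in $Names) {
    $path = Join-Path -Path $Directory -ChildPath $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

    # A directory with the marker's name is not the file the post describes; report it and move on.
    if ($item -and $item.PSIsContainer) {
        [pscustomobject]@{ Path = $path; State = 'directory-not-file' }
        continue
    }

    if (-not $AuditOnly) {
        if (-not $item) {
            # Assumption: an empty file is sufficient (the post gives only name and attribute).
            $item = New-Item -Path $path -ItemType File -ErrorAction SilentlyContinue
        }
        if ($item -and -not $item.IsReadOnly) {
            Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
            $item = Get-Item -LiteralPath $path -Force
        }
    }

    $state = if (-not $item) { 'missing' }
             elseif ($item.IsReadOnly) { 'read-only' }
             else { 'writable' }
    [pscustomobject]@{ Path = $path; State = $state }
}

$results | Format-Table -AutoSize

# Non-zero exit when any marker is absent or writable, so the script can gate a compliance check.
if ($results | Where-Object { $_.State -ne 'read-only' }) { exit 1 }
```

Running it with `-AuditOnly` reports which hosts already have the markers without touching the file system.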

This update did not include mention of either the US-CERT report (a much more technically detailed report than any of the previously mentioned reports) or the Schneider report that I mentioned last week. Obviously, more updates are in the offing.
