On Friday, May 12th our digital lives were disrupted by the latest cyberattack, WannaCrypt a.k.a. WannaCry. It was a reminder to everyone that security continues to be a paramount agenda item for every business and technology leader as they look to digitally transform their organizations. This new ransomware spreads like a worm: it first surfaced in the UK and Spain and then quickly spread globally, locking hospitals, businesses, governments and home computers out of their data unless a ransom was paid in Bitcoin. The exploits used in the attack were drawn from the exploits stolen from the National Security Agency (NSA) in the United States, which were publicly reported earlier this year.

This attack brought forward the importance of running a well-secured infrastructure to protect against zero day exploit situations. In this case the attack leveraged a vulnerability that Microsoft had FIXED one month prior: on March 14, Microsoft released a security update to patch this vulnerability and protect our customers. We understand organizations need time to test their systems and applications before deploying the latest patches and updates; however, we now have tools like System Center Configuration Manager (SCCM) and Microsoft Intune which provide the right solutions to manage this deployment lifecycle. Aboutxtreme offers fixed-cost consulting offerings for SCCM, EMS and Optimized Desktops to help you get started and optimized on these solutions quickly.

Generally, ransomware does not spread rapidly; it leverages social engineering techniques to target customers. In this unique case, however, the perpetrators used well-known public SMB exploits for the patched SMB “EternalBlue” vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017. The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems and does not affect Windows 10 operating systems.

The threat arrives as a dropper Trojan that has the following two components:

  1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability on other computers
  2. The ransomware known as WannaCrypt

The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is “WNcry@2ol7”, and the ransom message displayed to the victim is shown below:

[Screenshots: WannaCrypt ransom message]

The dropper tries to connect to the following domains using the API InternetOpenUrlA():

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system. In other words, unlike in most malware infections, IT Administrators should NOT block these domains. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
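As an added example (not code from the original post or from Microsoft), the following Python script mirrors the dropper's decision so an administrator can verify that the local DNS record recommended above really makes the kill-switch domains resolve and accept a direct TCP 80 connection. The resolve/connect callables are parameters so the decision logic can be exercised without network access.

```python
import socket

# Kill-switch domains quoted in the post, defanged as written there.
KILL_SWITCH_DOMAINS = [
    "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com",
    "www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test",
]

def refang(domain: str) -> str:
    """Turn the defanged 'a[.]b' form back into a resolvable name."""
    return domain.replace("[.]", ".")

def tcp80_open(ip: str, timeout: float = 3.0) -> bool:
    """Direct (non-proxied) TCP connect to port 80: the malware is not proxy-aware,
    so this is the connection the dropper itself would have to complete."""
    try:
        with socket.create_connection((ip, 80), timeout=timeout):
            return True
    except OSError:
        return False

def probe(domain, resolve=socket.gethostbyname, connect=tcp80_open) -> dict:
    """Mirror the dropper's check: resolve the name, then connect on TCP 80.
    resolve() may return None or raise OSError when the name does not resolve."""
    name = refang(domain)
    try:
        ip = resolve(name)
    except OSError:
        ip = None
    connected = bool(ip) and bool(connect(ip))
    # A successful connection is exactly the condition under which the dropper stops.
    return {"domain": name, "ip": ip, "connected": connected, "dropper_stops": connected}

def check_all(resolve=socket.gethostbyname, connect=tcp80_open) -> list:
    """Probe every kill-switch domain; any 'dropper_stops': False means the
    kill switch would not protect hosts on this network segment."""
    return [probe(d, resolve, connect) for d in KILL_SWITCH_DOMAINS]

if __name__ == "__main__":
    for r in check_all():
        verdict = "would stop" if r["dropper_stops"] else "would PROCEED to infect"
        print(f'{r["domain"]}: ip={r["ip"]} tcp80={r["connected"]} -> dropper {verdict}')
```

Run it from a representative workstation on each segment, since the result depends on that host's resolver and outbound path rather than on the administrator's own machine.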

Call to Action: we recommend that all customers take the following 8 steps to protect their organizations from attacks like these.

  1. This recent WannaCrypt malware exploits a Server Message Block (SMB) vulnerability (CVE-2017-0145). Customers should immediately install MS17-010 to resolve this vulnerability.
  2. Review all endpoints, servers and Azure subscriptions that have SMB endpoints exposed to the internet, commonly associated with ports TCP 139, TCP 445, UDP 137, UDP 138. Microsoft recommends against opening any ports to the internet that are not essential to your operations.
  3. Disable SMBv1 – instructions located here: https://aka.ms/disablesmb1
  4. Utilize Windows Update to keep your machines up-to-date with the latest security updates. If you are running Azure Cloud Services (Platform as a Service Web Roles and Worker Roles or Infrastructure as a Service (IaaS)), automatic updates are enabled by default, so there is no further action required. All Guest OS versions released after March 14th, 2017 contain the MS17-010 update. You can view the update status of your resources on an ongoing basis in Azure Security Center.
  5. Use the Azure Security Center to continuously monitor your environment for threats. Collect and monitor event logs and network traffic to look for potential attacks using the Azure Security Center, and check for new security alerts and quickly investigate any threats detected.
  6. Use Network Security Groups (NSGs) to restrict network access. To reduce exposure to attacks, configure NSGs with in-bound rules that restrict access to only required ports. You can use network firewalls from a range of companies for additional security. Azure Security Center provides a view of the security for all your networks in Azure, and helps you identify those with internet accessible endpoints, insufficient NSG protections, and in some cases recommends a firewall solution.
  7. Confirm that anti-malware is deployed and updated. If you are using Microsoft anti-malware for Azure or Windows Defender, Microsoft released an update last week which detects this threat as Ransom:Win32/WannaCrypt. If you are running anti-malware software from any of the other security companies, you should confirm with your provider that you are protected. You can also use Azure Security Center to verify that anti-malware, and other critical security controls, are configured for all of your Azure virtual machines.
  8. Configure backups with multifactor authentication. An important part of recovery from any compromise is having a strong backup solution in place. If you are already using Azure Backup, you can recover data if your servers are attacked by ransomware. Only users with valid Azure credentials can access the backups stored in Azure. We also recommend enabling Azure Multi-Factor Authentication to provide an additional layer of security to your backups in Azure.
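Steps 2 and 6 above come down to whether an NSG's inbound rules leave TCP 139/445 and UDP 137/138 reachable from the Internet. As an added example (not the post's or Microsoft's code), this Python evaluates a list of security rules in the ARM/REST property shape with the NSG's lowest-priority-number-wins semantics and reports which SMB ports a given rule set exposes; the sample NSGs are constructed, and broad CIDRs other than 0.0.0.0/0 are deliberately not expanded.

```python
# Ports the post lists as commonly associated with SMB endpoints exposed to the Internet.
SMB_PORTS = [("Tcp", 139), ("Tcp", 445), ("Udp", 137), ("Udp", 138)]
# Source prefixes treated as "the whole Internet" (assumption: broad CIDRs such as 0.0.0.0/1 are not expanded).
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def _ports(p: dict) -> set:
    """Expand destinationPortRange(s) such as '*', '445' or '137-138' into a set of port numbers."""
    raw = p.get("destinationPortRanges") or [p.get("destinationPortRange", "*")]
    out = set()
    for r in raw:
        if r == "*":
            return set(range(65536))
        lo, _, hi = r.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def effective_access(rules: list, protocol: str, port: int) -> str:
    """Evaluate inbound rules from the Internet the way an NSG does: lowest priority number
    wins and the first matching rule decides; fall back to the platform default DenyAllInBound."""
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        srcs = p.get("sourceAddressPrefixes") or [p.get("sourceAddressPrefix", "*")]
        if p.get("direction", "Inbound") != "Inbound" or p["protocol"] not in ("*", protocol):
            continue
        if not INTERNET_SOURCES & set(srcs):
            continue  # rule does not apply to Internet sources
        if port in _ports(p):
            return p["access"]
    return "Deny"

def exposed_smb(rules: list) -> list:
    """Return the (protocol, port) pairs that an NSG leaves reachable from the Internet."""
    return [(proto, port) for proto, port in SMB_PORTS if effective_access(rules, proto, port) == "Allow"]

def _rule(name, priority, protocol, src, ports, access):
    """Build a security rule in the ARM/REST shape (properties dict with destinationPortRanges)."""
    return {"name": name, "properties": {"priority": priority, "protocol": protocol,
            "sourceAddressPrefix": src, "destinationPortRanges": ports,
            "access": access, "direction": "Inbound"}}

# Constructed sample NSGs (not from the post): a wide-open rule versus explicit SMB denies
# placed ahead of a narrower allow for HTTPS.
WEAK_NSG = [_rule("allow-all-in", 100, "*", "*", ["*"], "Allow")]
HARDENED_NSG = [
    _rule("deny-smb-tcp-in", 100, "Tcp", "Internet", ["139", "445"], "Deny"),
    _rule("deny-smb-udp-in", 110, "Udp", "Internet", ["137-138"], "Deny"),
    _rule("allow-https-in", 200, "Tcp", "Internet", ["443"], "Allow"),
]
```

`exposed_smb(WEAK_NSG)` lists all four SMB ports while `exposed_smb(HARDENED_NSG)` is empty, which is the check to run against each NSG exported from a subscription.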

Aboutxtreme has created the WannaCrypt Health Check, our new Fixed Cost Services Offering, to help professionals and organizations like yours better understand and protect against this threat. Contact our Business Development team today on hello@aboutxtreme.com and we will be happy to discuss it in detail.

Stay Safe and Secure!