Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Microsoft Released Guidance for WannaCrypt - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Released Guidance for WannaCrypt

Microsoft released information what can be done to protect against WannaCry[1] which includes deploying MS17-010 if not already done (March patch release)[2], update Windows Defender (updated 12 May)[3] and if not using SMBv1 to disable it available here.

Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.

Note: If you are running Windows 10, you are not targeted by this attack.

A live map of the infection is available here.

Update 1: There is additional information including hashed, C&C sites as well as the file type it will encrypt and samples located here. US-CERT released the following information of Indicators Associated With WannaCry Ransomware here.

Update 2: There are reports that indicate that WannaCry VERSION 2 has been released and the kill switch that had been activated by a security researcher has been removed. If you haven't already applied MS17-010 and blocked inbound SMB traffic, you can still fall victim of this Ransomware.

[1] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
[2] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[3] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt
[4] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
[5] https://intel.malwaretech.com/WannaCrypt.html
[6] https://gist.github.com/pcostesi/87a04a3bbbdbc4aeb8b787f45eb21197
[7] https://www.us-cert.gov/ncas/alerts/TA17-132A
[8] http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html

 

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu

Guy

400 Posts
ISC Handler
The interesting part is: Microsoft published patches for Windows XP, Windows Server 2003 and Windows 8, versions gone out of support quite some time ago!
Anonymous

Posts
It's the least they can do after leaving the back door open for the NSA toolkits. It's only when exploits get released to the public that MS considers them dangerous and patch-worthy.
Anonymous

Posts
Can you provide the sources for Update 2, please? Do you have references describing the Version 2 of WannaCry?

Thank you in advance!
Anonymous

Posts
The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally.

Has anybody seen anything other than "self-inflicted victims doing stupid stuff"?

The real advice should have been short and direct: STOP PUTTING SERVERS DIRECTLY ON THE INTERNET!

https://www.shodan.io/host/213.4.198.40

inetnum: 213.4.198.0 - 213.4.198.255
netname: TelefonicaGlobalTechnology
descr: TELEFONICA GLOBAL TECHNOLOGY S.A.
descr: Internet Public Addresses

80

137 - NetBIOS

443 - Subject Alternative Name: DNS:sip.telefonica.com, DNS:ap.telefonica.com, DNS:extcsweb01.telefonica.com, DNS:extowaweb01.telefonica.com, DNS:lync.tap.telefonica.com, DNS:lync.telefonica.com, DNS:lyncdiscover.tap.telefonica.com, DNS:lyncdiscover.telefonica.com, DNS:sip.tap.telefonica.com, DNS:tap.telefonica.com, DNS:webcon.telefonica.com, DNS:extcsweb02.telefonica.com, DNS:telefonica.com

445 - SMB

1434 - Microsoft SQL ServerVersion: 12.0.2000.8 - ServerName;ESTGVCSP011;InstanceName;RTCLOCAL;IsClustered;No;Version;12.0.2000.8;tcp;49178;;

3389 - RDP CN=ESTGVCSP011.europe.telefonica.corp

4443 - CN=MADJCCSEDGE01.europe.telefonica.corp

5985

8081 - says "McAfee Product Logs"
Anonymous

Posts
Quoting Anonymous:The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally.


This is one possibility: all (not so) "smart" users who connect their unpatched Windows systems (patches were available for ALL versions except Windows Server 2003) to the Internet should have read not just Microsoft's advice "Block the ports for SMB at the perimeter".

The real initial infection vector are but emails with executable attachments.
Thanks to Microsoft's enormous fault made about 25 years ago all files created on Windows NT[FS] are executable.
To stop your unsuspecting users from executing arbitrary files, either add the NTFS ACE "(D;OIIO;WP;;;WD)" to the NTFS ACL of every "%USERPROFILE%".
Use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode this to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".

Better use SAFER alias Software Restriction Policies and deny execution in every path unprivileged users can write.
See <https://skanthak.homepage.t-online.de/SAFER.html>, plus
<https://skanthak.homepage.t-online.de/appcert.html> and
<https://support.microsoft.com/en-us/kb/2532445> to patch the loopholes.
Anonymous

Posts
Does anyone know how reliable could be removing Wcry from a infected system?

According to Microsoft [1], Windows Defend or Windows Safety Scanner are able to detect and remove this threat from the system. We know that this isn't the best way, but for those dealing with thousands of infected machines, this could be a fastest way.

[1] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

Thanks.

Renato Marinho
Renato

1 Posts Posts
Guy

400 Posts Posts
ISC Handler
While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well...
dogbert2

18 Posts Posts
There are reports of users clicking on Email links or attachments but I can find no article/cert that gives one such example of an email or the attachment. It leaves me to think this is only spreadable by worm action. I'm happy to be proven wrong!
Anonymous

Posts
Quoting dogbert2:While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well...


OUCH!
If you don't need (to access) network shares on your Windows machines, just shutdown and DISABLE the server (a.k.a. LanManServer) service!
NET.exe STOP Server
SC.exe Server Start= Disabled

This is the vulnerable component the worm uses to propagate.
On Windows Vista and later, it's sufficient to only disable SMBv1 for the server service ... and restart it or reboot the machine:
REG.exe Add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /V "SMB1" /T REG_DWORD /D 0 /F

JFTR: this doesn't help if your users get the malware per mail and execute it! SAFER/SRP and AppLocker help then.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!