Microsoft Released Guidance for WannaCrypt - SANS Internet Storm Center

Microsoft Released Guidance for WannaCrypt
Microsoft released information what can be done to protect against WannaCry[1] which includes deploying MS17-010 if not already done (March patch release)[2], update Windows Defender (updated 12 May)[3] and if not using SMBv1 to disable it available here. Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Note: If you are running Windows 10, you are not targeted by this attack. A live map of the infection is available here. Update 1: There is additional information including hashed, C&C sites as well as the file type it will encrypt and samples located here. US-CERT released the following information of Indicators Associated With WannaCry Ransomware here. Update 2: There are reports that indicate that WannaCry VERSION 2 has been released and the kill switch that had been activated by a security researcher has been removed. If you haven't already applied MS17-010 and blocked inbound SMB traffic, you can still fall victim of this Ransomware. [1] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks [2] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx [3] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt [4] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 [5] https://intel.malwaretech.com/WannaCrypt.html [6] https://gist.github.com/pcostesi/87a04a3bbbdbc4aeb8b787f45eb21197 [7] https://www.us-cert.gov/ncas/alerts/TA17-132A [8] http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html ----------- Guy Bruneau IPSS Inc. Twitter: GuyBrunea u gbruneau at isc dot sans dot edu	Guy 523 Posts ISC Handler May 13th 2017
Thread locked Subscribe	May 13th 2017 5 years ago
The interesting part is: Microsoft published patches for Windows XP, Windows Server 2003 and Windows 8, versions gone out of support quite some time ago!	Anonymous
Quote	May 13th 2017 5 years ago
It's the least they can do after leaving the back door open for the NSA toolkits. It's only when exploits get released to the public that MS considers them dangerous and patch-worthy.	Anonymous
Quote	May 13th 2017 5 years ago
Can you provide the sources for Update 2, please? Do you have references describing the Version 2 of WannaCry? Thank you in advance!	Anonymous
Quote	May 14th 2017 5 years ago
The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally. Has anybody seen anything other than "self-inflicted victims doing stupid stuff"? The real advice should have been short and direct: STOP PUTTING SERVERS DIRECTLY ON THE INTERNET! https://www.shodan.io/host/213.4.198.40 inetnum: 213.4.198.0 - 213.4.198.255 netname: TelefonicaGlobalTechnology descr: TELEFONICA GLOBAL TECHNOLOGY S.A. descr: Internet Public Addresses 80 137 - NetBIOS 443 - Subject Alternative Name: DNS:sip.telefonica.com, DNS:ap.telefonica.com, DNS:extcsweb01.telefonica.com, DNS:extowaweb01.telefonica.com, DNS:lync.tap.telefonica.com, DNS:lync.telefonica.com, DNS:lyncdiscover.tap.telefonica.com, DNS:lyncdiscover.telefonica.com, DNS:sip.tap.telefonica.com, DNS:tap.telefonica.com, DNS:webcon.telefonica.com, DNS:extcsweb02.telefonica.com, DNS:telefonica.com 445 - SMB 1434 - Microsoft SQL ServerVersion: 12.0.2000.8 - ServerName;ESTGVCSP011;InstanceName;RTCLOCAL;IsClustered;No;Version;12.0.2000.8;tcp;49178;; 3389 - RDP CN=ESTGVCSP011.europe.telefonica.corp 4443 - CN=MADJCCSEDGE01.europe.telefonica.corp 5985 8081 - says "McAfee Product Logs"	Anonymous
Quote	May 14th 2017 5 years ago
Quoting Anonymous:The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally. This is one possibility: all (not so) "smart" users who connect their unpatched Windows systems (patches were available for ALL versions except Windows Server 2003) to the Internet should have read not just Microsoft's advice "Block the ports for SMB at the perimeter". The real initial infection vector are but emails with executable attachments. Thanks to Microsoft's enormous fault made about 25 years ago all files created on Windows NT[FS] are executable. To stop your unsuspecting users from executing arbitrary files, either add the NTFS ACE "(D;OIIO;WP;;;WD)" to the NTFS ACL of every "%USERPROFILE%". Use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode this to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". Better use SAFER alias Software Restriction Policies and deny execution in every path unprivileged users can write. See <https://skanthak.homepage.t-online.de/SAFER.html>, plus <https://skanthak.homepage.t-online.de/appcert.html> and <https://support.microsoft.com/en-us/kb/2532445> to patch the loopholes.	Anonymous
Quote	May 14th 2017 5 years ago
Does anyone know how reliable could be removing Wcry from a infected system? According to Microsoft [1], Windows Defend or Windows Safety Scanner are able to detect and remove this threat from the system. We know that this isn't the best way, but for those dealing with thousands of infected machines, this could be a fastest way. [1] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt Thanks. Renato Marinho	Renato 1 Posts
Quote	May 14th 2017 5 years ago
Here is the link thehackernews.com/2017/05/…	Guy 523 Posts ISC Handler
Quote	May 14th 2017 5 years ago
While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well...	dogbert2 21 Posts
Quote	May 14th 2017 5 years ago
There are reports of users clicking on Email links or attachments but I can find no article/cert that gives one such example of an email or the attachment. It leaves me to think this is only spreadable by worm action. I'm happy to be proven wrong!	Anonymous
Quote	May 15th 2017 5 years ago
Quoting dogbert2:While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well... OUCH! If you don't need (to access) network shares on your Windows machines, just shutdown and DISABLE the server (a.k.a. LanManServer) service! NET.exe STOP Server SC.exe Server Start= Disabled This is the vulnerable component the worm uses to propagate. On Windows Vista and later, it's sufficient to only disable SMBv1 for the server service ... and restart it or reboot the machine: REG.exe Add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /V "SMB1" /T REG_DWORD /D 0 /F JFTR: this doesn't help if your users get the malware per mail and execute it! SAFER/SRP and AppLocker help then.	Anonymous
Quote	May 15th 2017 5 years ago

Microsoft released information what can be done to protect against WannaCry[1] which includes deploying MS17-010 if not already done (March patch release)[2], update Windows Defender (updated 12 May)[3] and if not using SMBv1 to disable it available here.

Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003.

Note: If you are running Windows 10, you are not targeted by this attack.

A live map of the infection is available here.

Update 1: There is additional information including hashed, C&C sites as well as the file type it will encrypt and samples located here. US-CERT released the following information of Indicators Associated With WannaCry Ransomware here.

Update 2: There are reports that indicate that WannaCry VERSION 2 has been released and the kill switch that had been activated by a security researcher has been removed. If you haven't already applied MS17-010 and blocked inbound SMB traffic, you can still fall victim of this Ransomware.

[1] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
[2] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[3] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt
[4] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
[5] https://intel.malwaretech.com/WannaCrypt.html
[6] https://gist.github.com/pcostesi/87a04a3bbbdbc4aeb8b787f45eb21197
[7] https://www.us-cert.gov/ncas/alerts/TA17-132A
[8] http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html

-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBrunea u
gbruneau at isc dot sans dot edu

Guy

523 Posts
ISC Handler

May 13th 2017

The interesting part is: Microsoft published patches for Windows XP, Windows Server 2003 and Windows 8, versions gone out of support quite some time ago!

Anonymous

It's the least they can do after leaving the back door open for the NSA toolkits. It's only when exploits get released to the public that MS considers them dangerous and patch-worthy.

Anonymous

Can you provide the sources for Update 2, please? Do you have references describing the Version 2 of WannaCry?

Thank you in advance!

Anonymous

The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally.

Has anybody seen anything other than "self-inflicted victims doing stupid stuff"?

The real advice should have been short and direct: STOP PUTTING SERVERS DIRECTLY ON THE INTERNET!

https://www.shodan.io/host/213.4.198.40

inetnum: 213.4.198.0 - 213.4.198.255
netname: TelefonicaGlobalTechnology
descr: TELEFONICA GLOBAL TECHNOLOGY S.A.
descr: Internet Public Addresses

80

137 - NetBIOS

443 - Subject Alternative Name: DNS:sip.telefonica.com, DNS:ap.telefonica.com, DNS:extcsweb01.telefonica.com, DNS:extowaweb01.telefonica.com, DNS:lync.tap.telefonica.com, DNS:lync.telefonica.com, DNS:lyncdiscover.tap.telefonica.com, DNS:lyncdiscover.telefonica.com, DNS:sip.tap.telefonica.com, DNS:tap.telefonica.com, DNS:webcon.telefonica.com, DNS:extcsweb02.telefonica.com, DNS:telefonica.com

445 - SMB

1434 - Microsoft SQL ServerVersion: 12.0.2000.8 - ServerName;ESTGVCSP011;InstanceName;RTCLOCAL;IsClustered;No;Version;12.0.2000.8;tcp;49178;;

3389 - RDP CN=ESTGVCSP011.europe.telefonica.corp

4443 - CN=MADJCCSEDGE01.europe.telefonica.corp

5985

8081 - says "McAfee Product Logs"

Anonymous

Quoting Anonymous:The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally.

This is one possibility: all (not so) "smart" users who connect their unpatched Windows systems (patches were available for ALL versions except Windows Server 2003) to the Internet should have read not just Microsoft's advice "Block the ports for SMB at the perimeter".

The real initial infection vector are but emails with executable attachments.
Thanks to Microsoft's enormous fault made about 25 years ago all files created on Windows NT[FS] are executable.
To stop your unsuspecting users from executing arbitrary files, either add the NTFS ACE "(D;OIIO;WP;;;WD)" to the NTFS ACL of every "%USERPROFILE%".
Use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode this to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories".

Better use SAFER alias Software Restriction Policies and deny execution in every path unprivileged users can write.
See <https://skanthak.homepage.t-online.de/SAFER.html>, plus
<https://skanthak.homepage.t-online.de/appcert.html> and
<https://support.microsoft.com/en-us/kb/2532445> to patch the loopholes.

Anonymous

Does anyone know how reliable could be removing Wcry from a infected system?

According to Microsoft [1], Windows Defend or Windows Safety Scanner are able to detect and remove this threat from the system. We know that this isn't the best way, but for those dealing with thousands of infected machines, this could be a fastest way.

[1] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt

Thanks.

Renato Marinho

Renato

1 Posts

Here is the link thehackernews.com/2017/05/…

Guy

523 Posts
ISC Handler

While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well...

dogbert2

21 Posts

There are reports of users clicking on Email links or attachments but I can find no article/cert that gives one such example of an email or the attachment. It leaves me to think this is only spreadable by worm action. I'm happy to be proven wrong!

Anonymous

Quoting dogbert2:While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well...

OUCH!
If you don't need (to access) network shares on your Windows machines, just shutdown and DISABLE the server (a.k.a. LanManServer) service!
NET.exe STOP Server
SC.exe Server Start= Disabled

This is the vulnerable component the worm uses to propagate.
On Windows Vista and later, it's sufficient to only disable SMBv1 for the server service ... and restart it or reboot the machine:
REG.exe Add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /V "SMB1" /T REG_DWORD /D 0 /F

JFTR: this doesn't help if your users get the malware per mail and execute it! SAFER/SRP and AppLocker help then.

Anonymous