On May 12, 2017, computer networks in more than 150 countries around the world were infected with a piece of ransomware called WannaCry in the largest single ransomware attack to date. Governments and private enterprise alike were affected, with everyone from the UK’s National Health Service to the Russian Interior Ministry to global shipping company FedEx reporting disrupted operations on account of the ransomware. While the UK and Russia appear to have been the hardest hit, there have also been reports of the malware appearing on computers in the GCC.
Since the release in April by the Shadow Brokers of various NSA-developed malware, the UAE-based cyber security firm DarkMatter’s cyber services researchers have been analysing the impact of the potential spread of these programmes.
WannaCry is a new ransomware threat identified by various security researchers. What sets it apart from earlier ransomware is that it spreads on its own: it uses an exploit called ETERNALBLUE to gain code execution on vulnerable hosts and a persistent kernel-mode backdoor known as DOUBLEPULSAR to load its payload. Both components are part of the Shadow Brokers leak of NSA tools. ETERNALBLUE exploits a vulnerability in Microsoft’s SMBv1 implementation (CVE-2017-0144) that allows an unauthenticated attacker to execute code on a vulnerable host over TCP port 445, without any user interaction.
Microsoft patched this vulnerability in March 2017 (Security Bulletin MS17-010), about a month before the Shadow Brokers published the exploit. On May 13, 2017 Microsoft also issued an out-of-band patch for systems that no longer receive security updates, including Windows XP, Windows Server 2003 and Windows 8. Any unpatched system with SMBv1 enabled is at risk: internet-exposed hosts can be hit directly, and once a single host inside a network is infected the worm scans for and exploits neighbouring hosts over port 445. Such systems must be patched immediately. Systems that cannot be patched should have SMBv1 disabled and access to port 445 restricted to mitigate the risk of compromise.
The initial infections are believed, at the time of writing, to have been delivered via phishing emails, highlighting the importance of employee security awareness. Once on a host, the malware encrypts the user’s files and demands a ransom in bitcoin, paid to an address controlled by the attackers; in this case the criminals are demanding roughly the equivalent of US$300 for the key to decrypt a user’s machine.
Security researcher @MalwareTechBlog found a ‘kill switch’: before it does anything else, the malware tries to connect to a hard-coded domain and exits if the connection succeeds. Registering that domain halted the spread of this variant, but users must understand that this is only a temporary reprieve. Hosts that cannot reach the domain directly (for example those behind a web proxy, which the malware does not use) are still encrypted, and a rebuilt sample can simply drop the check. WannaCry was also designed to make it trivial to swap out the ransomware payload and replace it with an alternative piece of malware, so this threat will continue to evolve in other ways over the next few months.
It is therefore only a matter of time before new threats appear that use the ETERNALBLUE exploit and DOUBLEPULSAR backdoor to spread. It is of the utmost importance that patches be deployed immediately and that the mitigation procedures outlined below are implemented.
Here are useful tips from DarkMatter to avert threats from WannaCry and similar ones in future:
I haven’t been infected yet—how do I stay safe?
What’s important to note about this attack is that it exploits a vulnerability Microsoft patched in March. So if you haven’t yet, take a look at Microsoft Security Bulletin MS17-010 and download the associated updates. Between the original bulletin and the May 13 out-of-band release, patches are available for both supported and unsupported versions of Windows dating back to Windows XP and Windows Server 2003. Expect more to come, so look out for them and follow the instructions. The following steps comprise a more detailed list of mitigation options:
* Apply MS17-010 patches immediately for all systems within corporate environments.
* Ensure robust patch management processes are in place to apply patches in a timely manner.
* For all internet-exposed systems running versions of Microsoft Windows vulnerable to MS17-010, block or filter TCP ports 139 (NetBIOS) and 445 (SMB) at the perimeter, and TCP 3389 (RDP) wherever remote desktop does not need to be reachable from the internet. Blocking 445 between internal network segments also limits how far the worm can spread once it is inside.
* For systems that cannot be patched, disable SMBv1.
* Scan all incoming and outgoing e-mails and block executable file delivery.
* Do not block the kill-switch domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com: the malware exits only if it can connect to it, so hosts that are prevented from reaching it get encrypted. Allow outbound traffic to the domain (or, where outbound web access is restricted, sinkhole it to an internal web server that answers the request), and alert on lookups of it, since any host querying that domain has executed the malware.
* Update anti-virus solutions and ensure they are set to automatically conduct regular scans.
* Manage the use of privileged accounts. Administrative privileges should only be provided to end users on an as needed basis for a limited time period via an organisational change management process.
* Countercept Security has released a script on GitHub that detects hosts on which the DOUBLEPULSAR backdoor is already installed. Run it against your address space: an implanted host is already compromised and must be treated as such, not merely patched.
* CCN-CERT has released a script that stops the ransomware from running on hosts that have not yet been infected, by blocking its execution after the initial checks it performs on start-up.
* Disable macro scripts from Microsoft Office files transmitted via e-mail.
* Ensure a robust security awareness programme is conducted to educate employees about the dangers of ransomware and phishing attacks.
* Ensure regular penetration testing is conducted within your environment to identify your organisation’s overall attack surface.
* Organisation-wide backup policies must be implemented and tested to ensure effectiveness.
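The DOUBLEPULSAR check relies on a quirk of the implant: it hooks the SMB Transaction2 handler, and when it receives a Trans2 SESSION_SETUP “ping” it echoes the request’s Multiplex ID raised by 0x10 (a probe sent with MID 0x41 comes back as 0x51), whereas a clean Windows host echoes the MID unchanged. The following Python is an added example, not part of DarkMatter’s advisory or of the Countercept script: it parses the NetBIOS/SMB1 header of such a response and flags the anomaly. All packet bytes are constructed for the example; the function and constant names are my own; the real Countercept script also performs the SMB negotiate, session setup and tree connect handshake before sending the probe, and derives the implant’s XOR key from the header’s signature field, neither of which is reproduced here.

```python
"""Flag SMB1 responses that carry DOUBLEPULSAR's tell-tale Multiplex ID.

The Countercept detection script sends a Trans2 SESSION_SETUP "ping" with
MID 0x41. An implanted host answers with the MID raised by 0x10 (0x51);
a clean host echoes 0x41. This code parses the reply header and checks that.
"""
import struct

NETBIOS_HDR_LEN = 4             # NetBIOS session service header
SMB_HDR_LEN = 32                # fixed-size SMB1 header
SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_SESSION_SETUP_ANDX = 0x73
PROBE_MID = 0x41                # MID carried by the probe request
MID_IMPLANT_DELTA = 0x10        # DOUBLEPULSAR adds this to the MID it echoes


def parse_smb1_header(data: bytes) -> dict:
    """Parse a NetBIOS session header plus the 32-byte SMB1 header.

    Raises ValueError for short buffers or a missing SMB1 magic.
    """
    if len(data) < NETBIOS_HDR_LEN + SMB_HDR_LEN:
        raise ValueError("buffer shorter than NetBIOS + SMB1 header")
    nb_len = int.from_bytes(data[1:4], "big")
    hdr = data[NETBIOS_HDR_LEN:NETBIOS_HDR_LEN + SMB_HDR_LEN]
    if hdr[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 packet")
    # SMB1 header, little-endian: magic(4) command(1) status(4) flags(1)
    # flags2(2) pid_high(2) signature(8) reserved(2) tid(2) pid(2) uid(2) mid(2)
    (command, status, flags, flags2, pid_high, signature, _reserved,
     tid, pid, uid, mid) = struct.unpack("<4xBIBHH8sHHHHH", hdr)
    return {
        "netbios_length": nb_len,
        "command": command, "status": status, "flags": flags,
        "flags2": flags2, "pid": (pid_high << 16) | pid,
        "signature": signature, "tid": tid, "uid": uid, "mid": mid,
    }


def is_doublepulsar_response(data: bytes, probe_mid: int = PROBE_MID) -> bool:
    """True if a Trans2 reply echoes the probe MID raised by 0x10."""
    hdr = parse_smb1_header(data)
    return (hdr["command"] == SMB_COM_TRANSACTION2
            and hdr["mid"] == probe_mid + MID_IMPLANT_DELTA)


def classify_responses(captures: dict) -> dict:
    """Map host -> 'doublepulsar' | 'clean' | 'error' for captured replies."""
    result = {}
    for host, data in captures.items():
        try:
            result[host] = "doublepulsar" if is_doublepulsar_response(data) else "clean"
        except ValueError:
            result[host] = "error"
    return result


def build_smb1_response(command: int, mid: int, *, tid: int = 0x0800,
                        uid: int = 0x0800, pid: int = 0xfeff,
                        status: int = 0, signature: bytes = bytes(8)) -> bytes:
    """Build a constructed (test-only) SMB1 reply with an empty Trans2-style body."""
    hdr = struct.pack("<4sBIBHH8sHHHHH", SMB_MAGIC, command, status,
                      0x98,      # flags: reply, case-insensitive, canonical paths
                      0xc807,    # flags2: unicode, NT status, long names
                      0, signature, 0, tid, pid, uid, mid)
    body = b"\x0a" + bytes(20) + b"\x00\x00"  # WordCount=10, 10 zero words, ByteCount=0
    pkt = hdr + body
    return b"\x00" + len(pkt).to_bytes(3, "big") + pkt


# Constructed sample captures, not real network data.
CLEAN_RESPONSE = build_smb1_response(SMB_COM_TRANSACTION2, mid=PROBE_MID)
IMPLANT_RESPONSE = build_smb1_response(SMB_COM_TRANSACTION2,
                                       mid=PROBE_MID + MID_IMPLANT_DELTA)
# The raised MID on any other command must not be flagged.
UNRELATED_RESPONSE = build_smb1_response(SMB_COM_SESSION_SETUP_ANDX,
                                         mid=PROBE_MID + MID_IMPLANT_DELTA)

if __name__ == "__main__":
    samples = {"10.0.0.5": CLEAN_RESPONSE, "10.0.0.9": IMPLANT_RESPONSE,
               "10.0.0.12": UNRELATED_RESPONSE, "10.0.0.13": b"\x00\x00\x00\x00"}
    for host, verdict in classify_responses(samples).items():
        print(f"{host:12s} {verdict}")
```

The check is deliberately narrow: only a Transaction2 reply whose MID equals the probe MID plus 0x10 counts, so a different command carrying MID 0x51 is not a hit, and a truncated or non-SMB reply is reported as an error rather than silently as clean. Any host that does produce a hit has been compromised already and should be isolated and rebuilt, not just patched.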
The following network detection signatures can identify traffic related to this threat:
Cisco (Talos) Snort rules: SIDs 42329-42332, 42340, 41978
Emerging Threats IDS Rule: 2024218 “ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”
This attack highlights just how critical it is for organisations to have a holistic approach to cyber security including staying on top of security patches, threat intelligence, incident response, and rock solid backups of all data. Cyber threats are constantly evolving, and without a defined strategy, your organisation is vulnerable.