WannaCry FAQ: What you need to know today!
Friday May 12th will be the day we remember as the start of the mayhem caused by ‘WannaCry’, the most successful ransomware infection in history. Since Friday, security teams have been running around with their heads on fire trying to get ahead of the infection and to understand the malware’s capabilities. In the process, a lot of new, sales-lead-driven ransomware experts seem to have risen from the depths and confused the situation further.
Ok, before we go any further: have you applied the latest patches? If not, please do so before reading further!
Was there an e-mail attack vector? WannaCry Phishing link?
To date, an e-mail attack vector for WannaCry has not been determined. We are still investigating sources that suggest compromised websites were used to target some network endpoints. So far, what we can confirm is that systems are being targeted using an implementation of the well-known EternalBlue exploit leaked by the Shadow Brokers in April. This exploit installs the DoublePulsar backdoor, which is then leveraged to infect the system. Even if the EternalBlue exploit fails in the first place, the attack code still tries to use a DoublePulsar backdoor that might have been installed in a previous attack.
So potentially the main reason why WannaCry was so successful is that the EternalBlue exploit works over the internet without requiring any user interaction. It works over TCP port 445. Researchers are yet to discover how the payload was initially delivered.
Why did the attackers add a kill switch to WannaCry?
This is a question we have been asked many times, and it is of course confusing to most. However, it is important to understand how an IDS/IPS system works and how malware attempts to circumvent its rules. With this understanding (which we will not cover here) there are several possible explanations why the attackers added a kill switch. These could be:
- The attackers were afraid the attack might get out of control and wanted a way to stop propagation.
- Attackers coded it as an anti-sandbox check (IDS/IPS sandboxes emulate all internet connections and make them appear to work even if they do not exist).
- The kill switch enables the payload to enter industrial system networks through secure layers undetected.
Has this WannaCry attack been contained?
Researchers at Proofpoint began tracing the attack early, and Spambrella has remained in contact with them to follow progress and educate engineers. Since 06:00 UTC/GMT on Monday 15th May, it has been reliably reported that attacks have decreased sixfold compared with the first hours on Friday May 12th. This clearly indicates that infections based on the current variants (three variants) are reducing. This is largely due to Microsoft making the patch available to all and patches being deployed.
How does the WannaCry worm spread within a network?
The malware includes worm functionality that tries to infect any other unpatched Windows machines inside the local network, generating large volumes of SMB traffic. In simple terms, WannaCry scans LAN IPs for an open SMB port (TCP 445). Where it finds one, it delivers the EternalBlue exploit.
Is WannaCry targeting SMBv1 or SMBv2?
The vulnerability exploited by the EternalBlue tool lies in the SMBv1 implementation. However, to exploit it, the tool also uses SMBv2, meaning that both SMBv1 and SMBv2 packets appear during the attack. Disabling either SMBv1 or SMBv2 prevents the infection; however, while disabling SMBv1 (an old protocol) has no significant impact on modern systems, disabling SMBv2 can cause problems. This is why it is highly recommended to disable SMBv1, both for the current attack and for the future.
What should we do to make sure the organization is protected?
- Install the Microsoft Security Bulletin MS17-010 patches. Please note that Microsoft also released an emergency patch for Windows XP, which is otherwise no longer supported by Microsoft.
- Disable SMBv1.
- Back up your data on a regular basis and be sure to store the backups in more than a single location. If you back up online, be sure to also back up offline.
- Limit administrative privileges in the network.
- Segment your network.
- Make sure all nodes have endpoint security software installed and updated.
- Spambrella users: make sure users are unable to release emails suspected of being phish. If you need advice, contact firstname.lastname@example.org. Admins: set up alerts for such emails so they can be actioned or prevented immediately. Reduce your email threat vector with GeoBlocking to minimise exposure.
- For those who do not use Spambrella services, we suggest you contact your ISP/MSP for guidance on increasing email security protection measures or on further user education.
- WannaCry is also targeting embedded systems. We recommend ensuring that dedicated security solutions for embedded systems are installed, and that they have both anti-malware protection and Default Deny functionality enabled.
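As an added example (not code from the Spambrella post), the following PowerShell audits a Windows host against the first two items above, the MS17-010 fix and SMBv1, and disables SMBv1 when run with -Remediate. The -KbIds parameter and the Get-Smb1State and Disable-Smb1 helpers are this example's own names; the KB value is a placeholder to be replaced with the MS17-010 KB numbers for your OS build from the bulletin.

```powershell
# Added example (not from the Spambrella post): audit a Windows host for the MS17-010
# fix and the SMBv1 server protocol, and disable SMBv1 when -Remediate is given.
# Assumes an elevated PowerShell session. -KbIds is a placeholder: fill in the
# MS17-010 KB numbers for this OS build from the bulletin.
param(
    [string[]]$KbIds = @('KB-PLACEHOLDER'),
    [switch]$Remediate
)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later have the SMB server cmdlets; older builds
    # (Windows 7 / 2008 R2) expose the setting only through the LanmanServer registry key.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)   # SMB1 is on by default when the value is absent
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Where the OS packages SMB1 as an optional feature, remove that too.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat -and $feat.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

# 1. MS17-010 present? Get-HotFix only lists updates registered as hotfixes, so a miss
#    means "verify via Windows Update/WSUS", not "definitely unpatched".
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $KbIds -contains $_.HotFixID }
if ($installed) { Write-Output "MS17-010: patched ($($installed.HotFixID -join ', '))" }
else            { Write-Warning "MS17-010: none of $($KbIds -join ', ') found; verify via Windows Update" }

# 2. SMBv1 server protocol still enabled?
if (Get-Smb1State) {
    Write-Warning 'SMBv1 server protocol is ENABLED'
    if ($Remediate) { Disable-Smb1; Write-Output 'SMBv1 disabled; a reboot is required to take full effect' }
} else {
    Write-Output 'SMBv1 server protocol is disabled'
}
```

Run it without -Remediate first to get a report only; the registry fallback is what older builds without the SMB cmdlets need, and the change takes effect after a reboot.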