Conclusion
- Windows – patch management for EOL (end-of-life) versions is vital.
- Antivirus – as always, didn't detect anything. Not sure it can, by design.
- Hosts with SMB open to the internet number in the millions.
- Internal networks are very vulnerable.
Security products failing when it matters most
Details:
• A few months ago, Microsoft identified MS17-010, affecting ALL MS versions
• March 2017 – the patch was publicly released
• April 2017 – Shadow Brokers leaked the MS17-010 exploit
• 12 May 2017 (about two months later) – a massive ransomware attack was identified: WannaCry
• The ransomware apparently exploits a few known weaknesses, including MS17-010
• Microsoft also released the update for unsupported versions, and published a workaround
Impact
• Telefonica – Spain
• Severe damage according to CERTs worldwide
• FedEx – USA
• NHS – UK
• The Prime Minister asked the public not to come to hospitals
• Worldwide news coverage
• Very bad publicity for the NSA and Microsoft
• Microsoft had to issue a fix for unsupported versions – XP and Windows Server 2003
Vulnerability
• Ransomware – files are encrypted unless a bitcoin payment is made
• The attack apparently starts with spear-phishing emails containing attachments
• The exploit is installed on the Windows OS as a result of the user opening (activating) the attachment
• The exploit code then starts looking for random internet IPs and tries to infect them
• It then looks at the internal IP range and tries to infect the local PCs
• The attack vector was SMB v1 – used for internal file-sharing services, thus targeting internal networks
• The ransomware then encrypts files of various types (list in the following pages)
• A kill switch was discovered:
  • The ransomware tries to access a unique domain name on the internet
  • If the domain doesn't exist, it starts encrypting the files
  • If the domain exists, the encryption doesn't start. New versions without the kill switch have been released
Prevention recommendations
• Recommendation: do not block port 80 access to the following sites:
www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
*Note that this is an outbound connection.
• If browser traffic is proxied, allow this traffic out
• The firewall should block any traffic from the internet on TCP 445, TCP 139, UDP 137 and UDP 138
• Patch ASAP
• This is not a zero-day – it was known 3 months ago
• Any unpatched MS box is at risk
• The NSA can hack almost anything, but can also cause damage when its tools and vulnerabilities leak
• The ransom was $300 to $600, paid in bitcoin
• TechNet notification by Microsoft
• Patching old systems / versions is critical
• Ignoring patching, even when it is challenging, costs money
• Security incidents on a massive scale do happen
• Internal networks are exposed to exploits (not just web sites)
• Every system should have an emergency plan for patching unsupported versions