WannaCry - Executive summary

Conclusion

1. Windows – patch management for EOF is vital.
2. Antivirus – as always didn’t detect anything. Not sure they can by design.
3. Hots with open SMB to the internet by the millions  
4. Internal networks are very vulnerable.

Security product failing at money time 

deatils: 

•       Few month ago - Microsoft identifyee MS17-010 – affecting ALL MS versions

•       March 2017 - Patch was publicly released

•       April 2017 – Shadow Broker leak MS17-010

•       12 May 2017 ~ (two month later) a massive ransomware  attack was identified – WannaCry

•       The ransomware apparently utilize few know weakness including  MS17-010

•       Microsoft also update to unsupported versions. Also published work around 

Impact 

•       Telefonica – Spain

•       Sever damage according to ww cert’s

•       Fedex –USA

•       NHS – UK

•       Prime minister called the public to not arrive at the hospitals

•       World wide news publications

•       Very bad publicity to NSA and Microsoft

•       Microsoft had to issue a fix for un supported versions - XP and Windows server 2003

Vulnerability

•       Ransom ware – files are encrypted unless bitcoin payment is done

•       Attack apparently start with spear phishing emails contains attachments

•       The exploit was installed in the windows OS as the results of user opening the attachments (activating it)

•       Then the exploit code start looking for random internet IP’s and try to infect them.

•       It is then looks at the internal IP range and trying to infect the local PC’s

•       Attack vector  was SMB v1 – used for internal file sharing services thus targeting the internal networks

•       The ransom ware is then encrypt files of various types (list in the following pages)   

•       Kill switch was discovered:

•       The ransom ware is trying to access a unique domain name in the internet.

•       if it doesn’t exists it start encrypting the files.

•       If the domain exists the encryption doesn't start. A new versions without kill switch released 

Prevention recommendation

•       Recommendation to not block port 80 access to the following sites:

                www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com                  www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

*Note the this is outbound connection.

•       If proxied browser then allow this traffic out

•       Firewall should block any traffic from the internet on TCP445, TCP139, UDP137, UDP138

•       Patch ASAP 

•       Is not a zero day – was know 3 month ago

•       Any un patched MS box is at risk

•       NSA can hack almost anything but also can cause damage if they leak tools and vulnerabilities

•       Ransomware was 300 600- $ with bit coins

•       TechNet notification by Microsoft

•       Patching old systems / versions is critical

•       Ignoring patching even when challenging cost money

•       Security incident on massive scales happens

•       Internal networks are expose to exploit (not just web sites)

•       Any system should have emergency plan to patch unsupported versions