May 18, 2017

Things to know about WannaCry

The goal of this notification is to give meaningful and concise answers to the most common questions about the #WannaCry attack.


1-) What is WannaCry (WCRY)? How can it harm my infrastructure?


In April 2017, a hacker group called “TheShadowBrokers” leaked the National Security Agency’s (NSA) hacking toolkit FUZZBUNCH, which included many working exploits, one of which is called EternalBlue.

When EternalBlue is used against a target system together with the DOUBLEPULSAR payload, which is also included in the toolkit, the result is complete compromise: commands run on the target system with Administrator rights through the SMB service. The Microsoft Windows weakness that EternalBlue abuses was patched in MS17-010 (CVE-2017-0144); nevertheless, it also started being used by a ransomware called WannaCry.

In short, when the WannaCry ransomware spreads on an internal network, it scans the whole network for machines that have not received the MS17-010 patch. When it finds one, it infects that machine, encrypts its files, demands money for decryption and moves on to infect other machines; rinse and repeat.

2-) How does the ransomware spread?


The WannaCry ransomware worm spreads through the Microsoft Windows SMB protocol implementation. The exploit technique allegedly once used by the NSA to penetrate systems is now used by attackers to demand ransom on the machines they infect.

3-) How can I understand whether my systems are infected or not?


  • If you are using a SIEM solution with Cyber Threat Intelligence support, then by adding the IoCs (Indicators of Compromise) listed under [1] you can list the domains/IPs that were accessed historically.
  • If no systems are infected, you can scan your IP addresses from outside your internal network for the presence of the MS17-010 weakness.

4-) I found out that some of my machines are infected. Now what?


  • The infected machine should be taken offline immediately and isolated from the network, so that any further infection can be prevented.
  • The infected machine should be investigated (searching for its hostname and IP address in the SIEM logs) to find out the source of the infection.
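The two SIEM checks from questions 3 and 4, worked on constructed records; this is an added example and not part of the original notice. The IoC set, the IP addresses and the log lines are placeholders (the real indicator list is the US-CERT sheet referenced under [1]); the record layout "<UTC timestamp> <source> <destination> <port>" is an assumed SIEM-normalised format.

```python
# Added example (not from the original notice): the two SIEM checks above
# on constructed records. IoCs, IPs and log lines are placeholders; the
# real indicator list is the US-CERT TA17-132A sheet referenced under [1].
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts src dst port")

IOCS = {"wcry-c2.example", "192.0.2.66"}  # constructed stand-ins for [1]

# Constructed, SIEM-normalised connection records: "<UTC ts> <src> <dst> <port>"
SAMPLE_LOG = """\
2017-05-12T09:58:00Z 10.0.0.5 10.0.0.7 445
2017-05-12T10:02:45Z 10.0.0.7 wcry-c2.example 80
2017-05-12T10:03:00Z 10.0.0.12 10.0.0.7 3389
2017-05-12T10:05:00Z 10.0.0.7 10.0.0.9 445
2017-05-12T10:06:00Z 10.0.0.9 192.0.2.66 443
2017-05-12T10:09:00Z 10.0.0.21 10.0.0.7 445
"""

def parse_log(text):
    """One record per line; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, parts[1], parts[2], int(parts[3])))
    return events

def ioc_hits(events, iocs=IOCS):
    """Question 3: records whose destination is a listed domain or IP."""
    return [e for e in events if e.dst in iocs]

def infection_sources(events, host, iocs=IOCS):
    """Question 4: internal hosts that reached `host` on 445/TCP before its
    first IoC contact, i.e. candidates it was infected from. Returns [] if
    `host` never contacted an IoC."""
    hit_times = [e.ts for e in ioc_hits(events, iocs) if e.src == host]
    if not hit_times:
        return []
    first_hit = min(hit_times)
    return sorted({e.src for e in events
                   if e.dst == host and e.port == 445 and e.ts < first_hit})

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in ioc_hits(evs):
        print(f"IoC hit: {e.src} -> {e.dst}:{e.port} at {e.ts:%H:%M:%S}Z")
    print("10.0.0.7 reached on 445 before its first IoC hit by:",
          infection_sources(evs, "10.0.0.7"))
```

On the constructed sample, 10.0.0.7 and 10.0.0.9 show IoC contacts, and the only host that reached 10.0.0.7 on 445/TCP before its first IoC contact is 10.0.0.5.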

5-) What should a corporate employee do to prevent any infection?


  • Microsoft Windows systems in use should be patched immediately with the MS17-010 fix released on 14 March 2017.
  • Inbound access to port 445/TCP from outside the internal network should be closed if it is open.
  • If an Anti-SPAM service is in place, harden it against phishing attacks, specifically by enforcing SPF, DKIM and DMARC controls.
  • Review end-user operating system rights and enforce the least-privilege principle. Refrain from using shared accounts.
  • Review shared network files and directories and revoke WRITE privileges where they are unnecessary.
  • Develop periodic security awareness training sessions that will increase corporate security awareness.
  • Employ periodic penetration tests to uncover vulnerabilities as early as possible.
  • Don’t forget to back up periodically.

6-) Which operating systems are affected?


Nearly all actively used Microsoft Windows operating systems are affected by the WannaCry worm.
  • Windows XP
  • Microsoft Windows Vista SP2
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10
  • Windows Server 2008 SP2 and R2 SP1
  • Windows Server 2012 and R2
  • Windows Server 2016
The full list can be found in the MS17-010 document that Microsoft published [2].

7-) I use Windows XP, and Microsoft recently announced that Windows XP is no longer supported. What can I do for these machines?


Microsoft made an extraordinary move for the no-longer-supported Windows XP operating system to mitigate this serious weakness: the published security update also covers Windows XP machines.

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

8-) According to certain news portals, WannaCry also spreads using e-mails. Is this true?


  • WannaCry mainly and actively spreads via the Windows SMB port; however, according to some companies such as FireEye, variants also spread via company-specific phishing e-mails.
  • The phishing e-mail method consists of the recipient opening a link in the e-mail body, downloading a malicious file and opening it.
  • E-mail gateway services should be updated to block such malicious links so that these phishing e-mails do not reach end users’ inboxes.

9-) How can I test my systems against threats arriving via e-mail?


Cyber threats arriving via e-mail abuse insecure mail server configuration and the low security awareness of inbox owners.

10-) What are my options for getting early warnings about WannaCry and similar malware, and for long-term protection?


You can use open source or commercial cyber threat intelligence services to get early notifications about possible cyber threats.
  • Develop periodic security awareness training sessions that will increase corporate security awareness.
  • You can use the free NormShield ThreatIntel service [3] for early notifications about WannaCry and similar malicious activity.

[1] US-CERT: https://www.us-cert.gov/sites/default/files/ALERT_TA17-132A.xlsx
[2] Microsoft MS17-010: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[3] NormShield: https://reputation.normshield.com