Arraya Insights | May 16, 2017
This weekend saw one of the largest global cyber attacks in history, WannaCry, reportedly impacting FedEx, the National Health Service in the UK, and Telefonica in Spain among others.
As we’re certain this has been a common topic of conversation in the office, we wanted to arm you with some great information via the blog from the Cisco Security Intelligence group, Talos: http://blog.talosintelligence.com/2017/05/wannacry.html
| Summary for WannaCry Ransomware Campaign | |
|---|---|
| Overview | A major ransomware attack has affected many organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as “WannaCry.” The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them and then demanding a ransom payment in the form of Bitcoin. |
| Killswitch for WannaCry | Cisco Umbrella researchers first observed requests for one of WannaCry’s killswitch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak of just over 1,400 nearly 10 hours later. This domain has been registered by a UK security researcher and helped mitigate threats. |
| Actions | Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts. |
| More Analysis | Talos Intelligence: Wannacry |
| How Cisco Customers are Already Protected | Snort Rules: 42329-42332, 42340, 41978 (Meraki MX)<br>Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.<br>CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.<br>The network security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.<br>AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.<br>Umbrella prevents DNS resolution of the domains associated with malicious activity. |
One of the main points to capture relating to WannaCry is that basic blocking-and-tackling IT responsibilities will protect you. Windows patching and good network security prevent this variant. The other security tools come into play only after those basics have failed.
- Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
- In accordance with known best practices, any organization that has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic to those ports.
- Disable SMBv1.
- Segment and filter your network.
- Have reliable offline backups available when all else fails.
The elephant in the room is that a lot of organizations have struggled to implement those recommendations. If that’s you, Arraya can help.
If you have Cisco Security tools in your environment, here are some additional things to consider:
- Double-check the settings for your OpenDNS Umbrella, AMP for Endpoints and NGFW policies. If your policies are in monitor or audit mode, consider changing them to blocking or protection mode.
- If you have not enabled the IP, DNS and URL Security Blacklists, consider enabling them. (Do not block the sinkhole / killswitch domain(s))
- For those with the Sourcefire-based NGIPS, NGFW or FTD solutions, consider setting the blacklist update timer to 30 minutes from the default of 2 hours.
- If your Cisco NGIPS, NGFW or FTD solutions are set to auto-download rule updates every night, your systems will automatically be updated with these rules. If they are not set to auto-update, you can force a manual rule update.
- Talos has also released, on their blog site, a list of the SHA-256 file hashes for the malware and a list of the CnC (command and control) IP addresses, which should be blocked via a blacklist. If you don’t currently have a Cisco solution, you can manually enter this list of IP addresses to block in your internet-facing access control lists. If you have a Cisco solution, the blacklist has been auto-updated.
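As an added example (not from the Arraya post or from Talos), the following detection logic runs over DNS and firewall logs for the two indicators described above: hosts querying the killswitch domain (which must be allowed to resolve, not blacklisted) and worm-like fan-out over TCP 139/445. The log line formats, the IP addresses and the fan-out threshold are constructed assumptions.

```python
from collections import defaultdict

# Killswitch domain exactly as the Cisco Umbrella observation above lists it (defanged).
KILLSWITCH_DEFANGED = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"
SMB_PORTS = {139, 445}
FANOUT_THRESHOLD = 20  # assumption: distinct SMB targets per source before it counts as scanning

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def killswitch_lookups(dns_lines):
    """Return {source_ip: lookups} for hosts that queried the killswitch domain.
    A query means the sample executed there: let it resolve, but triage the host."""
    target = refang(KILLSWITCH_DEFANGED)
    hits = defaultdict(int)
    for line in dns_lines:                       # constructed format: "<ts> <src> <qname>"
        _ts, src, qname = line.split()[:3]
        if qname.rstrip(".").lower() == target:  # normalise case and trailing dot
            hits[src] += 1
    return dict(hits)

def smb_scanners(fw_lines, threshold=FANOUT_THRESHOLD):
    """Return {source_ip: distinct_targets} for sources fanning out over TCP 139/445,
    the worm-like spreading the Overview describes."""
    targets = defaultdict(set)
    for line in fw_lines:                        # constructed format: "<ts> <src> <dst> <dport>"
        _ts, src, dst, dport = line.split()[:4]
        if int(dport) in SMB_PORTS:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def triage(dns_lines, fw_lines):
    """Combine both signals into a per-host verdict."""
    looked_up, scanning = killswitch_lookups(dns_lines), smb_scanners(fw_lines)
    return {h: "spreading over SMB: isolate" if h in scanning
            else "killswitch lookup only: patch and investigate"
            for h in set(looked_up) | set(scanning)}

# Constructed sample logs: 10.0.5.17 queried the killswitch, then hit 25 hosts on 445.
DNS_SAMPLE = [
    "2017-05-12T07:24:03Z 10.0.5.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "2017-05-12T07:24:05Z 10.0.5.17 www.example.com",
    "2017-05-12T07:31:10Z 10.0.5.42 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.",
]
FW_SAMPLE = [f"2017-05-12T07:25:{i:02d}Z 10.0.5.17 10.0.7.{i} 445" for i in range(25)]
FW_SAMPLE += ["2017-05-12T07:26:00Z 10.0.5.42 10.0.7.1 445",
              "2017-05-12T07:26:01Z 10.0.5.42 10.0.7.2 139",
              "2017-05-12T07:26:02Z 10.0.5.9 10.0.7.3 80"]
```

Calling `triage(DNS_SAMPLE, FW_SAMPLE)` flags 10.0.5.17 as spreading and 10.0.5.42 as a host where the sample ran but only the killswitch lookup was seen.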
This is a very dynamic and ongoing situation. Variants and other ransomware campaigns continue to appear, in addition to the WannaCry ransomware garnering all the attention. There is a significant amount of confusion and misinformation in the media about WannaCry. We strongly recommend you rely on trusted security resources only for information. A great source of truth is the Talos forensics group via their blog site and their Twitter feeds: http://blog.talosintelligence.com/. To fully understand this ransomware, that blog is worth your time.
Arraya’s Cyber Security Practice is well-versed in deploying ransomware defense technologies and strategies. Our Vulnerability Management Services and framework gap assessments are specifically targeted towards defending against the kinds of threats unveiled in the last week. Also, our Microsoft team can help you with your Windows management challenges. Additionally, Arraya’s security incident and event management solutions, combined with advisory services like training and awareness, incident response planning, and disaster recovery options, arm companies with the tools they need to combat advanced persistent threats and recover quickly in the event catastrophe does strike. To learn more about WannaCry or start a conversation about how to keep your business safe from this and other malware and ransomware variants, visit: https://www.arrayasolutions.com/contact-us/.