On Friday, May 12th, a flurry of activity was recorded in security operations centers (commonly referred to as SOCs) as cybersecurity specialists sprang into action across the globe. As you’ve probably heard, WannaCry was the reason the alarm bells started ringing, setting the stage for some very long weekends for IT and security professionals around the world. WannaCry, a new ransomware variant, was sent out on a mission to exploit a vulnerability in the Windows operating system (MS17-010) that allows it to encrypt infected computers’ data and hold it hostage until a ransom is paid. In addition, the same vulnerability enables WannaCry to spread quickly to other machines in the same environment – all without any human intervention or assistance.
While Microsoft issued a patch for the vulnerability in March 2017, millions of computers have not been updated and remain susceptible to the attack. Microsoft even took the previously unprecedented step of releasing patches for the widely used but out-of-support operating systems Windows XP and Server 2003, underscoring the criticality of the issue.
This widespread global ransomware attack is the result of a vulnerability called “EternalBlue” that came out of the NSA exploit dump published by the Shadow Brokers. It should be noted that many other weaponized exploits were also included in those dumps, and they could be used next.
On Saturday, a National Health Service (NHS, UK) security analyst happened upon a ‘domain killswitch’ in the malware’s code. In layman’s terms, the malware is programmed to check the Internet for the existence of a particular Internet domain. If that domain doesn’t exist, the malware executes and encrypts the computer’s files. If the domain exists, the malware does not execute. The security researcher (Twitter: @malwaretech) registered the domain name and effectively killed the rapid spread of the infection, saving untold thousands of potential victims.
Worryingly, by today (Monday, May 15), the attackers have already released a new variant of WannaCry with no domain killswitch, so that was a one-time-use cure. The steps below are the only real way to avoid becoming a victim.
Take Steps for Prevention
- Patch ALL Windows machines in your environment immediately. The EternalBlue vulnerability was patched by Microsoft back in March as part of MS17-010 (KB4012215). CRITICAL – all Windows systems MUST be patched to address this issue. Microsoft has also released patches for out-of-support operating systems XP and 2003.
- Immediately disable inbound Server Message Block (SMB) access from the Internet (Port 445).
- Immediately disable inbound NetBIOS access from the Internet (Port 139).
- Strongly recommend also disabling inbound Remote Desktop Protocol (RDP) from the Internet (Port 3389).
- Maintain up-to-date backups of files and regularly verify that the backups can be restored.
- Using the domain list below, update your firewalls, proxies, and IPS to block traffic to/from the listed domains.
- Ensure your AV signatures are up to date as major vendors are all working to deliver updated signatures to detect/prevent this.
- If you discover any machine on your network compromised by this attack, remove that machine from the network immediately and report the incident to your CISO or CTO.
- Inform your users to be EXTREMELY cautious with email over the next several days and inform clients to forward suspicious emails to their CTO or CISO for analysis (but please don’t click any of the links, folks).
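The domain-blocking step above is only as good as your ability to see who is already talking to those domains. The following is an added example, not code from the original post or from TruShield: it loads a blocklist in the same "domain date registrar" layout as the list at the end of this post and sweeps DNS query logs for matches, including subdomains and trailing-dot names. The blocklist entries and log lines are constructed placeholders; the 33 real domains would be loaded from a file.

```python
import re

# Constructed placeholder blocklist (not the page's domains); in practice load
# the 33-domain list from a file, one "domain date registrar" entry per line.
BLOCKLIST_LINES = [
    "example-c2-one.us 2017-04-22 EXAMPLE REGISTRAR",
    "example-c2-two.com 2017-04-27 EXAMPLE REGISTRAR",
]

# Constructed sample DNS query log: "timestamp client qname qtype" per line.
SAMPLE_DNS_LOG = """\
2017-05-15T08:01:02Z 10.1.2.3 www.microsoft.com A
2017-05-15T08:01:05Z 10.1.2.7 example-c2-one.us A
2017-05-15T08:01:09Z 10.1.2.9 cdn.example-c2-two.com. A
2017-05-15T08:01:12Z 10.1.2.4 notexample-c2-one.us A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

def normalize_domain(name):
    """Lower-case and drop a trailing dot so 'Foo.US.' equals 'foo.us'."""
    return name.lower().rstrip(".")

def load_blocklist(lines):
    """Build a set of blocked domains from 'domain date registrar' lines."""
    blocked = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            blocked.add(normalize_domain(line.split()[0]))
    return blocked

def is_blocked(qname, blocked):
    """True if qname is a blocked domain or any subdomain of one."""
    labels = normalize_domain(qname).split(".")
    # Walk up the name: a.b.c.us -> b.c.us -> c.us -> us
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def find_hits(log_text, blocked):
    """Return (timestamp, client, qname) for each query to a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and is_blocked(m.group("qname"), blocked):
            hits.append((m.group("ts"), m.group("client"), m.group("qname")))
    return hits

if __name__ == "__main__":
    for ts, client, qname in find_hits(SAMPLE_DNS_LOG, load_blocklist(BLOCKLIST_LINES)):
        print(f"{ts} {client} queried blocked domain {qname}")
```

Each hit is an internal client that should be isolated and examined, per the step above on removing compromised machines from the network.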
The key infection vector for the worm is SMB open to the Internet on unpatched hosts. We recommend taking immediate action to scan your public IP space for listeners on ports 445, 3389 and 139. Anything that accepts an inbound connection on those ports will be scanned by the worm, and any unpatched system that is reachable will eventually be targeted.
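One way to carry out the exposure check just described, as an added example that is not part of the original post or TruShield's tooling: it attempts a plain TCP connect to ports 139, 445 and 3389 on each address of your own public range and orders the results so that hosts with SMB reachable (the worm's infection vector) come first. The addresses shown are constructed TEST-NET placeholders, and the probe function is injectable so the report logic can be exercised offline.

```python
import socket

# Ports the post calls out: NetBIOS session (139), SMB (445), RDP (3389).
WORM_PORTS = {139: "NetBIOS", 445: "SMB", 3389: "RDP"}

def tcp_listening(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False

def audit_exposure(hosts, probe=tcp_listening):
    """Map each host to the names of worm-relevant services reachable on it."""
    report = {}
    for host in hosts:
        report[host] = [name for port, name in sorted(WORM_PORTS.items()) if probe(host, port)]
    return report

def prioritize(report):
    """Order hosts for remediation: SMB reachable first, then any other exposure."""
    smb_first = [h for h, svc in report.items() if "SMB" in svc]
    others = [h for h, svc in report.items() if svc and "SMB" not in svc]
    return smb_first + others

if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-1); substitute your own public range.
    report = audit_exposure(["192.0.2.10", "192.0.2.11"])
    for host in prioritize(report) or list(report):
        print(host, ", ".join(report[host]) or "no exposed worm ports")
```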
IT Systems Administrators can also use this free scanning tool to determine if your systems are vulnerable to the WannaCry attack.
Find out how TruShield can give you the leverage you need with threat intelligence for early detection of threats like WannaCry.
33 domains found to be linked to WannaCry (listed as domain name, creation date and registrar)