
WannaCry and Carbon Black

While organizations have been under threat from ransomware for years, the attack landscape has been very narrowly focused. Victims tended to have to manually enable the attack through some method, such as opening email attachments or downloading unverified software. Much of that has changed with the large-scale WannaCry ransomware campaign that occurred Friday, May 12th. Hundreds of thousands of systems have already been compromised, and the attack is still ongoing. Along with our peers in the industry, Carbon Black’s Threat Research Team has been actively analyzing the malware and its threats.

LEARN MORE: CARBONBLACK.COM

TO LEARN MORE ABOUT HOW CARBON BLACK CAN HELP YOU, CONTACT YOUR REPRESENTATIVE AT 855 525-2489

COPYRIGHT © 2017. CARBON BLACK. ALL RIGHTS RESERVED.

What we learned was that the ransomware does not have any truly novel tricks up its sleeve. It is standard ransomware that, upon execution, creates dozens of files in its current location and starts infecting the system. It targets a specific set of file extensions, more than 150 of them, beginning with known Office documents, which is also in line with many other known ransomware families. What is truly unique about it is its method of delivery, which is believed to be through the now-known ETERNALBLUE exploit.

While the number of incidents is extremely high, many are believed to be the result of poor security posture. Protection against the ETERNALBLUE exploit is fairly basic. The exploit targets servers with SMB network sharing exposed to the Internet, a feature that should be immediately considered for deactivation. Servers are targeted over the standard network ports for the SMB service, all of which can be actively disabled in an organization’s firewalls.

More importantly, these exploits have been actively resolved by current, and ongoing, patches released by Microsoft. Patches should be considered for immediate testing and release within an environment. These suggestions follow the established SMB Security Best Practices.

Microsoft Bulletin MS17-010 is a security update for the Windows SMB server. It resolves vulnerabilities in Microsoft Windows, the most severe of which could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. The security bulletin, along with the appropriate patches, can be found here.

US-CERT recommends that users and administrators consider:

⬢ Disabling SMBv1

⬢ Blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

¹ Information taken from www.us-cert.gov

US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 and 2042791.

SECURITY BULLETIN

What Do We Know?


WannaCry, in particular, creates a single command line call to pave the way for its destruction:

    cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Aspects of this attack can be detected using standard, intuitive queries. The removal of volume shadow copies can be detected through the following query:

    ((cmdline:vssadmin cmdline:delete cmdline:shadows cmdline:quiet) OR (cmdline:wmic cmdline:shadowcopy cmdline:delete))

The ransomware then disables the Windows Startup Repair mode, a feature that would allow users to boot Windows into a safe recovery mode to delete ransomware. This activity can be queried by:

    (cmdline:bcdedit cmdline:default cmdline:recoveryenabled cmdline:no)

WannaCry takes the additional step of deleting existing backups using the Windows Backup command-line utility, wbadmin.exe. This action is not taken by many ransomware families and so many organizations do not have queries in place to search for it. This is easily performed with:

    (cmdline:wbadmin cmdline:delete cmdline:catalog cmdline:quiet)
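The three queries above, expressed as token-match rules and run over a few constructed process events, as an added example that is not part of the original bulletin or of any Carbon Black product. The rule names, the tokenizer and the sample events are assumptions made for this illustration; the token sets are taken from the queries as written.

```python
import re

# One entry per query above: a list of alternatives (the OR branches), each an
# AND-set of tokens that must all be present in the process command line.
RULES = {
    "shadow_copy_deletion": [
        {"vssadmin", "delete", "shadows", "quiet"},
        {"wmic", "shadowcopy", "delete"},
    ],
    "startup_repair_disabled": [{"bcdedit", "default", "recoveryenabled", "no"}],
    "backup_catalog_deletion": [{"wbadmin", "delete", "catalog", "quiet"}],
}


def tokenize(cmdline):
    # Approximates how a search index splits a field: lower-case, split on
    # anything that is not alphanumeric, so "/quiet", "-quiet" and "{default}"
    # all yield plain tokens.
    return {t for t in re.split(r"[^a-z0-9]+", cmdline.lower()) if t}


def match_rules(cmdline):
    # Return the sorted names of every rule the command line satisfies.
    tokens = tokenize(cmdline)
    return sorted(name for name, alternatives in RULES.items()
                  if any(alt <= tokens for alt in alternatives))


# Constructed sample process events (not real telemetry). The first one is the
# WannaCry command line quoted above; the others are benign look-alikes.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"host": "ws02", "process": "vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"host": "srv01", "process": "wbadmin.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
    {"host": "srv02", "process": "bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled yes"},
]


def triage(events):
    # Keep only events that fire at least one rule, with the rules they fired.
    return [(ev["host"], ev["process"], match_rules(ev["cmdline"]))
            for ev in events if match_rules(ev["cmdline"])]


if __name__ == "__main__":
    for host, process, rules in triage(SAMPLE_EVENTS):
        print(host, process, ", ".join(rules))
```

Because WannaCry chains all of these in one cmd.exe invocation, a single event firing all three rules is a much stronger signal than any one rule alone; the benign vssadmin, wbadmin and bcdedit commands in the sample set fire none.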

Carbon Black customers have multiple defenses against WannaCry ransomware

CB RESPONSE

Cb Response will detect this threat using a combination of both behavioral and intelligence-based indicators. Notably, Cb Response and Cb Threat Intelligence contain watchlists for applications attempting to remove Windows Volume Shadow Copies via vssadmin.exe. Specific queries can easily be written to search for this behavior, and others like it.

CB PROTECTION

Cb Protection running in Medium or High Enforcement mode will, by design, automatically prevent the ransomware from executing. This is due to Cb Protection’s strength in preventing execution of unknown binaries, especially those of very suspicious origins.

CB DEFENSE

Cb Defense’s default policy will block WannaCry ransomware. Cb Defense is ever-evolving such that new features will detect malicious activity from ransomware such as WannaCry and disable the malware before damage is done, even as it morphs.

CB RESPONSE IN ACTION


1. Back up data regularly. Verify the integrity of those backups and test the restoration process to ensure it’s working.

2. Secure your offline backups. Backups are essential: If you’re infected, a backup may be the only way to recover your data. Ensure backups are not connected permanently to the computers and networks they are backing up.

3. Configure firewalls to block access to known malicious IP addresses.

4. Logically separate networks. This will help prevent the spread of malware. If every user and server is on the same network, newer variants can spread.

5. Patch operating systems, software, and firmware on devices. Consider using a centralized patch-management system.

6. Implement an awareness and training program. End users are targets, so everyone in your organization needs to be aware of the threat of ransomware and how it’s delivered.

7. Scan all incoming and outgoing emails in order to detect threats and filter executable files from reaching end users.

8. Enable strong spam filters to prevent phishing emails from reaching end users and authenticate inbound email using technologies such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent spoofing.

9. Block ads. Ransomware is often distributed through malicious ads served when visiting certain sites. Blocking ads or preventing users from accessing certain sites can reduce that risk.

10. Use the principle of “least privilege” to manage accounts: No users should be assigned administrative access unless absolutely needed. If a user only needs to read specific files, the user should not have write access to them.

11. Leverage next-generation antivirus technology to inspect files and identify malicious behavior to block malware and malware-less attacks that exploit memory and scripting languages like PowerShell.

12. Use application whitelisting, which allows systems to only execute programs known and permitted by security policy.

13. Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.

14. Conduct an annual penetration test and vulnerability assessment.

Ransomware is on track to be a $1 billion crime in 2017, according to FBI data. That’s a substantial increase from 2015, when ransomware was a “mere” $24 million crime. Additionally, ransomware emerged as the fastest-growing malware across all industries in 2016. It appears that healthcare is now in the crosshairs. There are immediate steps your organization can take today to protect against WannaCry and other ransomware variants.

Every strategy should start with the simplest, most immediate risk-mitigation techniques available in order to limit the attack surface. Concurrently, user training and backup infrastructures should be evaluated, implemented, and practiced.

And please, patch, patch, patch!