Please note that we have issued an updated advisory. (15/05/2017)
As most will be aware a large global malware attack took place yesterday affecting a large number of organisation around the world. Initially it was viewed in the media as a targeted attack against the UK’s National Health Service/Healthcare but as of this morning (13th May) at least 120, 000 hosts have been infected worldwide across 90+ countries, affecting organisations across all industries.
The malware in question is a new variant of the WannaCry or WCry ransomware that has been updated to take advantage of the recently disclosed Microsoft SMB vulnerabilities (MS17-010), exploited by the NSA through an internal tool known as “EternalBlue” and leaked online in April. This enables the malware to propagate rapidly through the network to any vulnerable hosts to repeat the process. This has been helped by the large number of unpatched hosts and, in many cases, use of unsupported Operating Systems such as Windows XP or Windows Server 2003 for which patches were not available.
In short:
- Ransomware is being delivered via a phishing campaign where the email contains a Word attachment with an encrypted archive.
- Upon opening and executing the attachment, additional malware is downloaded from the Internet (multiple executables)
- Observed & reported malware behaviour includes:
- On execution, makes an attempt to connect to a non-existent domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) as part of a kill switch, potentially as a sandbox evasion technique
- Makes use of Tor network for command & control connections, using various .onion addresses
- The malware embeds itself in the host as a Windows Service (mssecsvc2.0)
- Attempts to connect to all local machines on port 445 (SMB) to discover and infect vulnerable hosts (worm propagation)
- Evidence to show it attempts to connect to random internet IP addresses to discover and infect further vulnerable hosts
- Encrypts files stored on local, network & removable storage
- Displays ransom message on the desktop to request payment via BitCoin
- May deploy “DoublePulsar” to create a backdoor for remote access & code execution
These reports are initial and investigation is on-going. Variants of the malware may behave differently from the above.
Presently the malware has largely been halted due to the discovery of the hard coded kill switch that attempted a HTTP connection to a random un-registered domain. This domain has now been registered and sinkholed but this may only bring temporary respite as it would not take a great deal of effort to change the domain or make it randomly generated, as part of a new variant. New variants may already be active so immediate steps should be taken to mitigate the risk.
Current Recommended Actions:
- Microsoft released a set of patches a number of months ago that remediate vulnerabilities exploited by the worm element of this ransomware. Our advice is to apply the latest Windows patches to all servers and workstations. In particular, apply the patch MS17-010. This should prevent the infection spreading should one of your systems be infected.
- Microsoft has taken the unprecedented step of creating security patches for unsupported systems such as Windows Server 2003 and Windows XP. It is highly recommended you patch these systems - https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
- Where devices cannot be patched, disabling SMB version 1 on these hosts may provide a level of protection. Please note: disabling SMBv1 in general should be considered as a protective measure.
- Should you be unable to patch systems or disable SMBv1 it is recommended to either isolate or removed them from the network.
- As there is evidence the ransomware attempts to self-propagate via the internet as well as the local network, it is recommended to ensure inbound SMB connections are blocked on the firewall, if they are not already.
- Advise users to be extra vigilant when receiving emails. Any emails with suspicious links or attachments should not be opened and links should not be clicked. In the short term, it may be prudent to send any emails with attachments to quarantine and release on a manual case by case basis.
- Update all IPS signatures and monitor for new updates. The majority of major IPS vendors released signatures for the SMB vulnerabilities (CVE-2017-0143 to CVE-2017-0146 & CVE-2017-0148) back in March, please ensure these are set to Block/Prevent. Please note, these will only be effective at preventing the spread of any infection and where the LAN environment is segmented and internal traffic passes via an IPS
Please email info@integrity360.com if you would like further advice on protecting against this threat.
References:
- Malware Bytes: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
- Check Point: https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0177.html
- Cisco Talos: http://blog.talosintelligence.com/2017/05/wannacry.html
- MalwareTech: https://intel.malwaretech.com/botnet/wcrypt/
We would like to acknowledge our partners, Check Point for their information, analysis and assistance in compiling this article.