Post by Moshe Ben Simon, VP of Services and TrapX Labs.
Events at the end of last week bore out the point I made in a previous blog: that the Vault7 NSA tools archive released by WikiLeaks would prompt a new wave of innovation in cyber-crime. WannaCry was an innovation in the sheer scale and audacity of the attack.
WannaCry absolutely changed the landscape for ransomware, from a ‘point to point’ encryption model to a ‘point to multi-point’ model, in which a single infected machine can damage the entire infrastructure. In doing so, it demonstrated clearly that the adversary can work far faster than the defender, and it completely redefined ‘time to value’ in the context of securing large organisations at risk of a breach by such effective methods of attack. It also changed the economics of the attack, by reducing the attacker’s challenge to infecting a single machine and letting a single previously unknown vulnerability take care of the rest.
With hospitals having to move patients to other hospitals because of system availability issues caused by the ransomware, it’s not unthinkable that lives were lost because of a cyber infection, rather than a biological one.
WannaCry was interesting from another perspective. The ransoms were relatively small – just a few hundred dollars. But with dozens or hundreds of systems affected across an estimated 45,000 target organisations in 75 countries (a number increasing every hour), the income for the criminals is potentially very lucrative indeed, particularly when one considers that the original vulnerability was researched and discovered by someone else!
Clearly Monday 15th May 2017 will be a time for particular vigilance at all organisations with potentially vulnerable systems, as employees tackle the weekend backlog, which may include one of the phishing emails responsible for Friday’s attack.
The WannaCry attack raises several questions that should be addressed in a security architecture:
- Phishing is still a primary vector. How effective is my end-user training program? Do I have a training program at all?
- Do my IT processes effectively allow me to deploy critical patches? How do I verify that I have deployed the right one?
- Do I have effective visibility of my network at the VLAN level? Do I have effective early breach detection beyond the deluge of calls hitting the helpdesk when it’s already too late?
- Does my incident response plan account for zero day events? Do my current tools effectively support the plan? Where are the gaps?
WannaCry used an exploit called ETERNALBLUE from the Equation Group. This was part of the Fuzzbunch toolkit released by Shadow Brokers at the end of April. The rest of the code could be described as ‘garden variety’ ransomware.
TrapX Labs has spent the last 48 hours working closely with customers and other partners in the industry and will publish a full technical report within the next 48 hours, with information that has not yet been made public. We have decided to release now the parts of the threat intelligence research that are critical for incident response teams, so that they can take immediate action and mitigate the risk and chance of material damage. The following highlights should be considered immediate responses:
- We highly recommend checking mail servers for the following email addresses and associated domains, and cleaning out the phishing mails before they can be opened and the malware launched:
- Phishing mail subjects:
- Aviso – depósito a Cuenta Interbancaria
- PAGO DE SERVICIO CIE
- RETIRO DE EFECTIVO EN ATM AJENO
- Alertas Bancomer Móvil
- FISCAL CREDIT TAX COLLECTION
- TRASPASO DE TERCEROS BANCOMER (TDC)
- TRASP CTAS BANCOMER(CON O SIN CHEQUERA)
- TRASPASO CUENTAS PROPIAS (TDC)
- TRASPASO INTERBANCARIO
- Activacion de TOKEN
- Alertas Bancomer.com
- Comprobante / Notificación – Retiro de Efectivo
- ULTIMOS DíAS PARA ACTUALIZAR TUS DATOS
- Transferencia Banca en Lnea
- ACTIVACION TDC
- ACTUALIZA TUS DATOS Y USA TU TARJETA
- ACTIVACION TDD
- BLOQUEO TDD
- RECEIVED TRANSACTION FILE
- Malicious Domains:
- Malicious IPs:
- Snort rules – Emerging Threats:
- alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)
- alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
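The two rules above work as a pair: the request rule matches the SMB echo request and only sets a flowbit (flowbits:noalert), and the response rule alerts only when that bit is already set on the same flow, so a stray response on its own stays silent. The following Python is an added illustration of that logic, not code from TrapX or Emerging Threats: it parses the pipe-delimited content patterns into bytes, applies the depth and distance:0 constraints the way Snort does, and tracks flowbits per flow. The sample payloads are constructed here from the rule patterns plus padding and are not real captures; the flow identifiers are arbitrary labels. It models neither stream reassembly nor the flow:established check, so it is a reading aid for the rules, not a substitute for running them in Snort or Suricata.

```python
# Added illustration of how the two Emerging Threats rules quoted above
# cooperate via flowbits. Patterns and option values are copied from the
# rules; everything else (rule dicts, sample payloads, flow ids) is constructed.

REQUEST_RULE = {
    "name": "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)",
    "direction": "to_server",
    "contents": [
        ("|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|", {"depth": 16}),
        ("|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|", {"distance": 0}),
    ],
    "flowbits": ("set", "ETPRO.ETERNALBLUE"),
    "noalert": True,
}

RESPONSE_RULE = {
    "name": "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response",
    "direction": "from_server",
    "contents": [
        ("|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|", {"depth": 16}),
        ("|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|", {"distance": 0}),
    ],
    "flowbits": ("isset", "ETPRO.ETERNALBLUE"),
    "noalert": False,
}


def parse_content(pattern):
    """Convert a Snort content string to bytes: text outside pipes is literal
    ASCII, text between a pair of pipes is whitespace-separated hex."""
    out = bytearray()
    for i, piece in enumerate(pattern.split("|")):
        if i % 2 == 1:  # odd pieces sit between two pipes -> hex bytes
            out += bytes.fromhex(piece)
        else:
            out += piece.encode("ascii")
    return bytes(out)


def match_contents(payload, contents):
    """Apply the content options in order. depth:N requires the match to lie
    entirely within the first N bytes of its search window; distance:N starts
    the next search N bytes after the end of the previous match."""
    cursor = 0
    for pattern, opts in contents:
        needle = parse_content(pattern)
        start = cursor + opts["distance"] if "distance" in opts else 0
        end = start + opts["depth"] if "depth" in opts else len(payload)
        pos = payload.find(needle, start, end)
        if pos < 0:
            return False
        cursor = pos + len(needle)
    return True


def inspect(flow_state, flow_id, direction, payload):
    """Evaluate both rules against one SMB payload on a given flow.
    flow_state maps flow_id -> set of flowbits currently set on that flow.
    Returns the alert message, or None when nothing alerts."""
    bits = flow_state.setdefault(flow_id, set())
    for rule in (REQUEST_RULE, RESPONSE_RULE):
        if rule["direction"] != direction:
            continue
        if not match_contents(payload, rule["contents"]):
            continue
        action, bit = rule["flowbits"]
        if action == "set":
            bits.add(bit)
        elif action == "isset" and bit not in bits:
            continue  # response without a preceding request: stay silent
        if not rule["noalert"]:
            return rule["name"]
    return None


# Constructed payloads: the 16-byte header pattern, some padding, then the
# echo data string the second content option looks for.
ECHO_DATA = parse_content("|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|")
REQUEST_PAYLOAD = (parse_content("|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|")
                   + b"\x00" * 20 + ECHO_DATA)
RESPONSE_PAYLOAD = (parse_content("|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|")
                    + b"\x00" * 20 + ECHO_DATA)


def run_scenarios():
    """A response seen alone must not alert; a request followed by its
    response on the same flow must. Returns (lone_result, paired_result)."""
    state = {}
    lone = inspect(state, "flow-A", "from_server", RESPONSE_PAYLOAD)
    inspect(state, "flow-B", "to_server", REQUEST_PAYLOAD)  # sets the bit, no alert
    paired = inspect(state, "flow-B", "from_server", RESPONSE_PAYLOAD)
    return lone, paired


if __name__ == "__main__":
    lone, paired = run_scenarios()
    print("lone response:", lone)
    print("request then response:", paired)
```

The depth:16 constraint is what pins the header pattern to the start of the SMB message; the same bytes four positions later would not match, which the assertions below check.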
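For the phishing subject list above, a sweep of a mailbox export can be automated rather than read by eye. The following Python is an added example, not TrapX's own tooling: it parses raw RFC 5322 messages with the standard library's email package (which decodes RFC 2047 encoded-word subjects), then compares each subject with the listed indicators after case-folding, accent stripping and whitespace collapsing, so that minor header variants and forwarded copies with a 'FW:' or 'RE:' prefix still match. The sample messages are constructed inline with example.invalid addresses; in practice scan_messages would be fed the raw bytes of messages pulled from the mail store.

```python
import unicodedata
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subject lines reported in the post (copied verbatim from the list above).
PHISHING_SUBJECTS = [
    "Aviso – depósito a Cuenta Interbancaria",
    "PAGO DE SERVICIO CIE",
    "RETIRO DE EFECTIVO EN ATM AJENO",
    "Alertas Bancomer Móvil",
    "FISCAL CREDIT TAX COLLECTION",
    "TRASPASO DE TERCEROS BANCOMER (TDC)",
    "TRASP CTAS BANCOMER(CON O SIN CHEQUERA)",
    "TRASPASO CUENTAS PROPIAS (TDC)",
    "TRASPASO INTERBANCARIO",
    "Activacion de TOKEN",
    "Alertas Bancomer.com",
    "Comprobante / Notificación – Retiro de Efectivo",
    "ULTIMOS DíAS PARA ACTUALIZAR TUS DATOS",
    "Transferencia Banca en Lnea",
    "ACTIVACION TDC",
    "ACTUALIZA TUS DATOS Y USA TU TARJETA",
    "ACTIVACION TDD",
    "BLOQUEO TDD",
    "RECEIVED TRANSACTION FILE",
]


def normalize(text):
    """Fold case, drop accents and collapse whitespace so header spelling
    variants (Móvil vs MOVIL, doubled spaces) compare equal."""
    decomposed = unicodedata.normalize("NFKD", text or "")
    no_marks = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return " ".join(no_marks.casefold().split())


NORMALIZED_INDICATORS = [normalize(s) for s in PHISHING_SUBJECTS]


def match_subject(subject):
    """Return the first listed subject contained in this subject, or None.
    Substring matching catches 'FW:' / 'RE:' prefixes added on forwarding."""
    candidate = normalize(subject)
    for original, indicator in zip(PHISHING_SUBJECTS, NORMALIZED_INDICATORS):
        if indicator in candidate:
            return original
    return None


def scan_messages(raw_messages):
    """Parse raw messages and report those whose decoded Subject matches an
    indicator. policy.default decodes RFC 2047 encoded words for us."""
    hits = []
    parser = BytesParser(policy=policy.default)
    for index, raw in enumerate(raw_messages):
        msg = parser.parsebytes(raw)
        subject = str(msg["Subject"] or "")
        indicator = match_subject(subject)
        if indicator is not None:
            hits.append({
                "index": index,
                "from": str(msg["From"]),
                "subject": subject,
                "indicator": indicator,
            })
    return hits


def build_sample_mailbox():
    """Constructed sample messages (not real captures) for an offline run.
    Serialising through EmailMessage produces the encoded-word headers a
    real mail store would hold for the non-ASCII subjects."""
    samples = [
        ("bank@example.invalid", "FW: PAGO DE SERVICIO CIE"),
        ("alertas@example.invalid", "Aviso – depósito a Cuenta Interbancaria"),
        ("colleague@example.invalid", "Weekly status report"),
        ("soporte@example.invalid", "activacion de token"),
    ]
    raw = []
    for sender, subject in samples:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = "user@example.invalid"
        msg["Subject"] = subject
        msg.set_content("sample body")
        raw.append(msg.as_bytes())
    return raw


if __name__ == "__main__":
    for hit in scan_messages(build_sample_mailbox()):
        print(f"message {hit['index']} from {hit['from']}: "
              f"{hit['subject']!r} matches {hit['indicator']!r}")
```

Because the comparison is a normalized substring test, short indicators would be prone to false positives on a large mailbox; the listed subjects are long enough for that not to matter here, but any hit still warrants a look at the sender address and attachment before the message is quarantined.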