The Verodin Behavior Research Team (BRT) has created and released an initial round of attack patterns for WannaCry. Verodin customers have been using these attack patterns to validate that their security controls are working.
By leveraging these attack patterns within the Verodin Security Instrumentation Platform (SIP), you can evaluate your endpoint security controls, network security controls, and security management solutions such as SIEMs to determine whether you are:
- Detecting WannaCry targeting, scanning, lateral movement and related activity
- Preventing WannaCry
- Logging WannaCry activity and forwarding it to your SIEM and/or log management solution
- Generating SIEM alerts (correlated, notable events) that your team can use to respond
Verodin already has attack patterns for multiple variants of this malware, but because this is an ongoing attack the Verodin BRT will continue to release updated attack patterns over the coming days. Verodin customers and partners have access to these updates via their respective Verodin support portals.
Verodin BRT Tips
- Patch your vulnerable systems with Microsoft Security Bulletin MS17-010 – Critical
- Apply any necessary updates and signatures to your endpoint and/or network security controls
- Tune your SIEM to better detect and alert on these attacks
- Use Verodin to validate that the above changes are working as desired
- Use Verodin to continuously validate your security controls so that defensive regression does not make you less secure over time
- Disable SMBv1
- Validate SMB segmentation – SMB should not be allowed into or out of your network
- Understand how SMB is carried across your network:
  - Directly over TCP port 445
  - Over NetBIOS over TCP/IP: UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service)
  - Via the NetBIOS API, which can run over several transports
  - Over legacy transports such as NBF (NetBEUI) and IPX/SPX
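As an added example that is not part of the original post and not Verodin's own tooling: the script below implements two of the checks from the tips above over constructed firewall flow records. It flags SMB flows (TCP 445, TCP 139, UDP 137/138) that were allowed across the perimeter, and flags any host that reaches many distinct peers on TCP 445/139, the scanning pattern of WannaCry's worm component. The log line format, the RFC 1918 "internal" ranges and the scan threshold are assumptions; adapt them to your own firewall or NetFlow export before pointing it at real data.

```python
import ipaddress
from collections import defaultdict

# SMB transports listed in the tips: direct SMB over TCP 445, NetBIOS name and
# datagram services on UDP 137/138, NetBIOS session service on TCP 139.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Assumption: RFC 1918 space is "inside"; replace with your real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a single source touching this many distinct hosts on 445/139 is
# treated as SMB scanning. Tune to the normal fan-out on your network.
SCAN_THRESHOLD = 5

# Constructed sample flow records (not real logs). Format is assumed:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>"
SAMPLE_FLOWS = [
    "2017-05-12T10:00:01Z TCP 10.1.1.20:49152 -> 10.1.1.21:445 ALLOW",
    "2017-05-12T10:00:02Z TCP 10.1.1.20:49153 -> 10.1.1.22:445 ALLOW",
    "2017-05-12T10:00:02Z TCP 10.1.1.20:49154 -> 10.1.1.23:445 ALLOW",
    "2017-05-12T10:00:03Z TCP 10.1.1.20:49155 -> 10.1.1.24:445 ALLOW",
    "2017-05-12T10:00:03Z TCP 10.1.1.20:49156 -> 10.1.1.25:445 DENY",
    "2017-05-12T10:00:04Z TCP 10.1.1.20:49157 -> 203.0.113.7:445 ALLOW",  # SMB leaving the network
    "2017-05-12T10:00:05Z TCP 198.51.100.9:51000 -> 10.1.1.30:445 DENY",  # inbound SMB, blocked
    "2017-05-12T10:00:06Z UDP 10.1.1.40:137 -> 10.1.1.255:137 ALLOW",     # internal NetBIOS, expected
    "2017-05-12T10:00:07Z TCP 10.1.1.50:50001 -> 10.1.1.21:80 ALLOW",     # not SMB, ignored
]


def is_internal(ip):
    """True if the address falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one flow record in the assumed format into a dict."""
    ts, proto, src, _arrow, dst, action = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto.lower(),
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "action": action.upper()}


def analyze(lines):
    """Return (perimeter_violations, scanners).

    perimeter_violations: SMB flows that were ALLOWed between an internal and
    an external address, i.e. SMB segmentation failures.
    scanners: {src_ip: distinct destination hosts} for sources that hit at
    least SCAN_THRESHOLD distinct hosts on TCP 445/139. Denied attempts still
    count, because the scanning itself is the signal.
    """
    violations = []
    peers = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if (f["proto"], f["dst_port"]) not in SMB_PORTS:
            continue
        crosses_perimeter = is_internal(f["src_ip"]) != is_internal(f["dst_ip"])
        if crosses_perimeter and f["action"] == "ALLOW":
            violations.append(f)
        if f["proto"] == "tcp" and f["dst_port"] in (445, 139):
            peers[f["src_ip"]].add(f["dst_ip"])
    scanners = {ip: len(hosts) for ip, hosts in peers.items()
                if len(hosts) >= SCAN_THRESHOLD}
    return violations, scanners


if __name__ == "__main__":
    violations, scanners = analyze(SAMPLE_FLOWS)
    for v in violations:
        print("SMB crossed perimeter:", v["src_ip"], "->", v["dst_ip"], v["ts"])
    for ip, n in scanners.items():
        print("possible SMB scanner:", ip, "reached", n, "hosts on 445/139")
```

On the constructed sample this reports one segmentation failure (10.1.1.20 reaching 203.0.113.7 on 445) and one scanner (10.1.1.20 touching six hosts on 445). The inbound attempt from 198.51.100.9 is not reported because the firewall denied it, which is the expected result of correct SMB segmentation; the same two conditions are what a SIEM correlation rule for this activity should express.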
WannaCry ransomware propagates using EternalBlue, an exploit claimed to have been developed by the NSA. EternalBlue was leaked into the wild by The Shadow Brokers hacking group in April 2017 along with several other hacking tools and exploits.
EternalBlue exploits a vulnerability in Microsoft's SMBv1 implementation for which Microsoft released a patch (Microsoft Security Bulletin MS17-010 – Critical) in March 2017. The WannaCry ransomware attack, known by many names including Wcry and WanaCrypt0r, hit the public on May 12th, 2017 and successfully crippled unpatched Microsoft systems worldwide.
WannaCry has been incredibly damaging to several organizations, especially healthcare organizations, that are still operating these unpatched Microsoft systems, allowing successful exploitation of the Microsoft Windows Server Message Block (SMB) service.
WannaCry does not just encrypt data on a compromised system and demand that the owner pay for the decryption key; it also has worm capabilities to scan for, target and propagate to other vulnerable hosts, maximizing damage through lateral movement within target organizations.
Note that researchers have been working diligently to thwart WannaCry by registering the kill-switch domain that the malware checks before running, and by leveraging other weaknesses specific to the exploit's architecture. It is also important to note that high-profile attacks of this type generally attract copycats, and it is highly likely that we will see further variants.