The WannaCry ransomware attack is one of the first large-scale attacks to use a weaponized version of the exploits that the Shadow Brokers hacking group began leaking from the United States NSA in 2016.
WannaCry uses one of the tools from the Shadow Brokers' fifth leak to the Internet, named EternalBlue. This tool was reportedly designed by the NSA to exploit a vulnerability in the SMBv1 implementation of most Microsoft operating systems (CVE-2017-0144), a vulnerability that was unknown to Microsoft and to security professionals.
The NSA presumably used EternalBlue as an offensive tool in support of national security interests. The vulnerability it targets was not disclosed to Microsoft or the public through the industry-standard channels.
WannaCry Ransom Screenshot
Microsoft released a patch for all supported Windows operating systems in March 2017 (Security Bulletin MS17-010) through the normal channels. In May 2017, Microsoft released patches for unsupported Windows operating systems, including Windows XP and Windows Server 2003, because of the severity of the vulnerability and the reach of the WannaCry attack.
Recommendation
To protect the network from the WannaCry attack, The LANAIR Group recommends the following:
- Ensure that all Microsoft patches from March and May 2017 have been applied
- Specifically those listed in Microsoft Security Bulletin MS17-010
- Disable the SMBv1 protocol on all servers and workstations where it is not used
- Configure internal firewalls or networking devices to block SMB traffic (TCP 445, and TCP 139 for the NetBIOS session service) between physical sites and network subnets where it is not required for business functions
- Ensure that the perimeter firewall has its Intrusion Prevention System (IPS) and Gateway Antivirus (GAV) features enabled
- Initiate a network-wide vulnerability scan with a tool such as Qualys
- Verify that the DoublePulsar backdoor (the kernel implant that EternalBlue installs, also part of the Shadow Brokers leak) is not present on any host on the network
When Possible
- Configure the security policies of Microsoft systems to best practices
- Segment the network to isolate critical systems and enforce access control lists on the network devices
- Install IPS devices between the end users and the critical servers/data
- Configure the perimeter firewall to inspect SSL-encrypted traffic
- Configure the perimeter firewall to limit outbound Internet access to unknown locations and data types
- Upgrade or replace all Microsoft operating systems that are not in mainstream support
- For those that cannot be upgraded, consider installing an IPS device between the system and the network
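The patch and SMBv1 items above can be audited and enforced on each Windows host from an elevated PowerShell session. The script below is an added example and is not code from the LANAIR page; it assumes Windows 7 / Server 2008 R2 or later with PowerShell 5.1. The KB numbers are Microsoft's MS17-010 release identifiers for each platform; on Windows 10 later cumulative updates supersede them, so a missing KB there means "verify with a scanner", not "confirmed vulnerable".

```powershell
# Added example (not from the LANAIR page): host-local audit and enforcement of the
# MS17-010 patch and SMBv1 recommendations. Run elevated. Assumes PowerShell 5.1.

# MS17-010 KB identifiers by platform (Microsoft Security Bulletin MS17-010, March 2017,
# plus the May 2017 out-of-band release for unsupported platforms).
$Ms17010Kbs = @(
    'KB4012598',                          # Windows XP, Windows 8, Server 2003 (May 2017 out-of-band)
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',             # Windows Server 2012
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

$LanmanServerParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Patch {
    # Returns $true when any MS17-010 KB is listed in the installed hotfixes.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) {
        Write-Output "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
        return $true
    }
    Write-Warning 'No MS17-010 hotfix found by KB number; confirm with a vulnerability scan before trusting this host.'
    return $false
}

function Test-Smb1Enabled {
    # Server-side SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / Server 2008 R2: read the registry value the server driver honours.
    $v = Get-ItemProperty -Path $LanmanServerParams -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }    # value absent: SMBv1 is enabled by default
    return ($v.SMB1 -ne 0)
}

function Disable-Smb1 {
    # Server side: turn off SMBv1 via the cmdlet where available, else via the registry.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanServerParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Client side: drop the SMBv1 client driver (mrxsmb10) from the workstation service
    # dependencies and disable it, so the host cannot be negotiated down to SMBv1 either.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
    Write-Output 'SMBv1 disabled; reboot for the change to take full effect.'
}

function Block-InboundSmb {
    # Hosts that do not serve files have no reason to accept inbound SMB at all.
    # netsh works on every supported platform; New-NetFirewallRule needs Windows 8 / 2012+.
    netsh advfirewall firewall add rule name='Block inbound SMB (TCP 445)' dir=in action=block protocol=TCP localport=445 | Out-Null
    netsh advfirewall firewall add rule name='Block inbound NetBIOS session (TCP 139)' dir=in action=block protocol=TCP localport=139 | Out-Null
}

# Audit, then enforce only what is actually wrong on this host.
if (-not (Test-Ms17010Patch)) {
    Write-Warning 'Patch this host (or isolate it) before it is reconnected to the network.'
}
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled on this host.'
    Disable-Smb1
} else {
    Write-Output 'SMBv1 is already disabled.'
}
# Uncomment on workstations and servers that do not share files:
# Block-InboundSmb
```

Run the audit half first across the fleet (via your management tooling) and only then push the enforcement half; disabling SMBv1 breaks legacy devices such as older multifunction printers and NAS boxes that only speak SMBv1, which is exactly the inventory the "if not used" wording in the recommendation is asking you to establish. The DoublePulsar check is a network-side task rather than a host-local one: scan the SMB ports from a separate machine with the scanner's own MS17-010/DoublePulsar plugin, or with the nmap script smb-double-pulsar-backdoor, and treat any hit as an incident, not just a patching gap.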