30 Jun 2017
Major security incidents
Wannacry ransomware incident
[For a short version of this alert, please read just the THREAT and RECOMMENDED ACTION sections below]
UPDATE 1:
Microsoft has published a blog post that will serve as their centralised resource for these attacks [10], and has made patches available for previously unsupported systems. There is now no reason NOT to patch:
“we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download” [10]
UPDATE 2:
See the APPENDIX for scripts to find vulnerable systems in your network and to identify systems that are already infected.
UPDATE 3:
See Introduction for update on affected organisations and information on the malware’s operational aspects. See the Recommended Actions section for additional information on applying IOCs.
UPDATE 4:
A tool for in-memory recovery of the WannaCry encryption key on Windows XP hosts has been released [17].
INTRODUCTION
An ongoing widespread ransomware worm attack has affected organisations in approximately 150 countries. AUSCERT has not received any local reports of such attacks at the moment. Confirmed reports of WannaCry infections have been received from countries in the APAC region; Indonesia is the closest such example, where healthcare organisations have been affected.
Attacks have been reported against the NHS, the University of Waterloo, Nissan in the UK, the Russian Interior Ministry, banks and railways in Russia, Telefonica users in Spain, German Rail, a mall in Singapore and ATMs in China, among others. The attacks do not appear to target any particular industry sector [1, 14].
The worm component of the malware launches the EternalBlue exploit against Windows hosts vulnerable to CVE-2017-0144, a flaw in the SMBv1 server. A successful exploit gives remote code execution in the kernel (SYSTEM context) on the target host; no credentials and no user interaction are required. The worm then drops and runs the ransomware component on the newly compromised host and repeats the process against other hosts reachable on TCP port 445.
EternalBlue installs the DoublePulsar kernel backdoor on the exploited host, and the worm uses that backdoor to load its payload. The worm also checks for an existing DoublePulsar installation before exploiting a host, so hosts compromised earlier by other actors are infected as well, and the presence of DoublePulsar is a useful indicator of compromise (see the APPENDIX).
Analyses report encrypted files carrying different extensions: the malware appends “.wnry”, “.wcry”, “.wncry” or “.wncrypt” to the original file name (for example report.docx.WNCRY), the variation being due to different variants of the ransomware.
The ransomware targets files with the following extensions:
.123,.3dm,.3ds,.3g2,.3gp,.602,.7z,.ARC,.PAQ,.accdb,.aes,.ai,.asc,.asf,.asm,.asp,.avi,.backup,.bak,
.bat,.bmp,.brd,.bz2,.cgm,.class,.cmd,.cpp,.crt,.cs,.csr,.csv,.db,.dbf,.dch,.der,.dif,.dip,.djvu,.doc,.docb,
.docm,.docx,.dot,.dotm,.dotx,.dwg,.edb,.eml,.fla,.flv,.frm,.gif,.gpg,.gz,.hwp,.ibd,.iso,.jar,.java,.jpeg,
.jpg,.js,.jsp,.key,.lay,.lay6,.ldf,.m3u,.m4u,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mp3,.mp4,
.mpeg,.mpg,.msg,.myd,.myi,.nef,.odb,.odg,.odp,.ods,.odt,.onetoc2,.ost,.otg,.otp,.ots,.ott,.p12,
.pas,.pdf,.pem,.pfx,.php,.pl,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.ps1,
.psd,.pst,.rar,.raw,.rb,.rtf,.sch,.sh,.sldm,.sldx,.slk,.sln,.snt,.sql,.sqlite3,.sqlitedb,.stc,.std,.sti,.stw,
.suo,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.vb,.vbs,.vcd,.vdi,.vmdk,
.vmx,.vob,.vsd,.vsdx,.wav,.wb2,.wk1,.wks,.wma,.wmv,.xlc,.xlm,.xls,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.zip
RECOMMENDED ACTIONS:
AlienVault’s Open Threat eXchange (OTX) has a number of threat indicators. [2]
(A zip file of the threat indicators is available for download at the end of this publication – wannacry_ioc.zip )
Members are strongly advised to apply these threat indicators, which include:
1. Domains
In general these domains should be blocked outbound, as they represent C&C servers to which the ransomware attempts to connect. Two of them, however, are kill switches: before propagating, the malware attempts to connect to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and if the connection succeeds it exits and propagation ceases. Both domains have been registered and sinkholed by researchers. Do NOT block outbound traffic to these two domains: blocking them would re-enable the malware on your network, and DNS queries for them are a reliable way to identify infected hosts. Note that the kill-switch check is a direct connection that ignores system proxy settings, so hosts that can only reach the Internet through a proxy will not be stopped by the kill switch.
Caution: updated variants of the malware are likely to omit or change the kill-switch feature.
2. Remote IPs/ports
Apply blocks/checks in ACLs, IDS/IPS and network firewalls, both inbound and outbound. The IPs represent C&C servers for the ransomware, additional resource download URLs and Bitcoin payment sites.
3. Hostnames
Same as above.
4. File paths
Applied to host IDS and/or file integrity checkers, these help identify the known files dropped by the ransomware.
5. Registry keys
Applied to host IDS and/or integrity checks, these help identify creation or modification of registry keys by the ransomware.
6. Snort
Applied to IDS/IPS, these help detect EternalBlue exploit activity on the network.
7. Yara
YARA signature(s) to detect the presence of ransomware in hosts. [15]
8. BTC
Known Bitcoin wallet addresses used to receive ransom payments. Users attempting to pay or to check a ransom will typically look up the wallet at a URL of the form https://blockchain.info/address/<BTC wallet>; outbound requests for these URLs in proxy logs can help identify infected hosts.
9. File Hashes (MD5, SHA1, SHA256)
Known hashes of the dropper and ransomware components; apply to anti-virus, host IDS and SIEM searches to identify known samples.
In summary, network security devices such as IDS/IPS, SIEMs and firewalls should be tuned to block the listed domains, IPs and host names, both inbound and outbound, and host IDSs should be tuned to monitor Windows hosts for the indicated file paths and file hashes.
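As an added illustration (not part of the original AUSCERT alert or of the OTX pulse), the following Python script shows how the DNS and proxy indicators above can be applied to logs: it flags hosts that query either kill-switch domain, hosts that query a blocked C&C domain, and hosts that look up a ransom wallet at a blockchain.info/address/ URL. The log formats (BIND query log, Squid native access log), the C&C domain example-c2.invalid and the wallet address are assumptions standing in for the real indicator list in wannacry_ioc.zip; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Kill-switch domains named in this alert. A DNS query for either one from an
# internal host means the worm has executed there, so they are watched, not blocked.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
# The real C&C domains and wallet addresses come from the OTX pulse / wannacry_ioc.zip;
# these two values are placeholders (assumptions) standing in for that list.
BLOCKED_DOMAINS = {"example-c2.invalid"}
KNOWN_WALLETS = {"1AssumedWalletPlaceholder00000000"}

# Assumed log formats: BIND-style query log and Squid native access log.
DNS_RE = re.compile(r"client (?P<src>[\d.]+)#\d+.*?query: (?P<qname>\S+) ")
PROXY_RE = re.compile(r"^\S+ +\d+ (?P<src>[\d.]+) \S+ \d+ \w+ (?P<url>\S+)")
# Ransom payment lookup: https://blockchain.info/address/<wallet>
WALLET_URL_RE = re.compile(r"^https?://blockchain\.info/address/([^/?#]+)")


def match_dns(line):
    """Return (src, kind, indicator) if the query hits an indicator, else None."""
    m = DNS_RE.search(line)
    if not m:
        return None
    qname = m.group("qname").rstrip(".").lower()
    if qname in KILL_SWITCH_DOMAINS:
        return m.group("src"), "kill-switch-query", qname
    if qname in BLOCKED_DOMAINS:
        return m.group("src"), "c2-query", qname
    return None


def match_proxy(line):
    """Return (src, kind, wallet) if the request is a blockchain.info wallet lookup."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    w = WALLET_URL_RE.match(m.group("url"))
    if not w:
        return None
    wallet = w.group(1)
    kind = "known-wallet-lookup" if wallet in KNOWN_WALLETS else "wallet-lookup"
    return m.group("src"), kind, wallet


def triage(dns_lines, proxy_lines):
    """Group indicator hits by source host so each host can be isolated and examined."""
    hits = defaultdict(list)
    for line in dns_lines:
        r = match_dns(line)
        if r:
            hits[r[0]].append(r[1:])
    for line in proxy_lines:
        r = match_proxy(line)
        if r:
            hits[r[0]].append(r[1:])
    return dict(hits)


# Constructed sample logs (not real captures).
SAMPLE_DNS = [
    "12-May-2017 11:02:13.452 client 10.1.4.27#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.5)",
    "12-May-2017 11:02:14.001 client 10.1.4.27#51235: query: www.example.com IN A + (10.1.0.5)",
    "12-May-2017 11:05:40.120 client 10.1.9.3#49001: query: example-c2.invalid IN A + (10.1.0.5)",
]
SAMPLE_PROXY = [
    "1494587533.210    245 10.1.4.27 TCP_MISS/200 1543 GET https://blockchain.info/address/1AssumedWalletPlaceholder00000000 - HIER_DIRECT/104.16.0.1 text/html",
    "1494587540.002     12 10.1.2.8 TCP_MISS/200 8801 GET https://www.example.org/ - HIER_DIRECT/93.184.216.34 text/html",
]


def run_sample():
    """Triage the constructed sample logs; real use feeds resolver and proxy lines instead."""
    return triage(SAMPLE_DNS, SAMPLE_PROXY)


if __name__ == "__main__":
    for host, events in sorted(run_sample().items()):
        print(host, events)
```

A kill-switch hit from a host means the worm ran there and was stopped by the sinkhole, but that host has still been exploited (and may carry DoublePulsar) and should be isolated and rebuilt like any other infected machine.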
- The malware exploits a remote code execution vulnerability in the SMBv1 server (CVE-2017-0144). This vulnerability was addressed in Microsoft's update MS17-010 [3].
- All Windows hosts that have not already been patched should be patched immediately to address this vulnerability (see the AUSCERT security bulletin [4]).
- Organisations that are unable to patch certain systems, for example hospitals operating specialised equipment, are advised to consider placing such systems in private VLANs to isolate them. This helps prevent lateral movement to and from those systems.
ADDITIONAL RECOMMENDATIONS
MS-ISAC issued an advisory addressing the remote code execution vulnerabilities in the SMB server that are currently being used to propagate the WannaCry ransomware.
MS-ISAC has provided the following recommendations to mitigate the vulnerabilities:
- “Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.” [5]
AUSCERT recommends the following measures to mitigate risk of exposure:
- Anti-virus signatures should be updated immediately.
- If patching is not possible, make a business decision to disable SMBv1 (or SMB entirely) on the affected systems [6].
- Block SMB traffic (TCP ports 445 and 139) from all but necessary and patched systems, and segment your networks.
- Disable or restrict Remote Desktop Protocol (RDP) access (see http://support.eset.com/kb3433/#RDP).
- A Snort rule for ETERNALBLUE was released by Cisco as part of the “registered” rule set; check for SID 41978 [7].
- Emerging Threats has an IDS rule that catches the ransomware activity (SID 2024218) [8].
- AUSCERT has compiled a list of indicators of compromise based on analyses conducted by external parties [11-13].
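To verify that the SMBv1-related steps above (MS-ISAC's “disable SMBv1” and AUSCERT's “block SMB traffic from all but necessary and patched systems”) have actually taken effect, the following added Python probe sends a single SMBv1 NEGOTIATE request offering only the NT LM 0.12 dialect and classifies the reply. It is an illustration written for this alert, not a script from Microsoft, MS-ISAC or any referenced project; the port, timeout and header flag values are assumptions. A host that answers with an SMBv1 NEGOTIATE response still has SMBv1 enabled; one that closes the connection without answering has SMBv1 disabled; one that refuses the TCP connection is filtered.

```python
import socket
import struct

# Assumed defaults for the probe; adjust to your environment.
SMB_PORT = 445
TIMEOUT = 3.0
SMB1_DIALECT = b"NT LM 0.12"  # the dialect a Windows SMBv1 server accepts


def build_smb1_negotiate() -> bytes:
    """Build a minimal SMBv1 NEGOTIATE request offering only the NT LM 0.12 dialect."""
    # 32-byte SMB header: protocol id, command (0x72 = NEGOTIATE), NT status, flags,
    # flags2, PIDHigh, security features, reserved, TID, PIDLow, UID, MID
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        b"\xffSMB", 0x72, 0, 0x18, 0x2801, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0,
    )
    dialects = b"\x02" + SMB1_DIALECT + b"\x00"                    # BufferFormat, string, NUL
    body = b"\x00" + struct.pack("<H", len(dialects)) + dialects   # WordCount 0, ByteCount
    smb = header + body
    # NetBIOS session service header: message type 0x00 + 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_response(data: bytes) -> str:
    """Map the raw reply (or the absence of one) to an SMBv1 posture."""
    if len(data) < 8:
        return "smb1-disabled"        # Windows with SMBv1 off drops the connection
    payload = data[4:]                # strip the NetBIOS header
    if payload[:4] == b"\xffSMB" and payload[4] == 0x72:
        # NEGOTIATE response: WordCount at offset 32, DialectIndex at 33..34
        if len(payload) >= 35 and payload[32] >= 1:
            idx = struct.unpack_from("<H", payload, 33)[0]
            if idx == 0xFFFF:
                return "smb1-no-dialect"   # spoke SMBv1 but rejected every dialect
        return "smb1-enabled"
    if payload[:4] == b"\xfeSMB":
        return "smb2-only"
    return "unknown"


def probe(host: str, port: int = SMB_PORT, timeout: float = TIMEOUT) -> str:
    """Connect, send the NEGOTIATE and classify; 'unreachable' means 445 is filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            try:
                data = s.recv(1024)
            except (socket.timeout, ConnectionResetError):
                data = b""
    except OSError:
        return "unreachable"
    return classify_response(data)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe(target))
```

This probe does not test for the MS17-010 patch itself (use the scanner in the APPENDIX for that): a host reported as smb1-enabled may already be patched, but it is still exposing the protocol the worm needs and should be remediated regardless.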
AUSCERT will continue to issue additional alerts as and when new information becomes available.
POST-INFECTION
For ransomware, prevention is the best possible outcome. However, if a ransomware infection has occurred, consider the following measures:
1. Immediately isolate the infected host from the network to prevent lateral movement.
2. Submit samples of encrypted files to Crypto Sheriff (No More Ransom project); this may identify a decryptor to recover the encrypted files [16].
3. For infected Windows XP hosts, do not reboot the machine or kill the ransomware process before attempting recovery: the in-memory key recovery tool [17] depends on the prime numbers used to generate the RSA key still being present in the process memory.
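As an added example for scoping an infection (written for this alert, not a tool from the No More Ransom project), the following Python script walks a directory tree, identifies files carrying the appended WannaCry extensions listed in the INTRODUCTION, recovers the original extension from the file name (the malware appends its extension, so report.docx.WNCRY was a .docx) and counts intact files whose extensions are among the targeted list. That inventory helps decide which files to submit to Crypto Sheriff and what was spared. The subset of targeted extensions and the directory contents are constructed sample data.

```python
import os
import tempfile
from collections import Counter

# Extensions WannaCry appends to files it has encrypted (from the alert), lower-cased.
ENCRYPTED_EXTS = (".wnry", ".wcry", ".wncry", ".wncrypt")
# Constructed subset of the targeted extensions from the alert; use the full list in practice.
TARGETED_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".zip", ".sql", ".vmdk", ".pst"}


def split_encrypted(name):
    """Return (original_name, original_ext) if name carries a WannaCry extension, else None."""
    lower = name.lower()
    for ext in ENCRYPTED_EXTS:
        if lower.endswith(ext):
            original = name[: -len(ext)]
            return original, os.path.splitext(original)[1].lower()
    return None


def scan_tree(root):
    """Inventory encrypted files (with their original extension) and intact targeted files."""
    encrypted = []          # (path, original extension)
    by_ext = Counter()      # how many encrypted files per original extension
    intact_targets = 0      # files the ransomware would target that are still unencrypted
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            hit = split_encrypted(f)
            if hit:
                encrypted.append((path, hit[1]))
                by_ext[hit[1]] += 1
            elif os.path.splitext(f)[1].lower() in TARGETED_EXTS:
                intact_targets += 1
    return {
        "encrypted": encrypted,
        "by_original_ext": dict(by_ext),
        "intact_targets": intact_targets,
    }


def demo():
    """Build a constructed directory tree (sample data, not a real infection) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        sample = [
            "report.docx.WNCRY",
            "budget.xlsx.WNCRY",
            "photo.jpg",
            "notes.txt",
            os.path.join("db", "backup.sql.wncry"),
            os.path.join("db", "vm.vmdk.WCRY"),
        ]
        for rel in sample:
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            open(p, "wb").close()
        return scan_tree(root)


if __name__ == "__main__":
    result = demo()
    print(len(result["encrypted"]), "encrypted files:", result["by_original_ext"])
    print(result["intact_targets"], "targeted files still intact")
```

Point scan_tree() at the affected volume of an isolated host (ideally a read-only mounted image) rather than running it on the live infected system.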
REFERENCES:
[1] http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/
[2] https://otx.alienvault.com/pulse/5915db384da2585b4feaf2f6/
[3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[4] https://portal.auscert.org.au/bulletins/45238
[5] https://msisac.cisecurity.org/advisories/2017/2017-024.cfm
[6] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
[7] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/
[8] https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
[9] https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
[10] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
[11] https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
[12] https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
[13] https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/
[14] https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
[15] https://blog.malwarebytes.com/threat-analysis/2013/10/using-yara-to-attribute-malware/
[16] https://www.nomoreransom.org/crypto-sheriff.php
[17] https://github.com/aguinet/wannakey
APPENDIX
Please read the DISCLAIMER at the end of this alert before using these scripts.
IDENTIFICATION OF VULNERABLE SYSTEMS
To detect systems on a network (x.x.x.x/xx) that are vulnerable (i.e. not patched against MS17-010), a Python script is available at https://github.com/RiskSense-Ops/MS17-010
This is a standalone version of the corresponding Metasploit detection module:
https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_ms17_010
UBUNTU installation/Usage
$ sudo apt-get install prips
$ wget https://github.com/RiskSense-Ops/MS17-010/raw/master/scanners/smb_ms17_010.py
$ prips x.x.x.x/xx | xargs -n1 python ./smb_ms17_010.py
# If the above is too slow, first identify just the Windows hosts in your network with
# nbtscan and pass only those addresses to smb_ms17_010.py <ip>:
$ sudo apt install nbtscan
$ nbtscan x.x.x.x/xx
IDENTIFICATION OF INFECTED SYSTEMS
To detect systems on a network (x.x.x.x/xx) that are already infected (by virtue of the DOUBLEPULSAR backdoor that the worm installs), another detection script is available:
UBUNTU Installation/Usage
$ pip install --user netaddr
$ git clone https://github.com/countercept/doublepulsar-detection-script.git
$ cd doublepulsar-detection-script/
$ python detect_doublepulsar_smb.py --net x.x.x.x/xx
REVISION HISTORY
Version Published Changes
1.0 13th May 2017 Original version published
2.0 13th May 2017 Update 1 – Microsoft issues out of band patches
3.0 14th May 2017 Update 2 – Appendix added
4.0 15th May 2017 Update 3 – Additional campaign related information, Indicators of Compromise and reference resources. Post-infection section added
5.0 17th May 2017 Update 4 – WannaCry in-memory key recovery tool for Windows XP released
AUSCERT Team
DISCLAIMER
AUSCERT has made every effort to ensure that the information provided is accurate and the advice is appropriate based on the information we have received. However, the decision to use or rely upon the information or advice is the responsibility of each organisation and should be considered in accordance with your organisation’s site policies and procedures. AUSCERT takes no responsibility for adverse consequences which may arise from following or acting on the information or advice provided.