It’s been a busy week in the security world. On Friday 12th May 2017 the world was hit by one of the biggest ransomware outbreaks in recent times. It reached 74 countries and more than 45,000 systems. By Monday, this was more like 150 countries and 200,000 systems, according to Europol. When a kill-switch was found that disabled the malware, it was only a matter of hours until new variants were infecting systems at a rate of 3,600 per hour.
Protecting against ransomware is important, but we should not ignore the valuable lessons we can learn from this attack. A defence in depth security model that focuses on security foundations would have prevented this attack and many others. If we focus only on the attack itself we are missing a huge opportunity to fix our systems.
So what can we learn?
In Avecto’s analysis we found that the initial infection requires local admin rights to install a payload into the Windows folder and begin spreading via the SMB worm (when entering the system via a phishing e-mail). In our analysis, Defendpoint’s combination of Privilege Management and Application Allow Listing was able to prevent the WannaCry ransomware from infecting systems and spreading.
Avecto has discovered several Bitcoin wallets, valued at around $60k each, linked to the WannaCry malware. Compared to Cerber ransomware, which was estimated to be on track for about $2.4 million this year, this is a low yield and suggests either a lack of technical sophistication or possibly a greater desire to disrupt than to profit.
The origin of the attack is still unconfirmed; there are reports of phishing, malvertising and exposed firewall ports being used as the entry point. There is also the possibility that the machines had been previously compromised and the attackers were waiting to deploy this attack at scale for maximum impact. Whatever the origin, it is vital to implement least privilege and allow listing to prevent attackers gaining a foothold on systems.
With this recent attack, it’s more important than ever to recognize the best practice security advice from SANS, GCHQ, and Government agencies.
Patch, Patch, Patch, oh and Patch
The rapid spread of the WannaCry worm was made possible by the huge amount of unsupported and unpatched operating systems.
It is vitally important that the operating system and line of business applications are kept up to date with the latest patches and hotfixes. One statistic that puts this into context is that 99.9% of vulnerabilities were compromised a year after a CVE was published. Operating system hotfixes and updates can be managed using Microsoft’s Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).
Patching with MS17-010 will prevent WannaCry from spreading via the SMB worm but will not prevent users from being re-infected directly via phishing emails or downloads. It’s essential to deploy privilege management and allow listing to ensure these payloads cannot re-infect machines and cause another outbreak. Microsoft released a patch for this vulnerability in March; an interesting point here is that they had actually developed a patch for XP back in February but did not release it until last week.
Many software vendors have their own automated patching systems, but many others require users to manually install updates, which in turn requires an administrative account. With privilege management solutions, it is no longer the case that you have to issue administrative rights to allow users to update applications as needed.
Application allow listing
Although the initial attack vector is not clear, attackers will look for ways to introduce malicious applications to a system. By implementing application allow listing it’s possible to prevent the initial infection and cut off the attack before it can spread. As allow listing only allows known good applications to run, it is far more effective than antivirus, which tries to detect millions of possible bad applications.
Reducing admin users
Reducing local admin users is often seen as one of the most important steps to securing an organization. In this case, the initial payload was unable to execute successfully without access to admin rights, stopping the attack at the earliest stage, before it could spread.
The SMB flaw in the Windows operating system was so severe that the attackers were able to launch code in a privileged context. However, if the attackers had not had access to this vulnerability they would have had to exploit local admin rights in order to infect systems and spread in this way. Organizations that deploy the MS17-010 patch but still use local admin accounts could still be affected by a self-propagating attack using pass-the-hash techniques rather than vulnerabilities.
If the malware has access to admin rights it will successfully infect the machine and try to spread across the network.
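As an added example that serves the patching, allow listing and admin-rights sections above (it is not Avecto’s or the post’s own code), a read-only PowerShell audit that reports which of those three controls a host is missing. It assumes an elevated session on Windows 10 / Server 2016 or later with the AppLocker module available; the KB id is a placeholder to fill in from the MS17-010 bulletin for the OS build, and the approved-admin list is a constructed sample.

```powershell
# Added example, not from the original post or Avecto. Read-only audit of the
# controls recommended above. Assumptions: elevated session on Windows 10 /
# Server 2016 or later (Get-SmbServerConfiguration, Get-LocalGroupMember and
# the AppLocker cmdlets); $Ms17010Kbs is a placeholder to fill in from the
# MS17-010 bulletin for this OS build; $ApprovedAdmins is a constructed sample.
$Ms17010Kbs     = @('KB<fill-from-MS17-010-bulletin>')
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation Admins')

$findings = New-Object System.Collections.Generic.List[string]

# 1. Patch: is an MS17-010 hotfix present? (Get-HotFix lists installed updates by KB id.)
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
if (-not ($Ms17010Kbs | Where-Object { $installed -contains $_ })) {
    $findings.Add('MS17-010 hotfix not found; SMB worm vector is open')
}

# 2. SMBv1: the worm abused the SMBv1 flaw, so the server-side protocol should be off.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings.Add('SMBv1 server protocol enabled; disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false')
}

# 3. Allow listing: is an AppLocker executable rule collection actually enforced?
$policy = [xml](Get-AppLockerPolicy -Effective -Xml)
$exe = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
if (-not $exe -or $exe.EnforcementMode -ne 'Enabled') {
    $findings.Add('No enforced AppLocker Exe rule collection; unknown executables can run')
}

# 4. Admin rights: any local Administrators member outside the approved list is a finding.
$members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
foreach ($m in $members) {
    if ($ApprovedAdmins -notcontains $m) {
        $findings.Add("Unexpected local Administrators member: $m")
    }
}

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: no findings"
} else {
    $findings | ForEach-Object { Write-Output "$env:COMPUTERNAME: $_" }
}
```

Run it across a fleet with Invoke-Command and collect the output lines to see which hosts still have the SMB worm vector, no enforced allow list, or excess local admins.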
Many vendors have been quick to claim that their product would stop WannaCry but the lesson here once again is that there is no silver bullet – best practice security foundations have to be in place to stand a chance against these types of attack. We must get back to basics and we can only hope that the high profile nature of WannaCry will at least bring these standard measures back on the priority list.