WannaCry One Week On

October 20, 2017


It’s been a busy week in the security world. On Friday 12th May 2017 the world was hit by one of the biggest ransomware outbreaks in recent times. It reached 74 countries and more than 45,000 systems. By Monday, this was more like 150 countries and 200,000 systems, according to Europol. When a kill-switch was found to disable the virus, it was a matter of hours until new variants were infecting systems at a rate of 3,600 per hour.

Protecting against ransomware is important, but we should not ignore the valuable lessons we can learn from this attack. A defence in depth security model that focuses on security foundations would have prevented this attack and many others. If we focus on the attack itself we are missing a huge opportunity to fix our systems.

So what can we learn?

In Avecto’s analysis we found that the initial infection requires local admin rights to install a payload into the Windows folder and begin spreading via the SMB worm (when entering the system via a phishing e-mail). In our analysis, Defendpoint’s combination of Privilege Management and Application Allow Listing was able to prevent the WannaCry ransomware from infecting systems and spreading.

Avecto has discovered several Bitcoin wallets valued at around $60k each linked to the WannaCry malware. Compared to Cerber ransomware, which was estimated to be on track for about $2.4 million this year, this is a low yield and suggests either a lack of technical sophistication or possibly a greater desire to disrupt than profit.

The origin of the attack is still unconfirmed; there are reports of phishing, malvertising and exposed firewall ports being used as the entry point. There is also the possibility that the machines had been previously compromised and the attackers were waiting to deploy this attack at scale for maximum impact. No matter what the origin, it is vital to implement least privilege and allow listing to prevent attackers gaining a foothold on systems.

With this recent attack, it’s more important than ever to recognize the best practice security advice from SANS, GCHQ, and Government agencies.

Patch, Patch Patch, oh and Patch

The rapid spread of the WannaCry worm was made possible by the huge amount of unsupported and unpatched operating systems.

It is vitally important that the operating system and line-of-business applications are kept up to date with the latest patches and hotfixes. One statistic that puts this into context is that 99.9% of vulnerabilities were compromised a year after a CVE was published. Operating system hotfixes and updates can be managed using Microsoft’s Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM).

Patching with MS17-010 will prevent WannaCry from spreading via the SMB worm but will not prevent users from being re-infected directly via phishing emails or downloads. It’s essential to deploy privilege management and allow listing to ensure these payloads cannot re-infect machines and cause another outbreak. Microsoft released a patch for this vulnerability in March; an interesting point here is that they had actually developed a patch for XP back in February but did not release it until last week.

Many software vendors have their own automated patching systems, but many require users to manually install updates and require an administrative account. With privilege management solutions, it is no longer the case that you have to issue administrative rights to allow users to update applications as needed.

Application allow listing

Although the initial attack vector is not clear, attackers will look for ways to introduce malicious applications to a system. By implementing application allow listing it’s possible to prevent the initial infection and cut off the attack before it can spread. As allow listing only allows the known good to run, it is far more effective than antivirus, which tries to detect millions of possible bad applications.

Reducing admin users

Reducing local admin users is often seen as one of the most important steps to securing an organization. In this case, the initial payload was unable to execute successfully without access to admin rights, stopping the attack at the earliest stage before it could spread.

The SMB flaw in the Windows operating system was so severe that the attackers were able to launch code in a privileged context. However, if the attackers had not had access to this vulnerability they would have had to exploit local admin rights in order to infect systems and spread in this way. Organizations that deploy the MS17-010 patch but still use local admin accounts could still be affected by a self-propagating attack using pass-the-hash techniques rather than vulnerabilities.

If the malware has access to admin rights it will successfully infect the machine and try to spread across the network.
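As an added example (not part of the original post, and not an Avecto or BeyondTrust tool), the following PowerShell audit checks a Windows host for the foundations the patching and admin-rights sections above stress: that the MS17-010 fix is installed, that SMBv1 is switched off, and that the local Administrators group contains only expected members. The KB identifiers and the expected-member list are assumptions to verify against Microsoft's bulletin and your own baseline.

```powershell
# Added example: audit a Windows host for the WannaCry-era security basics.
# Run in an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later
# (Get-SmbServerConfiguration and Get-LocalGroupMember need those versions).

# ASSUMPTION: a subset of the KB numbers that delivered MS17-010. Verify the
# list for each OS you run against the Microsoft bulletin before relying on it.
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216', 'KB4012598')

# ASSUMPTION: the only principals your baseline allows in local Administrators.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

function Test-Ms17010Installed {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    # Caveat: a later cumulative update supersedes these KBs without listing
    # them, so a miss here means "check the OS build", not necessarily "unpatched".
    return [bool]$installed
}

function Test-Smb1Disabled {
    # The worm component spreads over SMBv1; the server side should be off.
    $cfg = Get-SmbServerConfiguration
    return (-not $cfg.EnableSMB1Protocol)
}

function Get-UnexpectedLocalAdmins {
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object {
            $shortName = ($_.Name -split '\\')[-1]   # strip DOMAIN\ or HOST\ prefix
            $ExpectedAdmins -notcontains $shortName
        } |
        Select-Object -ExpandProperty Name
}

$results = [ordered]@{
    'MS17-010 hotfix present'    = Test-Ms17010Installed
    'SMBv1 server disabled'      = Test-Smb1Disabled
    'Only expected local admins' = ((Get-UnexpectedLocalAdmins | Measure-Object).Count -eq 0)
}

foreach ($check in $results.GetEnumerator()) {
    $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-28} {1}' -f $check.Key, $status)
}
Get-UnexpectedLocalAdmins | ForEach-Object { Write-Output "  unexpected admin: $_" }
```

A FAIL on the admin check is the one the post argues matters most: even a fully patched host with surplus local admins remains exposed to the pass-the-hash style spread described above.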

Many vendors have been quick to claim that their product would stop WannaCry, but the lesson here once again is that there is no silver bullet – best practice security foundations have to be in place to stand a chance against these types of attack. We must get back to basics, and we can only hope that the high profile nature of WannaCry will at least bring these standard measures back onto the priority list.

Andrew Avanessian
