Threat Brief: WanaCrypt0r– What We Know

Situation Summary

This Unit 42 blog provides an update on the threat situation surrounding the WanaCrypt0r ransomware attacks and how the attack propagates.

Initial reports said that the WanaCrypt0r attack began as part of a spam/phishing campaign. Unit 42 and other researchers have concluded that these reports are not substantiated. While the initial attack vector for these attacks is unknown, it is certain that the spread of the ransomware occurs through active exploitation of the ETERNALBLUE vulnerability (CVE-2017-0144) in Microsoft Windows. Patches for this vulnerability for all supported versions of Windows have been available since March 2017. On Friday May 12, 2017, Microsoft took the extraordinary step of releasing patches for out-of-support versions of Windows to help protect against these attacks.

As the attack leverages this Microsoft vulnerability, the most appropriate first step to take against the attack is to apply the patches. Unit 42 researchers have confirmed that the patch is effective against the WanaCrypt0r Ransomware attacks.

In addition, Palo Alto Networks, and other vendors, including our fellow members of the Cyber Threat Alliance, have released additional protections that help prevent the spread of the WanaCrypt0r ransomware. For information on Palo Alto Networks protections, please see our posting Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks.

As with all ransomware attacks, Palo Alto Networks and Unit 42 recommends that anyone affected NOT pay the ransom. Unit 42 is not aware of any reports where paying the ransom to the WanaCrypt0r attackers has resulted in the recovery of data. In addition, Unit 42 research has shown that very few have attempted to pay the ransom.

Unit 42 is following this situation very closely and will update this blog with any new information as it becomes available.

Overview

WanaCrypt0r is a global ransomware attack that emerged on Friday, May 12, 2017. It immediately gained broad media attention, due to its destructive nature, how widespread it was, and multiple high profile victims. This attack uses the version 2.0 of this ransomware. WanaCrypt0r v 1.0 was first reported a few months ago but did not include the worm capability associated with this attack.

Reports quickly emerged that this attack was effective due to the presence of code exploiting a vulnerability (CVE-2017-0144) in Microsoft Windows (code named: ETERNALBLUE) that was released as part of the Equation Group dump by the Shadow Brokers in their fifth leak on April 14, 2017. Microsoft patched this vulnerability as part of the March 2017 Monthly Security Update Release by Microsoft Security Bulletin MS17-010. This is a SYSTEM-level remote code execution (RCE) in the handling of the Server Message Block (SMB) protocol in Microsoft Windows.

The attack uses this vulnerability to spread the WanaCrypt0r ransomware on the network. This is a classic network worm-class vulnerability like MS-Blaster and Conficker.

Early reports indicated that the initial attack vector was via spam and/or phishing email. However, this has not been confirmed and is unlikely to account for the global spread of the malware.

When the WanaCrypt0r ransomware executes successfully, it will encrypt key files on the system and display a ransom note as shown below (SOURCE: Microsoft).

Figure 1 Ransom note for WanaCrypt0r

One thing reports have indicated that make this attack unique is a “killswitch” capability built into the malware. This “killswitch” will prevent the WanaCrypt0r ransomware from executing. The “killswitch” is code which will attempt to connect to an extremely long domain that should not resolve. The initial variant of WanaCrypt0r uses hxxp://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, however, there are reports of newer variants using different domains. If it was successful in connecting to the domain, the ransomware would not execute. However, it was easily subverted to work against the malware. A security researcher in the United Kingdom initially registered this domain in order to track this threat, and soon discovered that in doing so, he had enabled this “killswitch”, causing a number of instances of WanaCrypt0r to not execute for a large number of infected systems.

On Friday, May 12, 2017, Microsoft announced that they were making an emergency patch available for out-of-support versions of Windows (Windows XP, Windows 8 and Windows Server 2003).

As of this writing attacks appear to have subsided. This is likely due to increased uptake of the patch MS17-010 in light of the WanaCrypt0r attacks, as well as efforts made within the security community.

Unit 42 research shows there is likely very little actual payment of ransom. We analyzed our known WanaCrypt0r samples and extract the following Bitcoin (BTC) addresses likely associated with the attackers and associated totals:

  1. 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 – 12.42466618
  2. 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 11.83101346
  3. 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 8.74393075
  4. 1DefE3HEeBaR4EBbAajjHatFzMuPe885Hf – 3.12308549

This results in a total of 36 BTC, or roughly $63k based on the current price of BTC. Given that WanaCrypt0r requests $300 per infected machine, we can infer that approximately 210 victims have made payments to the attackers.

Reconnaissance

This attack does not appear to be targeted. Therefore, there appears to be little recon as part of this attack. There are some reports that there may be scanning of TCP port 445, which is one of the ports associated with SMB. But these reports haven’t been conclusively verified.

Delivery

There is no consensus in the industry on what the delivery method/initial infection vector is. There have been several theories:

  1. Spam/Phishing: Initial theories suggested that delivery occurred through a spam or phishing email with a link in the body or in an attached Adobe .PDF file and the user could click the link and execute the attacker’s code in their security context to initiate the attack which would then spread on the network by attacking the ETERNALBLUE vulnerability.
  2. Direct attack against MS17-010: This theory suggests that the attack would establish a beachhead by attacking the ETERNALBLUE vulnerability on Internet-exposed systems and the attack would then spread on the network by attacking the ETERNALBLUE vulnerability from these compromised systems.
  3. RDP: This theory suggests that the initial attack comes by attacking systems using the Remote Desktop Protocol (RDP) and then the attack which would then spread on the network by attacking the ETERNALBLUE vulnerability from these compromised systems. This theory suggests an attack pattern similar to what Unit 42 outlined in the Shamoon 2 attacks followed by using RDP as the initial delivery method and then attacking the internal network from the compromised RDP system. There are theories suggesting this could be due to brute force attacks against the RDP system, while other theories suggest this could be due to a successful attack against a vulnerability on these RDP systems (theories do not state what vulnerability this could be or where the vulnerability might occur).

Unit 42 believes the most likely delivery method is method #2. However, this is not conclusively provenLateral Movement

Lateral Movement

The WanaCrypt0r ransomware spreads itself by heavily scanning over TCP port 445 (associated with SMB) and attempting to exploit the ETERNALBLUE vulnerability on systems. A successful attack against this vulnerability will infect the target system with the WanaCrypt0r ransomware, which will encrypt data on the target system and attempt to spread itself once again.
Multiple vendors report that the malware includes the ability to spread via port 445 scans and attacks against the ETERNALBLUE vulnerability not only on internal networks but also across the Internet. These reports indicate that in addition to the internal lateral movement already outlined, the WanaCrypt0r ransomware will scan for port 445 on random external IP addresses and if it finds an IP address with an open port 445, it will then scan all devices on the same /24 IP range (i.e. that share the first three octets as that IP address with the open port 445).

Command and Control (C2)

In general, WanaCrypt0r does not have C2 capabilities but it does utilize the TOR network to communicate encryption keys for decryption upon payment of ransom. It has been reported that the DOUBLEPULSAR backdoor (also from the Equation Group leak by Shadow Brokers) is installed and used to execute the malware after successful exploitation of a host via ETERNALBLUE, but this warrants further analysis.

Conclusion

Overall, WanaCrypt0r has been a notable incident within the security community, as the threat couples a wormable vulnerability/exploit with a ransomware family. Users are urged to apply the necessary Microsoft patch to protect themselves against this threat.

For protections, customers are advised to view this blog post that outlines the various ways the Palo Alto Networks platform prevents this threat.

[Palo Alto Networks Research Center]

How Japan Is Aiming to Close the Cybersecurity Skills Gap Before Tokyo 2020

With only three years left before the Tokyo Summer Olympic Games in 2020, Japan is facing a shortfall of cybersecurity manpower. According to the Ministry of Economy, Trade and Industry (METI), the current shortfall of IT professionals to available opportunities is 132,060, which will further increase to 193,010 in 2020. About half of end-user companies believe they are deficient in IT security employees, and only 26 percent think they have enough talent in these roles.

The Japanese government plans to issue a new national cybersecurity strategy for human resources development, the Program to Develop Cybersecurity Human Resources, in 2017. The draft released in March 2017 emphasizes that cybersecurity is not a cost center, but it provides opportunity to invest to create new business values and increase companies’ international competitiveness. Reflecting the Cybersecurity Guidelines for Business Leadership in December 2015, the draft encourages business executives to take cybersecurity measures as part of their social responsibility and raise cybersecurity awareness. This is crucial now, because the government learned 34 percent of Japanese business executives do not consider cybersecurity part of their business challenges.

In Japan, end-user companies tend to believe IT is a tool to increase efficiency and cut costs (not something to invest in), and outsource IT-related work to vendors and system integrators. Only 24.8 percent of IT engineers work in-house in Japan, compared to 71.5 percent in the United States.

The current business environment, however, demands end-user companies find a balance between outsourcing and insourcing IT or cybersecurity-related work. Business operations heavily rely on computers, hardware, software, cloud computing, cell phones, tablets and SaaS, and more adopt general purpose technologies for cost-saving and efficiency. Each technology requires specific security expertise. Moreover, business risk management, critical infrastructure operations, finance, legal, human resources and even national security touch upon cybersecurity. Business executives must take the lead to craft a business strategy to deal with a wide variety of risks – including cyber risks – and take advantage of innovative technologies for security and convenience.

METI and the Japanese Ministry of Internal Affairs and Communications (MIC) are tackling the aforementioned challenges to cultivate cybersecurity-driven C-level executives and next-generation professionals for end-user companies and critical infrastructure companies. Both ministries are launching separate cybersecurity training centers in 2017. While MIC focuses on IT research and development, METI covers both the operational and information technology sides of critical infrastructure protection, including industrial control system/supervisory control and data acquisition (ICS/SCADA).

As cyber risks against ICS/SCADA are growing, METI established the Industrial Cybersecurity Center of Excellence (COE) under the Information-Technology Promotion Agency (IPA) in April 2017. COE has three pillars for their mission: the development of human resources; the evaluation of the security and reliability of ICS/SCADA; and the research and analysis of cyberthreat intelligence.

COE will serve a total of up to 100 students per year, and provide two courses: one for mid-career people and one for C-level executives. Both courses will be a golden opportunity for professionals from different sectors to get connected, create a trusted community, and help each other later.

While the course for C-suites will consist of several classes over a short term, the course for mid-career people will run from July to June. It will aim to cultivate professionals able to propose cybersecurity strategy drafts and brief business executives about cyber risks, using business management and financial terms; who understand the current cyberthreat landscape and best practices overseas and in other sectors to apply to such cyberattacks, and can use the information to craft cybersecurity tactics and strategy; and who can evaluate the safety and reliability of cybersecurity solutions, technologies, and costs to employ and deploy the best one. The course starts at Primary level (July to September), and moves onto Basic (October to January), Advanced (February to April), and Graduation Project (May to June), though more advanced students do not need to participate in Primary classes. It covers IT/OT basics, such as corporate governance, business continuity, forensics, ICS/SCADA risks and cyber exercises; business management and ethics, such as leadership, accounting/finance, presentation skill, budgeting and relevant legislations; and global case studies.

COE began accepting applications for the mid-career course in late February, after more than 30 companies from the automobile, utility, railway and real estate industries had expressed interest in enrolling their employees.

IPA already runs the Cyber Rescue and Advice Team against targeted attack of Japan (J-CRAT) and supports a cyberthreat information-sharing framework, the Initiative for Cyber Security Information sharing Partnership of Japan (J-CSIP), to protect critical infrastructure companies. IPA also started monitoring the next-generation Government Security Operation Coordination Team for the central government and nine government-affiliated agencies in April 2017. The COE project for cyberthreat intelligence will be an additional means for IPA to bring in the intelligence and expertise of white hat hackers to eventually help with human resources development and the system evaluation project.

MIC released the IoT Cybersecurity Action Program 2017 in January 2017 to enhance IoT security and prepare for Tokyo 2020. One of the main pillars of the program is to accelerate the national effort to cultivate cybersecurity workforce by hosting cyber exercises and establishing a training center. The National Cyber Training Center was created under the National Institute of Information and Communications Technology (NICT) in Tokyo this April. NICT was chosen for its assets: NICTER (Network Incident analysis Center for Tactical Emergency Response) to watch cyberattacks and visualize them; and a cloud-based StarBED platform for cyber exercises.

The National Cyber Training Center offers the SecHack365 program to train 40 students under 25 years old each year; implement 100 Cyber Defense Exercise with Recurrence (CYDER) exercises for 3,000 central and local municipal government officials and critical infrastructure personnel all over Japan; and host the Cyber Colosseo exercises for the Tokyo Organising Committee of the Olympic and Paralympic Games. The center accepted 359 applications from young industry people and college and university students including teenagers in April. SecHack365 students can take classes remotely to develop computer programs and participate in cyber exercises and hackathons. Competent students will be sent overseas for additional education. The center also aims to build a community for next-generation engineers to lead IT-driven innovation in Japan and develop computer programs to resolve unsolved challenges, rather than relying only on existing technologies.

CYDER used to target only Tokyo. In Japanese Fiscal Year 2015 (April 2015 to March 2016), 200 people from the central government and critical infrastructure people participated in CYDER. In JFY 2016, however, CYDER was also provided in eleven places outside Tokyo, and 1,500 people attended. CYDER expanded to cover local municipal governments because they have residents’ My Number information (a new personal identification system for Social Security and taxation information), and more cybersecurity is required as cyberattacks and breaches are growing.

Cyber Colosseo exercises allow Tokyo 2020 cybersecurity personnel to simulate potential cyberattacks on Tokyo 2020 and review and enhance defensive capabilities with Blue and Red Teams. The exercises are expected to help team-building between security personnel and relevant organizations.

These METI- and MIC-led initiatives will allow IT and OT personnel to learn from each other, power mid-career professionals by business operation mindset to bridge between technical engineers and business executives, make C-level executives more mindful about the current cyberthreat landscape and cybersecurity, and cultivate next generation R&D engineers. They will also form tight bonds between professionals from different sectors and cultures. Of course, it will take at least one year for students to bring back what they learn to their organizations and make reforms for better IT/OT balance. Still, this is a positive step forward for Japan and the world’s cybersecurity. Unfortunately, almost all information about these projects is only available in Japanese, but this is definitely worthy of a global audience.

[Palo Alto Networks Research Center]

WannaCry: Is this a Watershed Cyber Security Moment?

As I watched the news, I was struck by the inaccuracy of much of the initial coverage of the massive wave of ransomware attacks that surfaced on 12 May. Even my partner thought that the National Health Service (NHS) computers, as well as other targets around the world, were being intentionally targeted by a coordinated global cyberattack.

The truth was far worse. This was no more than an infection designed to take advantage of environments that failed to have even the most basic of cyber security protection in place.

This malware, known by various names including WannaCry and Wanna Decrypt0r, is understood to have originated from a leak of the US NSA cyber tools. However, the leak and the malware tools were widely known about. There were plenty of fixes available to prevent the malware from working.

To prevent this particular malware from operating, all organizations had to do was be running on a supported operating system that had applied the latest software updates. (The patch to prevent this malware from working had been released by Microsoft to their supported operating systems back in March).

Even if your computers were not patched, or were running an unsupported operating system, if your organization had selected a more effective anti-malware solution, that also would have been enough to prevent the malware from working.

Where the malware entered an unprotected computer on a network, it had the ability to then seek out other undefended computers on the same network. Almost like a red team identifying vulnerabilities, the malware highlighted organizations and computers that were running with unsupported operating systems, unpatched operating systems, wide open network topologies and less effective, or completely absent, anti-malware protection. One-by-one, the worst configured and maintained environments that received the malware started to experience substantial disruption.

The consequences of this event are devastating. The interruption has affected services that included the provision of healthcare services, and some healthcare staff have already alleged that this event is likely to have led to several unnecessary deaths due to many clinical services becoming temporarily unavailable. In fact, the ISACA publication on healthcare IT governance I had just finished drafting had included some statistics about how faulty technology in healthcare environments leads to hundreds of deaths and thousands of serious injuries each year, based just on the UK figures from the UK regulator MHRA (Medicines and Healthcare products Regulatory Authority – the UK equivalent of the US Food and Drug Administration).

So, will this event finally help cyber security practitioners that have failed to get buy-in from their management to make the changes they need? I hope so.

This event should be a wake-up call. The Internet is a dangerous place IF your computers and networks are not taking at least basic precautions.

For those executives who thought that because this type of event never used to happen, it never will, it is time for a rapid rethink while you still have an organization to protect.

Editor’s note: Raef Meeuwisse, CISM, CISA, is author of several cyber security publications, including “How to Keep Your Stuff Safe Online,” available at iTunes: https://itunes.apple.com/gb/book/how-to-keep-your-stuff-safe-online/id1212130763?mt=11&ign-mpt=uo%3D4

Raef Meeuwisse, CISM, CISA, Author, “Cybersecurity Exposed”

[ISACA Now Blog]

Ransomware: Healthcare Organizations Cannot Afford to Be Unprepared

I had just typed the last word of a new ISACA publication on governance of enterprise information technology for healthcare environments when today’s news on the National Health Service (NHS) ransomware attack broke.

As we now know (as of the time of this writing):
•  At least 16 UK National Health Service (NHS) trusts are affected, as well as unspecified other UK government departments and agencies
•  The malware used has been identified as “Wanna Decryptor,” which is preventable by some forms of anti-malware.
•  The action of the malware is to encrypt desktop-based files and position a ransomware message on the desktop and as a readme file.

The interruption of basic services such as email and network-dependent telephony (VOIP) can be devastating in healthcare environments. Targeted healthcare providers are particularly vulnerable to ransomware attacks. This is especially concerning, because according to ISACA’s global State of Cyber Security 2017 study, just half (53 percent) of organizations have a process in place to deal with ransomware attacks.

Most cyber attacks rely on basic deficits, such as not locking out administrative access, running unpatched operating systems or running ineffective anti-malware products.

My takeaway is this:

  • Organizations cannot afford to be out of touch with basic cybersecurity requirements. It is reported that many of the impacted systems were running operating systems that were no longer supported by their manufacturer, but were still connected to networks and managing email with no compensating controls.
  • Underinvestment in basic cybersecurity is a massive false economy. There is a danger that if budgets are looked at in silos, it can appear cheaper to leave vulnerable technologies in place without considering the huge cost impact of the operational interruption.
  • Some newer forms of anti-malware are now over 99 percent effective. Newer forms of anti-malware, some of which can also run on top of or alongside older anti-virus solutions, can now identify and block over 99 percent of malware, including polymorphic forms they have never seen. They do this by using a basic form of artificial intelligence and machine learning. They can even be configured to completely block power shell scripts for desktop environments.

As I finish this post, the news is still breaking, and the impact of this cyberattack appears to be targeting a much larger number of international organizations.

If you are not getting the traction you need for investment in basic cyber security measures, please use this as a valuable moment in time to give your management a wake-up call.

Raef Meeuwisse, CISM, CISA, Author, Cyber Security

[ISACA Now Blog]

The Vendors of My Vendor’s Vendor … What? … Wait? … I’m Confused?!

It is no secret that vendor management is one of the top security challenges we face today. But what compounds the challenge is not knowing the relationships beyond our direct vendors. What are the vendors of my vendor doing?

I don’t know what I don’t know
The scenario: A recent project was initiated by the business group that would greatly improve our customers’ experience with us as well as streamline internal processes. Great! But, and I know this is common with any organization, the assigned managers involved on the project are not trained in project management and most certainly are not focused on security issues.

We have vendor management report into the risk department so we are fortunate to have security “eyes” on it but, in this case, the vendor did not disclose that additional relationships would be required. It turns out that the additional vendors would be involved in processing funds and documents containing sensitive data. Isn’t that interesting? Now the vendor’s vendor, the one processing funds, has a vendor for backups and is backing up the sensitive data. So, my data is three vendors away and the PMs are shrugging their shoulders.

We were fortunate because we did have time to do our due diligence on those additional third-parties, but we might not be so lucky the next time and could find ourselves in damage control.

Here are three actions that will help with the vendor management security struggle:

  1. Stay close to home. What I mean is focus and hold your direct vendor accountable for the other, now required, vendors. They most likely will resist and say, “You need to do your own due diligence.” I would suggest you respond that part of your due diligence is understanding how they selected that company to partner with and what vetting and security reviews were performed. If they didn’t review the vendor’s security controls, how confident are you in their controls?
  2. Tie due diligence to the money. Require that due diligence be complete before issuing the P.O. If you don’t have ownership over vendor management, this might be a challenge. But write in your vendor management policy the requirement that all due diligence be completed prior to finance issuing the P.O. Project managers will be more motivated to dot the Is and cross the Ts if they know that the project could be delayed.
  3. Follow the guidance. Whether or not you’re in a regulated industry, modeling your vendor management program off guidance from large agencies with a breadth of experience will make for a stronger structure. At the core of this guidance is governance. And make sure that whatever risk you assign to your vendors, you communicate it to management and the board.

Brian Nesgoda, CISSP, SVP Risk Management/CIO

[ISACA Now Blog]

English
Exit mobile version