How to protect yourself from WannaCry using CloudPassage Halo
Ransomware, which denies users access to their systems and files until a ransom is paid, has been a problem since 2005. Crypto-ransomware, which encrypts the files on victim systems, is the latest type. A new variant, called WannaCry, appeared on May 12th, 2017. It exploits a vulnerability in Microsoft’s Server Message Block 1.0 (SMBv1) protocol that was patched in March 2017, as described in bulletin MS17-010. Six CVEs make up this vulnerability: CVE-2017-0143 through CVE-2017-0148.
The CloudPassage Halo SVA module has been alerting on this vulnerability since March for unpatched systems. If you have fixed the SVA alerts by patching your systems since the middle of March, you are protected against this vulnerability.
When Microsoft’s Server Message Block (SMB) protocol is used properly, it allows file sharing and access to network resources such as printers and serial ports. Vulnerabilities in SMB have allowed attackers to craft requests that achieve Remote Code Execution: the attacker gains access to a system remotely and runs code on it, often as a privileged user. The Windows vulnerability used by WannaCry was part of the Shadow Brokers dump of April 14th, 2017; Microsoft had already patched it in March with little fanfare. Many systems, including pieces of critical infrastructure, have not been patched, so ransomware based on the vulnerability is affecting large numbers of systems around the world.
Vulnerable systems are those that do not have the Microsoft update KB4013389 from bulletin MS17-010 installed, have SMBv1 enabled, and have no firewall preventing SMB connections from infected systems.
Patch all affected systems. Do not allow unknown systems to connect to servers via SMB.
CloudPassage customers can use Halo to protect themselves by following these steps:
Use CloudPassage Halo’s SVA Module to find vulnerable servers and patch them.
Use CloudPassage Halo’s CSM Module to find evidence of compromise or an active SMBv1 protocol, and remediate.
Use CloudPassage Halo’s Firewall Module to craft rules allowing only permitted clients to connect to SMB ports: UDP 137 and 138, and TCP ports 137, 139, and 445.
You can build a Windows Firewall policy to address this by adding a new service (name it whatever you want; in my example the first new service is called “SMBoverUDP”), choosing UDP as the protocol and 137,138 as the ports. Then add two rules: one to ACCEPT traffic from the internal network (however you define your internal network) and one to DROP all other traffic. Do the same for TCP ports 137, 139, and 445.
A sample Firewall policy is available from your Customer Success representative or Sales Engineer that will block requests to SMB ports (both TCP and UDP) from anything other than Localhost. It will need to be edited to add the appropriate definition of the internal network before it is deployed on Active Directory servers which normally accept these requests.
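The same “accept SMB from the internal network, drop everything else” policy, expressed directly in Windows Firewall with the NetSecurity cmdlets (Windows 8 / Server 2012 and newer). This is an added example, not code from the original post and not a CloudPassage Halo policy; the internal range 10.0.0.0/8 and the rule names are assumptions you must replace with your own definition. Windows Firewall evaluates Block rules before Allow rules, so the DROP half of the policy is implemented as the profile’s default inbound action plus disabling the broad built-in Allow rules, and the ACCEPT half as an Allow rule scoped to the internal range. Run it from an elevated PowerShell, and test it on a non-production host first: clients outside the range will lose access to shares, which is the intended effect.

```powershell
# Added example (not from the original post or from CloudPassage Halo):
# restrict inbound SMB/NetBIOS so only the internal network can connect.
# Requires the NetSecurity module (Windows 8 / Server 2012 and newer) and
# an elevated PowerShell session.

$InternalNetwork = @('10.0.0.0/8')      # ASSUMPTION: your internal network; edit me
$SmbTcpPorts     = @(137, 139, 445)     # NetBIOS session / SMB over TCP
$SmbUdpPorts     = @(137, 138)          # NetBIOS name and datagram services

# 1. DROP: inbound traffic that no rule explicitly allows is blocked.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. DROP: disable existing inbound Allow rules for the SMB ports, such as the
#    built-in "File and Printer Sharing (SMB-In)" rule, which accepts
#    connections from any remote address and would override the default.
$portSets = @(
    @{ Protocol = 'TCP'; Ports = $SmbTcpPorts },
    @{ Protocol = 'UDP'; Ports = $SmbUdpPorts }
)
foreach ($set in $portSets) {
    Get-NetFirewallPortFilter -Protocol $set.Protocol |
        Where-Object {
            # LocalPort may be one port, a list, a range such as 49152-65535,
            # or 'Any'; only filters that name one of our ports explicitly match.
            @($_.LocalPort | Where-Object { $set.Ports -contains $_ }).Count -gt 0
        } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            Write-Host "Disabling broad allow rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }
}

# 3. ACCEPT: allow the SMB ports only from the internal network.
New-NetFirewallRule -DisplayName 'SMBoverTCP (internal only)' -Direction Inbound `
    -Protocol TCP -LocalPort $SmbTcpPorts -RemoteAddress $InternalNetwork `
    -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'SMBoverUDP (internal only)' -Direction Inbound `
    -Protocol UDP -LocalPort $SmbUdpPorts -RemoteAddress $InternalNetwork `
    -Action Allow -Profile Any | Out-Null

# 4. Verify: every enabled inbound rule that still touches TCP 445, with the
#    remote-address scope of each. Only the scoped Allow rule should remain.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { @($_.LocalPort) -contains '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        '{0,-40} {1,-6} remote={2}' -f $_.DisplayName, $_.Action, $scope
    }
```

On an Active Directory or file server the Halo sample policy’s “localhost only” scope must be widened in exactly the way step 3 does here, and none of this replaces installing the MS17-010 update: a host that is patched and has SMBv1 disabled is safe even when the firewall is misconfigured, while the firewall alone only limits which hosts can reach the vulnerable service.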
It is possible to write a Windows CSM policy to detect that the vulnerable version of SMB (SMBv1) is enabled. It is also possible to detect files that have been shown to be indicators of WannaCry ransomware infection.
There is a stub Windows CSM policy available from your Customer Success representative or Sales Engineer if you want to import it into an account for testing. The policy contains two types of checks: the first makes sure that SMBv1 is not enabled, while the second checks for the presence of a file that has been shown to be an Indicator of Compromise (IOC).
Here is an example that checks whether SMBv1 is enabled in the Registry by checking the HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters key for the value of the SMB1 setting:
Here is an example check that looks for the presence of the file C:\Windows\mssecsvc.exe, which is added by the ransomware:
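The two CSM checks described above (SMBv1 enabled in the registry, and the WannaCry IOC file present), together with the MS17-010 KB lookup used later in this post, as a single PowerShell function that reports the host’s exposure. This is an added example, not part of the original post and not a CloudPassage CSM policy; the registry path, file path and KB number are the ones the post names, while the function and property names are my own. One detail a practitioner needs that the bare registry check does not show: the SMB1 value is usually absent on hosts that never had SMBv1 explicitly disabled, and an absent value means “enabled” on Windows 7, Server 2008 R2 and Server 2012 R2, so a policy that only tests for SMB1 equal to 1 misses the common case. Run it as Administrator on the Windows host being checked.

```powershell
# Added example (not from the original post or from a CloudPassage CSM policy):
# report whether this host is exposed to MS17-010 / WannaCry using the three
# indicators discussed in the post. Function and property names are assumptions.

function Test-WannaCryExposure {
    param(
        # Paths and identifiers are the ones named in the post.
        [string]$IocPath = 'C:\Windows\mssecsvc.exe',
        [string]$KbId    = 'KB4013389'
    )

    # Check 1: SMBv1 in the registry. An ABSENT value means the default
    # applies, and the default on Windows 7 / 2008 R2 / 2012 R2 is "enabled".
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Registry = 'enabled'
    if ($null -eq $smb1)   { $smb1Registry = 'not set (default: enabled)' }
    elseif ($smb1 -eq 0)   { $smb1Registry = 'disabled' }

    # Cross-check with the running SMB server where the cmdlet exists
    # (Windows 8 / Server 2012 and newer); stays $null on older hosts.
    $smb1Live = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Live = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $smb1Enabled = if ($null -ne $smb1Live) { [bool]$smb1Live } else { $smb1Registry -ne 'disabled' }

    # Check 2: the MS17-010 update. Get-HotFix only sees updates recorded under
    # their own KB number; hosts that received the fix inside a monthly rollup
    # or a Windows 10 cumulative update carry a different ID, so treat
    # "not found" as "verify manually", not as proof the host is unpatched.
    $kbInstalled = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)

    # Check 3: the IOC file. Presence is a strong signal of infection;
    # absence proves nothing, since the post lists only this one artifact.
    $iocPresent = Test-Path -LiteralPath $IocPath

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Registry   = $smb1Registry
        Smb1Live       = $smb1Live
        KbInstalled    = $kbInstalled
        IocFilePresent = $iocPresent
        Exposed        = ($smb1Enabled -and -not $kbInstalled)
        LikelyInfected = $iocPresent
    }
}

# Usage:
Test-WannaCryExposure | Format-List

# Remediation for the SMBv1 half. The cmdlet form needs Windows 8 / Server 2012
# or newer; the registry form works on older versions and takes effect after a
# reboot. Uncomment one of them once the host is patched.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
```

The `Exposed` flag is deliberately conservative: it fires whenever SMBv1 is reachable and the KB lookup fails, so a host patched through a rollup shows as exposed until you confirm the rollup is present. That is the right failure direction for a worm that spreads over a single open port.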
CloudPassage Halo’s Software Vulnerability Assessment (SVA) module has recognized this vulnerability since Microsoft published the fix in March 2017. The Halo Agent should be updated to version 3.9.7 or newer if at all possible, to increase detection accuracy. Customers running SVA scans against their servers should see this vulnerability in their reports, and can use the Filter and search functionality to see which servers need to be patched.
The Filter tool is accessed by going to the Servers tab in the Halo portal and starting to type the name of a filter, which brings up a list of available filters. You can then either finish typing the name or select from the list.
There are two ways to search for this vulnerability: looking for the presence of the CVE in SVA scans, and looking for the absence of the KB file that should be present if the server is patched.
You can use the ‘CVE Present’ filter on the Servers tab in Halo to search for each of the CVEs listed below that are associated with MS17-010 (Security update for Windows SMB Server: March 14, 2017). These vulnerabilities make a Windows computer susceptible to WannaCry ransomware.
Windows SMB Remote Code Execution Vulnerability – CVE-2017-0143 (critical)
Windows SMB Remote Code Execution Vulnerability – CVE-2017-0144 (critical)
Windows SMB Remote Code Execution Vulnerability – CVE-2017-0145 (critical)
Windows SMB Remote Code Execution Vulnerability – CVE-2017-0146 (critical)
Windows SMB Information Disclosure Vulnerability – CVE-2017-0147 (important)
Windows SMB Remote Code Execution Vulnerability – CVE-2017-0148 (critical)
To detect the CVE on servers with up-to-date SVA scans, first go to the Servers tab (red arrow) and use the CVE Present filter with the value CVE-2017-0143 (red oval). In this case, because this account has no unpatched servers, the number of servers detected is 0, and there are none in the list below.
To detect the absence of the KB, filter first on an OS Type of Windows (rectangle in the example below) and then on the Knowledge Base ID not Installed filter, giving it the KB article number from Microsoft: KB4013389 (red oval in the example below). You will see that this account has 36 servers that do not have the KB installed.
For further information on using Filters to search for vulnerable systems, please see Appendix F in the Halo Documentation.