Friday could not have come sooner for some last week. For the rest of us, we may have wished Friday never happened. What is now being considered the most “successful” and prolific ransomware campaign took off like a wildfire in a dry forest. We’ve all heard the name, WannaCry, hopefully it did not make anyone in your organization cry.
There has already been a tremendous amount of press about the WannaCry ransomware, also known as WanaCryptor 2.0, WannaCrypt, WCry, WCryp, and WCrypt. Many security vendors have rolled out measures to mitigate and protect against this threat. However, there are still plenty of users at risk especially once we saw new variants of the ransomware in the wild over the weekend.
The “success” of this malware campaign was due to the widespread vulnerability to the exploits in the recent “Lost In Translation” dump leaked by the Shadow Brokers, which included cyber-attack tools developed by the NSA. In this case, ETERNALBLUE and DOUBLEPULSAR were the exploits integrated into the ransomware binary.
These “weaponized” exploits were used against MS17-010, a vulnerability in Microsoft’s SMB protocol. Microsoft released a vulnerability patch for all currently supported operating systems on March 14, 2017, but as we all know not every organization is as good at keeping things up to date as they should be. This is presumably why the malware creators went with this attack vector, as the release of the toolkit was fairly recent, they were banking on many organizations not having patched against it.
As security researchers, our job is to sift through the mountains of data in hopes of finding that one golden nugget that will lead us back to the beginning. The issue here is that there SO MUCH data to sift through that there is much disparity in the information being given out. There have been many contradictory reports come out since we all went to DEFCON 1 and it has become increasingly more difficult, for us as researchers, to filter through the noise and find the truth.
What do we know so far?
As of the time of writing, there has not been any solid evidence that this campaign was kicked off through the use of malicious email attachments, as was assumed in the beginning and has been reported by a number of outlets.
The dropper (or stager) appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010). The ransomware can loop through every open RDP session on a system and run the ransomware as that user. Once launched, it installs a service called mssecsvc2.0 with display name Microsoft Security Center (2.0) Service, starts that service, drops the ransomware binary located in the resources of the worm, and runs it.
During the initial kickoff, the malware initializes networking and cryptographic functions. After initializing the functionality used by the worm, two threads are created. The first thread scans for other hosts on the target’s LAN. The second thread kicks off to scan other hosts on the wider Internet. The malware then queries functions to get a list of IP ranges on the local network, then creates a list of every IP in those ranges to scan with no more than 10 LAN IPs being scanned at one time.
The LAN scanner attempts connecting to port 445 and if successful, creates a new thread to try to exploit the system using MS17-010/EternalBlue. If the exploitation attempts take over 10 minutes, then the exploitation thread is stopped. The WAN scanner generates random IP addresses using either the OS’ crypto or pseudo-random number generators that were initialized earlier. If there is a successful connection on port 445, the entire associated /24 range is scanned, and if port 445 is open, exploit attempts are made that time out after one hour.
The exploitation makes several attempts to complete the exploit, with two different sets of buffers. It is presumed that one buffer is for 32-bit Windows and the other for 64-bit versions. If it detects the presence of DOUBLEPULSAR after any exploitation attempt, it uses DOUBLEPULSAR to load the relevant payload DLL.
This is a rinse and repeat action for every new host that is infected, coupled with the number of vulnerable systems available, this is why we saw such a rapid rate of infection.
The first version launched on Friday has a “kill-switch” or “anti-sandboxing” domain check that security researcher @MalwareTechBlog accidentally tripped (this was a happy accident). The malware would make an HTTP request to this hardcoded domain, if it was unable to reach the domain then the exploitation and wormy activity would carry on and the infection would spread. Once the kill-switch domain was registered, the malware could reach the domain through a HTTP request and would then terminate exploitation keeping it from propagating out of that specific host.
This does not mean that it is over or that internal networks are at all safe, even with a proxy. There is additional logic so the worm will still work on any system that requires a proxy to access the Internet, which is the case on the majority of corporate networks. If it is already in your network, it can still spread and encrypt.
Mitigating the Threat
First off, patch all the things. If you have not applied the Microsoft security patches from March, stop reading and go do it NOW!
- Info and patches for all currently supported Windows products
- This page has been having outage issues on off today, this is a patch released for Windows OS’ that are already EOL)
- Microsoft has a sister version of Windows XP called Windows POSReady 2009. It’s an operating system for point of sale machines such as credit card readers, and its core is based on Windows XP Service Pack 3. Admins can make a simple change to the Windows XP registry to make XP think it’s POSReady 2009, and it will continue to receive patches.
***This is an unofficial way to get updates for an EOL OS, do so at your own peril***
- The hack is simple:
Add a DWORD of <1> into the registry hive KEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady
Windows updates should start flowing again.
- Disable SMB .v1 (lateral movement mechanism)
- This is the current exploit mechanism being used for moving within enterprise. Movement has been detected from Cloud Sync file-share as well.
- Edge Protection and Firewall Configuration
- Ensure that port 445 is blocked for firewall communications with all exceptions scrutinized and verified before adding.
- Yara rules
- Emerging Threat Rule for ETERNALBLUE
Our previous blog posts have additional technical details including IOC’s.