SureCloud have covered ransomware and the risks associated with this type of malware infection extensively in a two part blog piece (Part 1, and Part 2) back in August 2016. We recommend that all organizations and consumers read these articles to gain a better understanding of modern ransomware threats. We’ve also covered operational mitigations that any organization should include within security awareness training.
This blog, instead, will look to provide further guidance for mitigations ahead of an infection, but also what organizations can do to react to an attack in the short-term whilst limiting the loss of data.
SureCloud’s analysis of the WannaCrypt attacks
The recent attacks on the NHS within England, and the similar attacks that affected Spanish ISP Telefonica appeared to utilise the exploits recently made public by the Shadow Brokers group. Specifically, the Samba vulnerabilities MS17-010 (and other CVEs) were exploited via the ‘EternalBlue’ tool. The infection looks to have initially gained a foothold through internet facing systems with exposed SMB/Samba services, which in turn spread through internal network systems.
Modern systems such as the more recent Windows Server 2016 and Windows 10 operating systems are known to be affected without the available security updates that were recently published by Microsoft. Systems supporting the SMB version 1 protocol should be patched immediately, with SureCloud recommending that SMBv1 is disabled entirely as this and other attacks have been shown to be trivially exploitable.
It is critical that organizations apply these patches and install any other outstanding security updates as soon as possible. SureCloud’s vulnerability scanning platform services are actively detecting where these security updates are missing for clients with an internal SureCloud Scanning Appliance whom are running privileged scans.
Organizational threats and prevention
As many organizations are aware, one of the more common methods of malware gaining a foothold on an internal network is through phishing attacks, whereby a malicious actor would either send an email to unsuspecting users containing the malicious files directly, or by linking to sites where users are prompted to download files that are initially not seemingly dangerous. Web and email filters provide an initial defense against malicious website content and incoming email threats respectively. SureCloud recommend that binary files are quarantined or outright blocked when sent as attachment, including executables and scripts.
The less common, but still ever-present risk is that services or applications on an organization’s perimeter network may be vulnerable to cyber-attacks. SureCloud regularly find web applications that provide file upload functionality that would allow an attacker to upload malicious files, or to cause remote-code execution on the host servers. Critically, services that provide direct access to a host system should not be exposed to the public internet, whether it is a service that is used for network-file sharing such as SMB/Samba, or remote desktop services such as Microsoft’s RDP or Xserver.
With the recent disclosure of the vulnerabilities and exploit tools that are now distributed throughout the public internet by the Shadow Brokers group, many organizations that operate systems affected by these vulnerabilities are prime targets for targeted or widespread ‘low-hanging-fruit’ attacks. Several of these exploitable vulnerabilities can provide attackers with direct access to these systems with high-level privileges, and depending upon the security posture of the organization it may be trivial to access internal networks along with corporate or consumer data.
The key point of this is that organisations with a larger attack surface (e.g. a large internet presence, high number of staff) or a minimal security posture may not be able to defend against ransomware attacks. As evidenced within many recent publications through BBC and other news resources, organisations that do not have a sufficient data backup or disaster recovery policy would face the greatest losses should a ransomware attack occur. Regular backups, including long-term data backups should be part of the operational security process within an organisation’s IT strategy. Backups, of course, would also require a defined disaster recovery process, which should be tested at least every 6-12 months for assurance purposes.
SureCloud regularly see business critical systems running Windows XP and Windows Server 2003, despite the discontinued support from Microsoft for security updates. Organisations that cannot patch should look to mitigate any risks associated with these systems by restricting services, hardening the remaining services through configuration changes, and by using industry-recognised anti-virus and anti-exploit solutions where possible.
In relation to the vulnerabilities and exploits described within this article, for systems that are no longer receiving security updates SureCloud recommended that initial controls are implemented by disabling SMBv1 support. Please note that disabling SMBv1 support on Windows XP and Windows Server 2003 will cause functionality issues, and an alternative control would be to heavily restrict traffic to associated ports through system-level firewalls and hardware firewall rules.
SMBv2 was introduced with Windows Vista and Windows Server 2008, with SMBv3 being introduced with Windows 8 and Windows Server 2012. It is highly recommended that organsiations migrate away from these legacy systems on to more recent versions of Windows, both for feature updates and security updates.
Further details on disabling the various versions of the SMB protocol can be found on the Microsoft Support website.
Update: 13th May 2017
Microsoft released updates for legacy systems (including Windows XP and Windows Server 2003) due to the severity of the vulnerabilities that we have detailed within this article. This update can be installed through patch KB4012598, with further details of this being available through the Microsoft Catalog for each operating system version. A Microsoft TechNet article is also now available, which provides guidance to customers for the WannaCrypt attacks. Microsoft also notes that they are continuing to monitor and update their systems for any Office 365 customers.
Mitigation following an infection
Within our ‘Reducing your exposure to ransomware – part 2’ article we offered the advice that organisations should never pay the ransom fees following a ransomware infection. Not only would this cost a considerable amount of money (depending upon the number and the roles of the affected systems), but this also rewards attackers unnecessarily when a well-designed disaster recovery process could recover the majority of any data that is lost.
If your organisation’s backups do not include up-to-the-minute copies of your data, then a consideration for risk acceptance would be to lose (at most) a day’s worth of data. This assumes that daily backups are performed, with longer-term backups being stored off-site and air-gapped from the corporate network.
For a short-term mitigation to limit the exposure of the malware, should it be worm-based or a manually-led attack, SureCloud recommend isolating affected systems immediately. The effects that may follow on from the temporary loss of service would be minimal for staff members or to the public for any internet-facing services when compared to the loss of actual data, or even for public relations of the organisation itself after the disclosure of the data breach.
Assurance and security testing
Regular security testing is highly recommended for organisations, both vulnerability scanning for known configuration weaknesses and vulnerabilities, alongside manually-led penetration testing for internet exposed systems and internal networks. SureCloud provide these services in the form of an experienced Security Services team for penetration testing and IT Health Checks, and for vulnerability scanning that can be managed by your organisation’s security teams directly.
One of SureCloud’s recent service packages is the Simulated Ransomware service. This security assessment is a red-team style package that offers CISOs and security managers both a high-level and detailed view of their present security posture. Further details are available within the linked datasheet.
For scoping queries or for quotations for services please contact sales@https://www.surecloud.com, or get in touch with our team via the contact form on the website.