
WannaCry? Three Actions You Can Take Right Now to Prevent Ransomware

By now everyone has heard about the ransomware called Wanna, WannaCry or WCry spreading across the globe and locking down the data of some of the world’s largest companies. The malware appears to exploit an SMB flaw that Microsoft provided a patch for in March 2017. You may have heard that the worm has been successfully stopped and you have nothing to worry about, but the vulnerability still exists on millions of systems and can be used again. Now is not the time for complacency; it is time for action. Tenable has several ways to help you know where your business is exposed so you can make informed decisions about what to do first to detect WannaCry and protect your business.

Take action now

If you are a Tenable SecurityCenter® customer, here are three things you can do now before the next variant of WCry appears and before it encrypts the files on your machines.

1. Hunt for infected machines: Check for DNS queries and Scan for Malware.

The first version of WCry that spread across the globe performs a DNS lookup when it initializes; luckily, the Passive Vulnerability Scanner® (PVS™) can record DNS queries on your network. You can apply the following filters in Event Analysis view to hunt for hosts that send queries to this domain:

Type: dns
Syslog Text: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea
Timeframe: Last 7 Days

Event Analysis filter

Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

After you apply the filter, change the view tools to Source IP Summary. If you have any host that sends queries to this domain, it has most likely been compromised. You should disconnect that machine from the network and take appropriate action.

Note: There are reports of some organizations attempting to block this domain at their firewalls, assuming this is a CnC domain. Don’t do that! The domain has been sinkholed and is actually a kill switch for the malware. If the malware can successfully reach that domain, it terminates - so don’t block access.

If you already have credentialed scans or Nessus Agents in place, detection is even easier: run the Malware Scan Policy, and machines infected with WCry will be reported under plugin 59275.

Malware Scan Policy

2. Hunt for infected machines by lateral movement.

The WannaCry ransomware spread so quickly because once it infects one machine, it scans for any other machine with port 445 open, and then infects that target. With SecurityCenter, you can search for any hosts that are scanning for port 445, by applying this filter:

Destination Port = 445
Timeframe = Last 7 Days

Event Analysis filters

Using the Connection Summary tool you can identify hosts that are connecting to other hosts using port 445. For example, in the image below, one host has 1650 events using port 445 with another host. You may need to investigate a situation when the same host is talking to several other hosts. You can enhance these results by using Assets or subnets as additional filters.
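The Connection Summary described above can be reproduced over raw connection events, which is what this added example does (it is not code from the original post or from Tenable): it counts events per source/destination pair on port 445, optionally limited to an asset subnet, and then flags sources that talk to many distinct hosts on that port, the fan-out pattern of a worm looking for its next victim. The event layout, sample data and the `min_targets` threshold are constructed assumptions for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample connection events in an assumed "src_ip|dst_ip|dst_port"
# layout. 10.1.2.15 fans out to five different hosts on 445 (worm-like);
# 10.1.2.40 repeatedly talks to one file server, as a normal client would.
SAMPLE_CONNECTIONS = """\
10.1.2.15|10.1.2.16|445
10.1.2.15|10.1.2.17|445
10.1.2.15|10.1.2.18|445
10.1.2.15|10.1.3.5|445
10.1.2.15|10.1.3.6|445
10.1.2.40|10.1.2.100|445
10.1.2.40|10.1.2.100|445
10.1.2.40|10.1.2.100|445
10.1.7.9|10.1.2.100|445
10.1.7.9|10.1.3.5|80
"""

def parse_connections(raw):
    """Return (src, dst, port) tuples from the constructed event lines."""
    return [tuple(line.split("|")) for line in raw.splitlines()]

def connection_summary(conns, dport="445", subnet=None):
    """Event count per (source, destination) pair on dport, optionally limited
    to sources inside an asset subnet (the Assets/subnet filter in the post)."""
    net = ip_network(subnet) if subnet else None
    pairs = Counter()
    for src, dst, port in conns:
        if port != dport:
            continue
        if net is not None and ip_address(src) not in net:
            continue
        pairs[(src, dst)] += 1
    return dict(pairs)

def fan_out_sources(summary, min_targets=3):
    """Sources that contacted at least min_targets distinct hosts on the port.
    min_targets is an assumed threshold; tune it to your environment."""
    targets = defaultdict(set)
    for src, dst in summary:
        targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    summary = connection_summary(parse_connections(SAMPLE_CONNECTIONS))
    for src, n in fan_out_sources(summary).items():
        print(f"{src} contacted {n} hosts on 445 -> investigate for lateral movement")
```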

Event Connection Summary

3. Once your systems are clean, patch and scan.

If your environment is now clean, the best way to prevent a WCry infection is to apply patches and disable SMBv1. Tenable has several plugins that can detect if a machine is vulnerable to MS17-010:

Plugin ID | Plugin | Description
96982 | Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check) | The system has been found to be vulnerable to SMBv1 attacks using uncredentialed checks. The Shadow Brokers group reportedly has an exploit that affects SMB, and the current WannaCry ransomware is using this exploit.
97086 | Server Message Block (SMB) Protocol Version 1 Enabled | This plugin is similar to 96982, but the vulnerability is detected using credentials. The system has been confirmed vulnerable to SMBv1 attacks used by WannaCry and vulnerabilities described by Shadow Brokers. Credentialed checks are more accurate and provide more details.
97737 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) | Credentialed plugin to detect MS17-010 (detects that the patch is missing).
97833 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (uncredentialed check) | Remote plugin to detect the MS17-010 vulnerability.
700099 | Ransomware Traffic Detected (WannaCry) | This plugin uses passive techniques to determine if the remote system may be affected by ransomware that encrypts most or all of the files on a user's computer. This attack is related to the WannaCry ransomware.

We have developed a SecurityCenter dashboard tailored to identify hosts that may be susceptible to the WannaCry ransomware exploitation. The WannaCry Vulnerability Detection dashboard is available through the SecurityCenter Feed to provide insight into the vulnerability of your network and the progress made toward upgrading outdated hosts.

The dashboard takes all the methods of detection described in this blog and places them in one easy-to-use location. The matrix in the upper-left corner uses CVEs and DNS events to distinguish possible at-risk hosts from confirmed vulnerable hosts. The dashboard also uses many of the same components as the Shadow Brokers Vulnerability Detection dashboard and provides an overview of patching across all operating systems, to help you understand the current progress of patch deployments.

WannaCry Dashboard

We also suggest patching other vulnerabilities disclosed by the Shadow Brokers group with the SecurityCenter Shadow Brokers Vulnerability Detection dashboard.

Tenable.io solutions

Tenable has also released an easy to use scan template for Tenable.io customers to quickly identify vulnerabilities targeted by the WannaCry malware or any derivatives that are sure to follow. The template scans for MS17-010 (CVE-2017-0144) both with and without credentials:

Tenable.io WannaCry scan template

Take a look at this video which walks you through a few simple steps to detect potentially vulnerable hosts. To scan internal hosts, download a Nessus scanner and link it to your Tenable.io account.

If you aren’t a Tenable.io customer, you can sign up for a free 60 day evaluation.

An ounce of prevention

Most ransomware attacks are caused by exploits of known vulnerabilities that remain unpatched on systems. This is especially true for systems running outdated and unsupported operating systems. By patching all your assets regularly and creating regular backups of your data, you can help prevent ransomware attacks.

For more information

We have the following ransomware-focused educational webinars available for you to attend in the coming weeks:


Many thanks to Gavin Millard, Anthony Bettini, Cris Thomas, Cody Dumont and the entire Tenable research team for their contributions to this blog.

Updated May 23, 2017.
