For those of you looking for the latest, and trustworthy, advice on the WannaCrypt attack, Microsoft published guidance on 12th May.


The two pages can be found here and here. The first piece is aimed at customers/end-users; the second is more of a technical analysis of the malware.

The quick takeaways from this advice are the following:

  • Microsoft say that if you have Windows 10 you are unaffected by this attack. Previous operating systems are vulnerable.
  • If you run Windows Defender, and keep it up to date, it will detect it as Ransom:Win32/WannaCrypt. You will need to check with your anti-virus vendor as to what their product detects it as.
  • If you keep your security patches up to date, then the worm cannot spread within your network. Note that this is not the same as saying you will not be affected by clicking on an infected email, but the security patches do stop the worm from infecting other PCs/servers on your network.
  • The method that this attack has used to gain entry in the first place is not known, but it is highly likely to be infected emails. Any network with ports 139 and 445 open to the internet is directly open to exploit. (Although if you are doing this you need your internet licence taken away immediately…)
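One way to check the last two points against your own firewall logs, as an added example that is not part of the original post: it flags SMB connections accepted from outside the network (139/445 exposed to the internet) and internal hosts that reach SMB on many different peers, the pattern a worm spreading across a LAN produces. The log line format and the sample lines are constructed, not a real product's format.

```python
import ipaddress
import re
from collections import defaultdict

SMB_PORTS = {139, 445}
# RFC 1918 ranges plus loopback count as "inside the network"; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed (constructed) log format: "<timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
                     r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Return (action, src_ip, dst_ip, dst_port), or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return m["action"], ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dport"])
    except ValueError:  # malformed address such as 999.1.1.1
        return None

def analyse(lines, spread_threshold=3):
    """Report internet-exposed SMB and hosts touching SMB on >= spread_threshold internal peers."""
    exposed = set()
    peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        action, src, dst, dport = rec
        if action != "ALLOW" or dport not in SMB_PORTS:
            continue  # only accepted SMB/NetBIOS traffic matters here
        if not is_internal(src) and is_internal(dst):
            exposed.add((str(src), str(dst), dport))
        elif is_internal(src) and is_internal(dst):
            peers[str(src)].add(str(dst))
    spreaders = {h: len(p) for h, p in peers.items() if len(p) >= spread_threshold}
    return {"internet_exposed": sorted(exposed), "possible_spread": spreaders}

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2017-05-12T10:01:02 ALLOW TCP 203.0.113.7:51234 -> 192.168.1.10:445",  # external host reached SMB
    "2017-05-12T10:01:05 DENY TCP 203.0.113.7:51235 -> 192.168.1.10:139",   # blocked, ignored
    "2017-05-12T10:02:00 ALLOW TCP 192.168.1.20:49152 -> 192.168.1.21:445",
    "2017-05-12T10:02:01 ALLOW TCP 192.168.1.20:49153 -> 192.168.1.22:445",
    "2017-05-12T10:02:02 ALLOW TCP 192.168.1.20:49154 -> 192.168.1.23:445",  # .20 hits three peers
    "2017-05-12T10:03:00 ALLOW TCP 192.168.1.30:49160 -> 192.168.1.5:445",   # one file-server connection
    "2017-05-12T10:03:10 ALLOW TCP 192.168.1.30:49161 -> 192.168.1.5:443",   # not SMB
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```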

More generally, our advice is that you need to have policies in place that (a) make sure updates and patches are allowed to download to client PCs and (b) end-users either shut down at the end of a working day and allow updates to install, or leave PCs on and you configure your remote management software to install updates. Users need to be educated that any files/documents/applications left open at the end of a day will be forcibly closed by the updates. In the short term this is inconvenient to some, but not as inconvenient as losing your data to encrypting malware.

By now no email user should be unaware of the danger of links & attachments in emails, but that is still the main way all this encrypting malware gets in.

Two vendors that we know of – Trend Micro and Microsoft – have software that can examine all your incoming email and test links and content for malicious content before they even reach your users. This isn’t just virus scanning; the links and content are actually run in a sandbox environment to test for exploits & threats before being released.

Final Note:
This doesn’t seem to have been widely noticed in the press, but this WannaCrypt attack is using two tools developed by the NSA: the “ETERNALBLUE” SMB exploit to spread over Windows networks and also “DOUBLEPULSAR”. This second NSA tool is used to remotely update a compromised PC. Handy if you are a spy agency and want to upload new exploits to your targets. Even more handy if you are a criminal gang and you want to upload new exploits to your victims.

Clearly it is also only a matter of hours before copycat attackers alter these tools and try new attacks, so patching systems and educating users is the order of the day.

Useful links:
MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft Security Response Centre

Mark T


by Mr T on May 15, 2017 at 4:44 PM
