Over the past few days we have heard a lot about WannaCry, a massive ransomware campaign hitting the computer systems of hundreds of private companies and public organizations. Like everyone, company or individual citizen, at DenyAll we are actively following the cyberattack that uses the ransomware named WannaCrypt and is affecting organizations worldwide.
What happened?
The WannaCry ransomware uses a Windows Server Message Block (SMB) vulnerability that the NSA had exploited for years through an exploit (attack pattern) named EternalBlue, disclosed in the Shadow Brokers leak. This exploit takes advantage of a remote code execution vulnerability in the Windows SMB server that is present in almost all Windows operating systems (OS).
In just a few hours, the ransomware hit over 45,000 computers in 74 countries, including the United States, Russia, Germany, Turkey, Italy, the Philippines and Vietnam, and this is just the beginning.
Common attack vectors
The most common ways that a malware can reach an endpoint device are the following:
- Spam emails
- Infected removable drives
- Bundled with other software
- Hacked or compromised websites
- Other malware
For these vectors, traditional anti-virus, anti-spam and outgoing Web proxies are the most appropriate protection.
Attacking your website
Malware can also reach the internal network via uploads (or injections) on one of your websites. This is the scenario where Web Application Firewalls (WAF) come in.
To prevent this type of attack, we recommend deploying a WAF in front of your websites with the latest (up-to-date) security patterns that block all kinds of injections and attacks.
You can also leverage the IP reputation feed (integrated from Webroot), which lets you reject any request coming from the TOR network, often used to anonymize the WannaCrypt attack.
Finally, you can block basic uploads of infected files by having every uploaded file analyzed by your enterprise anti-virus engine (the WAF hands the file over using the ICAP protocol).
Securing your endpoint devices
In both cases, as the final target of the attack is the endpoint device, we recommend protecting your enterprise devices with a solution like Browser in the Box, which provides a shielded, virtualized browser for accessing external Internet websites.
This solution protects the host device from any malicious website that affects the virtualized browser, blocking any possible propagation. Furthermore, restarting Browser in the Box restores a clean environment.
Scanning your devices for vulnerabilities
Last but not least, we recommend scheduling scans with our product DenyAll Vulnerability Manager to check that all assets (desktops and servers) are patched.
Specifically, DenyAll Vulnerability Manager provides a couple of tests that verify the MS17-010 patch (which fixes the vulnerabilities WannaCrypt exploits to spread across your infrastructure) is correctly installed.
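As an added illustration of what such a patch check verifies on a single Windows host, here is a hypothetical PowerShell self-check. It is not DenyAll Vulnerability Manager's test and not code from the original post. It assumes the listed KB identifiers are the MS17-010 security updates from the March 2017 bulletin (cross-check them against Microsoft's table for the OS versions you run) and that the host has the SmbShare and NetTCPIP modules available (Windows 8 / Server 2012 and later).

```powershell
# Added example, not DenyAll's tooling: local MS17-010 exposure check.
# Assumption: this KB list matches the MS17-010 bulletin; verify it per OS.
# On Windows 10 later cumulative updates supersede these IDs, so an empty
# hotfix match there is not proof of exposure; compare srv.sys instead.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012598',                           # Vista / Server 2008 (and the out-of-band XP / 2003 fix)
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Exposure {
    # Hotfixes as Windows Update recorded them on this host
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }

    # MS17-010 changes the SMB server driver; report its file version so it
    # can be compared with the bulletin's fixed-version table for this OS.
    $srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srvPath) {
        (Get-Item $srvPath).VersionInfo.FileVersion
    } else { 'not found' }

    # EternalBlue targets SMBv1: a host with SMBv1 disabled is not exposed
    # to this exploit even while the patch is still pending.
    $smb1 = 'unknown'
    try {
        $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch { }

    # Is the SMB port reachable at all? A host not listening on 445 cannot be
    # hit by the worm component regardless of patch level.
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                        -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Ms17010Hotfixes = ($installed.HotFixID -join ', ')
        PatchSeen       = [bool]$installed
        SrvSysVersion   = $srvVersion
        SMB1Enabled     = $smb1
        Port445Listening = $listening
        # Exposed only if all three hold: no patch seen, SMBv1 on, port open
        LikelyExposed   = (-not [bool]$installed) -and ($smb1 -eq $true) -and $listening
    }
}

Test-Ms17010Exposure | Format-List
```

The single-host function is deliberate: a vulnerability scanner such as the one described above runs the equivalent from the network, but for a quick fleet sweep you can wrap the function in `Invoke-Command -ComputerName` against your desktop and server lists and filter on `LikelyExposed`. Treat `PatchSeen = $false` on Windows 10 as "check `SrvSysVersion`" rather than as a finding, for the reason given in the comments.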