Security Advisory: Microsoft Server Message Block 3 (SMBv3) Remote Code Execution Vulnerability

Updated on March 12th, 2020 to reflect that Microsoft has now made a patch for the vulnerability available. As such, we’ve updated the advisory to reflect the updated mitigations.

Summary 

On March 10th, a critical Remote Code Execution (RCE) vulnerability in the Microsoft Server Message Block (SMBv3) protocol was inadvertently disclosed. The vulnerability, known as CVE-2020-0796, is caused by how newer Windows operating systems handle certain requests, specifically compressed SMBv3 packets. Microsoft intended to release a patch for this vulnerability as part of March’s “Patch Tuesday”; however, the patch appears to have been pulled at the last minute. This led to the inadvertent disclosure of the issue before a patch was available. The flaw is considered critical and could allow attackers to execute arbitrary code without user interaction and without authentication.

This critical vulnerability is considered “wormable” as it leads to pre-authenticated remote code execution in the Windows server implementation of SMBv3. To exploit the vulnerability on a Windows machine acting as an “SMB server”, unauthenticated attackers can simply send a maliciously crafted packet to a targeted SMBv3 server. Once an attacker has successfully compromised one system, they can attempt to automatically exploit other reachable SMB servers. However, to exploit an SMB client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

The Windows implementation of the SMB protocol was exploited in 2017 by WannaCry, NotPetya and other attacks, enabled by a leak of reliable Equation Group exploits that year. However, due to the difficulty of successfully and reliably exploiting such vulnerabilities, the Cyber Fusion Center does not expect to see immediate mass exploitation attempts. There are currently no publicly available exploits targeting this vulnerability, and there are several Microsoft Windows exploit mitigations that make building a successful and reliable exploit very difficult.

While there are no current public exploits, the Cyber Fusion Center strongly recommends mitigating the vulnerability as soon as possible.

Note: On March 12, 2020, Microsoft released an out-of-band patch for this vulnerability. The Cyber Fusion Center strongly recommends that organizations apply the patch as soon as possible, especially on SMB servers such as Active Directory domain controllers and file shares. If it’s not possible to patch in the very near future, the Cyber Fusion Center recommends disabling compression for the SMBv3 protocol with the commands in the “Temporary Mitigations” section of this advisory.  

Affected software 

  • Microsoft Windows 10 Version 1903 (May 2019 update) 
  • Microsoft Windows 10 Version 1909
  • Microsoft Windows Server Version 1903 (Server Core Installation) 
  • Microsoft Windows Server Version 1909 (Server Core Installation) 

Impact 

Attackers who successfully exploit this vulnerability can execute arbitrary code within the context of the SMBv3 process. The vulnerability is considered “wormable” as it allows for pre-authenticated remote code execution without any user interaction.  

Mitigation 

On March 12th, 2020 (one day after “Patch Tuesday”) Microsoft released out-of-band patches for this severe vulnerability in Windows’ implementation of SMBv3 compression. The Cyber Fusion Center strongly recommends that organizations apply this patch rather than use the temporary mitigations outlined below.

The patch is available via the traditional Microsoft Update delivery process and on the Microsoft Security Response Center’s website.

Temporary Mitigation 

While there is no patch for this vulnerability yet, it’s possible to mitigate the issue on SMB servers by disabling support for compression in the SMBv3 protocol.

Windows administrators can disable compression to prevent unauthenticated attackers from exploiting the vulnerability on SMBv3 Servers by using the PowerShell command below. 

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Important Information: 

  • No reboot is required after making this change
  • This workaround does not prevent exploitation of SMB clients 

If necessary, you can roll back this change with the PowerShell command below:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 0 -Force
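
The following helper, an added example rather than code from the advisory, wraps the apply and rollback commands above so the current state is audited first, the change is only applied on the affected builds, and the value is re-read afterwards. The function names and the build-number mapping (version 1903 = build 18362, version 1909 = build 18363) are this example's own assumptions.

```powershell
# Audit/apply/revert helper for the SMBv3 compression workaround above.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Assumed build-number mapping (not from the advisory): Windows 10 / Server
# version 1903 is build 18362 and version 1909 is build 18363.
$AffectedBuilds = @(18362, 18363)

function Test-Smb3CompressionExposure {
    # Reports whether this host is one of the affected builds and whether the
    # DisableCompression workaround is currently in place.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $current = (Get-ItemProperty -Path $RegPath -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    # A missing value means the default: compression enabled.
    $disable = if ($null -eq $current) { 0 } else { [int]$current }
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Build              = $build
        AffectedBuild      = ($AffectedBuilds -contains $build)
        DisableCompression = $disable
        WorkaroundApplied  = ($disable -eq 1)
    }
}

function Set-Smb3CompressionWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # -Revert restores the default (0), re-enabling SMBv3 compression.
        [switch]$Revert
    )
    $state = Test-Smb3CompressionExposure
    if (-not $Revert -and -not $state.AffectedBuild) {
        Write-Warning "Build $($state.Build) is not in the affected list; no change made."
        return $state
    }
    $value = if ($Revert) { 0 } else { 1 }
    if ($PSCmdlet.ShouldProcess($RegPath, "Set DisableCompression = $value")) {
        # Same registry value the advisory sets; -Force creates it if absent.
        Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value $value -Force
    }
    # Re-read the value to confirm the change; no reboot is needed.
    Test-Smb3CompressionExposure
}

# Usage (elevated session):
#   Set-Smb3CompressionWorkaround -WhatIf    # preview
#   Set-Smb3CompressionWorkaround            # apply
#   Set-Smb3CompressionWorkaround -Revert    # roll back
```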

Additional Recommendations 

The Cyber Fusion Center also strongly recommends that organizations mitigate the potential of an attack on a Windows 10 client by blocking all outbound SMB (TCP port 445) on corporate firewalls.  

Additionally, Microsoft has published guidelines on preventing lateral SMB connections and preventing SMB traffic from entering or leaving the corporate network, which provide details on how to mitigate this vulnerability and similar attacks in the future:

https://support.microsoft.com/en-us/help/3185535/preventing-smb-traffic-from-lateral-connections 

CurveBall: Microsoft Windows CryptoAPI Spoofing Vulnerability Webcast

Kudelski Security’s Francisco Donoso, Director – Global Security Strategy, provides a brief webcast overview of CurveBall, the Microsoft Windows cryptographic API vulnerability. 

Today, we’ll be talking about CurveBall, a Microsoft Windows cryptographic API vulnerability. We’ll give you a brief overview of CurveBall, as the vulnerability is called, talk a little bit about the potential impact, and what you can do to remediate and detect.

First things first, CurveBall impacts Windows 10, Windows Server 2016 and Windows Server 2019. The reason that these operating systems are impacted is because they support new versions of Elliptic Curve Cryptography. ECC, as it’s called, is just another signature algorithm similar to RSA that’s faster and more efficient than RSA. With ECC you can have smaller key sizes that are effectively as secure as larger RSA keys, and thus they’re really valuable for fast, speedy encrypted communication.

The vulnerability exists because Microsoft now supports what are called non-standard curves, which allow attackers to spoof certificates that Microsoft Windows would consider valid even though they are not. Because of this, CurveBall can allow attackers to spoof HTTPS certificates. That means that an attacker in a privileged network position who can capture your client’s traffic could potentially spoof a certificate using one of these non-standard curves and intercept that traffic, potentially modify it, and potentially introduce other traffic into that supposedly secure stream. Additionally, this allows attackers to spoof what are called code signing certificates, which are intended to protect machines by application whitelisting. Several application whitelisting solutions allow organizations to prevent non-signed binaries or code from running on their machines. Additionally, there are several cryptographic protections that Microsoft Windows requires for security purposes to be signed either by Microsoft itself or a trusted developer.

Leveraging this vulnerability, an attacker could potentially run malicious code on a system that should not have been run. Now Kudelski Security and our research team have released a proof of concept exploit. Here you can see that we’ve been able to spoof a certificate that’s considered valid for GitHub.com, even though this is hosted on a Kudelski Security site. This is a real-world example of the potential impact of the CurveBall vulnerability.

So again, this exists because Windows fails to properly validate elliptic curve cryptography certificates, which allows an attacker to spoof those certificates to intercept HTTPS or TLS traffic or potentially run malicious code on a system that requires binaries to be run. Kudelski Security has released a proof of concept exploit and published a detailed blog on the topic, for those of you who are interested.

Now talking a little bit about detection and response, Microsoft, in coordination with the U.S. National Security Agency, released a patch for this vulnerability on January 14, 2020. Everyone should apply that patch as soon as possible. From a detection perspective, the new patch actually introduces a new application event logged by Windows computers with a source of Microsoft Windows Audit CVE. For those of you who are looking to detect potential exploitation of this vulnerability, once a system has been patched, you’ll be able to centrally collect these potential logs and identify an attempt to exploit this vulnerability. Just a quick note that this event will only be written once the patch has been applied to the impacted computer. Finally, it’s also possible to detect potential tampering or TLS certificates spoofing by monitoring TLS handshakes using a system like an intrusion detection system or other network monitoring solutions. There are several signatures that vendors have released and if you’re interested, our blog posts also cover some more additional details.

Finally, I just want to remind everyone that while this vulnerability is highly impactful, it’s not the end of the world. Windows updates, which are used to deliver secure code and patches to all of these Windows machines, are not impacted. They actually use a separate algorithm, RSA, and Microsoft has embedded the full certificate chain in Windows to validate that they’ve been properly signed by Microsoft. That limits the potential impact. Additionally, Microsoft released several critical severity vulnerabilities in remote desktop gateways that we recommend clients prioritize, since those are much more likely to be exploited by unsophisticated attackers in the next few days.

Read the proof of concept here: https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

Read the security advisory here: https://modernciso.com/2020/01/16/security-advisory-multiple-critical-vulnerabilities-on-windows-systems/

SECURITY ADVISORY: Multiple Critical Vulnerabilities On Windows Systems

On January 14th, 2020 (Patch Tuesday), Microsoft released patches for a severe vulnerability in Windows’ cryptographic subsystems and critical vulnerabilities in Windows Server Remote Desktop (RDP) Gateway. These Microsoft vulnerabilities are considered critical, and the Cyber Fusion Center strongly recommends applying these patches as soon as possible. Kudelski Security expects active exploitation in the near future.

The U.S. National Security Agency released an advisory regarding a vulnerability in a cryptographic library (Crypt32.dll) used in Microsoft Windows 10, Windows Server 2016, and Windows Server 2019 (CVE-2020-0601). This issue impacts the verification of elliptic curve cryptography (ECC) signatures in security certificates. The verification of such certificates has been discovered to be defective and may allow an attacker to have a forged certificate incorrectly validated. Successful exploitation of this issue has been shown to allow for interception, modification, and decryption of TLS/HTTPS traffic by attackers in privileged network positions. Additionally, this may allow attackers to bypass code-signing requirements on Windows systems or bypass Device Guard application whitelisting solutions.

Kudelski Security’s research team has been able to successfully exploit this vulnerability to issue spoofed HTTPS certificates considered valid by Windows 10, Windows Server 2016, and Windows Server 2019:

https://research.kudelskisecurity.com/2020/01/15/cve-2020-0601-the-chainoffools-attack-explained-with-poc/

Additionally, Kudelski Security has released a public PoC available on our GitHub page:

https://github.com/kudelskisecurity/chainoffools

This “Patch Tuesday” also included patches for multiple critical vulnerabilities in Windows Remote Desktop (RDP) Gateways. These critical vulnerabilities lead to unauthenticated Remote Code Execution (RCE) with SYSTEM privileges. Such vulnerabilities could be leveraged by attackers to remotely compromise systems without authentication or user interaction. Remote Desktop Gateways allow organizations to centralize Remote Desktop services and provide remote access to Windows endpoints and servers without a VPN, provide web-based RDP user experiences, and more.

Description

Microsoft released patches for a severe vulnerability in Windows’ cryptographic subsystems and critical vulnerabilities in Windows Server Remote Desktop (RDP) Gateway. Kudelski Security expects active exploitation in the near future. As such, the Cyber Fusion Center strongly recommends mitigating these issues as soon as possible.

The Microsoft Windows cryptographic subsystem vulnerability was publicly disclosed jointly by Microsoft and the U.S. National Security Agency (NSA) after being patched by Microsoft. Microsoft and the NSA have publicly stated that they have not observed any exploitation of this vulnerability. Additionally, Kudelski Security has been able to leverage this vulnerability to successfully issue spoofed HTTPS certificates considered valid by Windows 10, Windows Server 2016, and Windows Server 2019, and has released public Proof of Concept (PoC) code on our GitHub page. Please review the sources linked in this document for our blog post and links to the PoC code.

The vulnerability is in a cryptographic library (Crypt32.dll) used in Microsoft Windows 10, Windows Server 2016, and Windows Server 2019 (CVE-2020-0601). This issue impacts the verification of elliptic curve cryptography (ECC) signatures in security certificates. The verification of such certificates has been discovered to be defective and may allow an attacker to have a forged certificate incorrectly validated. Successful exploitation of this issue has been shown to allow for interception, modification, and decryption of TLS/HTTPS traffic by attackers in privileged network positions. Additionally, this may allow attackers to bypass code-signing requirements on Windows systems or bypass Windows Device Guard or other application whitelisting solutions.

Additionally, Microsoft has released patches for multiple critical vulnerabilities in Windows Remote Desktop (RDP) Gateways. These critical vulnerabilities may lead to unauthenticated Remote Code Execution (RCE) with SYSTEM privileges. These vulnerabilities could be leveraged by attackers to remotely compromise systems without valid credentials or user interaction. Remote Desktop Gateways allow organizations to centralize Remote Desktop services and provide remote access to Windows endpoints and servers without a VPN, provide web-based RDP user experiences, and more.

It’s important to note that Remote Desktop (RD) Gateway is a separate application rather than the traditional Remote Desktop Protocol. Organizations looking to identify any potentially exposed RD Gateways should look for systems exposing UDP port 3391 (not the traditional RDP port on TCP 3389) along with Remote Desktop Web Services on HTTPS (TCP/443).

Kudelski Security expects to see attackers leveraging these Remote Desktop Gateway vulnerabilities to compromise unpatched systems in the near future due to the prevalence of the technology and the ability to compromise critical systems without authentication or user interaction. As such, we strongly recommend that clients apply these patches as quickly as possible.

Detection

Microsoft Windows Crypto Subsystem issue

Organizations that do not currently have Kudelski Security Cyber Fusion Center’s Threat Monitoring and Hunting services may want to ensure Windows Application Logs are being centrally collected and monitored. Microsoft has introduced a new Windows Event source named “Microsoft-Windows-Audit-CVE”. Microsoft Windows will now write events to the local Windows Application log with this source if there are attempts to exploit this vulnerability. Note that the Windows Event source will only be available after the latest patches have been applied.

Additionally, it’s possible to detect potentially invalid TLS certificates being used to exploit this vulnerability by intercepting TLS packets and checking certificate signatures for uncommon elliptic curve parameters. When analyzing TLS traffic, the “ServerHello/Certificate/ServerHelloDone” packet contains the certificate, which should be checked for possible forgery.
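
Both detection ideas above, as an added example that is not part of the advisory: a query for Microsoft-Windows-Audit-CVE events on a patched host, and a check that flags any certificate in a server's presented chain whose EC key carries explicit curve parameters instead of a named curve, which is the form a CVE-2020-0601 forgery takes. The function names are this example's own; the probe accepts the chain only to inspect it and is a monitoring aid, not a trust decision.

```powershell
function Get-CveAuditEvents {
    param([int]$Hours = 24)
    # The event source only exists once the January 2020 patch is installed,
    # so an empty result on an unpatched host means nothing.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-Audit-CVE'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, MachineName, Message
}

function Test-ExplicitEcParameters {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Only EC keys (id-ecPublicKey, OID 1.2.840.10045.2.1) carry curve parameters.
    if ($Certificate.PublicKey.Oid.Value -ne '1.2.840.10045.2.1') { return $false }
    $params = $Certificate.PublicKey.EncodedParameters.RawData
    # In the SubjectPublicKeyInfo AlgorithmIdentifier a named curve is encoded as
    # an OBJECT IDENTIFIER (DER tag 0x06); explicit ECParameters are a SEQUENCE
    # (tag 0x30). Public CAs use named curves, so a SEQUENCE here is suspicious.
    return ($params.Length -gt 0 -and $params[0] -eq 0x30)
}

function Get-TlsChainEcReport {
    param([string]$HostName, [int]$Port = 443)
    $presented = [System.Collections.Generic.List[object]]::new()
    # The callback receives the chain built from the certificates the server
    # actually sent; every element is captured for inspection. GetNewClosure
    # binds $presented so the delegate can see it when .NET invokes it.
    $callback = {
        param($sender, $cert, $chain, $errors)
        foreach ($el in $chain.ChainElements) { $presented.Add($el.Certificate) }
        return $true
    }.GetNewClosure()
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # handshake only; nothing is sent
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    foreach ($c in $presented) {
        [pscustomobject]@{
            Subject          = $c.Subject
            Issuer           = $c.Issuer
            KeyAlgorithm     = $c.PublicKey.Oid.FriendlyName
            ExplicitEcParams = Test-ExplicitEcParameters -Certificate $c
        }
    }
}

# Usage:
#   Get-CveAuditEvents -Hours 72 | Format-Table -Wrap
#   Get-TlsChainEcReport -HostName 'intranet.example.internal' |
#       Where-Object ExplicitEcParams
```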

Additionally, the Cyber Fusion Center is actively working with our vendor partners to ensure we can detect attempted exploitation of this vulnerability. Customers with the Cyber Fusion Center’s Endpoint Detection and Response service will be proactively notified if potential exploitation is detected.

Microsoft Remote Desktop Gateway issues

Organizations that do not currently have Kudelski Security Cyber Fusion Center’s Threat Monitoring and Hunting services or our vulnerability scanning services may want to identify exposed versions of Web Services for Remote Desktop or systems that respond on UDP port 3391. Several vendors have released IDS or IPS detection signatures.

Additionally, the Cyber Fusion Center is actively working with our vendor partners to ensure we can detect attempted exploitation of these vulnerabilities. Customers with the Cyber Fusion Center’s Endpoint Detection and Response service will be proactively notified if potential exploitation is detected.

Mitigation and Response

The Cyber Fusion Center is actively working with our vendor partners to ensure we can detect attempted exploitation of these vulnerabilities. Customers with the Cyber Fusion Center’s Endpoint Detection and Response or Threat Monitoring services will be proactively notified if potential exploitation is detected.

Customers with the Cyber Fusion Center’s vulnerability scanning service will be proactively notified if any vulnerable Remote Desktop Gateway systems are detected.

Security Advisory: WCry2 Ransomware Outbreak (updated)

wCry2 Ransomware spreading via EternalBlue (MS17-010)

Update May 15

Attribution attempts

Mid-morning (U.S. time) Neel Mehta, a security researcher at Google, posted a cryptic tweet with the hashtag “#WannaCryptAttribution”.

The tweet referenced hashes of two samples, one from the current WannaCrypt ransomware campaign, and a sample linked to the Lazarus APT group from February 2015. Breaches and operations conducted by the Lazarus group, including the Sony wiper attack, had previously been attributed to the government of North Korea (DPRK).

Researchers have reviewed the locations in the binaries mentioned by Neel and identified that both samples share the same code, have similar functions, and have very similar modules in several locations. As such, many security researchers have attributed the WannaCrypt ransomware campaign to the DPRK. Kudelski Security urges caution when attempting attribution based on similarities in binaries, as several state-sponsored threat actors often repurpose code in order to obfuscate the true origin of malware and tools.

A word about the Bitcoin wallets used

The Kudelski Security Cyber Fusion Center has continued to monitor the three Bitcoin wallets found in the various WannaCrypt samples. As of the time of this writing, the three wallets have received a total of 34.9 Bitcoins ($61,153.77 USD at current exchange rates) from 232 unique transactions. That is a large increase from the $27,614 USD observed early this morning.

It is likely that as organizations and users arrived at work this morning, several chose to pay the ransom in an attempt to restore access to critical files.

Additional variants

Over the weekend and throughout Monday morning and afternoon Kudelski Security has continued to monitor developments related to the Wana Decrypt0r 2.0 / WannaCrypt ransomware. Since our last update, we’ve seen at least two new variants of the ransomware which include new “kill switch” domains. Luckily, these new samples have been quickly identified and the additional domains have been registered, thus stopping the spread of these new variants.

Over the weekend the Kudelski Security Cyber Fusion Center team examined available WannaCrypt examples and discovered that both the “worm code” and the portions of the malware which deploy the actual ransomware payload are highly modular. The modular nature of these variants means that we can expect to see modified examples that attempt to deploy other ransomware or malware variants. Additionally, the worming code can easily be replaced to leverage other remote code execution (RCE) vulnerabilities as they become available.

Windows 10 not affected

Analysis by Microsoft, Kudelski Security, and several other organizations has also identified that the EternalBlue exploit code leveraged by currently available examples of the WannaCrypt ransomware appears to only target the Windows 7 and Windows Server 2008 (or earlier) platforms. As such, organizations or users with Windows 10 were not affected by this attack.

Decryption is a manual process

Independent security researchers investigating samples of the WannaCrypt ransomware have discovered that the ransomware requires manual intervention from “operators” to provide the decryption keys. Additionally, there has not yet been any independent verification that paying the ransom actually ensures that files are decrypted. Kudelski Security recommends that affected organizations do not pay the ransom.

Initial infection vector still unknown

The initial infection vector that started the campaign in Europe is still unknown. Most ransomware campaigns spread either through phishing campaigns or by leveraging exploit kits. However, in this case researchers have not yet identified any email samples or exploit kit landing pages that distribute the WannaCrypt variants which have caused such havoc over the last 3 days.

Update May 13

Data was coming in very quickly on Friday, and while we worked to provide timely and reasonable information, we now know more about what happened and how the Wana Decrypt0r 2.0 ransomware outbreak managed to escalate so quickly.

First some good news: the malware, once executed, checked for the existence of a randomly generated domain. If the domain did not exist or could not be reached, the execution of malicious code continued. If the domain existed and was accessible, a kill switch was activated and the infection was halted. A malware blogger and reverse engineer from the U.K. registered the domain, which effectively slowed the malware spread in the U.S. Unfortunately, many anti-virus vendors began to block the domain, unintentionally allowing the installation to continue. Realizing the error, some of the anti-virus vendors have removed the block and now sinkhole the domain instead.

More information here:

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

The unfortunate news is that there are now samples emerging that no longer contain the domain based “kill switch”.

An example of this new variant is available here:

db349b97c37d22f5ea1d1841e3c89eb4

Additionally, on further review of the malicious binaries, we’ve identified that all RFC 1918 (private) netblocks as well as randomly generated internet netblocks are also scanned looking for further propagation avenues. This means that organizations could also potentially be affected by way of site-to-site VPN connections with business partners or vendors. The ransomware has also spread via guest Wi-Fi, so users should be cautious, as it is possible they could be affected while connected to an open Wi-Fi hotspot.

Researchers have noted that WannaCry 2.0 is not the actual worm. The worm is the MS17-010 “spreader”. WannaCry 2.0 is dropped by the “spreader” which can also be used to drop other binaries and files. Thus, it is extremely critical that organizations apply the MS17-010 patches as quickly as possible.

Mac OS and Linux users running Windows VMs or Wine are also affected if not patched.

Along with the ETERNALBLUE components, the dropper also calls out and downloads DOUBLEPULSAR. Organizations affected will want to check for the existence of DOUBLEPULSAR once the initial attack is remediated. There is a free script available to check for this located here:

https://github.com/countercept/doublepulsar-detection-script

The Wana Decrypt0r 2.0 ransomware campaign utilized 3 Bitcoin wallets and as of today they show modest returns. Note: there is no indication that paying the ransom actually provided the user with the keys to decrypt their data and some researchers reported that users had to interact with a human via phone or web chat to negotiate. In the ransom note, the attackers mention that if someone is “too poor” to pay that their files will automatically decrypt in 6 months.

The following Bitcoin wallets have been linked to this ransomware campaign:

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The global response to this campaign has been swift and effective, although unfortunately too late for a large number of European organizations. Microsoft released updates to its malware protection engine to block the malware. Additionally, Microsoft has unexpectedly released security patches for the EternalBlue and MS17-010 vulnerabilities for the unsupported Windows XP, Vista, Windows 8, and Windows Server 2013 operating systems.

When unfortunate events like this take place, it’s easy for information security practitioners to point fingers and assign blame but the global information security community would be better served by helping organizations understand and avoid these situations in the future.

Moving forward, Kudelski Security expects to see most if not all ransomware and malware families using similar techniques to spread quickly and infect large numbers of users and organizations.

This global ransomware outbreak is a stark reminder that organizations must have the basics covered. Organizations must review and evaluate their vulnerability and patch management programs to ensure confidence, comprehensiveness, and effectiveness. Security patches are a fundamental and critical foundation of any organization’s security program and should be tested and applied quickly. Organizations should also perform a “health checkup” and review backup strategies, test backups regularly, and ensure backups are easily accessible while also being protected from encryption and deletion. Also, organizations should review and reevaluate what traffic is allowed to and from the internet.

Once the basics are covered, now is the time to start looking at some of the newer endpoint protection platforms that rely on behavioral indicators that executables could be malicious instead of solely relying on signatures.

Now is the time to take a look at security, review and apply the basics, and then pragmatically strengthen its effectiveness.

Summary

On May 12, 2017, a widespread cyber-attack utilizing the WCry2 ransomware, also known as Wana Decrypt0r 2.0, began spreading across the globe. At the time of this writing, the ransomware has impacted organizations in 99 countries and continues to spread. Wana Decrypt0r 2.0 uses the EternalBlue exploit (MS17-010), released by the Shadow Brokers in March 2017. This SMB exploit is used to attempt to infect other machines within the same network and to scan for, and infect, potentially vulnerable Windows machines on the internet.

Wana Decrypt0r 2.0 is a highly effective ransomware variant that encrypts several file types, making them inaccessible to the user, and demands a payment of $300 USD in Bitcoin to decrypt the files.

Additional details on Wana Decrypt0r 2.0 and EternalBlue (MS17-010)

Wana Decrypt0r 2.0 is a variant of the WannaCrypt ransomware family that is currently being spread by exploiting EternalBlue (MS17-010). Wana Decrypt0r 2.0 encrypts several file types on an infected computer and demands a ransom of $300 USD in Bitcoin to decrypt the inaccessible files.

EternalBlue is an exploit that takes advantage of previously disclosed vulnerabilities in SMB, a critical protocol for Windows systems. The exploit allows for the remote execution of malicious code on vulnerable systems without requiring any user interaction. The EternalBlue exploit requires that the systems be vulnerable and expose the SMB service (enabled by default on Windows systems) to successfully compromise a system and replicate across network infrastructure to other vulnerable Windows systems.

Global Threat

At the time of this writing, this cyber-attack has quickly spread to 99 countries across multiple regions of the world. This global threat arrives in the form of a phishing email with a malicious attachment, once the malicious attachment is opened a dropper begins to download and unpack the actual ransomware code. The ransomware encrypts the user’s files, scans the networks to which the machine is connected, and uses the EternalBlue exploit to spread across organizations with unpatched Windows systems.

Kudelski Security has observed several industries and regions being specifically targeted by this ransomware campaign. Kudelski Security has intelligence that indicates that other ransomware campaigns are actively integrating more of the Fuzzbunch framework exploits into their code.

As of this writing, according to internet scanning tool Shodan, there are approximately 2.4 million internet exposed systems which may be vulnerable to this exploit.

Mitigation and Response

Microsoft released a patch for the EternalBlue and other critical remote code execution vulnerabilities in March 2017 as part of Microsoft Security Bulletin MS17-010.

Kudelski Security recommends that clients immediately apply the patch for MS17-010. For organizations unable to quickly apply the Microsoft patches, potential mitigations include using a GPO to apply Windows Firewall rules to block inbound SMB connections on all unpatched endpoint systems and limiting SMB connections between servers.

Kudelski Security also recommends limiting all inbound and outbound communication on UDP ports 137 & 138 and TCP ports 139 & 445 on internet firewalls in order to reduce exposure and slow the propagation of this ransomware.
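
As an added example (not from the advisory), the host-level half of the mitigation above: Windows Firewall block rules for the four ports listed, created locally with the NetSecurity cmdlets on an endpoint that cannot yet receive MS17-010, idempotently and with -WhatIf support, while a GPO would push the same rules fleet-wide. The function and rule names are this example's own.

```powershell
function Set-SmbExposureBlockRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Inbound is the endpoint case from the advisory; Outbound applies the
        # same ports to egress on hosts that must not reach SMB elsewhere.
        [ValidateSet('Inbound', 'Outbound')]
        [string]$Direction = 'Inbound'
    )
    # The SMB/NetBIOS ports the advisory recommends restricting.
    $ports = @(
        @{ Protocol = 'TCP'; Port = 445 },
        @{ Protocol = 'TCP'; Port = 139 },
        @{ Protocol = 'UDP'; Port = 137 },
        @{ Protocol = 'UDP'; Port = 138 }
    )
    foreach ($p in $ports) {
        $name = "MS17-010 mitigation - block $Direction $($p.Protocol)/$($p.Port)"
        # Re-running the function must not create duplicate rules.
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Verbose "Rule '$name' already exists; skipping."
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Create firewall block rule')) {
            $ruleParams = @{
                DisplayName = $name
                Direction   = $Direction
                Action      = 'Block'
                Protocol    = $p.Protocol
                Profile     = 'Any'
                Enabled     = 'True'
            }
            # Inbound rules match on the local port, outbound rules on the remote port.
            if ($Direction -eq 'Inbound') { $ruleParams.LocalPort = $p.Port }
            else { $ruleParams.RemotePort = $p.Port }
            New-NetFirewallRule @ruleParams | Out-Null
        }
    }
    # Return the resulting rules so the caller can verify what is in place.
    Get-NetFirewallRule -DisplayName 'MS17-010 mitigation - *' |
        Select-Object DisplayName, Direction, Action, Enabled
}

# Usage (elevated session):
#   Set-SmbExposureBlockRules -WhatIf            # preview the rules
#   Set-SmbExposureBlockRules -Verbose           # apply inbound blocks
```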

Kudelski Security recommends backing up all files, including systems already affected by the ransomware in case future decryption tools become available.

Additionally, Kudelski Security recommends that organizations evaluate their vulnerability management programs to ensure that updates and patches are tested and applied quickly once they are released.

The Kudelski Security Cyber Fusion Center has ensured all managed and monitored security devices are updated with detection signatures and methodology to detect the use of the Wana Decrypt0r 2.0 ransomware and exploitation with EternalBlue and other recent Windows exploits.

Sources

MS17-010 – Critical security advisory

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

VirusTotal analysis of malicious PDF:

https://www.virustotal.com/en/file/75457f282337bccb7f48db927bdfb16d517c13eb5f361419776363bcdb2a64f2/analysis/

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

https://securelist.com/blog/research/78431/wannacry-and-lazarus-group-the-missing-link/

Indicators

Ransomware Dropper  b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

Malicious PDF

75457f282337bccb7f48db927bdfb16d517c13eb5f361419776363bcdb2a64f2

Outbound communication

C&C Domains:
