Facebook Google Plus Twitter LinkedIn YouTube RSS 菜单 搜索 资源 - 博客资源资源 - 网络研讨会资源资源 - 报告资源资源 - 活动icons_066 icons_067icons_068icons_069icons_070

WannaCry? Three Actions You Can Take Right Now to Prevent Ransomware

By now everyone has heard about the ransomware called Wanna, WannaCry or WCry spreading across the globe and locking down the data of some of the world’s largest companies. The malware appears to exploit an SMB flaw that Microsoft provided a patch for in March 2017. You may have heard that the worm has been successfully stopped and you have nothing to worry about, but the vulnerability still exists on millions of systems and can be used again. Now is not the time for complacency; it is time for action. Tenable has several ways to help you know where your business is exposed so you can make informed decisions about what to do first to detect WannaCry and protect your business.

Take action now

If you are a Tenable SecurityCenter® customer, here are three things you can do now before the next variant of WCry appears and before it encrypts the files on your machines.

1. Hunt for infected machines: Check for DNS queries and Scan for Malware.

The first version of WCry that spread across the globe performs a DNS lookup when it initializes; luckily, the Passive Vulnerability Scanner® (PVS™) can record DNS queries on your network. You can apply the following filters in Event Analysis view to hunt for hosts that send queries to this domain:

Type: dns
Syslog Text: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea
Timeframe: Last 7 Days

Event Analysis filter

Note: Passive Vulnerability Scanner (PVS) is now Nessus Network Monitor. To learn more about this application and its latest capabilities, visit the Nessus Network Monitor web page.

After you apply the filter, change the view tools to Source IP Summary. If you have any host that sends queries to this domain, it has most likely been compromised. You should disconnect that machine from the network and take appropriate action.

Note: There are reports of some organizations attempting to block this domain at their firewalls, assuming this is a CnC domain. Don’t do that! The domain has been sinkholed and is actually a kill switch for the malware. If the malware can successfully reach that domain, it terminates - so don’t block access.

If you already have credentialed scans or Nessus Agents in place, detection is even easier; just use the Malware Scan Policy; machines infected with WCry will be reported under plugin 59275.

Malware Scan Policy

2. Hunt for infected machines by lateral movement.

The WannaCry ransomware spread so quickly because once it infects one machine, it scans for any other machine with port 445 open, and then infects that target. With SecurityCenter, you can search for any hosts that are scanning for port 445, by applying this filter:

Destination Port = 445
Timeframe = Last 7 Days

Event Analysis filters

Using the Connection Summary tool you can identify hosts that are connecting to other hosts using port 445. For example, in the image below, one host has 1650 events using port 445 with another host. You may need to investigate a situation when the same host is talking to several other hosts. You can enhance these results by using Assets or subnets as additional filters.

Event Connection Summary

3. Once your systems are clean, patch and scan.

If your environment is now clean, the best way to prevent a WCry infection is to apply patches and disable SMBv1. Tenable has several plugins that can detect if a machine is vulnerable to MS17-010:

Plugin ID

Plugin

Description

96982

Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check)

The system has been found to be vulnerable to SMBv1 attacks using uncredentialed checks. The Shadow Brokers group reportedly has an exploit that affects SMB, and the current WannaCry ransomware is using this exploit.

97086

Server Message Block (SMB) Protocol Version 1 Enabled

This plugin is similar to 96982, but the vulnerability is detected using credentials. The system has been confirmed vulnerable to SMBv1 attacks used by WannaCry and vulnerabilities described by Shadow Brokers. Credentialed checks are more accurate and provide mode details.

97737

MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY)

Credentialed plugin to detect MS017-010 (detects the patch is missing)

97833

MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (uncredentialed check)

Remote plugin to detect the MS017-010 vulnerability

700099

Ransomware Traffic Detected (WannaCry)

This plugin uses passive techniques to determine if the remote system may be affected by ransomware that encrypts most or all of the files on a user’s computer. This attack is related to the WannaCry ransomware.

We have developed a SecurityCenter dashboard tailored to identify hosts that may be susceptible to the WannaCry ransomware exploitation. The WannaCry Vulnerability Detection dashboard is available through the SecurityCenter Feed to provide insight into the vulnerability of your network and the progress made toward upgrading outdated hosts.

The dashboard takes all the methods of detection described in this blog and places them into an easy to use and understand location. The matrix in the upper left hand corner uses CVEs and DNS events to identify possible at-risk hosts, vs. confirmed vulnerable hosts. The dashboard also uses many of the same components used in the Shadow Brokers Vulnerability Detection dashboard, and provides an overview of patching across all operating systems, to help you understand the current progress in patch deployments.

WannaCry Dashboard

We also suggest patching other vulnerabilities disclosed by the Shadow Brokers group with the SecurityCenter Shadow Brokers Vulnerability Detection dashboard.

Tenable.io solutions

Tenable has also released an easy to use scan template for Tenable.io customers to quickly identify vulnerabilities targeted by the WannaCry malware or any derivatives that are sure to follow. The template scans for MS17-010 (CVE-2017-0144) both with and without credentials:

Tenable.io WannaCry scan template

Take a look at this video which walks you through a few simple steps to detect potentially vulnerable hosts. To scan internal hosts, download a Nessus scanner and link it to your Tenable.io account.

If you aren’t a Tenable.io customer, you can sign up for a free 60 day evaluation.

An ounce of prevention

Most ransomware attacks are caused by exploits of known vulnerabilities that remain unpatched on systems. This is especially true for systems running outdated and unsupported operating systems. By patching all your assets regularly and creating regular backups of your data, you can help prevent ransomware attacks.

For more information

We have the following ransomware-focused educational webinars available for you to attend in the coming weeks:

 

Many thanks to Gavin Millard, Anthony Bettini, Cris Thomas, Cody Dumont and the entire Tenable research team for their contributions to this blog.

Updated May 23, 2017.

订阅 Tenable 博客

订阅
免费试用 立即购买

选择 Tenable.io

免费试用 60 天

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即注册并在 60 秒内运行第一次扫描。

立即购买 Tenable.io

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

65资产
免费试用 立即购买

免费试用 Nessus Professional

免费试用 7 天

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买 Nessus Professional

Nessus® 是当今市场上功能最全面的漏洞扫描器。Nessus Professional 可帮助自动化漏洞扫描流程、节省合规周期的时间,并让您调动起 IT 团队的积极性。

购买多年许可证,为您节省更多

免费试用 立即购买

试用 Tenable.io Web Application Scanning

免费试用 60 天

完整享有专为现代化应用程序而设、属于 Tenable.io 平台组成部分的最新 Web 应用程序扫描功能。可安全扫描全部在线资产的漏洞,具有高度准确性,而且无需繁重的手动操作或中断关键的 Web 应用程序。 立即注册并在 60 秒内运行第一次扫描。

购买 Tenable.io Web Application Scanning

可全面访问基于云的现代化漏洞管理平台,从而以无可比拟的精确度发现并追踪所有资产。 立即购买年度订阅。

5 FQDN
免费试用 联系销售人员

试用 Tenable.io Container Security

免费试用 60 天

完整获得已集成至漏洞管理平台之唯一容器安全产品的功能。监控容器镜像中的漏洞、恶意软件和策略违规。与持续集成和持续部署 (CI/CD) 系统进行整合,以支持 DevOps 实践、增强安全性并支持企业政策合规。

购买 Tenable.io Container Security

Tenable.io Container Security 经由与构建流程的集成,可供全面了解容器镜像的安全性,包括漏洞、恶意软件和策略违规,借以无缝且安全地启用 DevOps 流程。

了解有关 Industrial Security 的详情