In the case of WannaCry and other exploits, capturing traffic in the core of the network with the ability to go back in time for several days is a best-of-breed solution for both security and network teams.

The recent WannaCry exploit (WannaCrypt/WannaCrypt0r and variants) is ransomware that was leaked
by the Shadow Brokers hacker group who published several hacking tools used by the National Security
Agency (NSA).

Like other ransomware, WannaCry is designed to infect Windows machines, encrypt all important
and personal files, propagate to other systems and ask the user to pay a huge amount of money to
(hypothetically) recover the encrypted files.

WannaCry uses multiple components: it infects the host (using kernel escalation through the DoublePulsar
exploit), encrypts personal files (using 2048-bit RSA) and self-propagates (SMB spreading through the
EternalBlue exploit).

Multiple variants have been discovered. Fortunately, the spread of the first, kill-switch variant has been
stopped; a second version without a kill switch is propagating, but its ransomware payload fails to
deploy properly (the decompression does not work, although the spreading does, because EternalBlue and
DoublePulsar still work). Upcoming versions will definitely deploy properly without a kill switch.


How and Why WannaCry Propagated So Quickly

First of all, the propagation mechanism is not new. The main vectors are infected emails carrying a document
with an embedded JS macro, or phishing and social engineering tactics.


After a victim's computer is compromised, the ransomware tries to self-propagate: its own network
scanner looks for additional SMBv1 machines and the EternalBlue exploit is used to infect them, and from
there the rest of the world.

This vulnerability allows remote code execution if an attacker sends specially crafted messages to an SMBv1
server. WannaCry uses this vector to self-deploy and propagate. Microsoft released a patch under
advisory MS17-010 in March 2017 to fix the vulnerabilities in Windows systems, but unfortunately a huge
number of outdated and unpatched Windows devices are still up and running.

How NPMD Solutions Can Help with Security Forensics

NPMD is an acronym for Network Performance Monitoring and Diagnostics, so why does this type of
solution matter when speaking about a security breach, ransomware, and malware?

NPMD solutions are very valuable assets: they help security teams confirm that a particular attack has been
stopped, and they keep teams aware of any network behavior that could indicate a compromised device.

NPMD solutions passively capture terabytes of packets through SPAN ports and TAPs and act like CCTV for
your network, making it easy to analyze problems after the event. Most of the time NPMD solutions
are not only installed at the edge of the network (like most security devices) but also monitor internal
network paths, where much more of the traffic is relevant for performance analysis. This visibility can be an important asset to security teams.

Monitoring & Remediation

Your network and security teams can join forces to remediate security attacks. This list has been designed
to help your organization to stay alert and to reduce the scope of any WannaCry propagation.

As described, WannaCry relies on multiple vectors to propagate and infect systems. Fewer SMB open doors result in fewer chances for the ransomware to self-propagate.

Alerting / Detection
• The first version of WannaCry has a kill switch. It is important not to block this domain, as it is a
good trigger for detecting devices infected with this version: we can be alerted whenever the kill-switch
domain or any variant of it is reached from the network. Capturing traffic to and from DNS and proxy
servers is good practice.


• EternalBlue spreads the ransomware through SMBv1 and tries to find other SMBv1-enabled
servers. This can generate a huge number of ARP and TCP SYN packets. Knowing the normal level of
such traffic on the network is useful: an abnormal peak will trigger an alarm and identify which devices
are generating the unusual ARP / TCP SYN traffic.
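As an added illustration (not code from the original post or its vendor), a minimal version of the baseline check described above: network-wide SYN counts per minute are learned during a quiet window, and a peak above that baseline is attributed to the hosts generating it. The host addresses, counts and the three-standard-deviation threshold are assumptions.

```python
# Alert on an abnormal ARP / TCP SYN peak and name the hosts behind it.
# Per-minute counts below are constructed samples standing in for what a
# monitoring appliance would summarise from SPAN/TAP traffic.
from statistics import mean, pstdev

# Learning window: network-wide SYN-per-minute counts during a quiet period.
BASELINE_SYN_PER_MIN = [40, 55, 48, 62, 51, 47, 58, 44, 53, 49]

# The minute under review, broken down by source host. One host is sweeping
# neighbouring subnets for SMB listeners the way the post describes.
CURRENT_MINUTE = {"10.0.0.5": 1890, "10.0.0.9": 12, "10.0.0.17": 31, "10.0.1.4": 8}
# A normal minute from the same network, for comparison.
QUIET_MINUTE = {"10.0.0.5": 14, "10.0.0.9": 12, "10.0.0.17": 19, "10.0.1.4": 8}

def baseline_threshold(samples, k=3.0):
    """Mean plus k standard deviations of the learning window."""
    return mean(samples) + k * pstdev(samples)

def peak_alert(per_host, samples, k=3.0):
    """Return [(host, count)] for the hosts driving an abnormal peak.

    Fires only when the network total exceeds the baseline threshold; the
    blamed hosts are those that on their own exceed what the whole network
    normally generates in a minute."""
    limit = baseline_threshold(samples, k)
    if sum(per_host.values()) <= limit:
        return []
    return sorted((h, n) for h, n in per_host.items() if n > limit)
```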


Remediation
• It is urgent to detect which devices on the network are still using SMBv1. In addition to scanning the
network with tools like Nmap, this can be done by creating a real-time alarm (SMBv1 uses a
distinctive pattern in its header). Urgent action is needed to switch off the SMBv1 stack on Windows machines.

• An application-aware NPMD solution is a huge advantage for discovering application-level
messages. Alerting and trending on application messages gives a very good hint of where to look
first to discover compromised devices. WannaCry triggers a huge number of SMB
CREATE, DELETE & RENAME operations.


• The EternalBlue exploit also generates unusual commands to SMB devices that can be
detected during the propagation phase. A smart solution with an expert analytics
engine helps to identify such issues quickly.
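As an added example, not code from the original post, here is a small Python detector for the two indicators in this list: it recognises the SMBv1 header pattern (protocol id 0xFF 'S' 'M' 'B', versus 0xFE 'S' 'M' 'B' for SMB2) on TCP/445 segments and trends CREATE/DELETE/RENAME operations per source host. The sample segments, host addresses and threshold are constructed.

```python
# Flag SMBv1 speakers and bursts of SMB CREATE/DELETE/RENAME per source host.
# Input: (src_ip, tcp_payload) pairs for TCP/445, as a capture tool would
# hand them over. All sample messages below are constructed for this example.
import struct
from collections import Counter
SMB1_MAGIC = b"\xffSMB"   # [MS-CIFS] header: SMBv1
SMB2_MAGIC = b"\xfeSMB"   # [MS-SMB2] header: SMBv2/3
# SMB1 command codes for the file operations the post says WannaCry hammers
SMB1_FILE_OPS = {0x06: "DELETE", 0x07: "RENAME", 0xA2: "CREATE"}
# SMB2 equivalents: CREATE is its own command, delete/rename travel in SET_INFO
SMB2_FILE_OPS = {0x0005: "CREATE", 0x0011: "SET_INFO"}

def parse_smb(payload):
    """Return (dialect, operation) for one TCP/445 segment, or None.
    A 4-byte NetBIOS session header precedes the SMB header."""
    smb = payload[4:]
    if smb.startswith(SMB1_MAGIC) and len(smb) >= 5:
        return "SMB1", SMB1_FILE_OPS.get(smb[4], "OTHER")   # 1-byte Command
    if smb.startswith(SMB2_MAGIC) and len(smb) >= 14:
        cmd = struct.unpack_from("<H", smb, 12)[0]          # 2-byte Command
        return "SMB2", SMB2_FILE_OPS.get(cmd, "OTHER")
    return None

def analyze(segments, ops_threshold):
    """Return (set of SMBv1 hosts, {host: file-op count} at/above threshold)."""
    smb1_hosts, ops = set(), Counter()
    for src, payload in segments:
        parsed = parse_smb(payload)
        if parsed is None:
            continue
        dialect, op = parsed
        if dialect == "SMB1":
            smb1_hosts.add(src)   # candidate for the SMBv1 switch-off list
        if op != "OTHER":
            ops[src] += 1         # trend CREATE/DELETE/RENAME per host
    return smb1_hosts, {h: n for h, n in ops.items() if n >= ops_threshold}

# Helpers to build constructed sample segments (not real captured traffic).
def nb(smb):    # NetBIOS session header: type 0x00 + 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb
def smb1(cmd):  # minimal 32-byte SMB1 header: magic, command, zero padding
    return SMB1_MAGIC + bytes([cmd]) + b"\x00" * 27
def smb2(cmd):  # minimal 64-byte SMB2 header with Command at offset 12
    return SMB2_MAGIC + struct.pack("<HHIH", 64, 0, 0, cmd) + b"\x00" * 50

# Constructed capture: 10.0.0.5 speaks SMBv1 and loops rename/delete;
# 10.0.0.9 is an ordinary SMB2 client opening two files and reading one.
SAMPLE = ([("10.0.0.5", nb(smb1(0xA2)))] + [("10.0.0.5", nb(smb1(0x07)))] * 6
          + [("10.0.0.5", nb(smb1(0x06)))] * 5
          + [("10.0.0.9", nb(smb2(0x0005)))] * 2 + [("10.0.0.9", nb(smb2(0x0008)))])
```

`analyze(SAMPLE, ops_threshold=10)` reports 10.0.0.5 both as an SMBv1 speaker and as the host with 12 file operations in the window, while the SMB2 client stays below the threshold.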


Conclusion
Having an appliance capturing key traffic in the core of the network with the ability to go back in time for several days is a best-of-breed solution for both security and network teams to remediate security breaches. Learn more about network security forensics and how the right tools can help ensure the integrity of your network.
