What makes me want to cry is how much this whole thing has been blown out of proportion by people sensationalizing it for various reasons, be it for advertising views, pushing product, or trying to incite panic.
There are some things that make this different. These things should be recognized, but not sensationalized:
- There is a remote exploit that requires nothing more than a Windows-based computer to propagate. This is worm-style propagation, similar to Blaster and Sasser if you happen to remember those.
- This exploit was leaked with a trove of other offensive cyber tools that were developed by a government agency.
The worm piece of this takes advantage of a security bug that exists in Windows SMB. This is a file sharing protocol commonly used for LAN-based file sharing. That’s LOCAL area network, not to be confused with the Internet at large. The Internet can pass this traffic, but there is no reason anyone should be using this protocol on the Internet. Therefore, this worm should not be spreading over the Internet. Note that I said should. This means that the primary attack vector for this, or in other words the way to infect patient zero within an organization, is still phishing. From that perspective, this is just like any other ransomware attack.
Microsoft released a patch that fixed the remote exploit used by the worm approximately two months prior to this outbreak. It makes sense that a few computers here and there in an organization may miss patches. However, if an organization’s servers or their entire network was affected by this ransomware, this speaks to a larger issue with that organization’s security policy or their ability to execute it. For those organizations that were affected by a few systems here and there – it happens. In organizations of any size it is typical to have a small percentage of endpoints or application servers escape patches. Although not desirable, patching those last few systems can be very challenging. Consider, for example, the much-touted “million dollar MRI machines with embedded XP that has never been patched.” Yes, these do exist, and I have seen other types of expensive machinery controlled with just about every old and unpatched version of Windows you can imagine. There are mitigation strategies for these machines, but the people purchasing these machines rarely consider these additional efforts and expenditures when acquiring this equipment.
What this all boils down to is that this is just normal ransomware but with the added ability to propagate itself in worm fashion once it triggers behind an organization’s firewall.
Realize, however, that the worm technique uses an exploit that was patched two months ago. There’s little excuse for it to have infected as many systems as it did, even though those numbers appear to have been exaggerated by many. There are other remote exploits in the trove of leaked information. You should be preparing your organization for the next iteration that uses an exploit that has not been patched.
In brief, this is what you should be doing:
- Patch your normal endpoints and servers now, as in today. Yes, it is disruptive to have to reboot a machine, but that pales in comparison to how disruptive ransomware on that machine would be.
- Make sure your firewall is not misconfigured to allow SMB traffic from any Internet source. Default settings and best practices should prevent this, but I have seen a number of cases where “Allow All From All” style rules are inserted, probably during troubleshooting, and then never removed. While this should only affect a DMZ or computers with public IP addresses, the worm aspect of WannaCry means you should also make sure that no port forwarding or NAT rules have been created to forward SMB traffic.
- Look at company policy. If there is not a policy in place to require endpoints and servers to be patched no more than a few days after a patch is released, then fix that policy and configure the tools to make that happen within your organization.
- Identify systems that cannot be patched and make mitigation efforts. These include network segmentation, ACLs, firewalls, and computer policy settings.
- Make sure you have backups in place. End users should not be saving the only copy of their data on their end device. Servers should have an out-of-band backup solution in place, meaning something that can’t be compromised at the same time, or by the same method, as the primary data.
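As an added example (this is not CHI Corporation’s code or a tool it ships), the script below turns three of the checklist items above into an audit you can run against your own exports: it flags firewall rules that allow SMB or NetBIOS ports from an Internet source (including the “Allow All From All” troubleshooting rule), NAT or port-forward entries that forward SMB, and hosts still unpatched past the policy deadline, listing exempt systems separately so they get mitigation rather than being forgotten. The rule and host dictionaries, the field names, the hostnames and the dates are all constructed for this example; map them onto whatever your firewall and patch management tools actually export.

```python
"""Audit constructed firewall, NAT and patch-inventory data for the WannaCry
checklist: SMB exposed to the Internet, SMB forwarded via NAT, and hosts
unpatched past policy. All data and field names below are constructed."""
from datetime import date, timedelta
from ipaddress import ip_network

# SMB over TCP plus the NetBIOS ports that older SMB setups still use.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}

# Anything not wholly inside one of these ranges is treated as Internet-facing.
PRIVATE_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def rule_ports(spec):
    """Expand a port field such as '445', '137-139' or 'ANY' into a set of ints."""
    spec = str(spec).upper()
    if spec == "ANY":
        return set(range(1, 65536))
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return set(range(lo, hi + 1))
    return {int(spec)}


def is_internet_source(src):
    """True for a wildcard source or any network not fully inside RFC1918/local space."""
    if str(src).upper() == "ANY":
        return True
    net = ip_network(src, strict=False)
    return not any(net.subnet_of(p) for p in PRIVATE_NETS)


def smb_exposure(rules):
    """Return (rule name, [(proto, port), ...]) for allow rules that admit SMB
    or NetBIOS from an Internet source. Deny rules and LAN-only sources pass."""
    findings = []
    for rule in rules:
        if rule["action"].lower() != "allow":
            continue
        if not is_internet_source(rule["src"]):
            continue
        protos = {"tcp", "udp"} if rule["proto"].upper() == "ANY" else {rule["proto"].lower()}
        ports = rule_ports(rule["dst_port"])
        hits = sorted((p, port) for p, port in SMB_PORTS if p in protos and port in ports)
        if hits:
            findings.append((rule["name"], hits))
    return findings


def smb_forwards(nat_rules):
    """Return names of NAT/port-forward entries whose external or internal port is SMB."""
    return [r["name"] for r in nat_rules
            if (r["proto"].lower(), int(r["ext_port"])) in SMB_PORTS
            or (r["proto"].lower(), int(r["int_port"])) in SMB_PORTS]


def patch_status(hosts, patch_release, max_days, today):
    """Split hosts into (overdue, needs_mitigation): unpatched hosts past the
    policy deadline, and hosts marked exempt (cannot be patched) that need
    segmentation/ACLs instead. Exempt hosts are never counted as overdue."""
    deadline = patch_release + timedelta(days=max_days)
    overdue = [h["name"] for h in hosts
               if not h["patched"] and not h.get("exempt") and today > deadline]
    needs_mitigation = [h["name"] for h in hosts if h.get("exempt")]
    return overdue, needs_mitigation


# Constructed sample exports (not real rules, hosts or dates).
FIREWALL = [
    {"name": "allow-web", "action": "allow", "proto": "tcp", "src": "ANY", "dst_port": "443"},
    {"name": "troubleshoot-allow-all", "action": "allow", "proto": "ANY", "src": "0.0.0.0/0", "dst_port": "ANY"},
    {"name": "lan-smb", "action": "allow", "proto": "tcp", "src": "10.0.0.0/8", "dst_port": "445"},
    {"name": "deny-smb-inet", "action": "deny", "proto": "tcp", "src": "ANY", "dst_port": "139-445"},
]
NAT = [
    {"name": "vpn-gw", "proto": "udp", "ext_port": 1194, "int_host": "10.0.1.5", "int_port": 1194},
    {"name": "fileshare-out", "proto": "tcp", "ext_port": 4445, "int_host": "10.0.1.20", "int_port": 445},
]
HOSTS = [
    {"name": "ws-001", "patched": True},
    {"name": "srv-files", "patched": False},
    {"name": "mri-console", "patched": False, "exempt": True},
]
PATCH_RELEASE = date(2017, 3, 1)   # constructed release date
POLICY_MAX_DAYS = 7                # "no more than a few days after release"
TODAY = date(2017, 5, 1)           # constructed audit date


if __name__ == "__main__":
    for name, hits in smb_exposure(FIREWALL):
        print(f"SMB exposed to Internet by rule {name!r}: {hits}")
    for name in smb_forwards(NAT):
        print(f"NAT rule {name!r} forwards SMB; remove it")
    overdue, mitigate = patch_status(HOSTS, PATCH_RELEASE, POLICY_MAX_DAYS, TODAY)
    print("Overdue for patch:", overdue)
    print("Cannot be patched; segment/ACL these:", mitigate)
```

The exposure check deliberately treats a rule as Internet-facing unless its source sits entirely inside private address space, so a wildcard or `0.0.0.0/0` source is caught even though its first address is not itself “global”; the deny rule and the LAN-only allow rule are left alone, which is the distinction the firewall bullet above draws.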
CHI Corporation has experience with these challenges and would be glad to answer questions you have.