Stepping back and taking stock of WannaCry lessons learned
During the afternoon of Friday, May 12th, 2017, WannaCry ransomware infections broke out at several UK National Health Service (NHS) medical facilities and at Spain’s telecommunications company, Telefonica. By early evening, attention to WannaCry had reached a fever pitch. Even though kill switches for the malware had been engaged by then (more on that later), DHS announced on Monday that the ransomware worm had hit over 300,000 computers in 150 countries. This qualified as a legit internet dumpster fire.
In this blog post we explore the WannaCry ransomware, the activity around it, and the reporting on it. We also review best practices for how professionals can use the ThreatConnect platform to respond to similar dumpster fires, avoid potential pitfalls, preserve pertinent intelligence, and facilitate the defensive response.
Well, This is Just Great
There is a special level in hell that is reserved for malicious actors that use ransomware. There is an even worse level, located under the latrines of hell, reserved for malicious actors that launch ransomware campaigns ON A FRIDAY THE WEEKEND OF MOTHER’S DAY. We’re thinking their penance might involve something like watching Hayden Christensen Star Wars scenes for eternity. WannaCry ruined many a weekend for cybersecurity professionals as they assessed their exposure and had to make heads or tails of various reports.
When notable attacks occur, especially on a Friday afternoon, there is immediate and seemingly unrelenting pressure on defenders to identify intelligence to safeguard their organization. We’ve all been through these crises before – the scramble to figure out if you’re patched and where your exposure lies combined with frantic Google queries and social media searches to figure out what’s going on. In this fog, much of the initial reporting is incorrect or inconsistent. Meanwhile, your senior leadership needs updates. Right now. Your teammates probably fall somewhere on the spectrum between Ron Swanson’s grizzled nonchalance at the situation and Leslie Knope’s frenetic energy.
How To Respond To Dumpster Fires Under Pressure
One of our ThreatConnect researchers took on the task of following the WannaCry dumpster fire over the weekend, validating the reporting, and memorializing intelligence on attacks. We’ve consolidated and shared the results with our Common Community in Incident 20170512C: Wanna Decryptor.
To recap, the worm that delivers WannaCry scans its local network, and random Internet addresses, for hosts with TCP port 445 (SMB) open. It uses the ETERNALBLUE exploit made available in the Shadow Brokers leaks to gain code execution on the target machine, and the dropper that lands there first tries to connect to the kill switch domain (again, more on that later). If the domain cannot be reached, the dropper installs the WannaCry ransomware payload and the new victim starts scanning in turn. If the domain can be reached, the dropper exits and that system is not encrypted. That system is still unpatched, however: it can be exploited again, and an infection attempt made while the domain is unreachable (because a firewall or proxy blocks it, for instance) will encrypt it. Cisco Talos also observed WannaCry samples using the Shadow Brokers-leaked DOUBLEPULSAR, a persistent backdoor generally used to access and execute code on previously compromised systems. DOUBLEPULSAR is typically installed following successful exploitation of the Windows Server Message Block vulnerabilities addressed in Microsoft Security Bulletin MS17-010, and WannaCry checks for an existing implant and uses it to load its payload when one is present.
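As an added example (not ThreatConnect's code, and nothing taken from the WannaCry samples themselves), here is the network-side detection that paragraph suggests: a host that suddenly opens connections to many distinct TCP/445 peers inside a short window. It runs over constructed, simplified flow records; the field layout, the 60-second window and the threshold of 20 peers are assumptions to tune to your own environment.

```python
"""Flag hosts that fan out to many TCP/445 peers, the way the WannaCry worm does.

Added example, not ThreatConnect code. It reads constructed, simplified flow
records (timestamp src dst dport state) and reports any source that reaches
`threshold` distinct :445 destinations within `window`. The worm's sweep of
the local subnet and of random Internet addresses has exactly this shape, long
before any file indicator is available.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 20                     # distinct :445 peers inside the window (assumed)
WINDOW = timedelta(seconds=60)     # sliding window length (assumed)


def parse_flow(line):
    """'2017-05-12T14:05:01 10.1.4.22 10.1.4.1 445 S0' -> (ts, src, dst, dport, state)."""
    ts, src, dst, dport, state = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), state


def smb_fanout_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: (window_start, distinct_targets)} for every source that
    touches `threshold` distinct TCP/445 destinations within `window`.
    Lines must be in time order; blank lines and '#' comments are ignored."""
    recent = defaultdict(deque)    # src -> (ts, dst) on port 445, oldest first
    alerts = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, _state = parse_flow(line)
        if dport != 445:
            continue               # SMB only; everything else is noise here
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()            # drop events that fell out of the window
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(targets))
    return alerts


def build_sample():
    """Constructed flows: one ordinary workstation and one infected one."""
    lines = [
        # 10.1.4.50: a couple of SMB sessions to the file server, some HTTPS
        "2017-05-12T14:00:10 10.1.4.50 10.1.4.5 445 SF",
        "2017-05-12T14:00:41 10.1.4.50 10.1.4.5 445 SF",
        "2017-05-12T14:01:02 10.1.4.50 93.184.216.34 443 SF",
    ]
    # 10.1.4.22: sweeps its /24 one host per second, then random Internet IPs
    base = datetime(2017, 5, 12, 14, 5, 0)
    for i in range(1, 31):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"10.1.4.22 10.1.4.{i} 445 S0")
    for i, ip in enumerate(["203.0.113.7", "198.51.100.90", "192.0.2.15"]):
        lines.append(f"{(base + timedelta(seconds=40 + i)).isoformat()} "
                     f"10.1.4.22 {ip} 445 S0")
    return lines


if __name__ == "__main__":
    for src, (start, n) in smb_fanout_alerts(build_sample()).items():
        print(f"ALERT {src}: {n} distinct SMB targets since {start.isoformat()}")
```

The S0 state (SYN with no reply) on most of the scanner's flows is itself a tell: a legitimate client talks to a handful of file servers that answer, a worm talks to whole subnets that mostly don't. Pair this with the patch status of the alerting host, since an unpatched scanner is both victim and propagator.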
While the initial fog of conflicting and incomplete information is unavoidable, teams can exit the flail stage more quickly by using the ThreatConnect Platform. Here’s how:
Validate and Memorialize Intelligence. It’s one of the most fundamental reasons to use a platform, but it bears repeating. Memorializing WannaCry file indicators allowed us to investigate ransomware samples and identify patterns that defenders could use to find newer files as they appeared in the wild. It also meant our researcher’s work was immediately visible to the rest of the team, so other team members didn’t duplicate effort and could tackle a different piece of the problem. For us, that’s clutch in striking a balance between the Ron Swanson and Leslie Knope ends of the spectrum.
Capture the Import Hash. The import hash (imphash) is an MD5 over the list of DLLs and functions a PE file imports, so it survives rebuilds that change every other hash of the file. By publishing data that allows ThreatConnect users to filter files based on Import Hash, clusters of related files appear in the fog of incoming data. New, unknown files that match these import hashes can be caught and blocked. Here we show the output of an advanced browse screen query that narrows the view down to files that cluster around the WannaCry import hashes 68f013d7437aa653a8a98a05807afeb1 and 9ecee117164e0b870a53dd187cdd7174. One caveat: unrelated programs built with the same toolchain or packer can share an import hash, so confirm a match before blocking on it.
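To make the clustering concrete, here is an added example (not ThreatConnect's code and not pefile, though it follows pefile's imphash recipe) that computes import hashes from import lists and groups samples by them. The import tables are constructed for illustration and are not the real WannaCry import tables; the ordinal table is a partial copy of the well-known Winsock ordinals.

```python
"""Import-hash (imphash) computation and clustering.

Added example, not ThreatConnect or pefile code. It reproduces the imphash
recipe pefile uses: for each import, "<dll minus .dll/.ocx/.sys>.<function>",
lower-cased, in import-table order; ordinal-only imports from a few well-known
DLLs are mapped to names and the rest become "ordN"; the comma-joined list is
MD5-hashed. The import lists below are constructed, not WannaCry's real tables.
"""
import hashlib

# Import hashes reported for the WannaCry droppers (from the post above)
KNOWN_WANNACRY_IMPHASHES = {
    "68f013d7437aa653a8a98a05807afeb1",
    "9ecee117164e0b870a53dd187cdd7174",
}

# Partial copy of the ordinal->name tables for DLLs that are usually imported
# by ordinal (the full tables run to several hundred entries).
_WINSOCK = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
            16: "recv", 19: "send", 23: "socket", 52: "gethostbyname",
            115: "WSAStartup", 116: "WSACleanup"}
ORDINAL_NAMES = {"ws2_32.dll": _WINSOCK, "wsock32.dll": _WINSOCK}
STRIPPED_EXTS = ("dll", "ocx", "sys")


def _normalise_dll(dll):
    """'KERNEL32.dll' -> 'kernel32'; 'foo.drv' stays 'foo.drv'."""
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in STRIPPED_EXTS else name


def imphash(imports):
    """imports: iterable of (dll, func); func is a str for import-by-name or an
    int for import-by-ordinal. Returns the 32-hex-char imphash."""
    entries = []
    for dll, func in imports:
        if isinstance(func, int):
            func = ORDINAL_NAMES.get(dll.lower(), {}).get(func, "ord%d" % func)
        entries.append("%s.%s" % (_normalise_dll(dll), func.lower()))
    return hashlib.md5(",".join(entries).encode()).hexdigest()


def cluster_by_imphash(samples):
    """samples: {label: imports}. Returns {imphash: sorted labels}."""
    clusters = {}
    for label, imports in samples.items():
        clusters.setdefault(imphash(imports), []).append(label)
    return {h: sorted(v) for h, v in clusters.items()}


# Constructed import tables: A and B are the same program rebuilt (different
# case, different file bytes); C imports the same functions in another order;
# D imports Winsock by ordinal, which must hash the same as importing by name.
SAMPLES = {
    "sample_A": [("KERNEL32.dll", "CreateFileA"), ("KERNEL32.dll", "WriteFile"),
                 ("ADVAPI32.dll", "CryptGenRandom"), ("WS2_32.dll", "socket")],
    "sample_B": [("kernel32.dll", "createfilea"), ("kernel32.DLL", "WRITEFILE"),
                 ("advapi32.dll", "CryptGenRandom"), ("ws2_32.dll", "SOCKET")],
    "sample_C": [("ADVAPI32.dll", "CryptGenRandom"), ("KERNEL32.dll", "CreateFileA"),
                 ("KERNEL32.dll", "WriteFile"), ("WS2_32.dll", "socket")],
    "sample_D": [("KERNEL32.dll", "CreateFileA"), ("KERNEL32.dll", "WriteFile"),
                 ("ADVAPI32.dll", "CryptGenRandom"), ("WS2_32.dll", 23)],
}

if __name__ == "__main__":
    for h, members in cluster_by_imphash(SAMPLES).items():
        tag = "KNOWN WannaCry" if h in KNOWN_WANNACRY_IMPHASHES else "unknown"
        print(h, tag, members)
```

Note what the hash ignores and what it does not: case and file bytes are normalised away, but import order is part of the hash, which is why sample_C lands in its own cluster. That sensitivity cuts both ways: a recompile that reorders imports breaks the cluster, while unrelated binaries that share a toolchain or packer can collide, so treat a cluster as a lead to verify rather than a verdict.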
Go From Indicators to Intelligence. The initial WannaCry variants came with a built-in kill switch. Several reports initially listed the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com as an indicator of compromise for the first variant of the ransomware. In fact, if an HTTP request to this long and seemingly random domain succeeded when the dropper made the callout, the worm would exit and the ransomware payload would not be delivered.
Think about that. Defenders who blackhole or block all network activity to the domains identified in open source reporting on WannaCry are actually preventing the kill switch from engaging and pushing the malware to ransom the infected computer. This is why indicators alone do not constitute cyber threat intelligence: context is king. On Friday, a researcher actually engaged the kill switch when he noticed that the domain had not been registered, then registered and sinkholed it. Any infected hosts that were able to communicate with the domain were then safeguarded from that WannaCry variant. Hosts that could only reach the Internet through a proxy were not, because the check makes a direct connection and ignores proxy settings; those hosts were encrypted even after the sinkhole went live.
As research develops around a given attack and additional context becomes available, ThreatConnect enables defenders to quickly capture the new information. An indicator’s or incident’s description or attributes can be easily edited to reflect new knowledge, or defenders can raise or lower the indicator’s Threat or Confidence rating appropriately. Other defenders following the given indicator or incident are then updated with the changes, enabling the quick dissemination of new intelligence across an organization or community.
Stay up on the reporting. ThreatConnect’s Technical Blogs and Reports Source facilitates these hair-on-fire research efforts by automagically pulling in open source reports and intelligence from dozens of cybersecurity companies and researchers. As of Wednesday, there are 27 separate blogs on WannaCry in that source with 144 indicators. That’s an awesome head start. Keeping that information in a separate source means users get all of those indicators imported and mapped to the data model, but still have a chance to curate them before actioning them, a way to self-correct when the kill switch domain initially gets reported as an indicator of compromise.
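Here is the kill-switch context from the two sections above turned into something a responder can run: an added example (not ThreatConnect's code) that triages constructed resolver log lines for lookups of the first-variant kill switch domain and keeps that domain out of the block list. The log format and the indicator records are assumptions; the second indicator is a placeholder on a reserved TLD, not a real WannaCry indicator.

```python
"""Triage resolver logs for WannaCry kill-switch lookups.

Added example, not ThreatConnect code. A lookup of the kill-switch domain is a
high-fidelity sign that the dropper ran on that client, and the response code
says which way it went: an answer means the dropper could reach the domain and
exited; NXDOMAIN (the domain was unregistered until Friday evening, or a
well-meaning blackhole/RPZ rule) means the payload ran. The log format is a
constructed, simplified resolver log: timestamp client qname rcode.
"""
KILL_SWITCH_DOMAINS = {
    # first-variant kill switch domain named in the post
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Indicator records carrying the context that makes them safe to action.
# The second entry is a constructed placeholder (RFC 2606 reserved TLD).
INDICATORS = [
    {"indicator": "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
     "role": "kill switch", "action": "monitor only",
     "note": "dropper exits when an HTTP request here succeeds; blocking causes encryption"},
    {"indicator": "payload-host.example",
     "role": "constructed placeholder for a genuinely malicious host",
     "action": "block"},
]


def actionable_block_list(indicators=INDICATORS):
    """Curate before you action: only indicators whose context says 'block'."""
    return sorted(i["indicator"] for i in indicators if i["action"] == "block")


def parse_dns(line):
    """'2017-05-12T15:02:11 10.1.4.22 example.com. NOERROR' -> fields, qname normalised."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.rstrip(".").lower(), rcode.upper()


def triage_kill_switch(lines, domains=KILL_SWITCH_DOMAINS):
    """Return {client: (verdict, first_seen)} for clients that looked up a
    kill-switch domain. Any failed lookup yields ENCRYPTED_LIKELY because the
    dropper checks the domain once, at infection time, before it encrypts.
    HALTED_BY_KILL_SWITCH is a DNS-level verdict: a client with proxy-only
    Internet access can resolve the name yet fail the direct HTTP check, so
    confirm on the endpoint."""
    hosts = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, client, qname, rcode = parse_dns(line)
        if qname not in domains:
            continue
        rec = hosts.setdefault(client, {"first_seen": ts, "failed": False})
        if rcode != "NOERROR":
            rec["failed"] = True
    return {c: ("ENCRYPTED_LIKELY" if r["failed"] else "HALTED_BY_KILL_SWITCH",
                r["first_seen"]) for c, r in hosts.items()}


# Constructed resolver log lines.
SAMPLE_DNS = [
    # Friday afternoon, before the domain was registered: lookup fails, payload runs
    "2017-05-12T15:02:11 10.1.4.22 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN",
    "2017-05-12T15:02:13 10.1.4.22 updates.example.net NOERROR",
    # after the sinkhole went live: lookups succeed, dropper exits
    "2017-05-12T17:40:05 10.1.4.31 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR",
    "2017-05-12T17:41:19 10.1.4.44 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR",
    # Saturday: a blackhole rule for the reported 'IOC' switches the kill switch off again
    "2017-05-13T09:10:00 10.1.4.60 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN",
    "2017-05-13T09:12:30 10.1.4.50 www.example.com NOERROR",
]

if __name__ == "__main__":
    print("block list:", actionable_block_list())
    for client, (verdict, first_seen) in sorted(triage_kill_switch(SAMPLE_DNS).items()):
        print(client, verdict, "first seen", first_seen)
```

Every client in the output is an unpatched machine that was exploited, whichever verdict it gets; the verdict only changes whether you lead with restoring from backup or with isolating and patching. The 10.1.4.60 case is the one the post warns about: a block rule written from a context-free indicator list turned a host that would have been spared into a ransom victim.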
Make Your Intelligence Actionable. As defenders identify, investigate, and memorialize intelligence in the ThreatConnect Platform, they can immediately apply it to enhance detection, prevention, and mitigation across the defensive ecosystem. ThreatConnect doesn’t just memorialize intelligence and allow for investigation; it puts intelligence to work. Our Playbooks orchestration capability can quickly and automatically deploy indicators to network and endpoint protection tools like Cisco Umbrella, Tanium, and Crowdstrike Falcon Host, and our integrations with SIEMs allow for fast and timely detection as well. Used this way, intelligence minimizes the delta between a malicious actor’s operations and the moment your defenses know about them.
Gain Insight on the Attribution Debate. As cybersecurity professionals seek to attribute identified activity, memorialized intelligence in ThreatConnect can get users quickly up to speed on threat groups if or when attribution occurs. In the case of WannaCry, security researchers identified information suggesting that the actor(s) behind WannaCry may be associated with the Lazarus Group. The Lazarus Group, an APT that has been attributed to North Korea, conducted the 2014 data destruction attacks against Sony Pictures; the industry research effort that documented the group’s activity was dubbed Operation Blockbuster. The entry for this threat captures intelligence related to the group’s previous activities, tactics, and targets, as well as various Yara rules that may enable proactive defensive efforts against the threat.
The overlap is a small snippet of code in an early variant of WannaCry that matches a Lazarus Group sample from 2015. We have no additional information identifying which actors are behind the WannaCry activity, and the shared code could equally be a false flag: reusing dated Lazarus Group code is a cheap way to deter or misdirect attribution efforts.
Relying on kill switches alone to mitigate WannaCry will not be sufficient. Additional seemingly random domains acting as kill switches for later variants of WannaCry continue to be identified. It is also conceivable that the actor(s) behind WannaCry could alter or remove the kill switch functionality altogether, rendering its utility as a defensive strategy moot. Further, another ransomware variant, Uiwix, has emerged that exploits the same vulnerability as WannaCry but does not employ a kill switch at all.
To that end, we recommend that organizations and their defenders take the following preventive steps in defending against WannaCry, taken straight from US-CERT’s page on the ransomware:
- Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
- Have regular penetration tests run against the network, no less than once a year and ideally as often as is practical.
- Test your backups to ensure they work correctly upon use.
US-CERT also provided additional recommendations specific to WannaCry, and several others for combating and remediating ransomware in general.
We also advocate for the importance of capturing the intelligence — which includes the indicators AND their context — that you encounter when responding to such activity. Doing so can help you keep track of the information you’ve identified, mitigate redundant research efforts, synthesize the activity at hand, quickly relay your findings to others, and perhaps most importantly, enhance detection and prevention in your defensive capabilities.
We created the Technical Blogs and Reports source so that posts like this one reach you automatically; to start receiving them, sign up for a free account below. Each new post is represented by an incident in the Technical Blogs and Reports source, and the content of the blog post is converted to Markdown and added as the incident’s description.