Category: SMB v1.0
Ways to protect your computers from Petya Ransomware
Some CERT recommendations to better protect your computers from becoming infected by Petya Ransomware:
-
- In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
https://technet.microsoft.com/library/security/MS17-010
- In order to prevent infection, users and organizations are advised to apply patches to Windows systems as mentioned in Microsoft Security Bulletin MS17-010.
-
- Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
-
- Block SMB ports on Enterprise Edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or Disable SMBv1.
https://support.microsoft.com/en-us/help/2696547
- Block SMB ports on Enterprise Edge/perimeter network devices [UDP 137, 138 and TCP 139, 445] or Disable SMBv1.
-
- Applocker policies to block execution of files having name perfc.dat as well as psexec.exe utility from sysinternals.
-
- A quick fix to prevent by creating the files (perfc, perfc.dll, and perfc.dat) to already exist on the Windows machine, under C:\Windows, with READONLY permissions. A brief description is here:
https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
- A quick fix to prevent by creating the files (perfc, perfc.dll, and perfc.dat) to already exist on the Windows machine, under C:\Windows, with READONLY permissions. A brief description is here:
-
- Yara Rules for Petya detections can be seen here [kaspersky.yara] and here [florian.yara]
-
- Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
-
- Restrict execution of powershell /WSCRIPT/ PSEXEC / WMIC in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
-
- Establish a Sender Policy Framework (SPF),Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
-
- Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations. Enforce application whitelisting on all endpoint workstations.
-
- Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
-
- Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
-
- Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
-
- Disable remote Desktop Connections, employ least-privileged accounts.
Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.
Posted by: Vincent Banial
CERT had issued Vulnerability Note VU#867968 advising about the SMB vulnerability in Microsoft Windows
WannaCry Ransomware seems to have appeared out of the blue. Because of it thousands of people have searched the internet to find out how to disable SMB on their Microsoft Windows based Servers and Workstations and Personal Computers. Thousands had dropped by Uniquely Toronto to read out posts which provided details on ways to disable SMB v1.0.
Now Adylkuzz is running another major attack which is underway and uses the SMB vulnerability in Windows.
There was a prior Cert advisory titled: “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.
In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.
There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware)
“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 (link is external) and 204279 (link is external).”
Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.
Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.
Posted by Vincent Banial
Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Please install the Microsoft Windows MS17-010 Security Update (see link above). Best Practice is to also always create daily backups
How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.
First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.
Click on this link to visit the SANS Institute InfoSec Reading Room, to D/L their helpful PDF about backup sets, titled “Backup Rotations – A Final Defense”.
Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers. and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.
Click on this link to view a map of the spread of the WannaCry Ransomware attack – so far over 230,000 computers have been hit.
As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.
For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, Scroll to find the SMB 1.0/CFIS File Sharing Support line. Make sure to clear the checkbox on the SMB1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.
For Windows Server Operating Systems: Open Server Manager. Find and click on the and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down and find and clear the SMB1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows Server.
Once your Windows Server-based Network is back up and running, start your Network Monitoring tool(s) and Packet Sniffing tool(s). Wireshark is well known. Microsoft Message Analyzer is the replacement for Microsoft’s Network Monitor. SmartSniff is another one. NAST (Network Analyzer Sniffer Tool) is popular. Capsa Free Network Analyzer allows you to monitor over 300 different protocols.
Click on this link to visit Microsoft’s Technet website to view their post titled: “Microsoft Message Analyzer Operating Guide”.
You should be looking out for the some of the following: Use of file sharing protocol versions, especially SMB v1.0. Activity spikes, like File Renames or New File Creation. Multiple Workstations connecting to the same external IP address.
Keep an eye out for instances of the file “@Please_Read_Me@.txt” on your file shares. Also check for any instances of files with these extensions: “.wnry“, “.wcry“, “.wncry” and “.wncryt“.
Video is courtesy of the DAHBOO77 YouTube channel
The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:
Click on this link to download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
Link to the important Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.
Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.
Posted by Vincent Banial
Disclaimer: The above post is subject to change without notice. There may be unintentional errors in the above post.
Uniquely Toronto 