Category: SMB

Ways to protect your computers from Petya Ransomware

Some CERT recommendations to better protect your computers from becoming infected by Petya Ransomware:

    • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
    • Applocker policies to block execution of files having name perfc.dat as well as psexec.exe utility from sysinternals.
    • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
    • Restrict execution of powershell /WSCRIPT/ PSEXEC / WMIC in enterprise environment Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled. script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    • Establish a Sender Policy Framework (SPF),Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing by which most of the ransomware samples successfully reaches the corporate email boxes.
    • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations. Enforce application whitelisting on all endpoint workstations.
    • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
    • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
    • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
    • Disable remote Desktop Connections, employ least-privileged accounts.

Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.

Posted by Vincent Banial

Advertisements

CERT had issued Vulnerability Note VU#867968 advising about the SMB vulnerability in Microsoft Windows

WannaCry Ransomware seems to have appeared out of the blue. Because of it thousands of people have searched the internet to find out how to disable SMB on their Microsoft Windows based Servers and Workstations and Personal Computers. Thousands had dropped by Uniquely Toronto to read out posts which provided details on ways to disable SMB v1.0.

Now Adylkuzz is running another major attack which is underway and uses the SMB vulnerability in Windows.

There was a prior Cert advisory titled: “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.

In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.

There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware)

“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 (link is external) and 204279 (link is external).”

Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Please install the Microsoft Windows MS17-010 Security Update (see link above). Best Practice is to also always create daily backups

How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.

First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.

Click on this link to visit the SANS Institute InfoSec Reading Room, to D/L their helpful PDF about backup sets, titled “Backup Rotations – A Final Defense”.

Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers. and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.

Click on this link to view a map of the spread of the WannaCry Ransomware attack – so far over 230,000 computers have been hit.

As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.

For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, Scroll to find the SMB 1.0/CFIS File Sharing Support line. Make sure to clear the checkbox on the SMB1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.

For Windows Server Operating Systems: Open Server Manager. Find and click on the and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down and find and clear the SMB1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows  Server.

Once your Windows Server-based Network is back up and running, start your Network Monitoring tool(s) and Packet Sniffing tool(s). Wireshark is well known. Microsoft Message Analyzer is the replacement for Microsoft’s Network Monitor. SmartSniff is another one. NAST (Network Analyzer Sniffer Tool)  is popular. Capsa Free Network Analyzer allows you to monitor over 300 different protocols.

Click on this link to visit Microsoft’s Technet website to view their post titled: “Microsoft Message Analyzer Operating Guide”.

You should be looking out for the some of the followingUse of file sharing protocol versions, especially SMB v1.0. Activity spikes, like File Renames or New File Creation. Multiple Workstations connecting to the same external IP address.

Keep an eye out for instances of the file@Please_Read_Me@.txton your file shares. Also check for any instances of files with these extensions:.wnry,.wcry,.wncryand.wncryt“.

Video is courtesy of the DAHBOO77 YouTube channel

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

Click on this link to download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Link to the important Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

Disclaimer: The above post is subject to change without notice. There may be unintentional errors in the above post.

How to disable SMB to stop WannaCry Ransomware. Also links to Microsoft Patches for Windows to stop WannaCry Ransomware

UPDATE May 14 at 3:00pm – added more ways to disable SMB

Some Cyber Weapons which were apparently developed by a National Spy Service to break into enemy computers, were supposedly stolen. Then some of the code for the Cyber Weapons was released to the public, on 14 April, through a dump by a group called Shadow Brokers.

On May 12 2017, a new Ransomware was released on the Internet. It utilized some of the code found in the Cyber Weapons and also a Malware called WannaCry. Hundreds of thousands of computers around the globe got hit. Then a kill switch was set off which dramatically slowed and possibly will stop the Ransomware from spreading further.

Stop the presses. A new version 2 of the WannaCry Malware is now out, which no longer has the Kill Switch code. That will make it difficult to stop.

The Hacker News facebook page posted a solution. Essentially their posts stated to disable the SMB service within Windows. It is not needed and is enabled for backwards compatibility.

Ok, but how do you disable SMB in Windows?

In Windows go to Control Panel. In Control Panel go to the icon labeled “Programs”. Click on it. Then under Programs and Features click on Turn Windows Features on and off. Once there, just scroll down till you find SMB 1.0/CIFS File Sharing Support. Make sure the checkbox to the left of SMB 1.0 is “NOT” checked off. Then click OK and then close control Panel. Reboot the computer.

In my Windows 10 it was already off (unchecked).

Video is courtesy of the Andr.oid Eric YouTube channel

Video is courtesy of the HatimTech YouTube channel

Another way to disable SMB is by using the Registry Editor. The following Video shows how to do it in Windows 7.

Video is courtesy of the Brxtt Tech YouTube channel

Another way to do it is to key in a Powershell command. That is like a super DOS Prompt. Open a Powershell Window and key in the following (but not the Quotes):

Disable-WindowsOptionalFeature -Online -FeatureName SMB1protocol

Press Enter and you should be good to go after you reboot the computer. I would double check in ControlPanel. Better safe than sorry.

Windows 8 and Windows Server 2012 introduce the new Set-SMBServerConfiguration Windows PowerShell cmdlet. The cmdlet enables you to enable or disable the SMBv1, SMBv2, and SMBv3 protocols on the server component.

  • To obtain the current state of the SMB server protocol configuration, run the following cmdlet:

    Get-SmbServerConfiguration | Select EnableSMB1Protocol, EnableSMB2Protocol
  • To disable SMBv1 on the SMB server, run the following cmdlet:
          Set-SmbServerConfiguration -EnableSMB1Protocol $false
  • You do not have to restart the computer after you run the Set-SMBServerConfiguration cmdlet. But I would restart the computer.

To enable or disable SMB protocols on an SMB Server that is running Windows 7, Windows Server 2008 R2, Windows Vista, or Windows Server 2008, use Windows PowerShell or Registry Editor.
Windows PowerShell 2.0 or a later version of PowerShell

  • To disable SMBv1 on the SMB server, run the following cmdlet:

    Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force
  • Note you must restart the computer after you make these changes.

REGISTRY. To enable or disable SMBv1 on the SMB server, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1

REG_DWORD: 0 = Disabled

REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Restart the computer after making the changes to the Registry.

How to enable or disable SMB protocols on the SMB client
Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012
To disable SMBv1 on the SMB client, run the following commands:

     sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

     sc.exe config mrxsmb10 start= disabled
     Restart the computer after executing the above.

If that is the hole inside all Windows Versions that existed prior to the Mar 2017 Microsoft Patch, then it has been around for ages.

Click on this link to visit The Hackers News Facebook page.

Click on this link to visit The Hackers News website.

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.

One final note which is bugging me. People are saying that this Ransomware is a “VIRUS“. WannaCry Ransomware is “NOT” a Virus. The WannaCry Ransomware is a vastly more complex computer “WORM“, hence it’s ability to find Windows computers connected to a network.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

 

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. The WannaCry Malware has already been changed (minus the Kill Switch). Disabling SMB may not prevent future versions from affecting your computer. Best Practice is to always create daily backups