Detecting and Mitigating WannaCry and Its Copycats Using GuardiCore Centra Platform


Attack overview

WannaCry and its copycat attacks work by exploiting a critical vulnerability in the Microsoft Windows SMBv1 server (MS17-010). Patched Windows machines are safe; any unpatched Windows machine is at risk. The WannaCry campaign threatens internet-facing as well as internal networks, since a compromised laptop or server inside the network will try to propagate to and infect any machine it can reach over SMB. Because the EternalBlue exploit does not require authentication, every machine reachable over SMB, whether from the internet or from an infected machine inside the network, is exposed.

The WannaCry attack was partially mitigated about 72 hours after its launch. This was made possible by a 'kill switch' in the malware: an unregistered domain name hardcoded into the malware's binary, presumably so that its author could stop it from spreading. Once a security analyst registered this domain, the spread of the malware slowed down significantly. New variants of WannaCry with different kill-switch domains keep showing up (and are being blocked), and we already see variants without any kill switch at all, so patching is crucial.

The attack flow (from the samples analyzed so far):

  1. Exploit using EternalBlue
  2. Use the NSA’s DoublePulsar implant to inject ransomware and scanning tools
  3. Execute ransomware to encrypt user files
  4. Execute scanning tools to continue propagation using EternalBlue

The ransomware uploads the encryption key used for encrypting the victim machine to one of its C&C servers over Tor:

  • http://gx7ekbenv2riucmf.onion
  • http://57g7spgrzlojinas.onion
  • http://xxlvbrloxvriy2c5.onion
  • http://76jdd2ir2embyv47.onion
  • http://cwwnhwhlz52maqm7.onion

Detection and Mitigation

Over the past week we have seen different malware families using MS17-010 and DoublePulsar to find and attack victims. While each sample is unique, all of these attacks use the same method. Using Guardicore Centra, we can detect and mitigate these attacks with the steps described below. While the focus here is WannaCry, the same mitigations will also detect and block the copycat attacks we are now seeing and expect to see more of in the coming months.

Leveraging GuardiCore Centra's deception and visibility capabilities it is possible to detect a vulnerable machine, an already infected machine, or malware attempting to propagate across the data center. Having said that, priority should be given to patching machines against the MS17-010 vulnerability. Note that Microsoft has, exceptionally, published patches for both supported and unsupported operating systems (including Windows XP and Windows Server 2003).

The malware communicates with its C&C servers over Tor. Using GuardiCore Reveal you can easily check whether your network was hit by searching for outgoing connections from internal machines to internet destinations over TCP port 9001 or 9030, the default Tor relay and directory ports. Keep in mind that Tor relays can listen on other ports (443 is common), so the absence of 9001/9030 traffic does not prove the network is clean. If you discover an infected machine, the next query you will want to run is for all the machines that the infected machine accessed over SMB (TCP port 445), since each of them is a propagation candidate.

A machine infected with WannaCry in GuardiCore Reveal. The red arrow represents the WannaCry propagation attempt redirected to a GuardiCore Deception Server

GuardiCore Reveal will also allow you to see all data center servers that received SMB connections from the internet. Until these machines are patched you must block all incoming SMB connections (TCP port 445) to them.
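The three queries above (outbound Tor ports to internet destinations, SMB from a suspect host, and SMB reaching internal servers from the internet) can be run against any connection log, not only Reveal. The following is an added example written for this page, not Guardicore code: it implements those queries over a constructed flow log, and additionally follows SMB connections transitively from each suspect, since every machine an infected host reached over 445 may itself be infected and scanning. The log format, the sample records and the RFC 1918 definition of "internal" are assumptions you would adjust to your own environment.

```python
"""Hunting WannaCry activity in connection logs (added example, not Guardicore code)."""
import ipaddress
from collections import deque

TOR_PORTS = {9001, 9030}   # default Tor relay (OR) and directory ports
SMB_PORT = 445

# Assumption: "internal" means RFC 1918; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, one flow per line: "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2017-05-13T03:21:07Z 10.0.1.15 203.0.113.7 9001 tcp
2017-05-13T03:21:09Z 10.0.1.15 10.0.2.20 445 tcp
2017-05-13T03:21:10Z 10.0.1.15 10.0.2.21 445 tcp
2017-05-13T03:22:00Z 10.0.1.15 10.0.1.99 80 tcp
2017-05-13T03:25:41Z 10.0.2.20 10.0.2.22 445 tcp
2017-05-13T03:30:12Z 198.51.100.9 10.0.3.5 445 tcp
2017-05-13T03:31:00Z 10.0.4.4 10.0.4.5 9001 tcp
2017-05-13T03:32:00Z 10.0.4.4 203.0.113.7 9001 udp
"""


def parse_log(text):
    """Parse the constructed log format into a list of flow dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def tor_suspects(flows):
    """Internal hosts with outbound TCP to internet destinations on Tor ports.
    Tor is TCP-only, so the UDP record and the internal 9001 record are ignored."""
    return sorted({f["src"] for f in flows
                   if f["proto"] == "tcp" and f["port"] in TOR_PORTS
                   and is_internal(f["src"]) and not is_internal(f["dst"])})


def smb_targets(flows, src):
    """Every host that 'src' connected to over SMB."""
    return sorted({f["dst"] for f in flows
                   if f["src"] == src and f["proto"] == "tcp" and f["port"] == SMB_PORT})


def propagation_closure(flows, seeds):
    """Breadth-first walk over SMB connections starting at the suspect hosts:
    each host reached over 445 is itself a candidate for having been infected."""
    reached, queue = set(), deque(seeds)
    while queue:
        host = queue.popleft()
        for dst in smb_targets(flows, host):
            if dst not in reached and dst not in seeds:
                reached.add(dst)
                queue.append(dst)
    return sorted(reached)


def internet_exposed_smb(flows):
    """Internal servers that accepted SMB from non-internal sources."""
    return sorted({f["dst"] for f in flows
                   if f["proto"] == "tcp" and f["port"] == SMB_PORT
                   and not is_internal(f["src"]) and is_internal(f["dst"])})


def triage(text):
    flows = parse_log(text)
    suspects = tor_suspects(flows)
    return {
        "tor_suspects": suspects,
        "smb_from_suspects": {s: smb_targets(flows, s) for s in suspects},
        "possible_second_hops": propagation_closure(flows, set(suspects)),
        "internet_exposed_smb": internet_exposed_smb(flows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the sample data this flags 10.0.1.15 as the Tor-talking host, lists the two servers it touched over SMB plus the third one reached from one of them, and reports 10.0.3.5 as a server receiving SMB from the internet. Treat the Tor-port query as a starting point only; confirm a suspect through its SMB fan-out and host artifacts rather than the port alone.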

As part of the malware's operation it scans for additional infection targets. In this case, a GuardiCore Deception Server disguises itself as a real vulnerable Windows machine, leaving the malware completely unaware of this. When WannaCry attempts to infect the Deception Server, Centra triggers an immediate alarm.

GuardiCore Centra deception generates automatic report of the WannaCry worm

If you are using Suricata, Snort or another IDS in your network, the following signatures will detect the exploitation and implant phases on SMB traffic visible to the sensor. The EternalBlue rules key on the unusual MultiplexIDs (64 and 65) the exploit uses and on the Trans2 responses with STATUS_NOT_IMPLEMENTED (0xC0000002) and MultiplexID 81 or 82 that a DoublePulsar-backdoored host returns; the DoublePulsar rules key on the Trans2 SESSION_SETUP subcommand (0x000E), which Windows never implements and which the implant uses as its "ping".

  1. Detect the exploitation phase (EternalBlue):

    # EternalBlue signature matching potential NEW installation of SMB payload
    alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 - MS17-010"; flow:from_server,established; content:"|FF|SMB|32 02 00 00 c0|"; offset:4; depth:9; content:"|52 00|"; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)

    # EternalBlue signature matching return signature for connection to pre-installed SMB payload
    alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Successful ETERNALBLUE Connection SMB MultiplexID = 81 - MS17-010"; flow:from_server,established; content:"|FF|SMB|32 02 00 00 c0|"; offset:4; depth:9; content:"|51 00|"; distance:21; within:23; classtype:trojan-activity; sid:5000073; rev:1;)

    # Signature to identify what appears to be the initial setup trigger for SMBv1 - MultiplexID 64 is another unusual value
    alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 - Tree Connect AndX MultiplexID = 64 - MS17-010"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; offset:4; depth:9; content:"|40 00|"; distance:21; within:23; flowbits:set,SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

    # Signature triggers on Trans2 Setup Request with MultiplexID 65 - another unusual MID - only triggers if 64 was seen previously on the same flow
    alert tcp $HOME_NET any -> any any (msg:"EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 2/2 - Trans2 SUCCESS MultiplexID = 65 - MS17-010"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; offset:4; depth:9; content:"|41 00|"; distance:21; within:23; flowbits:isset,SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000075; rev:1;)

  2. Detect DOUBLEPULSAR:

    # Trans2 request carrying the unimplemented SESSION_SETUP subcommand (0x000E): the implant's "ping"
    alert tcp any any -> $HOME_NET 445 (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand Request"; flow:to_server,established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|0E 00|"; distance:56; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618009; classtype:attempted-user; rev:1;)

    # Response with MultiplexID 81: implant already present
    alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 81 Response"; flow:to_client,established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|51 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618008; classtype:attempted-user; rev:1;)

    # Response with MultiplexID 82: implant just installed
    alert tcp $HOME_NET 445 -> any any (msg:"DOUBLEPULSAR SMB implant - Unimplemented Trans2 Session Setup Subcommand - 82 Response"; flow:to_client,established; content:"|FF|SMB|32|"; depth:5; offset:4; content:"|52 00|"; distance:25; within:2; reference:url,https://twitter.com/countercept/status/853282053323935749; sid:1618010; classtype:attempted-user; rev:1;)
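To see exactly which bytes these rules inspect, here is an added example written for this page (not Guardicore's code and not an IDS) that decodes the SMB1 header fields the signatures key on and reproduces their logic in Python, including the flowbit dependency between the two EternalBlue stages. The packets it classifies are constructed from the SMB1 wire layout (4-byte NetBIOS session header, 32-byte SMB header, Trans2 parameter block) rather than captured traffic, with all fields the rules do not inspect zeroed; a real sensor also has to reassemble the TCP stream, which this example does not attempt.

```python
"""SMB1 decoder mirroring the EternalBlue/DoublePulsar IDS rules (added example)."""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TREE_CONNECT_ANDX = 0x75
SMB_FLAGS_REPLY = 0x80
STATUS_NOT_IMPLEMENTED = 0xC0000002
TRANS2_SESSION_SETUP = 0x000E          # subcommand Windows never implemented; DoublePulsar's "ping"

# Alert names (this example's own labels, not the rule msg strings)
EB_STAGE1 = "ETERNALBLUE stage 1/2: Tree Connect AndX, MID 64"
EB_STAGE2 = "ETERNALBLUE stage 2/2: Trans2, MID 65"
DP_PING = "DOUBLEPULSAR: Trans2 SESSION_SETUP request"


def parse_smb1(pkt):
    """Decode NetBIOS session header + 32-byte SMB1 header. Returns None if not SMB1.
    Packet offsets: magic 4..7, command 8, NT status 9..12, flags 13, MultiplexID 34..35."""
    if len(pkt) < 36 or pkt[4:8] != SMB_MAGIC:
        return None
    command = pkt[8]
    status, flags = struct.unpack_from("<IB", pkt, 9)
    (mid,) = struct.unpack_from("<H", pkt, 34)
    info = {"command": command, "status": status, "mid": mid,
            "is_response": bool(flags & SMB_FLAGS_REPLY)}
    # Trans2 request: WordCount at 36, SetupCount at 63, Setup[0] (the subcommand) at 65..66.
    # This is the "distance:56; within:2" after the 5-byte match ending at offset 9 in rule 1618009.
    if command == SMB_COM_TRANSACTION2 and not info["is_response"] and len(pkt) >= 67 and pkt[63] >= 1:
        (info["trans2_subcommand"],) = struct.unpack_from("<H", pkt, 65)
    return info


def classify_stream(packets):
    """packets: ordered (to_server, bytes) pairs of one TCP flow. Emulates the flowbit:
    the MID-65 Trans2 rule only fires after a MID-64 Tree Connect AndX on the same flow.
    Returns the alerts in the order they would fire."""
    alerts, seen_mid64 = [], False
    for to_server, pkt in packets:
        smb = parse_smb1(pkt)
        if smb is None:
            continue
        cmd, status, mid = smb["command"], smb["status"], smb["mid"]
        if to_server:
            if cmd == SMB_COM_TREE_CONNECT_ANDX and status == 0 and mid == 0x40:   # sid 5000074
                seen_mid64 = True
                alerts.append(EB_STAGE1)
            if cmd == SMB_COM_TRANSACTION2 and status == 0 and mid == 0x41 and seen_mid64:  # sid 5000075
                alerts.append(EB_STAGE2)
            if cmd == SMB_COM_TRANSACTION2 and smb.get("trans2_subcommand") == TRANS2_SESSION_SETUP:  # sid 1618009
                alerts.append(DP_PING)
        else:
            # sids 5000072/5000073 (status + MID) and 1618008/1618010 (MID only) key on these responses
            if cmd == SMB_COM_TRANSACTION2 and status == STATUS_NOT_IMPLEMENTED and mid in (0x51, 0x52):
                alerts.append(f"DOUBLEPULSAR: Trans2 NOT_IMPLEMENTED response, MID {mid}")
    return alerts


# --- constructed packets (wire layout only; non-inspected fields are zero) ---
def _netbios(payload):
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def _smb1_header(command, status, mid, is_response):
    flags = SMB_FLAGS_REPLY if is_response else 0x18
    return SMB_MAGIC + struct.pack("<BIBHH8sHHHHH", command, status, flags,
                                   0, 0, b"\0" * 8, 0, 0, 0, 0, mid)


def trans2_request(subcommand, mid):
    # WordCount=15, 14 parameter words, SetupCount=1, Reserved3, Setup[0]=subcommand, ByteCount=0
    body = struct.pack("<BHHHHBBHIHHHHHBBHH", 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, subcommand, 0)
    return _netbios(_smb1_header(SMB_COM_TRANSACTION2, 0, mid, False) + body)


def tree_connect_andx_request(mid):
    data = b"\x00" + b"\\\\10.0.2.20\\IPC$\x00" + b"?????\x00"
    body = struct.pack("<BBBHHHH", 4, 0xFF, 0, 0, 0, 1, len(data)) + data
    return _netbios(_smb1_header(SMB_COM_TREE_CONNECT_ANDX, 0, mid, False) + body)


def trans2_response(status, mid):
    return _netbios(_smb1_header(SMB_COM_TRANSACTION2, status, mid, True) + b"\x00\x00\x00")


def attack_flow():
    """Constructed exploitation sequence as the rules expect to see it."""
    return [
        (True, tree_connect_andx_request(0x40)),
        (True, trans2_request(0x0000, 0x41)),                 # exploit Trans2; subcommand irrelevant
        (True, trans2_request(TRANS2_SESSION_SETUP, 0x42)),   # implant ping
        (False, trans2_response(STATUS_NOT_IMPLEMENTED, 0x51)),
        (False, trans2_response(STATUS_NOT_IMPLEMENTED, 0x52)),
    ]


if __name__ == "__main__":
    for a in classify_stream(attack_flow()):
        print(a)
    print(classify_stream([(True, trans2_request(0x0005, 0x01))]))  # benign QUERY_PATH_INFO: []
```

A Trans2 QUERY_PATH_INFORMATION request with an ordinary MultiplexID produces no alert, and a lone MID-65 Trans2 without the preceding MID-64 Tree Connect is silent too, which is the behaviour the flowbit in sid 5000075 buys you against false positives.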

If you have any further questions, please contact us at labs@guardicore.com.
