The Ransomware strain “Wanna Decryptor 2.0” aka “WannaCry” is currently on a devastating run, reportedly taking offline several NHS hospital networks in the United Kingdom as well as other major organizations in Europe are reporting ransomware infections.
The JASK Labs team’s initial research shows the actors have repurposed the recently (ShadowBrokers) leaked zero-day vulnerability MS17-010 in Microsoft SMB protocol. Remember this vulnerability originated as a purportedly leaked NSA offensive tool “EternalBlue” and has now been completely weaponized by criminal malware gangs for Ransomware campaigns.
Here is a Youtube video displaying the WannaCry ransomware in action:
If you recall from our earlier blog post, we did a fairly extensive run-down on EternalBlue and already offered coverage in our product for MS17-010, back when those details first emerged. Beginning today JASK added coverage for WannaCry in JASK Trident. ***UPDATE WannaCry is also installing DoublePulsar backdoor as it spreads. ***
So if your wondering how WannaCry is getting into your network and how exactly is it using EternalBlue? See the following detailed breakdown:
- The initial attack vector is simple Phishing based, a first stage exploit is sent via email either as an HTML/JS attachment or PDF with links to some Exploitkit (details coming soon)
- Second stage drops WannaCry and EternalBlue variant which starts scanning and exploiting systems on the network laterally via Windows SMB filesharing protocol. This is dangerous (*Worm like behaviour*) because if the initial phishing victim is simply a Wifi Guest or Home computer connected to the Office VPN then it quickly spreads to any vulnerable Windows Server or Workstation on the network!
- Encryption (Ransomeware) routines aggressively start on any machine compromised by Eternal Blue and hidden command and control commands are stealthy routed through TOR via an onion address. This hides the traffic from typical DNS monitoring to C2 domains.
The good news is that if you use JASK Trident you have TOR detection and Eternal Blue detections as default content. We detect TOR using advanced network analysis using meta-data, which is a huge upgrade from the typical approach of tracking exit-node IP list’s. Our approach is much more accurate and doesn’t require updating… this in itself is a huge benefit that most other security products cannot or do not support when detecting TOR!
If you are not currently a JASK user, we recommend you leverage the following Snort/Suricata rule made by the IBM X-force team and observe the below IOC’s related to WannaCry.
alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
We also recommend tracking TOR exit node IP’s as Threat Intel if thats the only viable way you can track TOR on your network, otherwise reach out to our team to get a JASK sensor setup quickly to ensure coverage here.
The following WannaCry network IOC’s were observed in AlienVault’s OTX community and deployed to all JASK customers running Trident.