Question
In what may be the first public weaponizing of April’s Shadow Brokers dump of NSA exploits, a ransomware attack has crippled IT systems globally and disrupted operations at major organizations, including patient services at UK hospitals.
About 80,000 infections have been detected in about 100 countries at the time of this writing, and the attack, which uses the WannaCry (WanaCrypt0r 2.0) ransomware, continues to spread.
The rapid weaponizing of newly disclosed nation state exploits for criminal purposes and, in this case, monetary gain, places new burdens on enterprises’ security organizations. They now must deal with destructive and fast-moving cyber attacks such as this one, which requires putting in place systems, tools, and processes to quickly identify, prioritize, and remediate these attacks.
It took just 28 days from the original Shadow Brokers dump of NSA exploits targeting newly disclosed vulnerabilities (MS17-010) to yield a fully operational and crippling cyber attack.
Enterprises with vulnerability management programs that scan less frequently (such as those performing only monthly scans), that provide no coverage of remote user machines, or that lack threat-prioritized remediation processes can still be at risk.
In an unusual move due to the extreme threat of this type of malware, Microsoft has also released patches for some “end of life” (EOL) versions, including Windows XP, Windows 8, Windows Server 2003, and Windows Server 2008.
Identification and Tracking of Remediation
WannaCry utilizes the ETERNALBLUE exploit. Qualys’ Vulnerability Team analyzed the Shadow Brokers dump and made this analysis available to customers subscribed to the Qualys ThreatPROTECT service (see image below). Threat prioritization coupled with continuous vulnerability management across on-premises systems, cloud instances, and remote user endpoints provides full visibility of impacted assets for precise and prompt remediation.
Using Risk Management to Eternal Blue
Although there have been reports that many organizations and individual computer users, in all parts of the globe, have been hit by the WCry campaign, there are steps you can take to protect your IT environment before the WCry ransomware holds your files hostage, including:
Apply the MS17-010[6] Microsoft Update from March 2017. This patch addresses the vulnerability leveraged by this worm, as well as other vulnerabilities in the Shadow Brokers'[7] April release. Microsoft also released these security updates[8] for systems running Windows XP and Windows Server 2003 legacy operating systems.
Ensure that all your systems are protected by firewalls, configured to block any connection request for SMB from the greater Internet.
Use network auditing tools (such as Nmap, Nessus, or Qualys) to scan your networks to locate all computers exploitable by the vulnerabilities described in MS17-010 and find any instances of the DOUBLE PULSAR backdoor.
Disable SMB v1 on systems where it is not facilitating business-critical functions (e.g., hosts that do not need to communicate with Windows XP and Windows 2000 systems). For systems that do need to communicate with Windows XP and 2000 systems, carefully evaluate the need for allowing SMB v1-capable systems on interconnected networks, compared to the associated risks.
Segment your networks to isolate computers and servers that cannot be patched, and block SMB v1 from traversing those network boundaries.
Regularly back up data with offline backup media. Backups to locally connected, network-attached, or cloud-based storage are not sufficient because many types of ransomware discover these file shares and drives.
Although the recommendation to apply the patch for the SMB v1 vulnerability is the first security step mentioned in this blog, we cannot reiterate how important patch management is to helping protect one's critical systems from the WCry ransomware threat, as well as from other cyber threats. It is critical that as soon as patches become available you install updates for your computer systems' firmware and software, including operating systems, Internet browsers, and browser plugins. On an ironic note, in SecureWorks' 2017 Ransomware Defense Survey, 42 percent of those surveyed said they expect to invest more in patching in 2017 due to ransomware threats. The WCry campaign should send the message home that investing in prompt and regular patching is not a "nice to have" but a "must have."
Implement an Advanced Malware Protection and Detection solution, which will inspect all email, file and web traffic, immediately sending any suspicious traffic, email attachments and links through an analytics engine looking for malicious code before delivering it to the end user.
Implement an advanced endpoint agent solution to quickly detect, respond and mitigate attacks on each computer.
Reevaluate permissions on shared network drives to prevent unprivileged users from modifying files.
What if the WCry Ransomware Has Encrypted My Critical Files?
If your organization has been hit by the WCry campaign and the hackers have encrypted some or all of your critical files, and you do not have backups of these files, what do you do?
In cases of ransomware or extortion, we advise not to pay the hackers, so as not to perpetuate the criminal practice of ransomware and extortion. However, ultimately it is up to your management to determine whether you can keep your organization running without having access to the hijacked files. In the case of the WCry ransomware, we are not aware of any victims receiving decryption keys for their files.
Please write summary on this article risk management and eternal blue in your own words
Explanation / Answer
The article on risk management and EternalBlue can be summarized in the points below.
1. Microsoft took the unprecedented step of publicly calling out the National Security Agency (NSA) for hoarding vulnerabilities and exploits.
2. The WannaCry ransomware worm used a critical vulnerability in the Windows Server Message Block protocol, known as EternalBlue, which was released to the public by the Shadow Brokers.
3. The Shadow Brokers claim to have stolen EternalBlue and other exploits and cyberweapons from another hacking outfit called the Equation Group, which has been tied to the NSA.
4. While Microsoft issued a patch for the vulnerability a month before its disclosure, many organizations failed to update their Windows systems and were left exposed to the WannaCry ransomware worm.
5. A few precautions are discussed to protect IT systems from attack by the ransomware worm, which include:
> Applying the MS17-010[6] Microsoft Update
> Ensuring systems are protected by firewalls and accessed through a proxy.
> Using network audit tools
> Taking regular backups of data.
> Using an advanced malware protection and detection solution, etc.
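One way to act on the scan results the article recommends (Nmap run with its smb-vuln-ms17-010 and smb-double-pulsar-backdoor scripts), as an added example that is not part of the article or the answer: it parses a constructed Nmap XML result and orders hosts by remediation urgency, isolating hosts that already carry the DoublePulsar backdoor before patching or segmenting hosts that are merely unpatched. The XML layout is assumed to match Nmap's hostscript/script/table/elem output; the sample addresses are invented.

```python
"""Parse Nmap XML from a scan using the smb-vuln-ms17-010 and smb-double-pulsar-backdoor
NSE scripts and rank hosts for remediation (added helper, not from the article)."""
import xml.etree.ElementTree as ET

# Constructed sample mimicking Nmap's XML layout (assumed: hostscript/script/table/elem
# as emitted by the vulns NSE library). Not real scan data; addresses are invented.
SAMPLE_XML = """<nmaprun>
<host><address addr="10.0.0.5" addrtype="ipv4"/><hostscript>
 <script id="smb-vuln-ms17-010"><table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script>
 <script id="smb-double-pulsar-backdoor"><table key="DOUBLEPULSAR"><elem key="state">VULNERABLE</elem></table></script>
</hostscript></host>
<host><address addr="10.0.0.7" addrtype="ipv4"/><hostscript>
 <script id="smb-vuln-ms17-010"><table key="CVE-2017-0143"><elem key="state">VULNERABLE</elem></table></script>
</hostscript></host>
<host><address addr="10.0.0.9" addrtype="ipv4"/><hostscript>
 <script id="smb-vuln-ms17-010"><table key="CVE-2017-0143"><elem key="state">NOT VULNERABLE</elem></table></script>
</hostscript></host>
</nmaprun>"""

def parse_scan(xml_text):
    """Return {ip: {"ms17_010": bool, "doublepulsar": bool}} from Nmap XML output."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        flags = {"ms17_010": False, "doublepulsar": False}
        for script in host.iter("script"):
            # The vulns library reports states such as VULNERABLE, LIKELY VULNERABLE, NOT VULNERABLE
            states = [e.text or "" for e in script.iter("elem") if e.get("key") == "state"]
            hit = any(s.startswith(("VULNERABLE", "LIKELY")) for s in states)
            if script.get("id") == "smb-vuln-ms17-010":
                flags["ms17_010"] = hit
            elif script.get("id") == "smb-double-pulsar-backdoor":
                flags["doublepulsar"] = hit
        results[addr.get("addr")] = flags
    return results

def remediation_plan(scan):
    """Order hosts by urgency: isolate backdoored hosts, then patch (or segment if EOL) unpatched ones."""
    order = {"isolate": 0, "patch-or-segment": 1, "ok": 2}
    plan = [(ip, "isolate" if f["doublepulsar"] else
                 "patch-or-segment" if f["ms17_010"] else "ok") for ip, f in scan.items()]
    return sorted(plan, key=lambda p: (order[p[1]], p[0]))

if __name__ == "__main__":
    for ip, action in remediation_plan(parse_scan(SAMPLE_XML)):
        print(f"{ip:12} {action}")
```

Hosts flagged "isolate" should be treated as already compromised and handled by incident response, not just patched; "patch-or-segment" hosts that cannot take MS17-010 belong behind the SMB v1 network boundaries the article describes.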