WannaCry

Started by deanwebb, May 13, 2017, 03:17:52 PM


deanwebb

This thing is for reals. Prepare.

Check with your IPS vendor to be sure you have the right signatures in place.

https://gist.github.com/Neo23x0/3a245e6206951f17125f2b214b160fe8 has some nice processes to look for and to KILL.

Check your firewalls, be sure that TCP 139 and TCP 445 aren't allowed in from anywhere they shouldn't be allowed in from.

MSFT posted a patch for the SMB vulnerability for XP devices.

Biggest, baddest version out there is currently paused because of a guy that registered a killswitch domain. Other variants may arise, so be sure to secure yourselves now.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.
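The "check your firewalls" advice above is easy to state and tedious to verify by hand on a large rule base. The following is an added example, not something from the post or its author: a small audit that walks a vendor-neutral rule list (constructed here, with RFC 5737 documentation addresses) and reports every permit that would let TCP 139 or 445 in from a source outside the RFC 1918 ranges. The rule tuple shape, the internal ranges and the assumption that the rules are applied inbound at the perimeter are all mine.

```python
import ipaddress

# Assumption: these are the ranges "allowed in from" legitimately; adjust to your own.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}

# Constructed rule set applied inbound at the perimeter:
# (action, protocol, source, destination, destination ports)
# Ports are "any", a single port, or an inclusive "lo-hi" range.
RULES = [
    ("permit", "tcp", "any",            "any",           "443"),      # HTTPS, irrelevant
    ("permit", "tcp", "any",            "192.0.2.10/32", "445"),      # SMB open to the world
    ("permit", "tcp", "10.0.0.0/8",     "any",           "445"),      # internal source, fine
    ("permit", "tcp", "203.0.113.0/24", "any",           "137-139"),  # NetBIOS from a partner
    ("permit", "udp", "any",            "any",           "445"),      # UDP, not SMB over TCP
    ("deny",   "tcp", "any",            "any",           "445"),      # a deny is not a finding
    ("permit", "tcp", "192.168.0.0/16", "any",           "any"),      # internal, any port
    ("permit", "ip",  "any",            "any",           "any"),      # catch-all permit
]


def port_spec_hits(spec, ports):
    """True if the port spec ("any", "445", "137-139") covers any port in `ports`."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return any(lo <= p <= hi for p in ports)


def is_internal(src):
    """True only if the whole source range sits inside one of the INTERNAL ranges."""
    if src == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(i) for i in INTERNAL if i.version == net.version)


def audit_smb_exposure(rules):
    """Return (index, src, dst, ports) for every permit exposing TCP 139/445 externally."""
    findings = []
    for idx, (action, proto, src, dst, dports) in enumerate(rules):
        if action != "permit" or proto not in ("tcp", "ip"):
            continue
        if not port_spec_hits(dports, SMB_PORTS):
            continue
        if is_internal(src):
            continue
        findings.append((idx, src, dst, dports))
    return findings


if __name__ == "__main__":
    for idx, src, dst, ports in audit_smb_exposure(RULES):
        print(f"rule {idx}: {src} -> {dst} ports {ports} exposes SMB/NetBIOS")
```

Rules whose protocol is `ip` count because they carry TCP too; a rule that only widens the *destination* is not flagged, since the question the post asks is who is allowed in, not where to.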

deanwebb



deanwebb

Be aware that the killswitch domain is not a perfect solution: it won't work where your devices require a proxy to connect to the Internet and there are lulz groups out there trying to DDoS that domain. Setting up an internal honeypot for the killswitch can help in that regard.
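The "internal honeypot for the killswitch" idea above can be built from very little. What follows is an added example, not code from the post: a minimal HTTP sinkhole that answers any request for the killswitch name with a 200 and records which internal source asked. The domain name `killswitch.example` is a placeholder (the real one is not reproduced here), and it assumes your internal DNS resolves that name to the sinkhole host, which is exactly the case the post describes, where proxy-only clients never reach the real domain. The helper `simulate_check` stands in for an infected host's check so the thing can be exercised offline.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder name; point an internal DNS zone for the real killswitch at this host.
SINKHOLE_NAMES = {"killswitch.example"}


class SinkholeHandler(BaseHTTPRequestHandler):
    # (client_ip, host_header, path) for every request seen; read by suspicious_hosts()
    hits = []

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        SinkholeHandler.hits.append((self.client_address[0], host, self.path))
        # Any successful response satisfies the check; the body is irrelevant.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):
        pass  # keep stdout quiet; hits[] is the record


def start_sinkhole(bind="127.0.0.1", port=0):
    """Start the sinkhole on a background thread; port 0 picks a free port."""
    srv = HTTPServer((bind, port), SinkholeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def suspicious_hosts(hits):
    """Source IPs that asked for a sinkholed name: candidates for isolation and triage."""
    return sorted({ip for ip, host, _ in hits if host in SINKHOLE_NAMES})


def simulate_check(port, host_header, path="/"):
    """Stand-in for a client's killswitch lookup: GET with the given Host header."""
    req = urllib.request.Request(f"http://127.0.0.1:{port}{path}",
                                 headers={"Host": host_header})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv = start_sinkhole()
    port = srv.server_address[1]
    simulate_check(port, "killswitch.example")
    simulate_check(port, "intranet.example")
    print("hosts that hit the killswitch name:", suspicious_hosts(SinkholeHandler.hits))
    srv.shutdown()
```

Two things the post implies but does not spell out: the sinkhole must answer on plain HTTP port 80 in production (the check does not go through the proxy), and the value is as much in the log as in the 200 response, since every source that asks is a machine worth looking at.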

Dieselboy

You guys are blocking those IPs in the table there that are listed as malicious? Or blocking all of them?

SimonV

I've blocked all of them, from the article that Dean provided. Here's the list in prefix format:

104.131.84.119/32
128.31.0.39/32
136.243.176.148/32
146.0.32.144/32
163.172.153.12/32
163.172.185.132/32
163.172.25.118/32
163.172.35.247/32
171.25.193.9/32
178.254.44.135/32
178.62.173.203/32
185.97.32.18/32
188.138.33.220/32
188.166.23.127/32
192.42.115.102/32
193.23.244.244/32
198.199.64.217/32
2.3.69.209/32
212.47.232.237/32
213.239.216.222/32
213.61.66.116/32
217.172.190.251/32
217.79.179.77/32
38.229.72.16/32
50.7.151.47/32
50.7.161.218/32
51.255.41.65/32
62.138.10.60/32
62.138.7.231/32
79.172.193.32/32
81.30.158.223/32
82.94.251.227/32
83.162.202.182/32
83.169.6.12/32
86.59.21.38/32
89.45.235.21/32
94.23.173.93/32


Either configure a security policy that blocks and logs or a null/discard route.


Dieselboy

Thanks very much Simon. The infected client connects to these addresses so I am expecting I will block outbound with an ACL at the perimeter. Null route is nice, but I will want to see at least some ACL hits (they are still 0).
Edit - as per the mitigations section on the link above, I have applied both in and outbound.
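Simon's list and the "block and log with a policy, or null route" and "ACL in and out at the perimeter" approaches from the two posts above can be generated from one source rather than typed 37 times. The block below is an added example, not code from either poster: it parses a prefix list in the format posted (a shortened, constructed copy of that list is embedded), rejects anything that is not a clean IPv4 prefix, and renders IOS-style named ACLs for both directions plus matching discard routes. The ACL names are my choice, and the trailing `permit ip any any` is only so each ACL is complete on its own; in practice the deny lines are spliced above your existing entries.

```python
import ipaddress

# Constructed, shortened copy of the /32 list posted above (the full list has
# 37 entries; the functions accept any list in the same one-prefix-per-line form).
PREFIX_LIST = """
104.131.84.119/32
128.31.0.39/32
2.3.69.209/32
89.45.235.21/32
94.23.173.93/32
# comments, blank lines and duplicates are tolerated
94.23.173.93/32
"""


def parse_prefixes(text):
    """One prefix per line; drop comments, blanks and duplicates; sort numerically."""
    nets = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # strict=True rejects e.g. 10.0.0.5/24, so a typo cannot silently widen a block
        net = ipaddress.ip_network(line, strict=True)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this list: {line}")
        nets.add(net)
    return sorted(nets)


def _ios_match(net):
    """Render a network as an IOS ACL address match: 'host X' or 'X wildcard'."""
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def ios_acls(prefixes, acl_in="WANNACRY-IN", acl_out="WANNACRY-OUT"):
    """Named extended ACLs that deny and log the listed hosts in both directions."""
    lines = [f"ip access-list extended {acl_out}"]
    lines += [f" deny ip any {_ios_match(n)} log" for n in prefixes]
    lines.append(" permit ip any any")
    lines.append(f"ip access-list extended {acl_in}")
    lines += [f" deny ip {_ios_match(n)} any log" for n in prefixes]
    lines.append(" permit ip any any")
    return lines


def null_routes(prefixes):
    """Static discard routes; these do not log, so use them alongside the ACLs."""
    return [f"ip route {n.network_address} {n.netmask} Null0" for n in prefixes]


if __name__ == "__main__":
    nets = parse_prefixes(PREFIX_LIST)
    print("\n".join(ios_acls(nets)))
    print("\n".join(null_routes(nets)))
```

Because `parse_prefixes` sorts numerically, `2.3.69.209/32` comes out first even though the posted list sorts it as text; generating both the address definitions and the group from the same sorted list is also what keeps a hand-maintained set from drifting out of sync with its members.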

SimonV

I agree. Initially I added a discard route on my SRX but that doesn't provide logs so I configured a policy. If anyone is interested in an easy patch for SRX:

Source zone = [SRC-ZONE]
Destination zone = [DST-ZONE]

[edit security address-book global]
     address Net-104.208.0.0-13 { ... }
+    address Host-104.131.84.119-32 {
+        description "Wannacry Control server 15/05/2017";
+        104.131.84.119/32;
+    }
+    address Host-128.31.0.39-32 {
+        description "Wannacry Control server 15/05/2017";
+        128.31.0.39/32;
+    }
+    address Host-136.243.176.148-32 {
+        description "Wannacry Control server 15/05/2017";
+        136.243.176.148/32;
+    }
+    address Host-146.0.32.144-32 {
+        description "Wannacry Control server 15/05/2017";
+        146.0.32.144/32;
+    }
+    address Host-163.172.153.12-32 {
+        description "Wannacry Control server 15/05/2017";
+        163.172.153.12/32;
+    }
+    address Host-163.172.185.132-32 {
+        description "Wannacry Control server 15/05/2017";
+        163.172.185.132/32;
+    }
+    address Host-163.172.25.118-32 {
+        description "Wannacry Control server 15/05/2017";
+        163.172.25.118/32;
+    }
+    address Host-163.172.35.247-32 {
+        description "Wannacry Control server 15/05/2017";
+        163.172.35.247/32;
+    }
+    address Host-171.25.193.9-32 {
+        description "Wannacry Control server 15/05/2017";
+        171.25.193.9/32;
+    }
+    address Host-178.254.44.135-32 {
+        description "Wannacry Control server 15/05/2017";
+        178.254.44.135/32;
+    }
+    address Host-178.62.173.203-32 {
+        description "Wannacry Control server 15/05/2017";
+        178.62.173.203/32;
+    }
+    address Host-185.97.32.18-32 {
+        description "Wannacry Control server 15/05/2017";
+        185.97.32.18/32;
+    }
+    address Host-188.138.33.220-32 {
+        description "Wannacry Control server 15/05/2017";
+        188.138.33.220/32;
+    }
+    address Host-188.166.23.127-32 {
+        description "Wannacry Control server 15/05/2017";
+        188.166.23.127/32;
+    }
+    address Host-192.42.115.102-32 {
+        description "Wannacry Control server 15/05/2017";
+        192.42.115.102/32;
+    }
+    address Host-193.23.244.244-32 {
+        description "Wannacry Control server 15/05/2017";
+        193.23.244.244/32;
+    }
+    address Host-198.199.64.217-32 {
+        description "Wannacry Control server 15/05/2017";
+        198.199.64.217/32;
+    }
+    address Host-2.3.69.209-32 {
+        description "Wannacry Control server 15/05/2017";
+        2.3.69.209/32;
+    }
+    address Host-212.47.232.237-32 {
+        description "Wannacry Control server 15/05/2017";
+        212.47.232.237/32;
+    }
+    address Host-213.239.216.222-32 {
+        description "Wannacry Control server 15/05/2017";
+        213.239.216.222/32;
+    }
+    address Host-213.61.66.116-32 {
+        description "Wannacry Control server 15/05/2017";
+        213.61.66.116/32;
+    }
+    address Host-217.172.190.251-32 {
+        description "Wannacry Control server 15/05/2017";
+        217.172.190.251/32;
+    }
+    address Host-217.79.179.77-32 {
+        description "Wannacry Control server 15/05/2017";
+        217.79.179.77/32;
+    }
+    address Host-38.229.72.16-32 {
+        description "Wannacry Control server 15/05/2017";
+        38.229.72.16/32;
+    }
+    address Host-50.7.151.47-32 {
+        description "Wannacry Control server 15/05/2017";
+        50.7.151.47/32;
+    }
+    address Host-50.7.161.218-32 {
+        description "Wannacry Control server 15/05/2017";
+        50.7.161.218/32;
+    }
+    address Host-51.255.41.65-32 {
+        description "Wannacry Control server 15/05/2017";
+        51.255.41.65/32;
+    }
+    address Host-62.138.10.60-32 {
+        description "Wannacry Control server 15/05/2017";
+        62.138.10.60/32;
+    }
+    address Host-62.138.7.231-32 {
+        description "Wannacry Control server 15/05/2017";
+        62.138.7.231/32;
+    }
+    address Host-79.172.193.32-32 {
+        description "Wannacry Control server 15/05/2017";
+        79.172.193.32/32;
+    }
+    address Host-81.30.158.223-32 {
+        description "Wannacry Control server 15/05/2017";
+        81.30.158.223/32;
+    }
+    address Host-82.94.251.227-32 {
+        description "Wannacry Control server 15/05/2017";
+        82.94.251.227/32;
+    }
+    address Host-83.162.202.182-32 {
+        description "Wannacry Control server 15/05/2017";
+        83.162.202.182/32;
+    }
+    address Host-83.169.6.12-32 {
+        description "Wannacry Control server 15/05/2017";
+        83.169.6.12/32;
+    }
+    address Host-86.59.21.38-32 {
+        description "Wannacry Control server 15/05/2017";
+        86.59.21.38/32;
+    }
+    address Host-89.45.235.21-32 {
+        description "Wannacry Control server 15/05/2017";
+        89.45.235.21/32;
+    }
+    address Host-94.23.173.93-32 {
+        description "Wannacry Control server 15/05/2017";
+        94.23.173.93/32;
+    }
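Review bot: every one of the 37 host entries carries the identical description "Wannacry Control server 15/05/2017", which loses where each address came from and whether it is disputed; later in this thread 89.45.235.21 and 38.229.72.16 are shown resolving for torproject.org and the quoted Talos remark calls one entry a false positive. A per-entry description naming the source row, e.g. `description "WannaCry C2 list row 62 - Talos false positive";`, would let those be reviewed before commit instead of being indistinguishable from the rest.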
[edit security address-book global]
     address-set Grp-SfBAddresses { ... }
+    address-set Grp-WannaCry {
+        address Host-104.131.84.119-32;
+        address Host-128.31.0.39-32;
+        address Host-136.243.176.148-32;
+        address Host-146.0.32.144-32;
+        address Host-163.172.153.12-32;
+        address Host-163.172.185.132-32;
+        address Host-163.172.25.118-32;
+        address Host-163.172.35.247-32;
+        address Host-171.25.193.9-32;
+        address Host-178.254.44.135-32;
+        address Host-178.62.173.203-32;
+        address Host-185.97.32.18-32;
+        address Host-188.138.33.220-32;
+        address Host-188.166.23.127-32;
+        address Host-192.42.115.102-32;
+        address Host-193.23.244.244-32;
+        address Host-198.199.64.217-32;
+        address Host-2.3.69.209-32;
+        address Host-212.47.232.237-32;
+        address Host-213.239.216.222-32;
+        address Host-213.61.66.116-32;
+        address Host-217.172.190.251-32;
+        address Host-217.79.179.77-32;
+        address Host-38.229.72.16-32;
+        address Host-50.7.151.47-32;
+        address Host-50.7.161.218-32;
+        address Host-51.255.41.65-32;
+        address Host-89.45.235.21-32;
+        address Host-94.23.173.93-32;
+        address Host-62.138.10.60-32;
+        address Host-62.138.7.231-32;
+        address Host-79.172.193.32-32;
+        address Host-81.30.158.223-32;
+        address Host-82.94.251.227-32;
+        address Host-83.162.202.182-32;
+        address Host-83.169.6.12-32;
+        address Host-86.59.21.38-32;
+    }
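Review bot: the address-set does contain all 37 addresses defined in the hunk above, but the members for 89.45.235.21 and 94.23.173.93 are placed between 51.255.41.65 and 62.138.10.60 rather than at the end, so the set cannot be checked against the definitions by eye and a missing member would not stand out. Keep the set in the same order as the address definitions (or generate both from one list) so the two blocks line up.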
[edit security policies from-zone [SRC-ZONE] to-zone [DST-ZONE]]
+     policy FW-WannaCry {
+         match {
+             source-address any;
+             destination-address Grp-WannaCry;
+             application any;
+         }
+         then {
+             deny;
+             log {
+                 session-init;
+                 session-close;
+             }
+         }
+     }
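Review bot: `session-close` under `log` does nothing useful for a deny policy, since no session is ever established for denied traffic; `session-init` is what produces the deny log lines, so dropping `session-close` keeps the config honest about what it records. The bigger operational point, which the post only mentions in passing, is ordering: a policy loaded this way lands at the bottom of the zone pair, where any broader permit above it wins. Before committing, move it with `insert security policies from-zone [SRC-ZONE] to-zone [DST-ZONE] policy FW-WannaCry before policy <first-policy-name>` and confirm with `show security policies` that it is first.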


Replace the zone variables with your own values and apply it from configuration mode with "load patch terminal". Press CTRL+D to apply the patch, make sure it's on top of the policy and verify before you commit :)

PS - this config may not be valid for your environment so I take no responsibility  :twisted:

Dieselboy

Excellente!

Simon, I did an nslookup for the Tor web URL and found more IPs. Should we be blocking them?

C:\Users\CoolGuy1>nslookup torproject.org
Server:  juc-dc1-prd.j.randomcompany.com
Address:  192.168.7.234

Non-authoritative answer:
Name:    torproject.org
Addresses:  2a01:4f8:172:1b46:0:abba:5:1
          2001:858:2:2:aabb:0:563b:1e28
          2001:41b8:202:deb:213:21ff:fe20:1426
          2001:6b0:5a:5000::5
          2620:0:6b0:b:1a1a:0:26e5:4810
          154.35.132.70
          89.45.235.21 <-- this one blocked
          38.229.72.16
          138.201.14.197
          86.59.30.40
          82.195.75.101

Not checked the others.

SimonV

I just grabbed everything from the table and added it to my policy. There was this remark about that IP in green so I don't think it should be blocked per se...

Quote: 6) #62 is a false positive reported by Talos, as it leads to deb.torproject.org and multiple other subdomains of torproject, which are pretty benign - they host the Tor browser, which does not make them a C2 or malicious website.


deanwebb

Blocking all the Tor nodes may be a good idea at this time. No need for anyone at work to do anonymous outbound connections on a VPN into the TOR network...

Dieselboy

I had a chat with our CEO on the drive home and he's in agreement with you, Dean - no one in our workplace should be accessing tor at all. I'll add that one to the list tomorrow.

I need to speak with Cisco re our FirePower setup and see what we need to do / can do there to help prevent an attack from that perspective (if it's not already).