How Stickman’s Penetration Testing identified a WannaCry vulnerability and helped a client to stay secure

On Friday 12th May 2017, the WannaCry ransomware cyber-attack caused havoc on Windows operating systems around the world. In just one day more than 230,000 computers in 250 countries were affected. Large companies didn’t escape unscathed, with Nissan, Renault, Spanish telco Telefonica and the National Health Service (UK) heavily impacted.

WannaCry screen shot. Source: Wikipedia

A non-targeted attack delivered via spam emails was used to spread the ransomware. The email carried a PDF attachment embedded with a malicious macro that encrypts the victim's files, rendering the system inaccessible unless a ransom in the range of hundreds of dollars is paid via bitcoin.

The attack specifically targeted Windows systems that hadn't been updated with the Windows security patch from March 2017. That patch fixed the MS17-010 vulnerabilities that WannaCry exploits. Put simply, without the update your computer system was under threat. This is the situation one of our clients found themselves in.

Our penetration test detects the MS17-010 vulnerability

An advantage of regular penetration testing is the ability to identify new threats to IT infrastructure. Security patches are often overlooked because of varying server configurations and the sheer number of workstations, leaving businesses vulnerable.

Fortunately, during a routine penetration test of our client's IT infrastructure, we were able to exploit the MS17-010 vulnerability and so identify that the critical Windows update had been missed. We immediately notified our client, listing the specific IP addresses that were vulnerable, and gave recommendations to remove the threat to their business.

Because of the short time between identification and remediation of the vulnerability, their business was quickly secured against WannaCry. If the vulnerability hadn't been identified, it might have been a very different story.

How to protect your infrastructure against WannaCry

If you're unsure whether your business is at risk from WannaCry, we recommend the following steps:

  1. Install the security patch released in March (MS17-010). The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  2. If you're using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
  3. Modify firewall configurations to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139 and 445, and on UDP ports 137 and 138.
  4. This attack type may evolve over time, so additional defence-in-depth strategies provide further protection (for example, to further protect against SMBv1 attacks, consider blocking legacy protocols on your networks). Disable SMB: follow the steps described by Microsoft to disable Server Message Block (SMB).
  5. Conduct quarterly penetration tests of your current IT infrastructure to identify vulnerabilities.
  6. Engage your systems and infrastructure team to conduct monthly scans of critical and vulnerable systems and apply the applicable security patches.
  7. Educate your staff on handling suspicious emails, especially those matching the pattern of WannaCry ransomware.
  8. Work with your IT teams to ensure all files have been backed up, so they can be restored in the event of a lock-out.
  9. Deploy monitoring tools such as SIEM, IDS and FIM to detect anomalies and take corrective action as required.
  10. Implementing threat-feed services in the environment will help identify the latest risk factors on the open internet.
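Steps 1, 3 and 4 can be audited on a single host with a short script. The following PowerShell is an added example written for this article, not a Stickman tool; it assumes an elevated session, takes only KB4012598 from the article (add the MS17-010 KB number for your own OS build to the list), and uses `-Remediate` as an assumed switch name.

```powershell
# Added example: audit one Windows host for the MS17-010 patch, SMBv1 and
# inbound SMB exposure. Run elevated. Only KB4012598 comes from the article;
# extend $Ms17010Kbs with the KB that applies to your build (assumption).
param([switch]$Remediate)   # assumed switch name: apply fixes when present

$Ms17010Kbs  = @('KB4012598')
$SmbTcpPorts = @(137, 139, 445)
$SmbUdpPorts = @(137, 138)
$LanmanKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Is an MS17-010 hotfix installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) { Write-Output "MS17-010: patched ($($installed.HotFixID -join ', '))" }
else            { Write-Warning "MS17-010: no matching KB found; patch this host" }

# 2. Is SMBv1 still enabled on the server side?
# Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later; on
# Windows 7 / Server 2008 R2 the documented method is the SMB1 registry value.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $LanmanKey -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)   # absent value means enabled
}
if ($smb1Enabled) {
    Write-Warning "SMBv1: enabled"
    if ($Remediate) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $LanmanKey -Name SMB1 -Value 0 -Type DWord -Force
        }
        Write-Output "SMBv1: disabled (older systems need a reboot)"
    }
} else { Write-Output "SMBv1: disabled" }

# 3. Block inbound SMB ports (step 3 above) on the host firewall.
if ($Remediate -and (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP)' -Direction Inbound `
        -Protocol TCP -LocalPort $SmbTcpPorts -Action Block | Out-Null
    New-NetFirewallRule -DisplayName 'Block inbound SMB (UDP)' -Direction Inbound `
        -Protocol UDP -LocalPort $SmbUdpPorts -Action Block | Out-Null
    Write-Output "Firewall: inbound SMB ports blocked"
}
```

Blocking inbound TCP 445 on a file server breaks its shares, so on hosts that must serve SMB scope the rule with `-RemoteAddress` to the subnets that need access rather than blocking outright.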

If you have any queries or concerns about this security threat, email us directly at sales@stickman.com.au, fill in our contact form or call us on 1800 785 626.


Clifford Fernandes

Clifford Fernandes is a certified ethical hacker who has executed over 100 vulnerability assessment and penetration testing projects. As our National Assurance Manager he specialises in identifying security risks in networks, web and mobile applications.
