Regarding the ‘Shadow Brokers’, it has certainly come to pass that this organisation holds a large number of zero-day exploits which facilitate the compromise of operating systems, infrastructure, possibly manufacturing equipment etc., and which it tried, unsuccessfully, to commercialise through an online auction. The details are now being dumped and then recycled by, as they would have you believe, opportunistic criminals.
This is a very real threat and cannot be taken lightly.
As you are no doubt fully aware, WannaCry used two zero-day exploits published by this party, which are now being actively exploited. The attack targets unpatched Microsoft systems which still use SMB-1. Microsoft has been advising customers to move away from SMB-1 for quite a long time; its guidance dates from 2016.
Additionally, MS patched the SMB issue in March, so if you were up to date and not running an out of date Windows OS, you would be OK. Clearly, unsupported legacy products (like the NHS’ estate for instance) were like rabbits caught in the headlights.
The risk posed by this flow of exploit detail is huge; we can only hope that the source of the zero-days is talking to the vendors so that patches arrive early.
In an enterprise environment, especially one with many legacy, potentially vulnerable devices, there are several angles on defence. We must assume that this is the start of a saga: the less patched you are, the greater your chance of catching a cold.
Firstly, each attack needs to be considered on its own in terms of viability and subsequent risk.
Secondly, it is important that a playbook is established for ‘what if’ scenarios. We would recommend this never includes paying anybody. Back up, and check your backups.
Thirdly, at this time, as an organisation you need to be all over the appropriate mitigating controls. Let us consider the next perceived threat ‘Esteemaudit’.
Esteemaudit is a guaranteed viable exploit of Windows 2003 or XP systems running RDP.
The exploit utilises a piece of RDP authentication code that was built for ‘smart card authentication’. The best overview we have seen is here.
There are two other vulnerabilities, known as EnglishmanDentist and ExplodingCan, that MAY also be addressed in the February/March sets. This is unsubstantiated currently, but we believe our customers should be giving thought to:
- Knowing where they have XP and 2K3 devices and how, practically, they could disable (directly) or protect (via firewalls, AFWs, ACLs etc.) RDP ports on those devices. ITC’s advice is to turn these devices off now (see above).
- Knowing the status regarding the range of February/March 2017 patches on other platforms
As far as we know, there are no patches to stop this. This is against a backdrop of the public-facing RDP environment being very well understood and well reported in the Open Source Intelligence (OSInt) community.
So, if you have any systems that fall into the above category, turn them off unless of course they are business critical, in which case our advice would be to turn them off. If this is not possible, a firewall access list may provide a degree of mitigation, but we wouldn’t trust it that much.
The modular nature of the delivery system for the WCry malware is a very major concern. We are working with firewall providers and vendors to look at mitigation. Cisco Systems’ Umbrella portfolio, which includes the ‘OpenDNS’ technology, may well be a viable fulcrum in this.
Mitigations for the currently understood attacks (which all begin with the letter ‘E’, so we might assume that the naming is either alphabetical or might skip from E for Easy to H for Hard, via F for…) are discussed below:
If the customer has Qualys deployed we can assist with recommendations for emergency scanning to identify the above. We know that many customers have a bunch of legacy RDP.
If the customer has Network Access Control deployed, we would recommend the quarantine of unpatched machines and the implementation of private VLANS (or equivalent) on public networks, to prevent lateral infection in the guest environment.
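As an added example (not ITC’s tooling, and not code from the original post), the following Python applies the advice above to a constructed inventory export: unsupported XP/2K3 hosts are flagged for power-off whether or not RDP is reachable, supported hosts missing MS17-010 are flagged for patching, and rows with incomplete data are quarantined rather than assumed safe. The column names and the sample hosts are assumptions for illustration.

```python
import csv
import io

# Constructed sample inventory in the shape of a simple asset export
# (e.g. from a scanner or NAC): hostname, OS, whether TCP/3389 answers
# from outside the enclave, whether MS17-010 is installed. Not real data.
SAMPLE_INVENTORY = """hostname,os,rdp_exposed,ms17_010_installed
ward-pc-01,Windows XP,yes,no
lab-srv-02,Windows Server 2003,no,no
fileshare-03,Windows Server 2008 R2,yes,no
desk-04,Windows 10,no,yes
imaging-05,Windows Server 2003,yes,no
kiosk-06,,yes,
"""

# Platforms with no vendor fix for Esteemaudit at the time of writing.
LEGACY_OS = ("windows xp", "windows server 2003")

def _flag(value):
    """Map a free-text yes/no column to True/False/None (None = unknown)."""
    v = (value or "").strip().lower()
    if v in ("yes", "y", "true", "1"):
        return True
    if v in ("no", "n", "false", "0"):
        return False
    return None

def triage_host(row):
    """Apply the post's decision logic to one inventory row."""
    os_name = (row.get("os") or "").strip().lower()
    rdp = _flag(row.get("rdp_exposed"))
    patched = _flag(row.get("ms17_010_installed"))
    if not os_name or rdp is None:
        # Incomplete data: we cannot rule the host out, so keep it isolated until known.
        return "quarantine: incomplete inventory data"
    if os_name.startswith(LEGACY_OS):
        # No patch available: power off; an ACL on 3389 is only a partial stop-gap.
        return "turn off: unsupported OS" + (" (RDP reachable)" if rdp else "")
    if patched is False:
        return "patch: MS17-010 missing; block TCP/445 until applied"
    if patched is None:
        return "verify: MS17-010 status unknown"
    return "ok"

def triage_inventory(csv_text):
    """Return {hostname: recommended action} for every row of a CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: triage_host(row) for row in reader}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:14} {action}")
```

The "quarantine" and "turn off" buckets map directly onto a NAC quarantine group; the hosts left in "ok" are the only ones that should keep network access while the rest are dealt with.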
To recap some other known vulnerabilities in this set, the following code names have been used, shown here with the relevant security updates from Microsoft. Whilst we have focussed on MS17-010 in response to last week’s incidents, again it would be wise to check any residual exposure to the issues these updates address.
If you would like to discuss the issues in this week’s blog or have any good reason why you are still running 2K3 or XP, do contact us at: [email protected] or call 020 7517 3900.
Creds to Rob Z Wood for his insight.
In the meantime, be careful out there.