***UPDATE*** — 6-29-17 — This article was originally written with WannaCry and EternalRocks in mind, but the same principles will stop the spread of NotPetya and other malware variants. It should be assumed that there is at least one user or computer in your environment that will be infected. We show you how to prevent additional spread.
WannaCry is old news now that it has been 10 days since it was released into the wild. Additionally, the encryption has been broken, and files can be recovered without paying the ransom in some instances. That said, thanks to the NSA hoarding exploits, IT departments the world over now have another piece of malware to protect against. Fortunately, it is based on the same SMB vulnerability that has already been patched by Microsoft. We can expect to see even more variants in the very near future. This article is meant to lay out what IT departments can do immediately to protect themselves against EternalRocks, which is much more deadly than WannaCry in my opinion.
First, a little information about EternalRocks. It was released during the week of 5/15/17 while the whole world was talking about WannaCry. EternalRocks is a true command and control malware. This means that it is built to steal rather than vandalize or extort. With the flip of a switch, it can be used to steal company secrets, employee personal information, or highly privileged credentials. The severity of this cannot be overstated. Defending against it is not rocket science though. If you want to read a more in-depth analysis, here’s a nice write-up: https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two. Below are some steps that you can take today to prevent full compromise of your network.
Update your Desktops and Servers
This is included just because we can’t write an article like this and not include this bullet point. This is the number one thing to prevent these and other very dangerous remote code exploits. Rightfully so, you will see this in almost every article you ever read about preventing network compromise. For that reason, we won’t spend any more time on this. Just patch. Seriously, do it! We don’t mind helping you, but even this should be considered only a first step in your defense strategy. NotPetya can spread laterally through a network that is fully patched. Please pay attention to the following recommendations.
Enable the Windows Firewall
Other than patching, this is the single most effective prevention technique. This won’t help patient zero on your network or any other user that clicks the malicious link (or opens the malicious document or whatever the initial payload happens to be), but it does stop the spread of the worm. This is so effective because it stops the packets from even being able to reach the vulnerable portion of the operating system. Even if the computer hasn’t been patched, the attacking malware can’t even attempt the exploit. For a laptop or tablet that leaves the confines of the corporate network and is put on networks with truly untrusted machines, this is a must. How many users have Wi-Fi at home with a Windows XP or Vista computer that is a few years out of date? How many of your users go to the local coffee shop and get their work done? This one mitigation stops the spread of the worm in its tracks! I’m begging you. Please turn on the firewall!
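One way to check and enforce this on a single host, as an added example that is not part of the original article. It assumes an elevated PowerShell session and the built-in NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added example: audit, enforce and review the Windows Firewall on one host.

# 1. Show the effective state of each profile (local policy merged with GPO).
$profiles = Get-NetFirewallProfile -PolicyStore ActiveStore
$profiles | Format-Table Name, Enabled, DefaultInboundAction -AutoSize

# 2. Flag profiles that are off or that allow unsolicited inbound traffic.
$weak = $profiles | Where-Object {
    $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow'
}

# 3. Turn those profiles on and block inbound traffic by default.
#    Settings delivered by Group Policy override this local change.
if ($weak) {
    Set-NetFirewallProfile -Name $weak.Name -Enabled True -DefaultInboundAction Block
}

# 4. An enabled firewall can still carry a rule that lets SMB in.
#    List every enabled inbound allow rule that names TCP 445 explicitly
#    (rules written as a port range are not matched by this simple test).
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
    } |
    Select-Object DisplayName, Profile
```

On desktops, any rule returned by step 4 for the Public or Private profile deserves a second look, since those are the profiles in use at home and in the coffee shop.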
Segregate Privileged Credential Use
IT requires highly privileged accounts to keep the company running. There is no denying that, nor do we want to remove the ability for IT employees to do their job. That said, the trusted IT employee should be using separate accounts for administrative activity. This is not an indictment of the integrity or trust of the employee by any means. Here’s a real-world scenario that I use very frequently in penetration tests. The helpdesk or field engineers are often low level IT employees who are just starting their career. They are good people, but often not very experienced. Often they are provided with admin level access to all the desktops in the environment, but they aren’t provided with higher level access to Active Directory or servers. They are often very in tune with their users and often get emails from users asking if the attachment is “safe”. Imagine that IT employee opens the document out of naivete. Now his account is compromised. That low level IT account then can be leveraged to spread to a desktop with a higher level administrator logged on. It is very easy to compromise that account as well. Now the attacker has very high privileges in the environment. That could have been prevented by doing a few things. (1) Ensure all IT users have separate accounts for IT admin duties vs. daily use accounts for receiving email, researching the internet, etc. (2) Deny Domain Admins, Server Admins, Enterprise Admins, and Schema Admins accounts the ability to even log on to desktops. That can seem extreme, but you guarantee that those accounts will never be compromised on a desktop. (3) Limit what accounts can perform a “network logon”. Usually, very few accounts actually need that privilege. You can grant that low level user administrative permissions on desktops, but you don’t have to provide that account the ability to log on across the network. If you do that, you know it won’t be leveraged for lateral movement across your environment.
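A way to verify points (2) and (3) on a given desktop, as an added example that is not part of the original article. It assumes an elevated session on a domain-joined machine and that secedit exports domain groups as SIDs. It checks only the well-known groups; a site-specific group such as “Server Admins” has no fixed RID and must be checked by its own SID.

```powershell
# Added example: read the effective user rights on this desktop and check
# whether the high-privilege domain groups are denied interactive logon.

$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse lines such as "SeDenyInteractiveLogonRight = *S-1-5-21-...-512,Guest"
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
Remove-Item $cfg

# Well-known RIDs of the groups named in point (2).
$privRids = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

# "Deny log on locally" and "Deny log on through Remote Desktop Services".
$denyRights = 'SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight'

foreach ($right in $denyRights) {
    foreach ($rid in $privRids.Keys) {
        $pattern = '^S-1-5-21-.*-{0}$' -f $rid
        $hit = $rights[$right] | Where-Object { $_ -match $pattern }
        [pscustomobject]@{
            Right  = $right
            Group  = $privRids[$rid]
            Denied = [bool]$hit
        }
    }
}

# Point (3): who may perform a network logon to this desktop, and who is
# explicitly denied ("Access this computer from the network" and its deny twin).
'Allowed network logon: ' + ($rights['SeNetworkLogonRight'] -join ', ')
'Denied network logon:  ' + ($rights['SeDenyNetworkLogonRight'] -join ', ')
```

Any row with Denied = False means that group can still log on to this desktop and leave its credentials there.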
Randomize the Local Administrator Password Immediately
This one may come as a surprise, but I’m going to lay out the following scenario. You heard about the NSA SMB exploit release. You took the necessary precautions and pushed patches to all of your computers using WSUS, SCCM, Ivanti (Shavlik), IBM BigFix, Kace, etc (insert your desktop management platform here). Good job! You sit back and know you are protected. Are you sure? Did you get all the desktops or laptops? Did any fail, but give you a false success message? How do you know? Most corporations have an acceptable percentage of failures because their desktop environment is simply not that clean. Things happen. Updates fail. Imagine that only one computer failed its update and the user of that computer is the one that clicks the malicious link. The owner of EternalRocks now has a connection to that one computer as “NT AUTHORITY\SYSTEM”. They own the local SAM database. They may get the local Administrator account password in clear text, or they may only get the hash. Either one can be used to connect to other machines on your network. If all of your computers have the same local user/password combo, the attacker owns all of them. Trust me, I do this all the time in penetration test engagements. This is a big deal. Fortunately, it can be fixed for free with a tool from Microsoft called LAPS (Local Administrator Password Solution). We can randomize all of your computer passwords in a secure and retrievable manner in an afternoon.
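Once LAPS is deployed, the same “did it actually reach every machine?” question applies to it. The following coverage check is an added example, not part of the original article or of the LAPS tool. It assumes the RSAT ActiveDirectory module, the LAPS schema extension (which adds the ms-Mcs-AdmPwdExpirationTime attribute to computer objects), and an account allowed to read that attribute.

```powershell
# Added example: list enabled computers that LAPS is not managing.
Import-Module ActiveDirectory

$now = (Get-Date).ToUniversalTime()
$computers = Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem

$report = foreach ($c in $computers) {
    # The attribute holds a Windows FILETIME; it is empty until the LAPS
    # client on that machine has set a password for the first time.
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    $expires = if ($raw) { [DateTime]::FromFileTimeUtc([int64]$raw) } else { $null }

    $status = if (-not $raw) { 'NoLapsPassword' }
              elseif ($expires -lt $now) { 'Expired' }
              else { 'Managed' }

    [pscustomobject]@{
        Name           = $c.Name
        OS             = $c.OperatingSystem
        LapsExpiresUtc = $expires
        Status         = $status
    }
}

# Summary first, then the machines that still need attention.
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object { $_.Status -ne 'Managed' } | Sort-Object Status, Name
```

Machines reported as NoLapsPassword are the ones most likely to still share the old local Administrator password.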
Block Tor
I’m putting Tor on the list because it is a common attack vector, and EternalRocks is using it today for C&C communication. There is very rarely a legitimate business need for Tor on an enterprise network. Use your firewall to block it. Additionally, you can use AppLocker, Software Restriction Policies, or other application control software to disallow it on each host. This is not an end all be all solution. Nor is it the easiest to implement fully. It can help though. Again, there’s rarely a true business need for Tor.
Use Network Port Isolation and/or Network Layer ACLs
Usually, there isn’t a business need for desktops to communicate with other desktops directly. Most networks are built with a client/server model with little to no peer-to-peer requirements. Network isolation can restrict other infected machines from ever communicating with a vulnerable machine. This can protect any computers you have that can’t be updated or have the firewall enabled for some reason. I’m thinking about factories with machine automation, ATMs, healthcare equipment, display boards, or any other “IoT” device that can’t be readily upgraded. These should be on a separate isolated network anyway, but combining that with port isolation mitigates the threat even further. Also, ENSURE THAT GUEST WIRELESS CANNOT ACCESS INTERNAL RESOURCES AND CORPORATE WIRELESS DOES NOT ALLOW NON-COMPANY DEVICES TO CONNECT! That should be a given, but we see it all the time. This would allow an uncontrolled infected device to spread its germs to your internal network. Keep them in quarantine!
You have a corporate firewall. Use it!
If you have SMB open to the internet, close it now. Stop whatever meeting you are in. Stop answering the phone. Stop reading this article. Just go get it off the internet now! If you need help, call us. We will stop what we are doing to make sure you get it done today. If you have a next generation firewall like a Palo Alto, make sure that your Antivirus, Anti-Spyware, and Vulnerability Security Profiles are enabled on all access rules and are tuned to the highest level. Additionally, you may consider not allowing connections to sites/IPs in the “Unknown” URL category. Depending on your business, this could require you to build a large whitelist. For some businesses, this wouldn’t cause a problem at all. You may or may not be able to implement this.
Protect your Cloud Assets
If your business has an Azure or AWS workload, ensure your servers aren’t inadvertently allowing internet connections internally. I recently had a customer who thought they were properly securing their Azure instance only to find that the assigned public IP of the internal servers was allowing connections directly to SMB and RDP. Use an external port scanner or vulnerability scanner to know for sure what services are available directly from the internet. We can help you audit your cloud assets as well.
Defense in Depth is Key
Each of these mitigations will individually provide a layer of defense, but when you start combining them all you get “Defense-in-Depth”. This means that it will require an attacker to spend much more time and energy to break your defenses. These aren’t the only things you can and should do. For example, what anti-virus do you have? We use next generation machine learning Cylance as our protection. Again, it isn’t an end all be all, but just a part of our larger security strategy. I’ve put it to the test against common threats, and it works. How many users are local admins? How many users are Domain Admins? Do they use those accounts to perform their non-admin duties? Do they use highly privileged accounts for reading email or researching topics on the internet? Gone are the days when this was acceptable. Do you know if your computers are vulnerable or not? Did you perform a network vulnerability scan and analysis to know for sure? The scope and severity of today’s attacks mean that if you don’t have a multi-level defense strategy, you are almost guaranteed to be breached. I expect that the malware variants to come in the next few months will be even worse than what we are currently seeing. I also expect that there will be a major large-scale information breach as a direct result of these attacks. Hopefully it won’t be your organization. Lockstep has the means and expertise to help you secure your network effectively. You can learn more about our security services and solutions here. Contact us today and we can help you defend your critical infrastructure and information from WannaCry, EternalRocks, and malware to come.
Senior Security Architect