Intercepting WannaCry

Transcription

1 Intercepting WannaCry Sophos Intercept-X Yannick Escudero Sales Engineer June 2017

2 Exploit Techniques vs Antivirus How (not) to test endpoint security software

3 Intercepting Exploits Breaking the Attack Chain Blocking Exploit Techniques vs Antivirus PREPARATION TRIGGERING GAIN CONTROL Memory Heap Spray Use Corruption after Free Stack Pivot ROP /UaF CIRCUMVENT (DEP) POST PAYLOAD DROP Call OS function In-Memory (Diskless) On Disk Ransomware Activity Antivirus! Sophos Intercept X Most exploit-based attacks consist of 2 or more exploit techniques Exploit techniques do not change and are mandatory to exploit existing and future software vulnerabilities

4 WannaCry 12 th May 2017

5 What Happened? New outbreak Wanna / WannnaCry/ WanaCrypt0r Two elements o Ransomware encrypts files, demands a ransom o Spreads automatically as a worm using an exploit called EternalBlue EternalBlue was leaked o Weakness in Microsoft Server Message Block (SMB) o Microsoft patched it but lots of companies hadn t applied it o And Windows XP and 2003 originally had no public patches Started lunchtime Friday 12 th May in UK Organizations around the world were affected in over 150 countries 5

6 WannaCry Timeline Shadow Brokers emerge Shadow Brokers announce auction of NSA tools Microsoft cancels Patch Tuesday for the fist time Microsoft releases SMB updates for supported OSs Microsoft releases SMB updates for XP and 2003 NSA Tools Stolen 2013 August 2016 Jan 2017 Feb 2017 Mar 2017 May 12 May 13 Microsoft learns that weapons have been stolen and will be leaked First WannaCry samples seen in VirusTotal Sophos introduces Mal/Generic-S detection Invincea detects earliest samples WannaCry outbreak begins 6

7 Attack Anatomy

8 Attack Stages of WannaCry 1. Penetration Remote Code Execution Ring 0 Propagation 2. Deployment Unpacking Environment Preparation Payload Execution 3. Encryption Encrypt Documents Delete Shadow Copies and Backups Display Ransom Notes 8

9 Protection Layers

10 Sophos Protection INFECTED HOST XG Firewall and UTM o IPS rules protected the exploit spreading through the firewall Endpoint Standard and Advanced o Block all known variants of Wanna from executing as of 15:58 UTC on Friday Intercept X and Sophos Exploit Prevention o Protected customers and stopped the ransomware behaviour from first occurrence 10

11 Sophos Anti-Virus Detection Static Detection Generic file detection was issued for all relevant attack components, including main EXE files, DLLs, helpers, decryptor tool, VBS Sophos detection names: o Troj/Ransom-EMG o Troj/Wanna-* o Mal/Wanna-A Provided on May 12 th Runtime Detection Provided for tasksche.exe and the encryption DLL (memory byte code of the DLL thread). The parent process gets killed Detection name: o HPmal/Wanna-A Provided on May 12 th 11

12 CryptoGuard in Intercept X Full protection during encryption stage using behavioral detection: CryptoGuard revoked write access, tasksche.exe could no longer change data JIT backups made by CryptoGuard were restored no protected documents lost Associated executables and their registry entries were targeted for removal in Sophos Clean Native NT boottime deleter ensured removal of executables Crowd-sourced Remnant recipe removes associated non-pe files 12

13 Recommendations 1. Update all Windows environments as described in Microsoft Security Bulletin MS Close ports on your firewall, especially NetBIOS/SMB ( , 445) and RDP (3389); use VPN for remote/site-to-site access 3. Whitelist any kill switch domains related to this attack 4. Update your endpoint software to ensure you have the latest protections for this threat 5. Ensure you are running advanced ransomware protection such as Intercept X or Sophos Exploit Prevention (EXP) 6. Home users, consider signing up for the Sophos Home Premium beta, which adds advanced protection from ransomware 13

14 Questions? Stop Wanna with Intercept X Try for Free 14

15