This blog was written by Nat Smith.
For ransomware enthusiasts, the April release of stolen NSA Windows exploits is a gift that will not stop giving. Just weeks after the Shadowbrokers’ “Lost in Translation” file drop, WannaCry brought havoc and destruction to networks worldwide. Now a new Petya variant is using the same EternalBlue exploit—plus some newly weaponized Windows admin tools—to ransack local subnets. Like WannaCry, it encrypts the files on a compromised system, but then it encrypts the master boot record as well, rendering the machine useless. Analysts are still debating New Petya’s origin and intent, but there is complete consensus on one point: there will be more EternalBlue-enabled ransom attacks, and soon. By some estimates up to a million older Windows servers remain unpatched for the EternalBlue SMBv1 vulnerability.
One positive takeaway is that there is really no reason to panic. We already have the tools to defeat the next Petya, and the next anything else, because most new threats target a very small number of vulnerabilities, most of them known. According to Gartner’s Craig Lawson, 431,000,000 net-new malware samples were identified in 2015. Yet all of that year’s major ransomware attacks targeted just 36 vulnerabilities. When new threats recycle old exploits, we have the tools to defeat them. Consider two examples.
Vulnerability-based signatures – Unlike exploit-based signatures used by many firewalls, that attempt to identify the fingerprint of a known attack, vulnerability-based signatures look for behaviors that indicate a known vulnerability is being exploited. To block all the new ransomware variants in 2016, you would need 357,000,000 exploit-based signatures. To block all those same ransomware attacks on known vulnerabilities, you would use only 126 vulnerability-based signatures. That is why the overwhelming majority of McAfee Network Security Platform signatures are vulnerability-based and have been for more than 15 years.
Network Security Platform currently already had six vulnerability-based signatures that allowed it to detect and prevent Petya the day it was released as well as any new attack that tries to exploit the same vulnerabilities. Network Security Platform customers were protected without having to scramble and upload the latest signature file from the vendor. These vulnerabilities include:
- 0x43c0b800- NETBIOS-SS: Windows SMBv1 identical MID and FID type confusion vulnerability (CVE-2017-0143)
- 0x43c0b400- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0144)
- 0x43c0b500- NETBIOS-SS: Windows SMB Remote Code Execution Vulnerability (CVE-2017-0145)
- 0x43c0b300- NETBIOS-SS: Microsoft Windows SMB Out of bound Write Vulnerability (CVE-2017-0146)
- 0x43c0b900- NETBIOS-SS: Windows SMBv1 information disclosure vulnerability (CVE-2017-0147)
- 0x451e3300- HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)
Application controls for servers – Host-based application controls use various methods to regulate the services and processes that are allowed to execute on a workload or server. McAfee Application Control enforces three such methods: whitelists (of applications and approved updaters), reputation, and sandbox verification of safety. On a server secured with McAfee Application Control, the Petya malware payload or a variant, a Windows DLL, would be immediately shut down the moment it tried to launch, with no impact to the workload’s availability or performance. Again, McAfee Application Control customers would not have been compromised by Petya even if they were the first target. Instead of trying to protect against every new variant of malware that may present itself, security focuses what is supposed to run.
It is not that hard to block new exploits on known vulnerabilities. Patch the ones that are under attack. Do it NOW; there are not that many. Put IDS/IPS on your networks. Not just at the perimeter, but on the inside to protect your virtualized workloads, where it can see your east-west traffic. Put application control on your servers to smother and starve any malware that evades your other defenses.
Don’t be the deer in the headlights. You’ve got this!
Gartner Event Presentation, Magic Quadrant for Intrusion Detection and Prevention Systems, Craig Lawson, Gartner Security & Risk Management Summit, 12 –15 June 2017 / National Harbor, MD