Quarterly Threat Report Q2 2017
The second quarter of 2017 saw two of the most severe ransomware outbreaks to date – WannaCry and NotPetya – which overshadowed most other security news in that timeframe.
Ransomware continues to be a leading cyberattack vector, and cybersecurity experts tend to agree that these attacks will continue to evolve, growing both in the number of affected hosts and in total cost to the global economy. Both of these attacks were possible because of EternalBlue, an exploit generally believed to have been developed by the U.S. National Security Agency (NSA) and leaked by the Shadow Brokers hacker group as part of the global WannaCry ransomware attack in May. EternalBlue exploits a vulnerability in the Server Message Block (SMB) protocol, which is most commonly found in Microsoft Windows. NotPetya, released in June, uses the same EternalBlue SMB exploit previously used by WannaCry, as well as the leaked EternalRomance SMB exploit from the NSA.
What is to be done to mitigate both of these attacks? Read up on the MS17-010 security update from Microsoft Security Bulletins and on other high-quality information sources such as US-CERT, and learn about the Microsoft Server Message Block 1.0 (SMBv1) vulnerabilities. In short, disable SMBv1 on every system connected to the network. Once this is believed to be complete, continue monitoring your network traffic for unexpected SMBv1 connections. US-CERT does caution administrators that disabling or blocking SMB may create problems for users by obstructing access to shared files, data, or devices. However, security routinely needs to be weighed against user behavior and interests – given the severity of these vectors, most admins will accept the inconvenience for the added protection in this case. While admins and security teams continue hustling to patch the vulnerabilities enabling these attacks, a report released the day of this writing indicates that 50,000 machines remain vulnerable to EternalBlue attacks, even though the MS17-010 security bulletin was released in mid-March. Be sure to remedy these SMBv1 issues as soon as possible, because other attacks are likely in development to continue the exploitation.
Additional information on disabling SMBv1 can be located at How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.
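The "keep monitoring for unexpected SMBv1 connections" step above can be automated with a small classifier over TCP/445 payloads. The following is an added example written for this report, not code from the report's authors or from any vendor tool: it builds constructed (not captured) SMB Negotiate requests, tells SMB1-framed from SMB2-framed negotiates, and flags the case a defender actually cares about after SMBv1 has been disabled, a client whose dialect list contains no SMB 2.x entry at all and so can only ever speak SMBv1. The `is_smb1_only` heuristic and the sample builders are this example's own assumptions; the frame layouts follow the published SMB1/SMB2 negotiate formats.

```python
import struct

# Constructed sample traffic (not real captures): TCP/445 payloads of an SMB Negotiate
# request, i.e. a 4-byte NetBIOS session header followed by the SMB message.
def _smb1_negotiate(dialects):
    body = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27  # 32-byte SMB1 header, 0x72 = SMB_COM_NEGOTIATE
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body  # WordCount=0, ByteCount, dialect list
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def _smb2_negotiate(dialect_codes):
    header = b"\xfeSMB" + struct.pack("<H", 64) + b"\x00" * 58  # 64-byte SMB2 header, Command=0 = NEGOTIATE
    fixed = struct.pack("<HHH", 36, len(dialect_codes), 1) + b"\x00" * 30  # StructureSize, DialectCount, SecurityMode
    smb = header + fixed + b"".join(struct.pack("<H", c) for c in dialect_codes)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

SMB1_ONLY = _smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])  # legacy-only client
SMB1_MULTI = _smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])  # modern client, multi-protocol negotiate
SMB2_NATIVE = _smb2_negotiate([0x0202, 0x0210, 0x0300])  # SMB 2.0.2, 2.1, 3.0

def classify_negotiate(pkt):
    """Return ('smb1', [dialect strings]), ('smb2', [dialect codes]) or ('other', [])."""
    if len(pkt) < 8 or pkt[0] != 0x00:
        return ("other", [])
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if smb[:4] == b"\xffSMB" and len(smb) >= 35 and smb[4] == 0x72:
        off = 33 + 2 * smb[32]  # skip WordCount and the Words block to reach ByteCount
        if off + 2 > len(smb):
            return ("other", [])
        count = struct.unpack_from("<H", smb, off)[0]
        data = smb[off + 2:off + 2 + count]
        names = [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d[:1] == b"\x02"]
        return ("smb1", names)
    if smb[:4] == b"\xfeSMB" and len(smb) >= 100 and struct.unpack_from("<H", smb, 12)[0] == 0:
        body = smb[64:]
        n = struct.unpack_from("<H", body, 2)[0]
        if len(body) < 36 + 2 * n:
            return ("other", [])
        return ("smb2", [struct.unpack_from("<H", body, 36 + 2 * i)[0] for i in range(n)])
    return ("other", [])

def is_smb1_only(pkt):
    """Alert heuristic (this example's assumption): SMB1 framing that offers no SMB 2.x
    dialect, so the peer cannot be upgraded and will only ever talk SMBv1."""
    kind, dialects = classify_negotiate(pkt)
    return kind == "smb1" and not any(d.startswith("SMB 2.") for d in dialects)

if __name__ == "__main__":
    for name, pkt in [("smb1-only", SMB1_ONLY), ("smb1-multi", SMB1_MULTI), ("smb2", SMB2_NATIVE)]:
        print(name, classify_negotiate(pkt), "ALERT" if is_smb1_only(pkt) else "ok")
```

Feed it the first client payload of each new TCP/445 flow from a sensor to get a per-connection verdict; an alert from a host that should already have SMBv1 disabled points at a machine that was missed.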