Friday, May 12, 2017

Massive Ransomware hits worldwide proportions

CNN is reporting over 99 countries hit so far (81,000 in 12 hours according to Malwarebytes) by the "WannaCry" ransomware, which spreads by exploiting a Microsoft Windows SMB vulnerability using an exploit leaked earlier from NSA spy tools...from Spain to Russia, the UK and the US.

Reports:
https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
http://money.cnn.com/2017/05/12/technology/ransomware-attack-nsa-microsoft/
https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
http://www.bbc.com/news/technology-39901382

Update:
https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

Some things to do:
•    Patch: apply Microsoft security bulletin MS17-010 (the SMBv1 fix for the flaw the worm component exploits)
•    The same bulletin covers CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148; confirm all of them are closed on every Windows host
•    Apply hash filters (block the published sample hashes at the endpoint/AV and proxy)
•    Apply a GPO (software restriction / file screening) for the .WNCRY file extension, the extension WannaCry gives encrypted files
•    Apply an email filter for the ransom note name “@Please_Read_Me@.txt” and the extension “.wncry”
•    Isolate SMB/NetBIOS traffic: ports 137 / 138 UDP and 139 / 445 TCP should not be reachable between hosts that do not need them, and never from the internet [might be challenging in flat networks]
•    Deploy rules to block or alert on Tor traffic (the ransomware's command-and-control uses Tor)
•    Enable the Emerging Threats IDS/IPS rule “ET TROJAN Possible WannaCry DNS Lookup”
•    Quarantine password-protected email attachments
•    Block inbound email carrying .zip/.js attachments or raw executables
•    Identify and block the variants AV vendors detect as WannaCryptor, WannaCry 2.0, WCry2 or similar names
•    Contact your ISP and/or MSSP for additional blocking / alerting
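To make the checklist concrete, here is a small triage script I added for this post (it is not from any of the linked reports or vendors). It runs three detectors over constructed, inline log samples: SMB fan-out from one internal host to many peers on 139/445 TCP (the worm's lateral-movement scan that the port-isolation item is meant to contain), file-server renames to .WNCRY plus creation of the @Please_Read_Me@.txt ransom note, and the email-gateway decisions (quarantine password-protected attachments, block .zip/.js/raw executables and the ransom note name). The log field layouts and the list of "raw executable" extensions are assumptions for the example, not any vendor's format.

```python
"""WannaCry triage helpers (added example; not from the original post).

Detectors over constructed, inline log samples (no real captures):
  smb_fanout            - one host opening TCP 445/139 to many peers (worm scan)
  ransomware_activity   - renames to .WNCRY + the @Please_Read_Me@.txt note
  mail_attachment_verdict - the email-gateway decisions from the checklist
Log field layouts are assumptions for this example, not a vendor format.
"""
from collections import defaultdict

SMB_PORTS = {"139", "445"}             # TCP ports the checklist says to isolate
WNCRY_EXT = ".wncry"                   # extension WannaCry appends to encrypted files
RANSOM_NOTE = "@please_read_me@.txt"   # ransom note dropped beside encrypted files
# .zip/.js and "raw executables" from the checklist; the executable list is assumed
MAIL_BLOCK_EXTS = {".zip", ".js", ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", WNCRY_EXT}

# Constructed firewall log: <timestamp> <src> <dst> <proto> <dport> <action>
FIREWALL_LOG = """
2017-05-12T10:01:02Z 10.0.5.23 10.0.5.24 tcp 445 allow
2017-05-12T10:01:02Z 10.0.5.23 10.0.5.25 tcp 445 allow
2017-05-12T10:01:03Z 10.0.5.23 10.0.5.26 tcp 445 allow
2017-05-12T10:01:03Z 10.0.5.23 10.0.5.27 tcp 445 deny
2017-05-12T10:01:04Z 10.0.5.23 10.0.5.28 tcp 445 allow
2017-05-12T10:01:04Z 10.0.5.23 10.0.5.29 tcp 139 allow
2017-05-12T10:01:05Z 10.0.5.23 10.0.5.30 tcp 445 allow
2017-05-12T10:01:05Z 10.0.5.23 10.0.5.31 tcp 445 allow
2017-05-12T10:01:06Z 10.0.5.23 10.0.5.32 tcp 445 allow
2017-05-12T10:01:06Z 10.0.5.23 10.0.5.33 tcp 445 allow
2017-05-12T10:01:07Z 10.0.5.23 10.0.5.34 tcp 445 allow
2017-05-12T10:01:09Z 10.0.5.40 10.0.5.10 tcp 445 allow
2017-05-12T10:01:10Z 10.0.5.41 10.0.5.10 tcp 445 allow
2017-05-12T10:01:11Z 10.0.5.42 93.184.216.34 tcp 443 allow
"""

# Constructed file-server audit log: <timestamp> <server> <client> <action> <path>
FILE_AUDIT_LOG = r"""
2017-05-12T10:02:00Z FS01 10.0.5.23 RENAME \\FS01\finance\Q1_report.xlsx.WNCRY
2017-05-12T10:02:00Z FS01 10.0.5.23 RENAME \\FS01\finance\budget.docx.WNCRY
2017-05-12T10:02:01Z FS01 10.0.5.23 CREATE \\FS01\finance\@Please_Read_Me@.txt
2017-05-12T10:02:01Z FS01 10.0.5.23 RENAME \\FS01\finance\notes.txt.WNCRY
2017-05-12T10:02:05Z FS01 10.0.5.41 CREATE \\FS01\hr\onboarding.pdf
2017-05-12T10:02:06Z FS01 10.0.5.41 RENAME \\FS01\hr\draft_v2.docx
"""


def smb_fanout(log_text, threshold=10):
    """Map src -> distinct SMB peer count, keeping sources at/over threshold.

    Denied attempts count too: the scan itself is the indicator, whether or
    not the firewall let the connection through.
    """
    peers = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue                    # blank or malformed line
        _ts, src, dst, proto, dport, _action = parts
        if proto == "tcp" and dport in SMB_PORTS:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}


def ransomware_activity(log_text, rename_threshold=3):
    """Map client -> {"wncry": renames to .WNCRY, "note": ransom note seen}.

    A client is reported if it created the note or renamed at least
    rename_threshold files to .WNCRY (one stray rename is not evidence).
    """
    stats = defaultdict(lambda: {"wncry": 0, "note": False})
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        _ts, _server, client, action, path = parts
        name = path.rsplit("\\", 1)[-1].lower()   # basename, case-insensitive
        if action == "RENAME" and name.endswith(WNCRY_EXT):
            stats[client]["wncry"] += 1
        elif action == "CREATE" and name == RANSOM_NOTE:
            stats[client]["note"] = True
    return {c: s for c, s in stats.items()
            if s["note"] or s["wncry"] >= rename_threshold}


def mail_attachment_verdict(filename, password_protected=False):
    """Return 'quarantine', 'block' or 'allow' for one inbound attachment.

    Password-protected archives cannot be scanned, so they are quarantined
    regardless of name; the ransom note name and blocked extensions are
    rejected outright, including double extensions such as invoice.pdf.js.
    """
    if password_protected:
        return "quarantine"
    name = filename.lower()
    if name == RANSOM_NOTE or any(name.endswith(ext) for ext in MAIL_BLOCK_EXTS):
        return "block"
    return "allow"


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FIREWALL_LOG))
    print("Ransomware activity:", ransomware_activity(FILE_AUDIT_LOG))
    for att in ("report.docx", "invoice.pdf.js", "@Please_Read_Me@.txt"):
        print(att, "->", mail_attachment_verdict(att))
    print("secret.zip (password) ->", mail_attachment_verdict("secret.zip", True))
```

In the sample data the same client, 10.0.5.23, shows up in both the fan-out and the file-server detector, which is the correlation you want before pulling a host off the network; a host that only trips the fan-out check may be a vulnerability scanner, and a host that only trips the file check may be a user who copied an already-encrypted file. Point the two functions at your real firewall and file-audit exports after adjusting the field parsing.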

What to have:
•    Vendor statements so far: Cylance and CrowdStrike, as well as Symantec's cloud email security and Fortinet, report that environments under their protection were safeguarded from this threat
