Wannacry - X-team, at the exit

We have worked here a bit as a vacuum truck.

About 66% of the attacks of the first wave came from Russian networks. And there is a huge misconception: for some reason everyone calls the search engine for a specific domain killswitch. So, perhaps not. In the case of Russian networks of state-owned companies, finance and production, this is the mechanics of bypassing sandboxes. The main sandboxes at the entrance to the protective perimeter have many tests. In particular, when requesting certain sites from within the sandbox, they can give, for example, 200 OK or 404. If a similar answer arrives, the malware is instantly deactivated - and thus the dynamic code analyzer passes. It is protected from static analysis by several compression-encryption convolutions. So this is not a killswitch, but one of the new sandbox traversal mechanics.
')
I'll tell you about that too, but where is another interesting practical question: why the hell did so many cars fall from the Trojan? More precisely, why didn't everyone get patched on time or disable SMB 1.0? It's just how to send two bytes, right?

X-Team Tours

The first trips were on the fact of infection. The situation developed very quickly, and again, instead of a family vacation, we were alarmed. But this time fun. On Friday, customers began to contact us — on Saturday and Sunday, they connected a team and specialized specialists in customer protection systems to investigate incidents. Other customers (who have not yet become infected) have begun to consider preventive measures.

Imagine a bank where the operator opened a letter in one of the branches (remember: a great sandbox at the entrance to the DMZ). Further, presumably, the entire network segment is affected. The admin first rolls a branch out of backup, and then faces the fact that he cannot control the spread of the malware: “I took down the machines by branch and deployed from yesterday's backups. I had to do it twice, a second time opening an additional technical window in order to demolish the entire segment at once. Six minutes after deployment, the image is already corrupted. ” Or: “They revealed signs of infection manually before updates, rolled backups on infected machines. In the morning, one of the hardware terminals turned off for the night woke up - and everything started from the very beginning. ” Many segments exchanged via SMB with a file sphere, which was included in other segments, including critical ones. In one company, the network segment with work schedules (including intra-production logistics) was lost. Admins, in fact, did not have intelligible tools to search for threats inside the perimeter - it was impossible to quickly and unequivocally tell which machines and segments were compromised.

Employees began to send mass corporate newsletters "do not open letters from unclear who, we read only from those with whom you previously communicated." At one enterprise, it really worked - the archives came there, but none of the employees opened them. This gave the admin time to patch at the level of network rules.

And then the circus went. It turned out that many react hard on such events: someone is not aware of what to do at all, someone is on vacation. There are a lot of conflicts between information security and IT - there are no exact procedures, for example, an IT engineer mechanically does it, and the security officer says: my jurisdiction, we will decide at the meeting on Monday. There were three main options for stopping the spread:

1. Disable SMB 1.0 traffic. The easiest method. The problem is the number of times that it is used in the butt (file balls with data sources and exchange in large logistics networks). Yes, in some places we managed to switch to the latest versions. But these are all great efforts, each of which may well cause a cascade of falling crutches on combat systems. But even if you just try to close SMB, problems already arise. One of the most striking is to bypass 150 devices from different manufacturers, with different firmware, with different management consoles, and so on manually when there is no software in the control center of the network. “Manually” is receiving security approvals for accessing critical settings for each device.


Screenshot, as in the multi-vendor porridge from a single console, roll the policy immediately to all devices. Designed to cause pain to those who walked with his hands.

2. Update Win-machines. MS surprisingly promptly released patches for the family of systems. Remember: SMB 1.0 is supported by default for backward compatibility in the same 2012server. The average duration of such a patch in an enlightened Europe is a month. In Russia, on average - two. Why? Because you can not roll a patch on the combat system. You need a full copy of it in a test environment, a full test run, then a search for a technical window (on the night from Saturday to Sunday, for example) and an update. In Europe, test environments are ready for such situations. With us - not always. Plus, there is a question of certification - not all systems can be taken and updated, they will immediately lose the certificate. The Russian state security is alert and doesn’t want a patch of a potential enemy to accidentally get into our critical systems with a patch. That is, the patch is a great option for the future, but something needs to be done now. Yes, in a couple of cases, admins preventively rolled the patch without tests for critical production systems (there was no certification issue). Fortunately, nothing fell, but the security men almost hung their internal organs through the forest. And if something also fell - both would not have survived, it seems to me.

3. Implement antiviruses on users' machines and update them. And even if this is done, the malware is already inside the perimeter. Streaming antiviruses do not work against it - the distribution kit is delivered to the user in the archive, which he decrypts himself in the workplace. A sandbox malware is due to the extremely useful for survival feature "killswitch".

The bottom line is that a lot of places had to be solved by killing (isolating) network segments or stopping SMB with the loss of part of the workflow.

Where admins roll over something, infrastructure backups “before” were always made. We recommended doing them on a separate piece of hardware and cutting it off from the main network - there was one example in a not very large company, where the backup files were also encrypted.

Where did Wannacry stop almost immediately?

1. In two installations with micro-segmentation of the network, this is where the DMZ perimeters are the main building material of the network. Here is a post of colleagues , written before the events, it shows a lot. In such networks, antivirus and anomaly detection systems work inside the hypervisor, plus the rights are very tightly differentiated. No problems, the malware is deployed on one workstation - and does not leave it anywhere after.
2. There were less than a dozen cases with good sandboxes and well-implemented network anomaly search systems. The malware creates a tree of events - from one machine it jumps to the next few, they continue to evolve. In the second step, this tree is perfectly detected (UBA solutions and SIEM solutions). An alarm isolates the entire segment into quarantine (most often a bank branch, for example), then it is manually rolled back by the admin until the moment of infection. Then, some MaxPatrol is launched over the network with the updated settings. By the way, he will then check all the machines for the presence of this patch and all the routing nodes for the impenetrability of the malware SMB packets.
3. The malware used Tor to load the payload and get commands. Some network protection systems (in particular, NGFW) are able to detect Tor traffic (more precisely, they determine it with some probability), therefore the “torus-connection” feature served as the simplest signature for isolating network machines.
4. The admins have worked beautifully in networks with embedded forensics. Or, at the time of the alarm, it is possible to accurately list all infected machines, seeing each transaction, and roll them back, or see the previous case — this is where forensics and the search for network anomalies are connected to the system.
5. What pleased us was two very mature IT customers with special zones for testing emergency patches. One reacted in hours, the second in one and a half days.

What sandboxes did not make the way?

The sandbox and protection on CheckPoint end devices, the sandbox and protection on Palo Alto end devices worked perfectly well. Most likely, their developers have become skilled in the “shield and sword race”.

The fact is that from the first defensive sandboxes, malware is trying to determine the hypervisor mode and the reality of the workstation. The first level is to look at the physical addressing of the memory or to try to obtain the features of the processor architecture by an undocumented method. Hypervisors have risen slightly higher (more precisely, lower) to the special hardware modes of Intel, when such tricks have ceased to roll. And at the same time identified such actions as extremely suspicious. Then, the malware began to look at the real life of the user at the workstation. It was assumed that the sandbox machine image is old (there are no recently modified files), and all files date back to about one date. Sandboxes began to choose a random user and pick up his image of the machine as a test, plus they identified such actions to poll files as suspicious. The malware began to look at the latest running applications and the time of their work. Another round. The last (before the domain survey) achievement of the human mind is an assessment of the randomness of the location of icons on the desktop. If there srach - it means a live user, you can expand the next layer.

What's next?

Next you need to start to conduct information security briefings among the staff and generally improve computer literacy. Where the letters did not open, the security guards arranged a kind of training alarms, as for fire evacuation. As practice shows, it brings fruit. The percentage of phishing emails opening is decreasing. With suspicious activity, users themselves call the IT department. By the way, in the same place, at the enterprise, there is a granny-accountant, and so she was brought up under Stalin. No computer literacy, but it was one of the first to raise the alarm. Before that, however, she once called the police to an engineer who did not introduce himself and began to do something with her computer. They tied him up and held him until the evening (he was a fool, he had to go in and introduce himself by the rules, show the paper).

We are waiting for more NextGenFirewall, more expensive Forensics - and for those admins who are ready to grab a piece of mathematical analysis, a cheap but difficult to implement microsegmentation.

We have now moved from the duty “all in readiness” and sleep on the sofas in different parts of the country to the regime “not to plump at the weekend.” After him will follow the usual mode of duty. After a couple of months, how it all patched.