This iApp installs the WannaCry Blocker iRule which will detect, block,* log, and count attempts to exploit CVE-2017-0144 “WannaCry.”
Attach both the WannaCry Blocker iRule and the default Stream Profile /Common/stream to a TCP virtual server (the virtual server must not have an HTTP Profile).
The WannaCry Blocker iRule logs the source IP address and geolocation of each possible attack and counts attacks (per-virtual-server) using iStats.
* The WannaCry iRule blocks WannaCry attacks. It also has an option to log attacks and then allow them to proceed, if you really want to do that.
}
implementation {
    package require iapp 1.1.1
    iapp::template start

    # Prepared by Mark Quevedo, f5 Networks
    #------------------------------------------------------------
    set ir_wcry {
        # WannaCry Blocker iRule
        #
        # Attach this iRule along with the default Stream Profile
        # /Common/stream to a TCP virtual server to detect, block,*
        # log, and count CVE-2017-0144 "WannaCry" attacks. (The
        # virtual server must not have an HTTP Profile.)
        #
        # This iRule logs the source IP address and geolocation of each
        # attack and counts attacks (per-virtual-server) using iStats.
        #
        # * Normally this iRule blocks WannaCry attacks. If you really
        # wish to allow such attacks to proceed (to a honeypot, maybe?)
        # after they are logged, set the variable static::allow_wannacry
        # to '1' in the RULE_INIT event.
        #
        # Written by Mark Quevedo, f5 Networks
        #
        when RULE_INIT {
            # if static::allow_wannacry is set to 1 (true) (see next line)
            # then WannaCry attacks are not blocked, just logged and counted
            set static::allow_wannacry @@@@@

            # Stream Profile target sequences here are TCL regular expressions.
            # TMOS maps payload octets as if they were ISO-8859-1 to Unicode chars
            set target_list {
                {\u00b9\u0082\u0000\u0000\u00c0\u000f\u0032\u0048\u00bb\u00f8\u000f\u00d0\u00ff{5}\u0089\u0053\u0004\u0089\u0003\u0048\u008d\u0005\u000a\u0000}
                {\u0010\u0000{4}\u00ff{4}\u0000{12}\u004a\u0000{3}\u004a\u0000\u0002\u0000\u0023\u0000{3}\u0007\u0000\u005c\u0050\u0049\u0050\u0045\u005c\u0000}
            }
            set static::wcry_targets ""
            append static::wcry_targets "/" [join $target_list "// /"] "//"
        } ; #RULE_INIT

        when CLIENT_ACCEPTED {
            STREAM::expression $static::wcry_targets
            STREAM::enable
        } ; #CLIENT_ACCEPTED

        when STREAM_MATCHED {
            if {$static::allow_wannacry} {
                STREAM::replace ; # no arg means don't replace, therefore allow
                set blocked ""
            } else {
                reject ; # block apparent WannaCry attack
                set blocked "blocked\x2
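As an added example that is not part of the iApp (Python rather than iRule Tcl), the following translates the two Stream-profile targets above into byte regexes, rebuilds the string the RULE_INIT handler hands to STREAM::expression, and runs the signatures over sample payloads so they can be checked off-box. Only the two target strings are copied from the iRule; the function names are the example's own, and both sample payloads are constructed, not captured traffic.

```python
import re

# The two Stream-profile targets copied from the iRule above (Tcl regular
# expressions; each \u00XX names one payload octet because TMOS maps the
# payload to the Stream profile as ISO-8859-1).
WCRY_TARGETS = [
    r"\u00b9\u0082\u0000\u0000\u00c0\u000f\u0032\u0048\u00bb\u00f8\u000f\u00d0\u00ff{5}\u0089\u0053\u0004\u0089\u0003\u0048\u008d\u0005\u000a\u0000",
    r"\u0010\u0000{4}\u00ff{4}\u0000{12}\u004a\u0000{3}\u004a\u0000\u0002\u0000\u0023\u0000{3}\u0007\u0000\u005c\u0050\u0049\u0050\u0045\u005c\u0000",
]
_UESC = re.compile(r"\\u([0-9a-fA-F]{4})")

def tcl_target_to_bytes_regex(target: str) -> re.Pattern:
    """Translate one Tcl \\uXXXX target into a Python bytes regex.
    Repeat counts such as \\u00ff{5} keep their regex meaning; a code point
    above U+00FF can never occur in ISO-8859-1 mapped payload, so it is an
    error in the signature rather than something to match."""
    def to_octet(m: re.Match) -> str:
        cp = int(m.group(1), 16)
        if cp > 0xFF:
            raise ValueError(f"\\u{cp:04x} is not an ISO-8859-1 octet")
        return f"\\x{cp:02x}"
    return re.compile(_UESC.sub(to_octet, target).encode("ascii"))

def stream_expression(targets) -> str:
    """Rebuild the string the iRule hands to STREAM::expression:
    '/' + join(targets, '// /') + '//', i.e. one /target// per signature
    with an empty replacement; the STREAM_MATCHED handler decides what happens."""
    return "/" + "// /".join(targets) + "//"

def scan_payload(payload: bytes, targets=WCRY_TARGETS):
    """Offline stand-in for STREAM_MATCHED: return (target_index, offset) of
    the first signature found in a reassembled TCP payload, else None."""
    for idx, target in enumerate(targets):
        m = tcl_target_to_bytes_regex(target).search(payload)
        if m:
            return idx, m.start()
    return None

# Constructed test data, not captured traffic: the second target's octets
# written out with filler around them, and a payload that contains \PIPE\
# but none of the surrounding structure the signature demands.
HIT_SAMPLE = (b"\x00\x00\x00\x60\xffSMB" + b"\x10" + b"\x00" * 4 + b"\xff" * 4
              + b"\x00" * 12 + b"J" + b"\x00" * 3 + b"J\x00\x02\x00#"
              + b"\x00" * 3 + b"\x07\x00\\PIPE\\\x00" + b"\x00" * 8)
MISS_SAMPLE = b"\x00\x00\x00\x20\xffSMB\x72\x00\x00\x00\x00\\PIPE\\\x00"

if __name__ == "__main__":
    print(stream_expression(WCRY_TARGETS))
    print(scan_payload(HIT_SAMPLE), scan_payload(MISS_SAMPLE))  # (1, 8) None
```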