Earlier today, the topic of the recent ransomware outbreaks, such as WannaCry and Petya, came up at the Black Hat NOC. Naturally, this sparked quite a few interesting discussions, and I was asked whether we could use Scrutinizer to detect SMB traffic. In this blog, I will bring you up to speed on the EternalBlue exploit that made the ransomware attacks possible. Then we will dive into the Scrutinizer Palo Alto Application reports and see if we can find any SMB traffic on the Black Hat network.
What is EternalBlue?
EternalBlue is the name of the exploit that gave WannaCryptor its ability to self-replicate and, therefore, to spread rapidly across networks. According to multiple sources, it was developed by the NSA and stolen by the Shadow Brokers group. The exploit targets a vulnerability in Microsoft Server Message Block 1.0 (SMBv1). SMB is a network file sharing protocol that allows applications on a computer to read and write files and to request services on the same network. The most severe of the vulnerabilities allows remote code execution if an attacker sends specially crafted messages to an SMBv1 server. The security patch for the EternalBlue exploit (MS17-010) corrects how SMBv1 handles these requests.
Is my workstation vulnerable?
It might be if you are running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10, or Windows Server 2016.
The security company ESET has created a free tool that checks whether your workstation or server is vulnerable to EternalBlue.
How do I reduce the risk of infection?
- If you have not already, apply the Windows updates immediately.
- Disable SMBv1.
- Block TCP port 445, as well as UDP ports 137-138 and TCP port 139, on all edge devices.
- Scan all incoming and outgoing email to detect threats and filter executable files before they reach end users.
- Manage the use of privileged accounts and implement the principle of least privilege.
- Run regular penetration tests against the network, as often as is practical.
- Back up your data regularly and test your backups to ensure they can be restored when you need them.
Detecting SMB traffic on the Black Hat network
Armed with this knowledge, we ran the Palo Alto Application report with the advanced filter element appid_pa, which filters flows by the Palo Alto application ID:
Then we clicked on ms-db-smbv1 and changed the report type to Pair Hosts to Hosts, which produced a list of the IP address pairs associated with the SMBv1 traffic. That was easy, wasn't it?
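For readers who want to see what that Pair Hosts to Hosts step does underneath, here is an added example that reproduces it in Python over a constructed flow export. It is not code from this post or from Plixer; the CSV layout, column names and every IP address and byte count are my own assumptions, while the appid_pa field and the ms-db-smbv1 label are the ones named above. The example goes one step further than the report in the post: when the exporter carries no application ID, it falls back to the SMB/NetBIOS port set from the mitigation list, and it counts how many SMB peers each source host talks to, since one host fanning out to many peers over SMBv1 is the pattern a self-replicating worm leaves in flow data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (not real Black Hat data). The appid_pa
# column stands in for the Palo Alto application ID that Scrutinizer carries
# with each flow; "ms-db-smbv1" is the label the post clicked on.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,bytes,appid_pa
10.1.1.5,10.1.2.10,tcp,49211,445,18432,ms-db-smbv1
10.1.1.5,10.1.2.11,tcp,49212,445,2048,ms-db-smbv1
10.1.1.7,10.1.2.10,tcp,50123,445,4096,ms-ds-smbv3
10.1.1.9,10.1.2.10,udp,137,137,312,netbios-ns
10.1.1.5,10.1.2.12,tcp,49213,139,1024,ms-db-smbv1
10.1.1.20,93.184.216.34,tcp,51000,443,98000,ssl
"""

# Ports the post recommends blocking at the edge: TCP 445/139, UDP 137/138.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}


def parse_flows(text):
    """Parse a CSV flow export into dicts with numeric ports and byte counts."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def is_smb_port_flow(flow):
    """Port-based match: catches every SMB/NetBIOS version, not just SMBv1."""
    return (flow["proto"], flow["dst_port"]) in SMB_PORTS


def pair_hosts_report(flows, appid=None):
    """Return [((src, dst), bytes), ...] sorted by bytes descending.

    With an appid, filter on the application label (the appid_pa filter in
    the post). Without one, fall back to the SMB/NetBIOS port set, which is
    all you have when the exporter carries no application ID; that view
    cannot tell SMBv1 from SMBv2/v3, so treat it as a lead, not a verdict.
    """
    totals = defaultdict(int)
    for flow in flows:
        if appid is not None:
            if flow["appid_pa"] != appid:
                continue
        elif not is_smb_port_flow(flow):
            continue
        totals[(flow["src_ip"], flow["dst_ip"])] += flow["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


def fan_out_by_source(report):
    """Count distinct SMB peers per source host in a pair report.

    A single host opening SMBv1 sessions to many peers is the first thing
    to triage: that is the shape lateral worm propagation takes in flows.
    """
    peers = defaultdict(set)
    for (src, dst), _ in report:
        peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    smbv1 = pair_hosts_report(flows, appid="ms-db-smbv1")
    for (src, dst), nbytes in smbv1:
        print(f"{src} -> {dst}: {nbytes} bytes (SMBv1)")
    print("SMB peers per source host:", fan_out_by_source(smbv1))
```

On the constructed data the SMBv1 report contains three pairs, all from 10.1.1.5, so the fan-out count flags that one host as the station to pull off the network and examine first; the port-based fallback also surfaces the SMBv3 and NetBIOS name-service flows, which is why the application-ID filter in the post gives a much cleaner starting point.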
From what we have seen so far, the MS17-010 vulnerability can be exploited in a number of ways. During the WannaCry pandemic it was spread through email. With Petya, it is believed to have spread through a software update from a Ukrainian company.
One thing is certain: the complete prevention of breaches is impossible. What organizations need is access to rich forensic data that supports fast and accurate incident response to quickly identify breaches and offending end stations, quarantine them, wipe the machines, and recover the data.
If you would like to see how Scrutinizer can deliver insight into your own network and reduce the Mean Time To Know (MTTK), you can download a free trial here.