Rapid7 Blog


Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010

A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and that it then leverages the EternalBlue and DoublePulsar exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for WannaCry as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities. For the latest updates on this ransomworm, please see Rapid7's recommended actions.

To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven't done so already, download a trial of InsightVM here.

Creating a Scan Template

The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 is as follows:

1. Under the Administration tab, go to Templates > Manage Templates.
2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description.
3. First uncheck "Policies". Click on Vulnerability Checks and then "By Individual Checks".
4. Add Check "MS17-010" and click Save. This should return checks that are related to MS17-010. The related CVEs are: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148.
5. Save the template and run a scan to identify all assets with MS17-010.

Creating a Dynamic Asset Group

Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button. Now, use the "CVE ID" filter to specify the CVEs listed above. This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Creating a Dashboard

Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities. Also, check out the new Threat Feed dashboard, which contains a view of your assets that are affected by actively targeted vulnerabilities, including those leveraged by this ransomworm. If you want to build your own, here's how you can build a custom dashboard, with examples taken from the Shadow Brokers leak. To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:

asset.vulnerability.alternateIds <=> ( altId = "MS17-010" )

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting.

Creating a Remediation Project

In InsightVM, you can also create a remediation project to track the progress of remediation. To do this, go to the "Projects" tab and click "Create a Project". Give the project a name, and under vulnerability filter type in:

vulnerability.alternateIds.altId CONTAINS "MS17-010"

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA or ServiceNow, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.

Using these steps, you'll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. If you have any questions please don't hesitate to let us know! For more information and resources on this ransomworm, please visit this page.

Petya-like Ransomware Explained

TL;DR summary (7:40 PM EDT June 28): A major ransomware attack started in Ukraine yesterday and has spread around the world. The ransomware, which was initially thought to be a modified Petya variant, encrypts files on infected machines and uses multiple mechanisms to both gain entry to target networks and to spread laterally. Several research teams are reporting that once victims' disks are encrypted, they cannot be decrypted. For this reason, there's dissent on whether the Petya-like attack should be called ransomware at all. Whatever you call it, our advice is the same: back up, patch against MS17-010 vulnerabilities (mitigation against internal spread), and block TCP/445 traffic. Don't pay the ransom, since decryption by the attacker is impossible. Read on for further information on infection vectors, IOCs, and additional Rapid7 resources.

In the early morning hours of June 27, 2017, UTC+3 time, ransomware that appears to be an updated variant belonging to the Petya family surfaced in Eastern Europe (read a sample summary here). Incident detection and response professionals around the world immediately started connecting this Petya-like ransomware with the same EternalBlue exploits used by the WannaCry ransomware. Since the attack was so widespread, collecting a sample was pretty straightforward, and Rapid7's incident response team is currently analyzing what is actually going on here. This blog post will be updated throughout the day with what we know about the ransomware, as well as what Rapid7 customers can do to prevent, detect, and respond to it.

In the meantime, organizations are strongly advised to take the following actions:

- Ensure that all Windows systems have been patched against MS17-010 vulnerabilities.
- Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems.
- Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware.

Rapid7 has a ransomware resources page available here. For those already hit by this ransomware, our best guidance right now is to work with law enforcement and incident response experts. Our own incident responders are available 24/7 on the hotline: 1-844-RAPID-IR. Unfortunately - though we really hate to say so - the bottom line here is that if you don't have thorough and timely backups, paying the ransom will need to remain an option for you. See the 14:30 PM update for details.

Update 13:45 PM EDT: We've confirmed that this ransomworm achieves its initial infection via a malicious document attached to a phishing email, requiring a victim to download and open it (update: see the 16:50 text below). After that, it does indeed use the EternalBlue and DoublePulsar exploits to spread laterally. Unlike WannaCry, though, it is currently using these mechanisms to spread only on internal networks. While this is bad news for compromised organizations, the good news is that the spread directly across the internet is rather limited. The worse news is that there is still plenty of SMB on the internet to go after. Here's a map of the exposed SMB we've generated from some fresh Sonar data. Malware rarely stays static for long, so it's only a matter of time before a variant of this malware is released that uses SMB to spread directly across the internet, just like WannaCry.

Update 14:30 PM EDT: Victims of this attack are directed to contact an email address once they've paid the ransom; however, the email account in question has been disabled by the German company that hosts it. Therefore, victims who pay the ransom are reportedly unable to recover their files. More details here.

Update 15:30 PM EDT: We've identified the IP addresses 95.141.115.108, 185.165.29.78, 84.200.16.242, and 111.90.139.247 as fine candidates to watch for at your firewall. If you get connection attempts to those addresses sourced from your internal network, either someone is infected, or someone is monkeying around with live malware samples. Jon Hart goes into more detail on these, and their associated domain names, on this gist.

Update 16:50 PM EDT: There have been some reports of Petya-like infections occurring in networks that seemed to lack the initial phishing component. While this might not appear to be possible, there are scenarios where this can seem to happen. First, recall that infected computers actively search their local network for targets vulnerable to the issues addressed in MS17-010. Second, some of these devices are quite mobile, and hop around networks. If my laptop gets popped by this ransomware in my home network at FooCorp, then I take it to my local coffee shop's wifi, and infect someone from BarCom, when that BarCom employee goes back to the office, his incident response people are going to see this race around their network without the phishing email kicking everything off. This is one scenario where the phishing component would not be immediately obvious. There may be more to this malware, though, and our own IR engineers are still running through static and dynamic analysis, so we may have more on how this thing vectors around in the coming hours.

Update 18:00 PM EDT: We've confirmed that this ransomware uses a lightly modified version of mimikatz to extract credentials from memory for use in its psexec and WMI vectors for spreading. Mimikatz is a widely-used open source security tool used primarily by security researchers to understand how credential handling is performed in Windows environments. (Thanks, Tim and Mike!)

Update 20:15 EDT: For Rapid7 customers, you should be aware that we've already pushed the unique Indicators of Compromise (IOCs) out to all our InsightIDR users, and we've just published a handy HOWTO for InsightVM folks on scanning for MS17-010, which hits the exploit vector being leveraged in this attack. In the meantime, this is a fine time to review your own backup and restore capabilities -- especially the restore part. It seems unlikely we'll have any more updates through the night, but we're still pursuing analysis work. Once we learn anything new, we'll be updating here.
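The post's firewall advice boils down to three things to look for in connection logs: internal hosts reaching the four watchlist addresses, TCP/445 arriving from untrusted sources, and one internal host opening SMB to many internal peers (the lateral-spread pattern the 13:45 update describes). The script below is an added example, not Rapid7's code or anything shipped with InsightIDR: it applies those three rules to constructed key=value firewall lines. The log format, the RFC 1918 "internal" ranges and the fan-out threshold are assumptions you would adapt to your own environment; the watchlist IPs are the four named in the 15:30 update.

```python
"""Triage firewall log lines for the indicators discussed in this post.

Added example, not Rapid7 code. The watchlist holds the four addresses named
in the 15:30 EDT update; the log format (timestamp followed by key=value
fields), the internal ranges and the fan-out threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

# The four addresses the post suggests watching for at the firewall.
PETYA_WATCHLIST = {"95.141.115.108", "185.165.29.78", "84.200.16.242", "111.90.139.247"}

# Assumption: RFC 1918 space is "internal"; adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: an internal host opening TCP/445 to this many distinct internal
# peers within one log window is treated as lateral-movement fan-out.
SMB_FANOUT_THRESHOLD = 3

# Constructed sample log; 10.1.4.22 plays the infected host.
SAMPLE_LOG = """\
2017-06-27T14:02:11Z action=allow proto=tcp src=10.1.4.22 dst=95.141.115.108 dport=80
2017-06-27T14:02:15Z action=allow proto=tcp src=10.1.4.22 dst=10.1.4.23 dport=445
2017-06-27T14:02:16Z action=allow proto=tcp src=10.1.4.22 dst=10.1.4.24 dport=445
2017-06-27T14:02:16Z action=allow proto=tcp src=10.1.4.22 dst=10.1.4.25 dport=445
2017-06-27T14:02:40Z action=allow proto=tcp src=10.1.7.8 dst=10.1.0.5 dport=445
2017-06-27T14:03:01Z action=deny proto=tcp src=203.0.113.9 dst=10.1.0.5 dport=445
2017-06-27T14:03:30Z action=allow proto=tcp src=10.1.7.8 dst=93.184.216.34 dport=443
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict; tokens without '=' are ignored."""
    ts, *tokens = line.split()
    rec = {"ts": ts}
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec


def triage(log_text):
    """Return a list of findings, one dict per rule hit."""
    findings = []
    smb_peers = defaultdict(set)  # internal source -> internal SMB destinations
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src, dst = rec["src"], rec["dst"]
        dport = int(rec.get("dport", 0))
        # Rule 1: an internal host talking to a watchlist address means either
        # an infection or someone handling live samples (the post's wording).
        if dst in PETYA_WATCHLIST and is_internal(src):
            findings.append({"rule": "watchlist-ip", "src": src, "dst": dst, "action": rec.get("action")})
        if rec.get("proto") == "tcp" and dport == 445:
            # Rule 2: TCP/445 from an untrusted source. Recorded whatever the
            # action: an allow means exposure, a deny still shows probing.
            if not is_internal(src):
                findings.append({"rule": "external-smb", "src": src, "dst": dst, "action": rec.get("action")})
            elif is_internal(dst):
                smb_peers[src].add(dst)
    # Rule 3: internal SMB fan-out, the lateral-spread signature.
    for src, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_THRESHOLD:
            findings.append({"rule": "smb-fanout", "src": src, "peers": len(peers)})
    return findings


def rules_triggered(log_text):
    """Sorted set of rule names that fired, handy for a quick check."""
    return sorted({f["rule"] for f in triage(log_text)})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the constructed log, 10.1.4.22 trips both the watchlist rule and the fan-out rule, and 203.0.113.9 shows up as an external SMB probe even though the firewall denied it. The fan-out rule is the one worth tuning: file servers and backup hosts legitimately talk SMB to many peers, so whitelist those sources before alerting on the count.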

Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose

*Update 5/18/17: EternalBlue exploit (used in WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: EternalBlue: Metasploit Module for MS17-010. Also removed steps 5 and 6 from scan instructions as they were not strictly necessary and were causing issues for some customers.

*Update 5/17/17: Unauthenticated remote checks have now been provided. For hosts that are locked down to prevent null or guest access, an authenticated remote check has also been provided. The pre-existing instructions below will enable the remote checks on creation of the template.

*Update 6/7/17: Fixed a small error in the dynamic asset group/dashboard section. We also now have pre-built WannaCry dashboards in InsightVM.

Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated ransomware attack, WannaCry, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). With all of the WannaCry information circulating, we want to keep this simple. First, check out this link to an overview of the WannaCry ransomware vulnerability written by Bob Rudis, and then review the steps below to quickly scan for this vulnerability in your own infrastructure (if you aren't already a customer, you can use this free trial of InsightVM to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, and create a dynamic remediation project to track the progress of remediating WannaCry.

Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:

1. Under the Administration tab, go to Templates > Manage Templates.
2. Copy the following template: Full Audit enhanced logging without Web Spider. Don't forget to give your copy a name and description; here, we'll call it "WNCRY Scan Template".
3. Click on Vulnerability Checks and then "By Individual Check".
4. Add Check "MS17-010" and click Save. This should come back with 192 checks that are related to MS17-010. The related CVEs are: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148.
5. Save the template and run a scan to identify all assets with MS17-010.

Creating a Dynamic Asset Group for MS17-010

Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report and tag off of, which will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button. Now, use the "CVE ID" filter to specify the CVEs listed above. This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Creating a WannaCry Dashboard

Recently, Ken Mizota posted an article on how to build a custom dashboard to track your exposure to exploits from the Shadow Brokers leak. If you already did that, you're good to go! If you wanted to be specific to WannaCry, you could use this Dashboard filter:

asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0101" OR asset.vulnerability.title CONTAINS "cve-2017-0146" OR asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148"

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting.

Creating a Remediation Project for MS17-010

In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the "Projects" tab and click "Create a Project". Give the project a name, and under vulnerability filter type in:

vulnerability.alternateIds <=> ( altId = "ms17-010" )

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.

Using these steps, you'll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. If you have any questions please don't hesitate to let us know! For more information and resources on WannaCry and ransomware, please visit this page.

WannaCry Update: Vulnerable SMB Shares Are Widely Deployed And People Are Scanning For Them

WannaCry Overview

Last week the WannaCry ransomware worm, also known as Wanna Decryptor, Wanna Decryptor 2.0, WNCRY, and WannaCrypt, started spreading around the world, holding computers for ransom at hospitals, government offices, and businesses. To recap: WannaCry exploits a vulnerability in the Windows Server Message Block (SMB) file sharing protocol. It spreads to unpatched devices directly connected to the internet and, once inside an organization, to those machines and devices behind the firewall as well. For full details, check out the blog post: Wanna Decryptor (WannaCry) Ransomware Explained.

Since last Friday morning (May 12), there have been several other interesting posts about WannaCry from around the security community. Microsoft provided specific guidance to customers on protecting themselves from WannaCry. MalwareTech wrote about how registering a specific domain name triggered a kill switch in the malware, stopping it from spreading. Recorded Future provided a very detailed analysis of the malware's code. However, the majority of reporting about WannaCry in the general news has been that while MalwareTech's domain registration has helped slow the spread of WannaCry, a new version that avoids that kill switch will be released soon (or is already here) and that this massive cyberattack will continue unabated as people return to work this week.

In order to understand these claims and monitor what has been happening with WannaCry, we have used data collected by Project Sonar and Project Heisenberg to measure the population of SMB hosts directly connected to the internet, and to learn about how devices are scanning for SMB hosts.

Part 1: In which Rapid7 uses Sonar to measure the internet

Project Sonar regularly scans the internet on a variety of TCP and UDP ports; the data collected by those scans is available for you to download and analyze at scans.io. WannaCry exploits a vulnerability in devices running Windows with SMB enabled, which typically listens on port 445. Using our most recent Sonar scan data for port 445 and the recog fingerprinting system, we have been able to measure the deployment of SMB servers on the internet, differentiating between those running Samba (the Linux implementation of the SMB protocol) and actual Windows devices running vulnerable versions of SMB.

We find that there are over 1 million internet-connected devices that expose SMB on port 445. Of those, over 800,000 run Windows, and — given that these are nodes running on the internet exposing SMB — it is likely that a large percentage of these are vulnerable versions of Windows with SMBv1 still enabled (other researchers estimate up to 30% of these systems are confirmed vulnerable, but that number could be higher).

We can look at the geographic distribution of these hosts using the following treemap (ISO3C labels provided where legible). The United States, Asia, and Europe have large pockets of Windows systems directly exposed to the internet while others have managed to be less exposed (even when compared to their overall IPv4 block allocation).

We can also look at the various versions of Windows on these hosts. The vast majority of these are server-based Windows operating systems, but there is also a further unhealthy mix of Windows desktop operating systems in the mix, some quite old. The operating system version levels also run the gamut of the Windows release history timeline.

Using Sonar, we can get a sense for what is out there on the internet offering SMB services. Some of these devices are researchers running honeypots (like us), and some of these devices are other research tools, but a vast majority represent actual devices configured to run SMB on the public internet. We can see them with our light-touch Sonar scanning, and other researchers with more invasive scanning techniques have been able to positively identify that infection rates are hovering around 2%.

Part 2: In which Rapid7 uses Heisenberg to listen to the internet

While Project Sonar scans the internet to learn about what is out there, Project Heisenberg is almost the inverse: it listens to the internet to learn about scanning activity. Since SMB typically runs on port 445, and the WannaCry malware scans port 445 for potential targets, if we look at incoming connection attempts on port 445 to Heisenberg nodes as shown in Figure 4, we can see that scanning activity spiked briefly on 2017-05-10 and 2017-05-11, then increased quite a bit on 2017-05-12, and has stayed at elevated levels since.

Not all traffic to Heisenberg on port 445 is an attempt to exploit the SMB vulnerability that WannaCry targets (MS17-010). There is always scanning traffic on port 445 (just look at the activity from 2017-05-01 through 2017-05-09), but a majority of the traffic captured between 2017-05-12 and 2017-05-14 was attempting to exploit MS17-010 and likely came from devices infected with the WannaCry malware. To determine this we matched the raw packets captured by Heisenberg on port 445 against sample packets known to exploit MS17-010.

Figure 5 shows the number of unique IP addresses scanning for port 445, grouped by hour between 2017-05-10 and 2017-05-16. The black line shows that at the same time that the number of incoming connections increases (2017-05-12 through 2017-05-14), the number of unique IP addresses scanning for port 445 also increases. Furthermore, the orange line shows the number of new, never-before-seen IPs scanning for port 445. From this we can see that a majority of the IPs scanning for port 445 between 2017-05-12 and 2017-05-14 were new scanners.

Finally, we see scanning activity from 157 different countries in the month of May, and scanning activity from 133 countries between 2017-05-12 and 2017-05-14. Figure 6 shows the top 20 countries from which we have seen scanning activity, ordered by the number of unique IPs from those countries. While we have seen the volume of scans on port 445 increase compared to historical levels, it appears that the surge in scanning activity seen between 2017-05-12 and 2017-05-14 has started to tail off.

So what?

Using data collected by Project Sonar we have been able to measure the deployment of vulnerable devices across the internet, and we can see that there are many of them out there. Using data collected by Project Heisenberg, we have seen that while scanning for devices that expose port 445 has been observed for quite some time, the volume of scans on port 445 has increased since 2017-05-12, and a majority of those scans are specifically looking to exploit MS17-010, the SMB vulnerability that the WannaCry malware looks to exploit. MS17-010 will continue to be a vector used by attackers, whether from the WannaCry malware or from something else. Please, follow Microsoft's advice and patch your systems. If you are a Rapid7 InsightVM or Nexpose customer, or you are running a free 30-day trial, here is a step-by-step guide on how you can scan your network to find all of your assets that are potentially at risk for your organization.

Coming Soon

If this sort of information about internet-wide measurements and analysis is interesting to you, stay tuned for the National Exposure Index 2017. Last year, we used Sonar scans to evaluate the security exposure of all the countries of the world based on the services they exposed on the internet. This year, we have run our studies again, we have improved our methodology and infrastructure, and we have new findings to share.

Related: Find all of our WannaCry related resources here. [Blog] Using Threat Intelligence to Mitigate Wanna Decryptor (WannaCry)
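The Figure 5 analysis in Part 2 is two counts per hour: how many distinct sources touched port 445, and how many of those had never been seen before. The same two counts are what you would compute over your own perimeter logs to tell a worm outbreak (many new sources at once) from the background of long-running scanners. The code below is an added example, not Project Heisenberg's pipeline: the input is a constructed list of (ISO timestamp, source IP, destination port) tuples, and the field layout, the "first seen" baseline starting at the beginning of the sample and the window boundaries are assumptions.

```python
"""Per-hour unique and never-before-seen source IPs on a port (the Figure 5 counts).

Added example, not Rapid7/Heisenberg code. Events are constructed
(timestamp, source IP, destination port) tuples; the "seen before" baseline
is simply everything earlier in the same event list.
"""
from collections import OrderedDict
from datetime import datetime

# Constructed sample: background scanning on 05-11, a burst of new sources on 05-12.
SAMPLE_EVENTS = [
    ("2017-05-11T09:12:00", "198.51.100.7", 445),
    ("2017-05-11T09:40:00", "198.51.100.7", 445),   # repeat within the hour
    ("2017-05-11T10:05:00", "198.51.100.9", 445),
    ("2017-05-12T08:01:00", "198.51.100.7", 445),   # seen before, so not "new"
    ("2017-05-12T08:02:00", "203.0.113.4", 445),
    ("2017-05-12T08:03:00", "203.0.113.5", 445),
    ("2017-05-12T08:04:00", "203.0.113.6", 22),     # other port, ignored
    ("2017-05-12T09:10:00", "203.0.113.4", 445),    # seen in the previous hour
    ("2017-05-12T09:11:00", "203.0.113.8", 445),
]


def hourly_scanner_stats(events, port=445):
    """Return an ordered {hour: (unique_ips, new_ips)} mapping.

    unique_ips is the black line of Figure 5 (distinct sources in the hour),
    new_ips is the orange line (sources not seen in any earlier event).
    """
    seen = set()
    buckets = OrderedDict()
    for ts, src, dport in sorted(events):  # ISO timestamps sort chronologically
        if dport != port:
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        unique, new = buckets.setdefault(hour, (set(), set()))
        unique.add(src)
        if src not in seen:
            seen.add(src)
            new.add(src)
    return OrderedDict((h, (len(u), len(n))) for h, (u, n) in buckets.items())


def new_scanner_share(events, start, end, port=445):
    """(new sources, all sources) active in [start, end), where "new" means
    first seen inside the window. This is the 'majority were new scanners'
    claim made about 2017-05-12 through 2017-05-14."""
    first_seen = {}
    for ts, src, dport in sorted(events):
        if dport == port:
            first_seen.setdefault(src, ts)
    active = {src for ts, src, dport in events if dport == port and start <= ts < end}
    new = {src for src in active if start <= first_seen[src] < end}
    return len(new), len(active)


if __name__ == "__main__":
    for hour, (unique, new) in hourly_scanner_stats(SAMPLE_EVENTS).items():
        print(f"{hour}  unique={unique}  new={new}")
    print("new/all on 2017-05-12:", new_scanner_share(SAMPLE_EVENTS, "2017-05-12T00:00:00", "2017-05-13T00:00:00"))
```

In the sample, the 08:00 hour on 2017-05-12 has three distinct sources of which two are new, and three of the four sources active that day are first-timers. With real data the baseline should be long (weeks, not a day), otherwise every regular scanner looks "new" on the first day of the capture.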

Wanna Decryptor (WNCRY) Ransomware Explained

Mark the date: May 12, 2017. This is the day the "ransomworm" dubbed "WannaCry" / "Wannacrypt" burst — literally — onto the scene with one of the initial targets being the British National Health Service. According to The Guardian: the "unprecedented attack… affected 12 countries and at least 16 NHS trusts in the UK, compromising IT systems that underpin patient safety. Staff across the NHS were locked out of their computers and trusts had to divert emergency patients." A larger estimate by various cybersecurity firms indicates that over 70 countries have been impacted in some way by the WannaCry worm. As of this post's creation time, a group with the Twitter handle @0xSpamTech has claimed responsibility for instigating the attack but this has not yet been confirmed.

What is involved in the attack, what weakness(es) and systems does it exploit, and what can you do to prevent or recover from this attack? The following sections will dive into the details and provide guidance on how to mitigate the impact from future attacks.

What is "Ransomware"?

Ransomware is "malicious software which covertly encrypts your files – preventing you from accessing them – then demands payment for their safe recovery. Like most tactics employed in cyberattacks, ransomware attacks can occur after clicking on a phishing link or visiting a compromised website." (https://www.rapid7.com/solutions/ransomware/)

However, WannaCry ransomware deviates from the traditional ransomware definition by including a component that is able to find vulnerable systems on a local network and spread that way as well. This type of malicious software behavior is called a "worm" and the use of such capabilities dates back to 1988 when the Morris Worm spread across the internet (albeit a much smaller neighborhood at the time).

Because WannaCry combines two extremely destructive capabilities, it has been far more disruptive and destructive than previous cases of ransomware that we've seen over the past 18-24 months. While the attackers are seeking ransom (you can track payments to their Bitcoin addresses, listed below, at https://blockchain.info/address/), there have been reports of this also corrupting drives, adding a destructive component as well as a ransom-recovery component to the attack. The addresses are:

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

What Systems Are Impacted?

WannaCry only targets Microsoft Windows systems and is known to impact the following versions:

- Microsoft Windows Vista SP2
- Windows Server 2008 SP2 and R2 SP1
- Windows 7
- Windows 8.1
- Windows RT 8.1
- Windows Server 2012 and R2
- Windows 10
- Windows Server 2016
- Windows XP

However, all versions of Windows are likely vulnerable and on May 13, 2017 Microsoft issued a notification that included links to patches for all impacted Windows operating systems — including Windows XP. As noted, Windows XP is impacted as well. That version of Windows still occupies a 7-10% share of usage (as measured by NetMarketshare), and this usage figure likely does not include endpoint counts from countries like China, who have significant use of "aftermarket" versions of Windows XP and other Windows systems, making them unpatchable.

The "worm" component takes advantage of a Remote Code Execution (RCE) vulnerability that is present in the part of Windows that makes it possible to share files over the network (known as "Server Message Block" or SMB). Microsoft released a patch - MS17-010 - for this vulnerability on March 14th, 2017, prior to the release of U.S. National Security Agency (NSA) tools (EternalBlue / DoublePulsar) by a group known as the Shadow Brokers. Rapid7's Threat Intelligence Lead, Rebekah Brown, wrote a breakdown of this release in a blog post in April. Vulnerability detection tools, such as Rapid7's Metasploit, have had detection capabilities for this weakness for a while, with the most recent Metasploit module being updated on April 30, 2017.

This ransomworm can be spread by someone being on public Wi-Fi or an infected firm's "guest" WiFi and then taking an infected-but-not-fully-encrypted system to another network. WannaCry is likely being spread, still, by both the traditional phishing vector as well as this network worm vector.

What Can You Do?

- Ensure that all systems have been patched against MS17-010 vulnerabilities.
- Identify any internet-facing systems that have not been patched and remediate as soon as possible.
- Employ network and host-based firewalls to block TCP/445 traffic from untrusted systems. If possible, block 445 inbound to all internet-facing Windows systems.
- Ensure critical systems and files have up-to-date backups. Backups are the only full mitigation against data loss due to ransomware.

NOTE: The Rapid7 Managed Detection & Response (MDR) SOC has developed detection indicators of compromise (IOCs) for this campaign; however, we are only alerted once the malware executes on a compromised system. This is not a mitigation step.

UPDATE - May 15, 2017: For information on how to scan for, and remediate, MS17-010 with Nexpose and InsightVM, please read this blog.

A Potentially Broader Impact

We perform regular SMB scans as a part of Project Sonar and detected over 1.8 million devices responding to a full SMB connection in our May 3, 2017 scan. Some percentage of these systems may be Linux/UNIX servers emulating the SMB protocol, but it's likely that a large portion are Windows systems. Leaving SMB (via TCP port 445) open to the internet is also a sign that these systems are not well maintained, and are also susceptible to attack. Rapid7's Heisenberg Cloud — a system of honeypots spread throughout the internet — has seen a recent spike in probes for systems on port 445 as well.

Living With Ransomware

Ransomware has proven to be an attractive and lucrative vector for cybercriminals. As stated previously, backups, along with the ability to quickly re-provision/image an impacted system, are your only real defenses. Rapid7 has additional resources available for you to learn more about dealing with ransomware:

- Understanding Ransomware: https://www.rapid7.com/resources/understanding-ransomware/
- Ransomware FAQ: /2016/03/22/ransomware-faq-avoiding-the-latest-trend-in-malware

If you'd like more information on this particular ransomworm as seen by Project Sonar or Heisenberg Cloud, please contact research [at] rapid7 [dot] com. Many thanks to the many contributors across Rapid7 who provided vital information and content for this post. For more information and resources on WannaCry and ransomware, please visit this page.

Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits

It is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone. Unfortunately, high popularity for software also means more high-value targets in the eyes of an attacker, and malware-infested Office macros are like an irritating rash that doesn't go away for IT professionals. A macro is a feature that allows users to create automated processes inside of a document used by software like Microsoft Word, Excel, or PowerPoint. This is used to enhance user experience, increase productivity, or automate otherwise manual tasks. But, in other words, it executes code. What kind of code? Well, pretty much whatever you want, even a Meterpreter session! Macro attacks are nothing new or unusual. A typical attack usually involves embedding malicious macro code in an Office document, sending it to the victim, and asking him or her very nicely to enable that code. The saddest part isn't how lame the attack is, since you are basically begging the victim to run your malware. It's that people have been falling for this trick for decades! The impact of such attacks should not be underestimated. In fact, malicious macros are often used in ransomware, and other high-profile breaches. For example, the Cerber Ransomware was a macro attack against Office 365 that put millions of users at risk. Since Office 365 is extremely popular in businesses, we expect it to be one of malicious macros' favorite audiences for quite some time. Yup, I think people call that social-engineering, and apparently it always works. I figured: "ok, why not, a shell is a shell. Let me write some exploits for these"... 
and that's how Metasploit's macro exploits were born.

The Microsoft Office Macro Exploit

This Microsoft Office macro exploit is specifically written for the Word document format. It has been tested against these environments:
Microsoft Office 2010 for Windows
Microsoft Office 2013 for Windows
Microsoft Office 2016 for Windows
Microsoft Office Word for Mac OS X 2011

The following demonstrates how to create a macro exploit for Microsoft Office for OS X, setting up a handler, as well as obtaining a session:

If you have a valid certificate to sign the malicious macro, you can apply it by using Microsoft Office to sign the document. With a valid cert there is no "Enable Content" prompt; Microsoft Office will just execute your code by default. However, this is obviously only ideal for internal use. Good certificates are expensive.

The OpenOffice Macro Exploit

The Apache OpenOffice macro exploit is specifically written for OpenOffice Writer (odt). It has been tested against these environments:
Windows with PowerShell support (which should be the case since Windows 7)
Ubuntu Linux (which ships LibreOffice by default)
OS X

Unlike Microsoft, OpenOffice does not want to open any documents with macros, which means that in order to attack, the victim has to manually do the following in advance:
1. Choose Tools -> Options -> Security
2. Click the Macro Security button
3. Change the security level to either medium or low.

If the security level is set to medium, a prompt is presented to the user to either allow or disallow the macro. If set to low, the macro will run without warning.

Now let's talk about how to use the exploit. The design for it is different from the Microsoft one: not only will the module create the malicious document file, it will also spawn a web server and a payload handler. The purpose of the web server is that when the victim runs the macro, the malicious code will download the final payload from our web server and execute it.
The following demonstrates how to use the exploit:

Exploit Customization

Although the Metasploit macro exploits work right out of the box, some cosmetic customizations are probably necessary to make the document look more legit and believable. To do this, you will need a copy of either Microsoft Office or OpenOffice (depending on the type of exploit you're using), and then:
1. Generate the exploit
2. Move the exploit to a platform with Office that can edit the document
3. Open the document with Office and do your editing there. When you're done, simply click save. As long as you're not modifying the macro, it should still work.

Time to Play!

Congratulations, young grasshopper! If you've read this far, and have not fallen asleep, then you are ready to start your journey of sweet Office macro pwnage. But before you leave, if you have never used Metasploit - a cyber weapon forged in the fires of um... Austin, Texas - then you shall download it here. If you already possess such power, then we strongly recommend you run msfupdate. Go now, embrace your destiny of pwnage, and let that glory be yours with Metasploit Office macro exploits.
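The two macro carriers described above, a Word package with a VBA project and an .odt with Basic scripts plus a load-time event binding, looked at from the receiving side: a static triage check that reports which macro containers a zip-based document carries. This is an added example, not Metasploit's or the author's code; the sample documents are constructed placeholders with no macro code, and the part names it looks for (vbaProject.bin, the vbaProject content type, Basic/, script:event-listener) are the standard OOXML/ODF ones.

```python
"""Static triage for the two macro carriers described above: a Word package
with a VBA project and an OpenOffice Writer (.odt) document carrying Basic
scripts.  Added example, not Metasploit or Rapid7 code; the sample documents
are constructed in memory with placeholder content, so it runs offline."""
import io
import sys
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def _text(archive, name):
    """Read one package member as text, or '' if it is absent."""
    return archive.read(name).decode("utf-8", "replace") if name in archive.namelist() else ""


def inspect_document(data: bytes) -> dict:
    """Report which macro containers a zip-based Office/ODF document carries.
    .docx/.docm and .odt are both zip packages, so one walk handles both."""
    report = {"format": "unknown", "has_macros": False, "evidence": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc is OLE2, not zip; that needs an OLE parser (e.g. oletools' olevba)
        report["format"] = "not a zip package (legacy .doc or unknown)"
        return report
    names = archive.namelist()
    if "[Content_Types].xml" in names:
        report["format"] = "ooxml"
        # Word keeps the VBA project in a binary OLE part; its presence is the signal
        # (reading the compressed source inside it is olevba's job, not done here)
        report["evidence"] += [f"VBA project part: {n}" for n in names
                               if n.lower().endswith("vbaproject.bin")]
        if VBA_CONTENT_TYPE in _text(archive, "[Content_Types].xml"):
            report["evidence"].append("[Content_Types].xml declares a vbaProject part")
    elif "mimetype" in names:
        report["format"] = _text(archive, "mimetype").strip()
        # ODF stores Basic libraries under Basic/, lists them in the manifest, and auto-runs
        # them through a document event listener (e.g. dom:load) declared in content.xml
        report["evidence"] += [f"Basic script: {n}" for n in names
                               if n.startswith("Basic/") and n.endswith(".xml")]
        if 'manifest:full-path="Basic/' in _text(archive, "META-INF/manifest.xml"):
            report["evidence"].append("manifest registers a Basic library")
        if "script:event-listener" in _text(archive, "content.xml"):
            report["evidence"].append("content.xml binds a document event to a script (auto-run)")
    report["has_macros"] = bool(report["evidence"])
    return report


def build_docm_sample() -> bytes:
    """Constructed stand-in for a macro-enabled Word package (placeholder bytes, no real VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types><Override PartName="/word/vbaProject.bin" '
                   f'ContentType="{VBA_CONTENT_TYPE}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE header")
    return buf.getvalue()


def build_odt_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for an .odt; with_macro adds a Basic library and a load hook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        hook = ('<office:scripts><office:event-listeners><script:event-listener '
                'script:event-name="dom:load"/></office:event-listeners></office:scripts>')
        z.writestr("content.xml", f"<office:document-content>{hook if with_macro else ''}"
                   "</office:document-content>")
        entry = '<manifest:file-entry manifest:full-path="Basic/Standard/Module1.xml"/>'
        z.writestr("META-INF/manifest.xml",
                   f"<manifest:manifest>{entry if with_macro else ''}</manifest:manifest>")
        if with_macro:
            z.writestr("Basic/Standard/Module1.xml", "<script:module/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python macro_triage.py file.docm file.odt ...; with no arguments, run the samples
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("sample.docm", build_docm_sample()), ("macro.odt", build_odt_sample(True)),
        ("clean.odt", build_odt_sample(False))]
    for label, blob in targets:
        r = inspect_document(blob)
        print(f"{label}: {r['format']} macros={r['has_macros']} {r['evidence']}")
```

A hit here is a triage signal, not a verdict: signed or legitimately macro-enabled business documents will also show a VBA part, so feed hits to a VBA source extractor and your mail-gateway policy rather than blocking on presence alone.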

The Ransomware Chronicles: A DevOps Survival Guide


NOTE: Tom Sellers, Jon Hart, Derek Abdine and (really) the entire Rapid7 Labs team made this post possible.

On the internet, no one may know if you're of the canine persuasion, but with a little time and just a few resources they can easily determine whether you're running an open “devops-ish” server or not. We're loosely defining devops-ish as:
MongoDB
CouchDB
Elasticsearch
for this post, but we have a much broader definition and more data coming later this year. We use the term “devops” as these technologies tend to be used by individuals or shops that are emulating the development and deployment practices found in the “DevOps” (https://en.wikipedia.org/wiki/DevOps) communities. Why are we focusing on devops-ish servers? I'm glad you asked!

The Rise of Ransomware

If you follow IT news, you're likely aware that attackers who are focused on ransomware for revenue generation have taken to the internet searching for easy marks to prey upon. In this case the would-be victims are those running production database servers directly connected to the internet with no authentication. Here's a smattering of news articles on the subject:
MongoDB mauled! http://www.zdnet.com/article/mongodb-ransacked-now-27000-databases-hit-in-mass-ransom-attacks/
Elasticsearch exposed! http://www.pcworld.com/article/3157417/security/after-mongodb-ransomware-groups-hit-exposed-elasticsearch-clusters.html
CouchDB crushed! http://www.pcworld.com/article/3159527/security/attackers-start-wiping-data-from-couchdb-and-hadoop-databases.html

The core reason why attackers are targeting devops-ish technologies is that most of these servers have default configurations which have tended to be wide open (i.e. they listen on all IP addresses and have no authentication) to facilitate easy experimentation and exploration.
Said configuration means you can give a new technology a test on your local workstation to see if you like the features or API, but it also means that, if you're not careful, you'll be exposing real data to the world if you deploy them the same way on the internet.

Attackers have been ramping up their scans for these devops-ish services. We've seen this activity in our network of honeypots (Project Heisenberg):

We'll be showing probes for more services, including CouchDB, in an upcoming post/report.

When attackers find targets, they often take advantage of these open configurations by encrypting the contents of the databases and leaving little “love notes” in the form of table names or index names with instructions on where to deposit bitcoins to get the keys back to your data. In other cases, the contents of the databases are dumped and kept by the attacker but wiped from the target, with a ransom then demanded for the return of the kidnapped data. In still other cases, the data is wiped from the target and not kept by the attackers, leaving anyone who gives in to these demands with a double whammy: paying the ransom and not getting any data in return.

Not all exposed and/or ransomed services contain real data, but attackers have automated the process of finding and encrypting target systems, so it doesn't matter to them if they corrupt test databases that would just get deleted anyway; it hasn't cost them any more time or money to do so. And, because the captive systems are still wide open, there have been cases where multiple attacker groups have encrypted the same systems; at least they fight amongst themselves as well as attack you.

Herding Servers on the Wide-Open Range Internet

Using Project Sonar (http://sonar.labs.rapid7.com) we surveyed the internet for these three devops databases.
NOTE: we have a much larger ongoing study that includes a myriad of devops-ish and “big data” technologies, but we're focusing on these three servers for this post given the timeliness of their respective attacks.

We try to be good Netizens, so we have more rules in place when it comes to scanning than others do. For example, if you ask us not to scan your internet subnet, we won't. We will also never perform scans requiring credentials/authentication. Finally, we're one of the more profound telemetry gatherers, which means many subnets choose to block us. I mention this, first, since many readers will be apt to compare our numbers with the results from their own scans or from other telemetry resources. Scanning the Internet is a messy bit of engineering, science and digital alchemy, so there will be differences between various researchers.

We found:
~56,000 MongoDB servers
~18,000 Elasticsearch servers
~4,500 CouchDB servers

Of those, 50% of MongoDB servers were captive, 58% of Elasticsearch servers were captive and 10% of CouchDB servers were captive:

A large percentage of each of these devops-ish databases are in “the cloud”:

and several of those listed do provide secure deployment guides, like this one for MongoDB from Digital Ocean: https://www.digitalocean.com/community/tutorials/how-to-securely-configure-a-production-mongodb-server. However, others have no such guides, or have broken links to such guides, and most do not offer base images that are secure by default when it comes to these services.

Exposed and Unaware

If you do run one of these databases on the internet, it would be wise to check your configuration to ensure that you are not exposing them to the internet or, at the very least, have authentication enabled and rudimentary network security groups configured to limit access. Attackers are continuing to scan for open systems and will continue to encrypt and hold systems for ransom.
There's virtually no risk in it for them and it's extremely easy money, since the reconnaissance for and subsequent attacking of exposed instances likely often happens from behind anonymization services or from unwitting third-party nodes compromised previously.

Leaving the configuration open can cause other issues beyond the exposure of the functionality provided by the service(s) in question. Over 100 of the CouchDB servers are exposing some form of PII (going solely by table/db name), and much larger percentages of MongoDB and Elasticsearch open databases seem to have some interesting data available as well. Yes, we can see your table/database names. If we can, so can anyone who makes a connection attempt to your service.

We (and attackers) can also see configuration information, meaning we know just how out of date your servers, like MongoDB, are:

So, while you're checking how secure your access configurations are, it may also be a good time to ensure that you are up to date on the latest security patches (the story is similarly sad for CouchDB and Elasticsearch).

What Can You Do?

Use automation (most of you are deploying in the cloud) and, within that automation, use secure configurations. Each of the three technologies mentioned has a security guide that “comes with” it:
CouchDB: http://docs.couchdb.org/en/2.0.0/intro/security.html
Elasticsearch: https://www.elastic.co/blog/found-elasticsearch-security
MongoDB: https://docs.mongodb.com/manual/security/

It's also wise to configure your development and testing environments the same way you do production (hey, you're the one who wanted to play with devops-ian technologies, so why not go full monty?). You should also configure your monitoring services and vulnerability management program to identify and alert if your internet-facing systems are exposing an insecure configuration. Even the best shops make deployment mistakes on occasion.
If you are a victim of a captive server, there is little you can do to recover outside of restoring from backups. If you don't have backups, it's up to you to decide just how valuable your data is/was before you consider paying a ransom. If you are a business, also consider reporting the issue to the proper authorities in your locale as part of your incident response process.

What's Next?

We're adding more devops-ish and data science-ish technologies to our Sonar scans and Heisenberg honeypots and putting together a larger report to help provide context on the state of the exposure of these services and to try to give you some advance notice as to when attackers are preying on new server types. If there are database or server technologies you'd like us to include in our more comprehensive study, drop a note in the comments or to research@rapid7.com.

Burning sky header image by photophilde used CC-BY-SA
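The two wide-open defaults this post keeps coming back to, listening on every interface and running with no authentication, are visible in the config files before a deployment ever reaches the internet. The following added check (not Rapid7 code) audits mongod.conf, elasticsearch.yml and CouchDB local.ini fragments for exactly those settings and shows the hardened form beside the weak one; the fragments are constructed for the demo, and the parser only handles the simple key/value subset of YAML those two files use.

```python
"""Config audit for the three devops-ish databases discussed above: flags the
two settings that made servers captive (listening on every interface and no
authentication) and shows the hardened form.  Added example, not Rapid7 code;
the config fragments are constructed for the demo, not taken from real hosts."""
import configparser

ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def parse_simple_yaml(text):
    """Parse the YAML subset used by mongod.conf and elasticsearch.yml:
    indentation-nested mappings with scalar values (no lists or anchors)."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while indent <= stack[-1][0]:        # close mappings opened at deeper indents
            stack.pop()
        parent = stack[-1][1]
        if value == "":                       # "net:" opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def flatten(mapping, prefix=""):
    """{"net": {"bindIp": x}} -> {"net.bindIp": x} so lookups use dotted keys."""
    flat = {}
    for key, value in mapping.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat


def exposes_all_interfaces(addr):
    """True when any comma-separated bind address is a wildcard."""
    return any(a.strip() in ALL_INTERFACES for a in str(addr).split(","))


def audit_mongod(conf_text):
    cfg = flatten(parse_simple_yaml(conf_text))
    findings = []
    # mongod 3.6+ binds to localhost unless told otherwise; older releases bound everywhere
    if exposes_all_interfaces(cfg.get("net.bindIp", "127.0.0.1")) or cfg.get("net.bindIpAll") == "true":
        findings.append("net.bindIp exposes every interface")
    if cfg.get("security.authorization", "disabled") != "enabled":
        findings.append("security.authorization is not enabled (no access control)")
    return findings


def audit_elasticsearch(conf_text):
    cfg = flatten(parse_simple_yaml(conf_text))
    # Elasticsearch of that era had no built-in auth, so a wildcard bind is the whole story
    if exposes_all_interfaces(cfg.get("network.host", "127.0.0.1")):
        return ["network.host exposes every interface with no authentication layer"]
    return []


def audit_couchdb(local_ini_text):
    cfg = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cfg.read_string(local_ini_text)
    findings = []
    for section in ("httpd", "chttpd"):       # 1.x and 2.x listener sections
        if exposes_all_interfaces(cfg.get(section, "bind_address", fallback="127.0.0.1")):
            findings.append(f"[{section}] bind_address exposes every interface")
    if not (cfg.has_section("admins") and cfg.options("admins")):
        findings.append("[admins] is empty: 'admin party', every client is an admin")
    return findings


# Constructed fragments: the weak form the post-mortems found, and the hardened form.
WEAK_MONGOD = "net:\n  bindIp: 0.0.0.0\n  port: 27017\n"
SAFE_MONGOD = "net:\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n"
WEAK_ES = "cluster.name: demo\nnetwork.host: 0.0.0.0\n"
SAFE_ES = "cluster.name: demo\nnetwork.host: 127.0.0.1\n"
WEAK_COUCH = "[chttpd]\nbind_address = 0.0.0.0\n[admins]\n"
SAFE_COUCH = "[chttpd]\nbind_address = 127.0.0.1\n[admins]\nadmin = -pbkdf2-<hash placeholder>\n"

if __name__ == "__main__":
    for name, fn, weak, safe in (("mongod", audit_mongod, WEAK_MONGOD, SAFE_MONGOD),
                                 ("elasticsearch", audit_elasticsearch, WEAK_ES, SAFE_ES),
                                 ("couchdb", audit_couchdb, WEAK_COUCH, SAFE_COUCH)):
        print(f"{name}: weak={fn(weak)} hardened={fn(safe)}")
```

Binding to localhost is the stand-in here for "not reachable from the internet"; a server that legitimately needs a non-loopback bind still passes only if the security group in front of it, not the database, does the filtering.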

I have ransomware and I didn't back up! What do I do now??


There is an old proverb, attributed to various cultures, which says: “The best time to plant a tree was 20 years ago. The second best time is now.” The same goes for backups. If you've been hit by a ransomware incident, the best way to recover is to restore from your most recent backup. But let's say your backup process isn't as mature as it could be. And if that's true, your backups, or lack of backups, have created a gap in your business data that you cannot endure. What, then, are your options, if any? Well, to be honest, there aren't many and they aren't great. The first thing you are going to do is formulate a simple backup strategy and be ready to execute it. We'll address that later.

Report The Incident

Federal police and anti-fraud centers want you to contact them about issues of ransomware. They will not be able to help you directly, but they do have some resources, and they track data related to ransomware events. You can find your local field office here:
FBI Field Offices List
US Secret Service Field Offices List
Canada Anti-Fraud Centre

Some decryption keys are known

Now, to deal with the event. Try to clearly identify the ransomware variant you are dealing with, and then research ways to decrypt it. For example, checking the instructions files and searching on the language or terms in there can help. Sometimes the actual name of the variant will appear in the text file. If you have been hit by an older, known ransomware, you can possibly get tools or decryption keys from the internet. A quick Google search of “known ransomware decryption keys” comes up with two helpful links:

Kaspersky Labs ransomware decryption tools: Kaspersky has created NoRansom, a site which has tools to handle decryption of some known ransomware. They have a useful How To guide on the site.

Tripwire blog post on known decryption cases: This Tripwire article details 10 known cases of ransomware and has links to known decryption keys.
Before you attempt any kind of decryption, make a backup and try it out on the backup copies. That way, if the data is destroyed or otherwise transformed, you will have a version that can hopefully be restored to normal.

Paying the ransom

Ransomware is very diverse, however, so it's quite possible that your incident does not have a known decryption tool or key. In this case, you have very few options. The most obvious one is to pay the ransom. The FBI points out there are risks associated with this, and does not encourage paying a ransom. Consider the following issues, which the FBI has been tracking:
Paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals or organizations were never provided with decryption keys after having paid a ransom. Ars Technica has a report of the malware simply deleting the files after decrypting!
Some victims who paid the demand have reported being targeted again by cyber actors.
After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key.
Paying could inadvertently encourage this criminal business model.

Just like with the known recovery options, doing research on the type of ransomware affecting you can help mitigate the risk of paying. Some ransomware variants even have helpful customer service available!

Another option, which is probably the least palatable, is to simply throw out the data and start over. This can be a viable choice for new data which can be easily and cost-effectively regenerated.

Planting your tree

Whatever option you choose, the first thing after reporting your case to the FBI/USSS is to create a backup plan. Backups come in many varieties, sizes and pricing options. You should evaluate what would work best for your organization based on the size of the data being backed up, the sensitivity of the data and its value to your organization.
You'll notice I specifically excluded pricing as a consideration. Pricing could very well be the reason you're in this position! That said, you don't have to sell the farm to buy a backup solution.

A very simple, first-tier, low-tech solution is to back up your data to external drives using simple copy commands or software. This is the lowest-cost option, but it is resource intensive, failures aren't always evident, and it is difficult to maintain. If you choose this option, make sure you make multiple backup copies, because external hard drives, especially if they are consumer models, do not hold up well to constant operations. To avoid a recurrence of ransomware, keep these copies offline when not in use. This really is a stop-gap solution until you can get into a better one. Simple software here can include open source solutions such as Amanda, Bareos and Fbackup. Use these tools with discretion, as many do not have support options. Most operating systems come with basic backup tools that can also be used, such as Windows XCOPY or Linux cp -r.

The second tier would have some sort of mass storage available. This could be a SAN or NAS unit in your data center, or it could be a cloud solution. You could still leverage these solutions with simple copy commands and software. This solution is easier to support and more reliable than the USB external drive, but it does not lend itself to being very scalable. If you have a small business, and don't expect a large amount of data growth, this could be viable for you. Amazon's AWS solutions are offered at a reasonable price for low amounts of data storage and growth.

The third tier would be an enterprise-class backup solution. This requires a great amount of resource allocation, both in terms of dollars and in support. However, this is the most desirable option for organizations with large amounts of data growth. The big players in this space are very recognizable names such as IBM, EMC, Veritas and others.
Once you have your solution chosen and are implementing it, take the time to document your recovery plan, or integrate this into your existing one. During an emergency, it's always helpful to have that run book so the difficult choices are already made and people can execute faster. And remember, if your backups are always accessible from PCs or servers, they could be impacted by ransomware, so ensure you have permissions set to only allow writing new backups and not deleting or modifying old ones.

Prepare Yourself for Ransomware - No More Snake Oil, Please


Ransomware has hurt more businesses than anyone expected only a year ago. This real threat to your organization could steal a great deal of productivity while systems are “locked” or directly cost the cryptocurrency demanded as ransom. For any organization that's ill prepared, it could cost you in both of these ways, and there's no criminal customer service line if the purchased decryptor fails [though I'm excited to finally have a use for a balaclava-related stock photo]. Given their creativity and desire to make money from the susceptibility of others, we should have anticipated that organized criminals would take the destruction of the Sony breach, the anonymity of cryptocurrency, and add a little entrepreneurial innovation to yield ransomware. Now, with its many “successes” for these unlawful organizations, ransomware isn't going away any time soon, so you should prepare your organization against it.

As is common for him, Rapid7's own Tod Beardsley responded to this trend with a helpful FAQ earlier this year. Since that time, a lot of vendors have seized this opportunity to add niche prevention and detection as a third guaranteed ransomware cost to your organization. This soliciting at disaster sites is spun to sound better than the boring truth: the best way to protect your organization from this threat is the very disaster recovery process you should have in place before any security program is even budgeted.

There are a lot of people with their hands out, so here's what to avoid

Just in the past week, I've received some fearmongering emails and tripped over a few “ransomware solutions” on LinkedIn, so in the interest of breaking down the fourth wall [like Deadpool!], here are some of the buzz-iest promises I've seen:

“Detect ransomware as it enters corporate networks” – There are a lot of vendors offering to help you detect ransomware for an additional fee. Since the majority of ransomware today isn't trying to hide its existence [because then, how would you know where to send the check?], your money is best spent elsewhere.

“Machine learning for detection of zero-day ransomware” – This is like a perfect storm of buzzwords. Machine learning is probably best applied to finding hidden issues, and much stealthier malware, that you'd otherwise struggle to identify. In addition, the vast majority of ransomware is using old exploits in the most targeted applications, so “zero-day” here is likely being used to add buzz to malware with unknown hashes (and the 2016 Verizon DBIR found that 99% of malware is only known for 58 seconds or less).

“Think you are safe from ransomware with Office 365? Think again.” – I didn't even read this email and neither should you. Just make sure you include your cloud infrastructure in your disaster recovery plan.

Preventing and detecting malware needs to be part of any security team's goals, but just as you probably didn't change your entire information security plan to combat the Zeus Trojan in 2007, you cannot afford to forget your broader security and business continuity goals because you've happened upon some snake oil or machine learning.

Backing up your systems [and testing the restore] should be a high priority investment, anyway

The healthiest way to think about your ransomware-locked systems is the way you'd think about laptops your employees dropped on business trips. Sure, you might recover the data on them if you keep at it, but it would save everyone a lot of time and effort if you just restore the backup images from last night to the impacted systems (or replacement laptops).
I am not advocating for any one backup solution, but this blogger says it well: “Prevention is good, but backups are your insurance when ransomware strikes.” The beauty of thinking about ransomware in this manner is that you can be better prepared for natural disasters (like floods), building disasters (like broken water pipes), and even an office full of people getting suddenly brainwashed and throwing their laptops off the roof [I have strange dreams, yes]. My dad, an IT consultant for 20 years, would take away my TV privileges if I didn't also insist that you test the restore process regularly. It turns out that's the buggiest feature in the backup solutions out there, and you don't want to find out that you have thousands of useless backup images once you really need them. There really isn't a downside to solidifying and regularly testing your disaster recovery plan, because it's probably required by your insurance provider and it can help you with a lot more than just ransomware.

Focusing too much on ransomware exposes you to other less headline-grabbing attacks

For those with a tested disaster recovery plan and the desire to still do more, beware the common mistake the human mind makes called the focusing illusion, or convincing oneself that a current event or problem in focus is the most important one. This frequently leads to losing sight of the bigger picture and improperly planning for the future. If you are going to focus your defensive efforts solely on ransomware, it will make you more susceptible to the many other security threats to your business. A lot of these point solutions are emerging to charge more money while the truth is, as some security professionals are blogging, a few of the fundamental security controls you should already own today are the most effective defense:

Security awareness training – your users should understand the importance of security, know not to install unknown software, and know what to do when they believe they're being phished.

Malware prevention – antivirus or similar solutions should be installed and up to date, with browser plug-ins for website reputation scoring against drive-by malware that doesn't require a click to install.

Exploit mitigation – for scenarios in which users aren't knowingly installing anything, Microsoft offers the Exploit Mitigation Experience Toolkit (EMET) free of charge, and it is very effective at preventing malware from using a wide array of its tricks. Your organization should absolutely install it across all Windows systems. I'll say it again: it's free.

Patching – in tandem with exploit mitigation, you should always install the latest version of all operating systems and applications in your organization. The most affordable centralized tool for doing this is Microsoft System Center Configuration Manager (SCCM).

These security and IT measures should be in place for any organization to defend from a great deal more than just ransomware. Unfortunately, there is no magic snake oil for all that ails you. There never has been. Whether you need a partner to help with the security fundamentals, a second set of eyes for your disaster recovery plan, or somewhere in between, Rapid7's Global Services can help. Sorry, but my dad's just retired or I'd send him.
