WannaCry crypto virus outbreak

Person typing on laptop showing the Wannacry virus on screen

As you might be aware, this Friday (12th of May 2017) there was a massive outbreak of a new type of crypto virus dubbed WannaCrypto, aka WannaCry. The UK was hit the hardest, especially in the health sector, followed by the Spanish telecom Telefónica, along with Portuguese and Argentinian telecoms and Russia.

How does that affect the UK? The NHS is badly crippled (more than 30 hospitals reported malware spread), patients are being turned away, important data such as scans and personal test results are lost, and planned surgeries are cancelled. We could easily say that lives are at stake, as some critical operations had to be postponed or performed without important test/scan results.

About the attack:

The WannaCry outbreak is the quickest spread of malware ever seen (over 100 countries with many affected endpoints in a matter of hours).

This link shows the spread over time. The animation was made possible because the authors of MalwareTech were able to take control of one of the Command and Control domains and trace the incoming call-home requests from the infected machines (keep in mind that this does not depict the whole spread of the virus, as MalwareTech operated in EST time and the spread in Europe and Asia had already been going on for some hours).

https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html?_r=1

Another unique thing: the virus exploited a vulnerability in Windows OS systems that had been used for years by the NSA and GCHQ government agencies but was only revealed to the public a couple of months ago (by the ShadowBrokers dump on the 14th of April).

Here the security industry worldwide is divided in its opinions.

One opinion is that the vulnerability should never have been leaked, so that the bad guys would not be aware of it and hence would not be able to exploit it. This is usually the opinion of non-hardened security people, since it loudly shouts Security through Obscurity, or the ostrich effect.

The second opinion is that not a single discovered vulnerability should remain hidden: the more people are aware of the threat, the more people can react to it. General security admins had more than two months to patch their systems, as the official patch from Microsoft was released quickly after the leak (the official patch was released on the 14th of March). One important note is that many government and other big, slow organisations (due to their sheer size and bureaucracy) are still running Windows XP, and since XP is end of life and out of support, there was no patch for it. An example of such an organisation was the NHS.

Kill switch

The virus had a kill switch designed by its creators: a hidden, nonsensical long domain name that, if alive, makes the virus stop spreading. A researcher found it by looking at the malware (reverse engineering it) and was not sure why it was there, so he registered the domain and luckily helped stop the spread (the malware checks if that domain is alive before attempting worm-like spread in the same L2 network).

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

The Onion Router

Botnet Command and Control centres are located in TOR (The Onion Router).

OK, that has been done before, so it is not quite unique, but it is very hard to implement, as the malware needs to download a whole lot of files to the end-user device to make this work. The technique adds anonymity for the guys running the botnet (hence the creators of the malware). C&C is very important for crypto viruses, as these are usually created not to destroy but to extort money from people who want their files recovered, and recovery is done via this backchannel by supplying the key. If people pay and their files do not get recovered, the rumour spreads and people accept their losses and do not pay anything. The current estimate of infected systems with encrypted files is more than 55 000, and the attackers want an average of £300 per endpoint for recovery, which amounts to a hefty ransom sum (if 20 000 users pay, that is over 6 million dollars).

Ransom Note

Heavily customised and detailed user/victim interaction: the information displayed to the user explains in detail what has happened and what needs to be done (how to pay) to recover your files, and it is translated and shown in 28 languages. The presentation (ransom note below) is done via an executable file and offers many options.

Wannacry crypto virus on screen image

How does the attack work?

The malware uses a remote code execution vulnerability in SMBv2 in Microsoft Windows. The exploit (codenamed “EternalBlue”) was made available on the internet through the ShadowBrokers dump on April 14th, 2017 and had been patched by Microsoft on March 14th. Usually SMB is not directly exposed to the outside world, so the initial attack point was via email, as well as spread via a quick vertical scan for port TCP 445. After the initial infection, the virus spreads like a worm, probing all hosts within the subnet for open SMB ports and trying to infect them. Also quite unique for this virus is that it uses different services for performing different tasks, aka a modular service approach: for example, it uses separate services for file dumping, for finding files with particularly important extensions and encrypting them, for disabling the shadow copy/system restore, and for presenting the screen with the note/demands/payment information (yes, that is a separate executable file).

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

http://blog.talosintelligence.com/2017/05/wannacry.html

Protection techniques

  • Patch – regular/automated patching of Windows systems would have prevented the malware from doing any damage by removing the vulnerability it needs to exploit
  • Security training – organisation employees should be aware of the dangers of executing files from emails or clicking on links
  • Advanced malware protection on the endpoints – could stop the execution of the malware in the first stage, or the downloading and installation of the malware in the second stage
  • Email security – strong email security would have greatly reduced the spread of the malware, or stopped any executable files from being delivered to users (depending on tuning; even files with unknown status should be held back and quarantined until further analysis can be done), or would check URLs in mails and determine whether you are allowed to click on them (more modern email protection systems have built-in web URL protection)
  • Web security controls – would help in cases where the infection point is a URL link in an email
  • Advanced IPS with Command and Control botnet detection – would not be effective in the first minutes of the spread but will quickly update itself (depending on the vendor) and will detect/drop outgoing C&C connections. Traditional stateful firewalls would not help except by blocking SMB traffic based on TCP ports 139/445 (however, a traditional firewall deployment does not scan east-west traffic, i.e. traffic within the same L2 network)
  • Back up your important information in a separate, secure location – a reactive approach, but very effective against crypto viruses
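As an added example (not part of the original post), the following Python script implements the east-west detection that the list above notes traditional firewalls miss: it reads connection records (a constructed sample is embedded) and flags any source that contacts many distinct hosts on TCP 139/445 within a short window, which is the worm-like subnet probing described earlier. The 60-second window and threshold of 5 targets are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the original post).
# Fields: timestamp, source IP, destination IP, destination TCP port.
# 10.1.2.15 sweeps its subnet on SMB ports; 10.1.2.40 is normal file-share use.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.1.2.15 10.1.2.20 445
2017-05-12T10:00:01 10.1.2.15 10.1.2.21 445
2017-05-12T10:00:02 10.1.2.15 10.1.2.22 445
2017-05-12T10:00:02 10.1.2.15 10.1.2.23 445
2017-05-12T10:00:03 10.1.2.15 10.1.2.24 445
2017-05-12T10:00:03 10.1.2.15 10.1.2.25 445
2017-05-12T10:00:09 10.1.2.15 10.1.2.26 139
2017-05-12T10:00:04 10.1.2.40 10.1.2.5 445
2017-05-12T10:01:10 10.1.2.40 10.1.2.5 445
2017-05-12T10:02:00 10.1.2.41 10.1.2.7 443
"""

SMB_PORTS = {139, 445}


def parse_log(text):
    """Parse the whitespace-separated records into (time, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_smb_scanners(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: max_distinct_smb_targets} for every source that reached
    at least `threshold` distinct hosts on SMB ports inside one `window`.
    Window and threshold are assumed tuning values, not figures from the post."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # records may arrive out of order; sort by timestamp
        for i, (start, _) in enumerate(hits):
            # sliding window starting at each SMB connection from this source
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible SMB worm spread from {src}: {count} distinct hosts probed")
```

The same logic applies to NetFlow or firewall connection logs once the four fields are extracted; host-to-host records are needed, which is why a perimeter-only firewall cannot supply them.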

Mitigation techniques (after the attack)

Unfortunately, after files are encrypted, it is close to impossible to decrypt them without having the proper key. Most endpoint protection companies give you a list of things to do to remove the virus, hinder its spread and be immune in the future, but not to recover files. General recommendations vary between vendors, but most of them follow these steps.

  • Make sure your endpoint protection software is running and has not been disabled by the virus.
  • Download the latest signatures.
  • Install the patch from Microsoft (MS17-010) which fixed the SMBv2 vulnerability.
  • Scan all systems (the virus is usually detected under the name MEM: Trojan.Win64.EquationDrug.gen) and reboot the system (before that, make sure you have the patch installed).

Indicators of compromise

How to check if your network has the malware: typical indications are listed in the links below.

Basically, the infected machines make requests to certain IPs on the Internet, and you may have seen a file transfer with the listed SHA-256 fingerprints (keep in mind there are small variations of the virus, so there are multiple fingerprints).

https://otx.alienvault.com/pulse/5915d8374da2585a08eaf2f6/

https://otx.alienvault.com/pulse/5916cee44da2584776eaf2f6/

Data Centre for Cisco Network Security

VTI VPNs introduced to Cisco ASA 9.7.x

Virtual Private Networks are a hot topic in networking because they provide low-cost and secure communications between sites (site-to-site VPNs) while improving productivity by extending corporate networks to remote users (remote access VPNs). Naturally, VPN technology is widely deployed on all internet edge devices and most ASAs.

Cisco is very proud of its VPN solutions. It is one of the few vendors that supports such a wide range of VPN technologies with so many features and so much flexibility. Cisco routers and Cisco ASA firewalls are the two types of devices most often used to build Cisco Virtual Private Networks. Cisco has been very strict about the way its routers and firewalls should be used and which technologies are available to them: routers do the full range of Site-to-Site VPNs (traditional policy-based IPsec VPNs, but also GRE IPsec VPNs, DMVPNs and GET VPNs) and have limited capabilities for remote access VPNs (IPsec and SSL based). The ASA, however, was very different: so far it could do only traditional policy-based L2L IPsec VPNs, but it has full functionality for remote access VPNs. The message was very clear: for large organisations and ISPs use routers; for remote access VPNs and static, traditional Site-to-Site VPNs use the ASAs.

Things have changed: Cisco very recently introduced a new feature in the VPN module of the ASA with its 9.7.x code, the VTI (Virtual Tunnel Interface). VTIs were long available on Cisco routers but never on Cisco firewalls, although similar technologies (route-based VPNs) were available from most competitors, and the demand for that feature finally took effect: Cisco introduced it.

Before looking at why VTIs are so important, we will do a quick comparison between the traditional Site-to-Site IPsec VPN (policy-based VPNs) and the VTI (route-based VPNs).

Policy Based VPNs

They rely on static (policy-based) configuration of the encryption domain (usually by ACLs) and do not pass multicast, so they are not great for dynamic routing, voice/video and other multicast applications, and they require reconfiguration on both sides if the networks that traverse the VPN change. The configuration is quite complex, involving many steps that need to be the same or mirrored on both ends (encryption domains/ACL config), which is prone to mistakes.

However, the benefits are that this is a well-matured configuration process, and IPsec VPN is an IETF standard, which means all vendors must implement it according to the specification; hence, in theory, it should always work in multi-vendor scenarios. This is important because the two main uses of L2L (Site-to-Site) VPNs are connecting sites of the same company over the internet, thus replacing more expensive intranets, or connecting one company to another company/partner/service provider over the internet in a secure manner. In that second case, there is a big chance that the two companies use different vendors for their VPN devices.

Route-Based VPNs

A route-based VPN configuration uses Layer 3 routed tunnel interfaces (either GRE based or VTI based) as the endpoints of the VPN. Instead of selecting a static subset of traffic to pass through the VPN tunnel using an access list, all traffic passing through the special Layer 3 tunnel interface is placed into the VPN. Therefore, you need to configure routing accordingly: either a dynamic routing protocol (such as EIGRP or OSPF) or static routing must be configured to divert VPN traffic through the special Layer 3 tunnel interface. That makes the selection of interesting traffic dynamic, and you have the flexibility to make changes and introduce new traffic to the VPN without redoing the VPN configuration (only by changing the routing so that the new traffic gets routed to the interface). Another benefit is that this type of VPN can pass multicast traffic, thus allowing dynamic routing protocols and enabling multicast applications to work.

There are some limitations and considerations to keep in mind. First, VTI is a Cisco-proprietary technology; although other vendors have similar route-based VPN technology, there is no guarantee they will interoperate. Also, the tunnel interface itself does not provide inherent security: IPsec protection is an add-on and needs to be configured on top of it for encryption/security of the traffic.

Summary and conclusions:

Introducing VTIs in ASAs is a big step forward in making the firewall an even more versatile network edge device. The VTI's capability to provide security and encryption for multicast traffic, and its flexibility for tunnelling traffic via dynamic routing with zero reconfiguration of the VPN, mean that any small or medium-sized organisation with an ASA at the network edge can now benefit strongly from that functionality and would not need to purchase additional hardware, thus maximising its return on investment.

References:

Release notes:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/release/notes/asarn97.html#ID-2172-00000128

Configuration:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-vti.html