The WannaCry ransomware campaign is just the latest wave of malware to exploit flaws in core networking protocols, and you need to protect your network with advanced threat detection.
The ransomware spreads to unpatched Windows systems (see Microsoft Security Bulletin MS17-010 – Critical) using a buffer overflow attack, called EternalBlue, against the Server Message Block (SMB) protocol host. Any unpatched Windows environment running SMB version 1 is potentially vulnerable to this attack.
Fortunately, from the analysis we’ve done of the WannaCry exploit, the SMB dropper traffic is easy to detect with LogRhythm NetMon using a simple Query Rule. Note that the rules described here are refinements based on additional analysis of the malware.
Here’s what we know:
Let’s take a look at some example queries that can help you determine if you’re experiencing a WannaCry threat.
EternalBlue and WannaCry leverage a buffer overflow attack via SMBv1. To capture the successful attack, look for SMBv1 traffic carrying the “transaction2_secondary” command. Combining the two conditions gives a rule that will not generate false negatives. It may generate false positives if you are running older software that depends on SMBv1 and also happens to send large commands requiring transaction2_secondary, but this should be an extremely rare case in modern systems.
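To make the rule concrete, here is an added example (not LogRhythm's or NetMon's code) that applies the same two conditions, SMB version 1 and the TRANSACTION2_SECONDARY command, to raw NetBIOS session frames. It parses the SMB1 and SMB2 headers only far enough to read the protocol signature and command field; the command codes (0x33 for SMB_COM_TRANSACTION2_SECONDARY, 0x32 for SMB_COM_TRANSACTION2, 0x72 for SMB_COM_NEGOTIATE) are the published MS-CIFS values. The sample frames and IP addresses are constructed for the demonstration; the builder functions and flow list are assumptions, not anything from the post.

```python
"""Added example (not LogRhythm's code): flag SMBv1 TRANSACTION2_SECONDARY traffic.

Parses NetBIOS Session Service frames carrying SMB1 or SMB2 headers and
applies the rule from the post: SMB version 1 AND the command byte equal to
SMB_COM_TRANSACTION2_SECONDARY. Command codes are the MS-CIFS/MS-SMB2 values.
"""
import struct

SMB1_MAGIC = b"\xffSMB"   # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"   # SMB2/3 header signature

# SMB1 command codes (MS-CIFS)
SMB_COM_TRANSACTION2 = 0x32
SMB_COM_TRANSACTION2_SECONDARY = 0x33
SMB_COM_NEGOTIATE = 0x72

SMB1_HEADER_LEN = 32
SMB2_HEADER_LEN = 64


def parse_smb(frame: bytes):
    """Return {"version": 1|2, "command": int} for an SMB session message,
    or None if the frame is not a parseable SMB1/SMB2 message."""
    if len(frame) < 4 or frame[0] != 0x00:      # 0x00 = NetBIOS session message
        return None
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if len(body) != length:                     # truncated frame: do not guess
        return None
    if body[:4] == SMB1_MAGIC and len(body) >= SMB1_HEADER_LEN:
        return {"version": 1, "command": body[4]}        # Command byte at offset 4
    if body[:4] == SMB2_MAGIC and len(body) >= SMB2_HEADER_LEN:
        command = struct.unpack_from("<H", body, 12)[0]  # Command field at offset 12
        return {"version": 2, "command": command}
    return None


def matches_rule(frame: bytes) -> bool:
    """The query rule from the post: SMBv1 AND TRANSACTION2_SECONDARY."""
    info = parse_smb(frame)
    return (info is not None
            and info["version"] == 1
            and info["command"] == SMB_COM_TRANSACTION2_SECONDARY)


def build_smb1(command: int, payload: bytes = b"") -> bytes:
    """Constructed SMB1 frame; header fields other than the command are zero."""
    body = SMB1_MAGIC + bytes([command]) + b"\x00" * (SMB1_HEADER_LEN - 5) + payload
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb2(command: int) -> bytes:
    """Constructed SMB2 frame with a minimal 64-byte header."""
    header = bytearray(SMB2_HEADER_LEN)
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, SMB2_HEADER_LEN)   # StructureSize
    struct.pack_into("<H", header, 12, command)
    return b"\x00" + len(header).to_bytes(3, "big") + bytes(header)


# Constructed sample flows: (src, dst, frame). Addresses are placeholders.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", build_smb1(SMB_COM_NEGOTIATE)),
    ("10.0.0.5", "10.0.0.9", build_smb1(SMB_COM_TRANSACTION2, b"\x41" * 64)),
    ("10.0.0.5", "10.0.0.9", build_smb1(SMB_COM_TRANSACTION2_SECONDARY, b"\x41" * 64)),
    ("10.0.0.7", "10.0.0.9", build_smb2(0x0000)),        # SMB2 NEGOTIATE: not SMBv1
    ("10.0.0.8", "10.0.0.9", b"\x00\x00\x00\x02\xff"),   # truncated junk: ignored
]


def scan(flows):
    """Apply the rule to every flow; return the (src, dst) pairs that matched."""
    return [(src, dst) for src, dst, frame in flows if matches_rule(frame)]


if __name__ == "__main__":
    for src, dst in scan(SAMPLE_FLOWS):
        print(f"ALERT SMBv1 TRANSACTION2_SECONDARY {src} -> {dst}")
```

Only the third constructed flow fires: the SMB2 negotiate is excluded by the version check, and a plain SMB1 TRANSACTION2 without a secondary is not enough on its own. Legacy SMBv1 software that legitimately sends large transactions will still match, which is the false-positive case the post describes, so treat a hit as a pivot point for packet-level review rather than a verdict.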
Here’s what you need to do:
For WannaCry’s current versions, you can use an alternate query to look at the “Path” metadata field for SMB traffic. This query is specific for the in-the-wild WannaCry as of May 15, 2017. Future variants of this malware could use different IP addresses.
Figure 1: Path Metadata
Other means of detecting the traffic with NetMon are possible, but they require deeper packet-level analysis with a DPA rule.
How can you detect a WannaCry exploit? You need the power of LogRhythm NetMon.
LogRhythm NetMon gives you visibility into your network traffic, as well as security analytics that your team needs to monitor your organization’s network. NetMon helps you surface the most advanced threats in real time using application recognition, customizable Deep Packet Analytics, and multidimensional network traffic and behavioral analytics.
To learn more about NetMon, check out our use cases to discover how to quickly recognize and respond to vulnerabilities such as WannaCry, and learn how to develop detections for protocol misuse that attempts to hide malicious activities.

Acknowledgements
Special thanks to these LogRhythm Labs employees for their continued work analyzing and reporting on WannaCry and other threats affecting LogRhythm customers: Ryan Sommers, Andrew Costis, Brian Coulson, Erika Noerenberg, Kim Raburn, Matt Willems, and Nathaniel Quist.