topic Re: WannaCry - how to protect our system with help from PANOS? in General Topics

WannaCry - how to protect our system with help from PANOS?

_slv_ — Sat, 13 May 2017 16:08:11 GMT

Hello

Is it a way to help protect our Windows systems from attacs from internet/lans using url protection (or other technics)?

According to https://mobile.twitter.com/msuiche/status/863284743940575232 it's using hardcoded url so it could be possible.

Regards

Slawek

Re: WannaCry - how to protect our system with help from PANOS?

_slv_ — Sat, 13 May 2017 19:02:18 GMT

Hello

I'm using BrighrCload url categorysation and ...

According to Cisco Talos http://blog.talosintelligence.com/2017/05/wannacry.html this malware using (used) url uqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

but - surprise!! Brighcloud says:

How it is possible? For what we paying?

The same with PAN DB

WIth regards

Slawek

Re: WannaCry - how to protect our system with help from PANOS?

rodvand — Sat, 13 May 2017 19:50:04 GMT

Hi,

You are advised not to block access to that domain. As read on the blog you linked to:

"The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits."

So if you block it the HTTP GET fails and the ransomware executes...

Re: WannaCry - how to protect our system with help from PANOS?

_slv_ — Sat, 13 May 2017 21:56:01 GMT

Hello

693-3991 update package was released about 1h ago and it's covers MS17-010.

But MS17-010 was patched by Microsoft in March 2017 - so why PaloAlto released update for threat provention so late?

Regards

SLawek

Re: WannaCry - how to protect our system with help from PANOS?

rodvand — Sat, 13 May 2017 23:17:41 GMT

PAN released App and threat version 692 in the end of April covering MS017-010 with default action alert. Today's release changes default action to reset-both. In both releases the vulnerability has severity critical.

Re: WannaCry - how to protect our system with help from PANOS?

jsalmans — Sun, 14 May 2017 02:29:15 GMT

Doing a search on the PA Threat Vault it looks like there were some AV and Wildfire signatures added in the last few days as well (search for "wanna").

Re: WannaCry - how to protect our system with help from PANOS?

acc6d0b3610eec313831f7900fdbd235 — Sun, 14 May 2017 04:34:47 GMT

Palo Alto released a blog post on May 12 with an update on May 13 about which methods are available to on PAN-OS to prevent WanaCrypt0r attacks.

UPDATED: Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks

http://researchcenter.paloaltonetworks.com/2017/05/palo-alto-networks-protections-wanacrypt0r-attacks/

Re: WannaCry - how to protect our system with help from PANOS?

bradk14 — Sun, 14 May 2017 10:01:57 GMT

since this thread exists, an emergency update 698 was released yesterday, which I believe changed the default for CVE-2017-0144 and CVE-2017-0146 to reset-both.

but if your vulnerability protection profile always reset for critical, it's moot. only if you're using default should you ensure you are current.

Re: WannaCry - how to protect our system with help from PANOS?

Brandon_Wertz — Mon, 15 May 2017 12:49:02 GMT

@_slv_ So my question is you're concerned about the efficacy of the Brightcloud filtering service, but the URL had (has?) a categorization of "unknown." A good security policy would be to a block "unknown," but in most organizations that's not possible so that's a risk we run. Allowing access to sites not yet categorized in order to provide the least impact to the business while accepting some risk of malicious activity which come from these "unknown" locations.

I'd argue I'd be more concerned about that site being categorized at "sports" and malicious content coming from there versus an "unknown" report.

Re: WannaCry - how to protect our system with help from PANOS?

_slv_ — Mon, 15 May 2017 17:16:19 GMT

@Brandon_Wertz: IMHO PaloALto/BrightCloud should be shamed - this is not first time when well known attack occur (I created my topic at saturday afternoon) and everyone who is concerned about security known this host. Why PANDB and BrightCVloud doesnt categrysied it as malware site - I don't know.

I tryed many time report polish phishing sites to BrightCloud - every time I got respond that everything is OK....

Has anyone know how it was at Cisco/Checkpoint ? When concurent system reported this site/host as a malware?

In situations like this - TIME - is most important thing.

Regards

Slawek

Re: WannaCry - how to protect our system with help from PANOS?

Brandon_Wertz — Mon, 15 May 2017 18:32:21 GMT

@_slv_ Currently Cisco's URL filtering service says the URL which you posted here is "Neutral"

I assume Talos (Cisco' own threat research team) would have told the URL filtering service about the maliciousness of this site.

ZScaler is one of the leading cloud web proxies also shows this site as "benign." I'm not giving Palo / Brightcloud an out, but I think casting aspersions that the service is not adequate is innapropriate in this case.

Bluecoat's URL filtering shows this category as "Suspicious.

Re: WannaCry - how to protect our system with help from PANOS?

jvalentine — Mon, 15 May 2017 18:50:35 GMT

@_slv_ Please read this article:

- https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack

The infection STOPS if the malware can reach the domain successfully.

If you block the domain, then the encryption/ransomware process STARTS.

Given this information, please let us know why you believe the domain should be blocked.

Re: WannaCry - how to protect our system with help from PANOS?

_slv_ — Mon, 15 May 2017 19:11:46 GMT

@jvalentine:that's wired ... blocking c&c starting encrypting..

we will see how will behave new wariants ot wannacry.

Regards

Slawek

Re: WannaCry - how to protect our system with help from PANOS?

jvalentine — Tue, 16 May 2017 00:46:12 GMT

@_slv_ It certainly is different than what you would expect. It's not really C2, though... the working theory is that the author placed that check as a "kill switch" in case they wanted to stop the campaign.

And you're absolutely correct... new variants will pop-up and their behaviors will need to be analyzed.

Re: WannaCry - how to protect our system with help from PANOS?

_slv_ — Tue, 16 May 2017 07:13:39 GMT

Hello

And we have "new one" without killing-switch http://www.securityweek.com/patched-wannacry-ransomware-has-no-kill-switch