WannaCry - how to protect our system with help from PANOS?


L4 Transporter

Hello

Is there a way to help protect our Windows systems from attacks from the internet/LANs using URL protection (or other techniques)?

According to https://mobile.twitter.com/msuiche/status/863284743940575232 it's using a hardcoded URL, so it could be possible.

Regards

Slawek


L4 Transporter

Hello

I'm using BrightCloud URL categorisation and ...

According to Cisco Talos http://blog.talosintelligence.com/2017/05/wannacry.html this malware is using (used) the URL uqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

but - surprise!! BrightCloud says:

[screenshot: 2017-05-13_205900.png]

How is it possible? What are we paying for?

The same with PAN-DB

[screenshot: 2017-05-13_210120.png]

With regards

Slawek

Hi,

You are advised not to block access to that domain. As read on the blog you linked to:

"The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits."

So if you block it, the HTTP GET fails and the ransomware executes...

Hello

The 693-3991 update package was released about 1h ago and it covers MS17-010.

But MS17-010 was patched by Microsoft in March 2017 - so why did Palo Alto release the threat prevention update so late?

Regards

Slawek

PAN released App and Threat version 692 at the end of April covering MS17-010 with the default action alert. Today's release changes the default action to reset-both. In both releases the vulnerability has severity critical.

Doing a search on the PA Threat Vault it looks like there were some AV and Wildfire signatures added in the last few days as well (search for "wanna").

Palo Alto released a blog post on May 12 with an update on May 13 about which methods are available on PAN-OS to prevent WanaCrypt0r attacks.

UPDATED: Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks

http://researchcenter.paloaltonetworks.com/2017/05/palo-alto-networks-protections-wanacrypt0r-attack...

Since this thread exists: an emergency update 698 was released yesterday, which I believe changed the default for CVE-2017-0144 and CVE-2017-0146 to reset-both.

But if your vulnerability protection profile always resets for critical, it's moot. Only if you're using the default should you ensure you are current.


--
CCNA Security, PCNSE7

@_slv_ So my question is: you're concerned about the efficacy of the BrightCloud filtering service, but the URL had (has?) a categorization of "unknown." A good security policy would be to block "unknown," but in most organizations that's not possible, so that's a risk we run. Allowing access to sites not yet categorized provides the least impact to the business while accepting some risk of malicious activity coming from these "unknown" locations.

I'd argue I'd be more concerned about that site being categorized as "sports" and malicious content coming from there versus an "unknown" report.

@Brandon_Wertz: IMHO Palo Alto/BrightCloud should be shamed - this is not the first time a well-known attack has occurred (I created my topic on Saturday afternoon) and everyone who is concerned about security knew this host. Why PAN-DB and BrightCloud didn't categorise it as a malware site - I don't know.

I tried many times to report Polish phishing sites to BrightCloud - every time I got a response that everything is OK....

Does anyone know how it was at Cisco/Checkpoint? When did competing systems report this site/host as malware?

In situations like this - TIME - is the most important thing.

Regards

Slawek

@_slv_ Currently Cisco's URL filtering service says the URL which you posted here is "Neutral"

[screenshot: Cisco_URL_Lookup.PNG]

I assume Talos (Cisco's own threat research team) would have told the URL filtering service about the maliciousness of this site.

ZScaler, one of the leading cloud web proxies, also shows this site as "benign." I'm not giving Palo / BrightCloud an out, but I think casting aspersions that the service is not adequate is inappropriate in this case.

[screenshot: ZScaler_URL_Lookup.PNG]

Bluecoat's URL filtering shows this category as "Suspicious."

[screenshot: BC.PNG]

@_slv_ Please read this article:

 - https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-...

The infection STOPS if the malware can reach the domain successfully.

If you block the domain, then the encryption/ransomware process STARTS.

Given this information, please let us know why you believe the domain should be blocked.

@jvalentine: that's weird ... blocking C&C starts encrypting..

We will see how new variants of WannaCry will behave.

Regards

Slawek

@_slv_ It certainly is different than what you would expect. It's not really C2, though... the working theory is that the author placed that check as a "kill switch" in case they wanted to stop the campaign.

And you're absolutely correct... new variants will pop up and their behaviors will need to be analyzed.
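As an added illustration of the point made in the replies above (this is not code from the thread, from Palo Alto Networks or from any vendor): a host that manages an HTTP GET to the kill-switch domain is infected but halted, while a URL-filtering profile that blocks "unknown" (the category the domain had at the time) would turn that into an encrypting infection. The CSV log layout, IP addresses and action names are constructed for the example.

```python
from collections import OrderedDict

# Kill-switch domain quoted from the Talos write-up linked in the thread,
# kept defanged with [.] so it never becomes a live link by accident.
KILL_SWITCH_DEFANGED = "uqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"
KILL_SWITCH_DOMAIN = KILL_SWITCH_DEFANGED.replace("[.]", ".")

# Constructed sample log lines in a simplified, made-up CSV layout
# (timestamp,src_ip,host,action,category); NOT the real PAN-OS log format.
SAMPLE_LOG = """\
2017/05/13 20:59:00,10.1.1.7,uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com,allow,unknown
2017/05/13 20:59:05,10.1.1.7,update.microsoft.com,allow,computer-and-internet-info
2017/05/13 21:01:20,10.1.2.9,uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com,block-url,unknown
2017/05/13 21:02:11,10.1.3.4,www.example.com,allow,unknown
"""

# Action names are assumed for this example; adapt them to your log source.
BLOCKING_ACTIONS = {"block-url", "block", "reset-both", "reset-client"}


def parse_line(line):
    ts, src, host, action, category = line.strip().split(",")
    return {"ts": ts, "src": src, "host": host.lower(),
            "action": action.lower(), "category": category.lower()}


def triage_kill_switch(log_text):
    """Map src_ip -> verdict for every host that requested the kill-switch domain.

    'halted'  : the GET was allowed, so the sample exited, but the host IS infected
                and still needs MS17-010 patching and investigation.
    'blocked' : the GET was blocked; per the thread the sample then proceeds to
                encrypt, so this host needs immediate isolation.
    """
    verdicts = OrderedDict()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["host"] != KILL_SWITCH_DOMAIN:
            continue
        verdicts[rec["src"]] = "blocked" if rec["action"] in BLOCKING_ACTIONS else "halted"
    return verdicts


def would_profile_block_kill_switch(blocked_categories, domain_category="unknown"):
    """True if a URL-filtering profile blocking these categories would also block
    the kill-switch domain (categorised 'unknown' when the thread was written)."""
    return domain_category.lower() in {c.lower() for c in blocked_categories}
```

Run `triage_kill_switch(SAMPLE_LOG)` to list hosts by verdict; any "blocked" entry is both an infected host and a profile misconfiguration worth fixing.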

Hello

And we have a "new one" without a kill switch: http://www.securityweek.com/patched-wannacry-ransomware-has-no-kill-switch
