05-13-2017 09:08 AM
Hello
Is there a way to help protect our Windows systems from attacks from the internet/LANs using URL protection (or other techniques)?
According to https://mobile.twitter.com/msuiche/status/863284743940575232 it's using a hardcoded URL, so it could be possible.
Regards
Slawek
05-13-2017 12:02 PM
Hello
I'm using BrightCloud URL categorisation and ...
According to Cisco Talos http://blog.talosintelligence.com/2017/05/wannacry.html this malware is using (used) the URL uqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
but - surprise!! BrightCloud says:
How is it possible? What are we paying for?
The same with PAN DB.
With regards
Slawek
05-13-2017 12:50 PM
Hi,
You are advised not to block access to that domain. As read on the blog you linked to:
"The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits."
So if you block it the HTTP GET fails and the ransomware executes...
05-13-2017 02:56 PM
Hello
The 693-3991 update package was released about 1h ago and it covers MS17-010.
But MS17-010 was patched by Microsoft in March 2017 - so why did Palo Alto release the update for threat prevention so late?
Regards
Slawek
05-13-2017 04:17 PM
PAN released App and Threat version 692 at the end of April covering MS17-010 with default action alert. Today's release changes the default action to reset-both. In both releases the vulnerability has severity critical.
05-13-2017 07:29 PM
Doing a search on the PA Threat Vault it looks like there were some AV and Wildfire signatures added in the last few days as well (search for "wanna").
05-13-2017 09:34 PM
Palo Alto released a blog post on May 12 with an update on May 13 about which methods are available on PAN-OS to prevent WanaCrypt0r attacks.
UPDATED: Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks
05-14-2017 03:01 AM
Since this thread exists: an emergency update 698 was released yesterday, which I believe changed the default for CVE-2017-0144 and CVE-2017-0146 to reset-both.
But if your vulnerability protection profile always resets for critical, it's moot. Only if you're using default should you ensure you are current.
05-15-2017 05:49 AM
@_slv_ So my question is: you're concerned about the efficacy of the Brightcloud filtering service, but the URL had (has?) a categorization of "unknown." A good security policy would be to block "unknown," but in most organizations that's not possible, so that's a risk we run: allowing access to sites not yet categorized in order to provide the least impact to the business while accepting some risk of malicious activity which comes from these "unknown" locations.
I'd argue I'd be more concerned about that site being categorized at "sports" and malicious content coming from there versus an "unknown" report.
05-15-2017 10:14 AM - edited 05-15-2017 10:16 AM
@Brandon_Wertz: IMHO Palo Alto/BrightCloud should be shamed - this is not the first time a well-known attack has occurred (I created my topic on Saturday afternoon) and everyone who is concerned about security knew this host. Why PANDB and BrightCloud didn't categorise it as a malware site - I don't know.
I tried many times to report Polish phishing sites to BrightCloud - every time I got a response that everything is OK....
Does anyone know how it was at Cisco/Checkpoint? When did competing systems report this site/host as malware?
In situations like this - TIME - is the most important thing.
Regards
Slawek
05-15-2017 11:31 AM - edited 05-15-2017 11:32 AM
@_slv_ Currently Cisco's URL filtering service says the URL which you posted here is "Neutral".
I assume Talos (Cisco's own threat research team) would have told the URL filtering service about the maliciousness of this site.
ZScaler, one of the leading cloud web proxies, also shows this site as "benign." I'm not giving Palo / Brightcloud an out, but I think casting aspersions that the service is not adequate is inappropriate in this case.
Bluecoat's URL filtering shows this category as "Suspicious."
05-15-2017 11:50 AM
@_slv_ Please read this article:
The infection STOPS if the malware can reach the domain successfully.
If you block the domain, then the encryption/ransomware process STARTS.
Given this information, please let us know why you believe the domain should be blocked.
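The two replies above (the quote from the Talos write-up and the restatement here) both make the same point: a host that reaches the domain has already run the malware, and a host whose request was blocked or timed out continued to encryption. The following triage script is an added example, not code from this thread or from Palo Alto Networks. It takes constructed proxy/firewall log lines in a simple space-separated format that is assumed for the example (not PAN-OS log syntax), uses the domain exactly as quoted in the thread (defanged with "[.]"), and treats any returned HTTP status as a successful fetch, which is an assumption about the sample's check; the thread only says the GET must succeed. The output is a per-host verdict a responder can act on, rather than a block decision.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Kill-switch domain as quoted in the thread, defanged with "[.]".
KILL_SWITCH_DOMAIN_DEFANGED = "uqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"

# Constructed log format assumed for this example (not PAN-OS syntax):
# <timestamp> <src_ip> <allow|block> <method> <host> <http_status or "-">
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<action>allow|block)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<status>\d{3}|-)$"
)

# Constructed sample lines: two hosts fetch the domain successfully, one is blocked
# by the firewall, one is allowed but never gets an HTTP response, one is unrelated.
SAMPLE_LOG = [
    "2017-05-13T09:01:02Z 10.0.0.5 allow GET uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 200",
    "2017-05-13T09:01:05Z 10.0.0.7 block GET uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -",
    "2017-05-13T09:02:10Z 10.0.0.9 allow GET www.example.com 200",
    "2017-05-13T09:02:40Z 10.0.0.11 allow GET uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -",
    "2017-05-13T09:03:00Z 10.0.0.5 allow GET uqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 200",
    "this line is malformed and is skipped",
]


@dataclass
class Finding:
    src_ip: str
    events: int
    verdict: str  # "ran-but-exited" or "ran-and-continued"


def refang(domain: str) -> str:
    """Turn a defanged indicator ("example[.]com") back into a matchable host name."""
    return domain.replace("[.]", ".").lower()


def triage(lines: List[str], indicator: str = KILL_SWITCH_DOMAIN_DEFANGED) -> Dict[str, Finding]:
    """Map each source IP that touched the kill-switch domain to a worst-case verdict.

    Any request at all means the sample executed on that host. A request the
    firewall allowed and that received an HTTP status is treated as the successful
    GET that makes the sample exit; anything else means the check failed and the
    infection routine continued.
    """
    target = refang(indicator)
    findings: Dict[str, Finding] = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("host").lower() != target:
            continue
        src = m.group("src")
        fetched = m.group("action") == "allow" and m.group("status") != "-"
        verdict = "ran-but-exited" if fetched else "ran-and-continued"
        prev = findings.get(src)
        if prev is None:
            findings[src] = Finding(src, 1, verdict)
        else:
            prev.events += 1
            # Escalate: one failed check outweighs any number of successful ones.
            if verdict == "ran-and-continued":
                prev.verdict = verdict
    return findings


RESPONSE = {
    # Host ran the dropper but the kill switch stopped it: still compromised and unpatched.
    "ran-but-exited": "isolate, patch MS17-010, scan for the dropper",
    # Kill-switch check failed, so encryption proceeded: treat as active ransomware.
    "ran-and-continued": "isolate immediately, assume files are encrypted, start IR",
}


def report(findings: Dict[str, Finding]) -> List[str]:
    """Render one actionable line per affected host, worst verdicts first."""
    order = sorted(findings.values(), key=lambda f: (f.verdict != "ran-and-continued", f.src_ip))
    return [f"{f.src_ip}: {f.verdict} ({f.events} event(s)) -> {RESPONSE[f.verdict]}" for f in order]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Note that the blocked host (10.0.0.7) and the allowed-but-timed-out host (10.0.0.11) land in the same bucket: what matters to the sample is whether the GET succeeded, not whether a firewall rule fired, which is why "allow" alone is not a safe signal either. The unrelated host 10.0.0.9 never appears in the findings.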
05-15-2017 12:11 PM
@jvalentine: that's weird ... blocking C&C starts encrypting..
We will see how new variants of WannaCry will behave.
Regards
Slawek
05-15-2017 05:46 PM
@_slv_ It certainly is different than what you would expect. It's not really C2, though... the working theory is that the author placed that check as a "kill switch" in case they wanted to stop the campaign.
And you're absolutely correct... new variants will pop-up and their behaviors will need to be analyzed.
05-16-2017 12:13 AM
Hello
And we have a "new one" without a kill switch: http://www.securityweek.com/patched-wannacry-ransomware-has-no-kill-switch