How to protect against WannaCrypt with Palo Alto Networks

For every FireWall administrator who has already implemented our recommended Security Best Practices
Have a smile on your face, sit back and relax - you are covered, just tell the system guys to get their patching done and install Traps.

For everyone else
Get started if you don't want to get into trouble and let us know if you need help or
join the new EDU-210: Configuration- and Cyberthreat Management training where we teach you how to protect your network effectively

​After having spent the entire weekend on the phone to customers worried about WannaCrypt (also known as WannaCry) and asking what to do, I thought I write a quick blog post with all the things you need, to protect against this nasty ransomware  using Palo Alto Networks Security platform.

Let's start with the good news, a security researcher “MalwareTech” accidentally stopped the initial outbreak by registering a DNS name he found in the malware code. So all done and no need to worry? Well I don't think so because is very simple for the threat actor behind the WannaCrypt ransomware or any copycats to change the code. Apparently Kaspersky already found a variant without the kill-switch but it had a bug in the malware which prevent it from spreading "Yes, malware has bugs too ;)" 

One important point up-front Installing the Windows update MS17-010 is crucial but will not protect you against this initial infection !

Be assured it isn't over yet !!!

sStage 1 - Initial Infection of the first Device
In the first stage a device gets infected with malware. In case of WannaCrypt, there is no proof yet on how the initial infection exactly happend. There are numerous possibilities like for instance a malicious Word document distributed in phishing e-mails which is the classical threat vector for ransomware these days. However based on what we have seen on Friday, with so many attacks happening at the same time, it is hard to believe that users in so many well known companies opened malicious e-mail attachments and nobody has evidence of these e-mails. My personal theory is that the threat actor behind WannaCrypt simply bought access to devices which were already infected with malware and with this was able to check if the Microsoft patch was already deployed in its victims network. This wouldn't be unusual as today's cybercrime is very well organise with hackers specialising on specific attacks like infecting devices, deploying a remote access Trojan and then selling the access to others. What is clear in case, is that you have to protect your network from the initial infection. So let's explore the most common possibility.

1. Victim: A user receives a phishing e-mail with a malicious Word attachment
   1. FireWall Protection:
      1. Apply AntiVirus to inbound SMTP traffic and make sure your Wildfire signatures are checked and installed every minute - If the SMTP traffic passes through the FireWall and Wildfire already knows about the malicious attachment then the FireWall would block the e-mail. Tip: Make sure the SMTP traffic isn't encrypted and the FireWall is able to detect files. You can check this in the data filtering log. The filter "( app eq smtp )" should show Email Links and other attachments on SMTP traffic coming from the Internet.
      2. Apply a Wildfire security profile to inbound SMTP traffic - If Palo Alto Networks didn't know yet about the file then the FireWall will upload it to Wildfire for analysis.
      3. Enable a Log Forwarding profile with Wildfire E-Mail Alerts to inbound SMTP traffic - Wildfire will issue a report after five minutes in case the attachment was malicious and the FireWall will send an immediate alert via E-Mail.
   2. Other Protection: If you have one of the better E-Mail Security Solution like Proofpoint then it should block the delivery of the e-mail in the first place. Tip: If you have a Wildfire subscription then you can integrate it with Proofpoint free of charge.
2. Victim: The User gets tricked to open the malicious Word attachment and clicks "Enable Content". The Word document includes a malicious macro which, in the background and without the users knowledge, downloads the real WannaCrypt malware executable (PE) from the Internet, installs it on the device and starts to encrypt files.
   1. FireWall Protection:
      1. Apply URL Filtering to Internet Outbound traffic and block the URL Categories  "malware" and "phishing" - The FireWall not only uploads files to Wildfire but also the information from where they were downloaded from. With this Wildfire will update Palo Alto Networks PAN-DB URL Filtering every half an hour with malicious URLs which makes it very effective blocking access to bad URLs.
      2. Apply URL Filtering to Internet Outbound traffic and block the URL Categories "unknown" - While Wildfire updates PAN-DB very quickly, it still means that it would have had received at least one malicious sample. Therefore unknown URLs should also be blocked. Tip: PAN-DB is very quick at picking up and categorising unknown URLs. So blocking unknown URLs isn't as big of a risk as you might think it is. In any case you should still do a quick check in your URL Filtering log to see if there are any legitimate unknown URLs that you need to categorise beforehand.
      3. Apply a File blocking profile to Internet Outbound traffic and block the Download of Executable Files "PE" as well as "Multi-Level-Encoding" - Most attacks including WannaCrypt depend on the download of an portable executable "PE" because the initial exploit or Office macro doesn't provide enough capabilities to do whatever the hacker wants to do like encrypting files and ask for a ransom. Blocking the download of executables is therefore highly effective. Tip: You will need to setup additional rules to allow the download of executables from trusted sources like various update application. Although it's rare, please be aware that there are evasion techniques which prevent the FireWall from identifying files in a traffic stream.
      4. Enable SSL Decryption - SSL is very commonly used by hackers to evade detection and therefore SSL Decryption is essential. Tip: Always apply a SSL Decryption profile blocking all the bad staff from day one to make SSL Decryption effective but use User-ID to apply SSL Decryption only to a small test group which you expand over time to check for any applications that are broken by SSL Decryption and need to be excluded.
   2. Traps Advanced Endpoint Protection:
      1. Wildfire Office file protection (New default policy in Traps v4.0) - Traps local analysis engine detects and blocks suspicious office documents that include macros which are commonly used by ransomware like WannaCrypt. Traps will still upload the suspicious office documents to Wildfire to confirm the verdict and should it have been a false positive then the verdict will be overwritten so that the user can open the document again after about 10min.
      2. Child Process Protection (New default policy in Traps v4.0) - Traps is blocking Office to launch child processed like powershell which is used by malicious office documents to instruct the PC to download and run the WannaCry ransomware from the Internet
      3. Setup E-Mail Alerts - Office documents which are not detected as malware by the local analysis but include a macro (and only if they have a macro) are still uploaded to Wildfire for analysis, should the file turn out to be malicious then Traps will log a post detection event and send an alert via E-Mail
      4. Wildfire Malware Protection - Traps blocks any executable files / applications that are already known to Wildfire as malware. Traps local analysis detects and blocks suspicious executable files / applications that are not yet known to Wildfire. Executables which are not detected as malware by the local analysis are still uploaded to Wildfire for analysis, should the file turn out to be malicious then Traps will log a post detection event and send an alert via E-Mail
      5. Setup a Wildfire policy to Block Unknown PEs - Any executables which are not yet known to Wildfire should be blocked. Tip: You can setup a custom message under Agent settings informing the user that the file is under investigation and he can try again to launch it in 10min at which point a verdict from Wildfire would be available. The Wildfire Unknown Verdicts Recheck Interval should be reduced to one minute to make sure the verdict is available on the ESM
   3. Other Protections: Don't feel safe with your old AntiVirus as it only stops known malware signatures. Hackers use Crypters to generate self-decrypting executables and with this malware always has a new signature at time of download which evades your AntiVirus. Even the big guys like McAfee and Symantec openly admit that they would only block about 40-45% of malware and guess what, the remaining 60% is what really causes the big damage so AntiVirus is effectively useless and a waste of money.
3. Victim: The WannaCrypt Ransomware on the infected device tries to use Tor to communicate with the hackers command and control server. This can be used to upload the encryption key, receive updates and other instructions. Some posts suggest that Tor is also used by the malware to receive the decryption key to decrypt the files after a ransom has been paid. In my opinion: Never ever pay Ransomware as you will fund the next malware campaign.
   1. FireWall Protection: Setup a "Block Known Bad" rule at the top of your rulebase blocking tor and any other applications which you never ever want to allow in your network.
   2. Traps Advanced Endpoint Protection: Not needed as it wouldn't have gotten to this stage with Traps being installed and setup correctly :)

Stage 2 - Distribution of the Malware inside of your Network
The real problem starts at stage two. Once the first device in your network is infected or an already compromised machine connects to your network, then it will scan the entire network for devices which a vulnerable to the EternalBlue exploit (CVE-2017-0143 to 0148). Once it has found new victims, which is effectively every Windows machine not patched with MS17-010, it implants the DoublePulsar backdoor to install the WannaCrypt ransomware and this time the user on the new victims machine doesn't have to do anything which means the domino effect starts and it is spreading everywhere bringing your company's IT operation to a hold.

1. FireWall Protection:
   1. Implement a Zero Trust Architecture - The FireWall can only protect communication which is transferred over the FireWall. This means that your Next-Generation FireWall cannot do anything from WannaCrypt spreading in your network if it is not in-between the initially infected users and any potential victim. This shows that it is no longer enough to just have a FireWall at the Internet Perimeter but also at least between your users and your datacentre
   2. Apply a Vulnerability Protection Profile to all internal communication with severity critical set to reset-both - Palo Alto Networks already released signatures to block exploits related to MS17-010 (CVE-2017-0143 to 0148) at the middle of April. Please make sure to install as well the latest content update 693-3991 or higher as it includes an update to these signatures
2. Traps Advanced Endpoint Protection:
   1. Exploit prevention (default policy) - Traps Exploit Prevention Modules (EPMs) prevent against exploits of the Microsoft Windows Vulnerabilities patched in MS17-010 (CVE-2017-0143 to 0148) and with this also protects unpatched servers and workstations Tip: Please make sure that all devices have been restarted after the installation of Traps as EPMs are only injected when a process is started.
   2. Malware Prevention - All the malware prevention techniques as described above will also prevent the infection of new victims with WannaCrypt as long as Traps is installed.
   3. Update to the latest content update to make sure all recommended default policies are in place.
3. Other Mitigation:
   1. Keep patching all of your systems for MS17-010 as any unpatched system is a ticking time bomb from a security point of view. Please note that a hotfix has also been released for Windows Server 2003 and XP. I would also highly recommend you to run an internal vulnerability scan to detect devices which are not patched. It has been a while since I saw a worm like this but even today we still see devices being infected with Conficker, a worm from 2008 which released new variants every month until mid-2009. Conficker’s command and control infrastructure has long being destroyed but there are still lots of infected devices, mostly machines for special functions like cash tills and door opening systems that were not part of the active directory domain. Therefore it is very important to do such a scan to identify all potential victim machines in your network.

---

Disclaimer: Consigas Limited accepts no liability for the content of this blog post, or for the consequences of any actions taken on the basis of the information provided. Any views or opinions presented in this document are solely those of the author and do not necessarily represent those of Palo Alto Networks.