Refs:
  https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/
  https://heimdalsecurity.com/blog/bluedoom-worm-eternablue-nsa-exploits/
  https://blog.varonis.com/eternalrocks/

Refs for EternalRocks / MicroBotMassiveNet:
  https://blog.joshlemon.com.au/wannacry-fact-from-fiction
  https://github.com/stamparm/EternalRocks/
  https://github.com/fabrimagic72/malware-samples/tree/master/EternalRocks
  https://otx.alienvault.com/pulse/5921c641f6d89f5d69168fd6/

Recommendations:

* Scan for SMB in your environment.
  - If your use of IPv4 space is sparse by routes, dump your internal routing table and convert it to summarized CIDRs.
  - Feed your CIDRs to masscan (https://github.com/robertdavidgraham/masscan) to quickly find internal SMB ports. Masscan randomizes target order, so no single destination office's WAN link gets saturated; the links nearest the scanner and any intermediate links still carry the whole packet rate, so tune --rate to what they can take:

      sudo masscan -p137,139,445,U:137,U:138 --rate=[packets-per-second safe for your network] -iL routes.list -oG masscan-smb.list

  - Pull the host addresses out of the grepable output into a plain one-per-line list (nmap -iL does not understand the "Host: ... Ports: ..." format), then feed that list to a scanner that checks for the vulnerability itself. Only TCP 139/445 matter for the MS17-010 check; the NetBIOS UDP ports are useful for inventory but not for the vulnerability test.

    Option 1: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

      sudo nmap -T4 -p139,445 --script smb-vuln-ms17-010.nse -iL smb-hosts.list -oA nmap-smb-vuln

    NOTE: You will need a modern nmap, 7.40+ is best; as of 7.50 the script is bundled with nmap, so --script smb-vuln-ms17-010 works without downloading it. -T5 is faster but drops responses on busy links and silently misses hosts; -T4 is the safer choice when the goal is a complete list.

    Option 2: https://github.com/RiskSense-Ops/MS17-010/tree/master/scanners (the Python 2 one, or the Metasploit auxiliary module if you can use Metasploit internally). The Python one is *not* parallelized, so split the host list across multiple parallel runners if you have a lot of hosts.

  - If you're using SCCM or similar, verify that MS17-010 was applied, but be mindful of Windows-based appliances, lab boxes and anything else not centrally patched. Trust but verify: the scan above is the verification.
  - In parallel, look for low-hanging fruit by OU (workstations?) where SMBv1 can be disabled entirely.
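The scanning steps above, chained end to end as an added example (this is not code from the page or from any of the linked projects): routing table to CIDR list, masscan grepable output to a clean host list, and the nmap MS17-010 / DOUBLEPULSAR check over that list. The ip route and masscan -oG excerpts in the script are constructed sample data; routes_to_cidrs, masscan_smb_hosts and scan_ms17_010 are names chosen here; the script assumes a Linux scanner host (for ip route) and nmap 7.50+ for the bundled scripts; masscan and nmap are only invoked when RUN_SCAN=1.

```shell
#!/bin/sh
# Added example, not from the original page: route table -> CIDR targets,
# masscan -oG output -> host list, host list -> nmap MS17-010 check.
# Sample inputs below are constructed; real tools run only with RUN_SCAN=1.
set -eu
export LC_ALL=C   # stable byte-order sorting regardless of locale

# Take the prefixes from `ip route` output: drop the default route, keep
# IPv4 only, and turn bare host routes into /32s. Adjacent prefixes are not
# summarized here; masscan is happy with a long CIDR list.
routes_to_cidrs() {
    awk '$1 != "default" && $1 ~ /^[0-9]+\./ {
             if ($1 ~ /\//) print $1; else print $1 "/32"
         }' "$1" | sort -u
}

# masscan -oG lines look like "Host: <ip> ()  Ports: <port>/open/<proto>//...".
# nmap -iL wants one target per line, so keep the IP only and dedupe.
# Only hosts with 139/445 TCP open are worth the MS17-010 check: the NSE
# script speaks SMB over TCP, so UDP-only NetBIOS hits are skipped.
masscan_smb_hosts() {
    awk '/^Host:/ && /(139|445)\/open\/tcp/ { print $2 }' "$1" | sort -u
}

# Check the host list for MS17-010 and for an already-implanted DOUBLEPULSAR
# in one pass. Both scripts ship with nmap 7.50+. -T4 rather than -T5: -T5
# drops responses on busy links and quietly leaves hosts out of the report.
scan_ms17_010() {
    sudo nmap -T4 -p139,445 \
        --script smb-vuln-ms17-010,smb-double-pulsar-backdoor \
        -iL "$1" -oA "$2"
}

# --- constructed sample input, in the shape of `ip route` and masscan -oG ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ip-route.txt" <<'EOF'
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.20
10.10.0.0/16 via 10.0.0.1 dev eth0
172.16.5.0/24 via 10.0.0.2 dev eth0
192.168.50.12 via 10.0.0.1 dev eth0
EOF
cat > "$SAMPLE_DIR/masscan-smb.list" <<'EOF'
# Masscan 1.0.5 scan initiated Mon May 22 10:00:00 2017
# Ports scanned: TCP(3;137-139,445) UDP(2;137-138) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.0.5 ()  Ports: 445/open/tcp//microsoft-ds//
Host: 10.0.0.5 ()  Ports: 139/open/tcp//netbios-ssn//
Host: 10.10.3.7 ()  Ports: 445/open/tcp//microsoft-ds//
Host: 10.10.3.9 ()  Ports: 137/open/udp//netbios-ns//
# Masscan done at Mon May 22 10:05:00 2017
EOF

routes_to_cidrs "$SAMPLE_DIR/ip-route.txt" > "$SAMPLE_DIR/routes.list"
masscan_smb_hosts "$SAMPLE_DIR/masscan-smb.list" > "$SAMPLE_DIR/smb-hosts.list"
echo "CIDR targets:";  cat "$SAMPLE_DIR/routes.list"
echo "SMB hosts for nmap:"; cat "$SAMPLE_DIR/smb-hosts.list"

# Real run against your own routing table:  RUN_SCAN=1 RATE=2000 sh scan-smb.sh
if [ "${RUN_SCAN:-0}" = 1 ]; then
    ip route show > "$SAMPLE_DIR/ip-route.txt"
    routes_to_cidrs "$SAMPLE_DIR/ip-route.txt" > routes.list
    sudo masscan -p137,139,445,U:137,U:138 --rate="${RATE:-1000}" \
        -iL routes.list -oG masscan-smb.list
    masscan_smb_hosts masscan-smb.list > smb-hosts.list
    scan_ms17_010 smb-hosts.list nmap-smb-vuln
fi
```

RATE defaults to 1000 packets per second, which is deliberately low; raise it only after checking what the links between the scanner and the farthest targets can absorb. The masscan port list keeps the UDP NetBIOS ports for inventory, but only the TCP hits reach nmap.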
* Apply IOCs to all systems that support them. Potential sources:
    https://github.com/stamparm/EternalRocks/
    https://www.virustotal.com/en/file/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30/analysis/
* Block both Tor exit nodes and web/Tor gateways on all firewalls (pfSense, Check Point, ASA, SonicWall, Palo Alto, etc.). An exit-node list only covers direct Tor traffic; web-to-Tor gateways are ordinary HTTPS sites and need their own domain or category blocks.
* Per Blue Coat docs, "an SSL license is required to effectively block Tor".
* Fast-alert (email-to-SMS?) on any attempt to get around proxy controls (by DNS, web-filtering category, etc.).
* SIEM, Snort, DNS monitoring, full-packet-capture systems, etc.
* Verify detection with your antivirus vendors and prioritize AV updates.
* It installs DOUBLEPULSAR with its default (wide open) configuration, so anyone who finds the implant can use it: keep scanning for DOUBLEPULSAR.
    https://nmap.org/nsedoc/scripts/smb-double-pulsar-backdoor.html
    https://github.com/countercept/doublepulsar-detection-script
* Consider spawning a process that holds this mutex (a mutex vaccine: the worm uses it to avoid running twice, so a process that already holds it keeps a fresh copy from starting): \BaseNamedObjects\{8F6F00C4-B901-45fd-08CF-72FDEFF}
----------------------------------------------------------------------
Blocking exit nodes:

Getting lists, two different methods:
  1. https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1
     (replace 1.1.1.1 with the public IP the exits would be connecting to; the script returns the exits that can reach that address)
  2. wget -q https://check.torproject.org/exit-addresses -O- | grep ExitAddress | cut -f 2 -d ' ' | sort -u > exit-nodes.txt
     (sort -u rather than sort -n: the same exit IP is listed under more than one relay, and -n only orders on the first octet anyway)
----------------------------------------------------------------------
Palo:
  http://www.whodoesitforyou.com/?p=180
----------------------------------------------------------------------
ASA:
  https://www.hacktheplanet.tips/topics/2571
  Prerequisites: Botnet Traffic Filter license for the ASA.
For more information: Cisco ASA Botnet Traffic Filter license.

Example configuration (the name-servers and domain-name are placeholders: the updater client needs working DNS to pull Cisco's dynamic database, and the DNS snooping on the outside interface is what ties resolved names to the IPs it then classifies):

  (config)# dns domain-lookup outside
  (config)# dns server-group DefaultDNSServers
  (config)# name-server 8.8.8.8
  (config)# name-server 8.8.4.4
  (config)# domain-name pc.local
  (config)# dynamic-filter updater-client enable
  (config)# dynamic-filter use-database
  (config)# access-list dynamic-filter_acl extended permit ip any any
  (config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
  (config)# class-map dynamic-filter_snoop_class
  (config-cmap)# match port udp eq domain
  (config-cmap)# exit
  (config)# policy-map dynamic-filter_snoop_policy
  (config-pmap)# class dynamic-filter_snoop_class
  (config-pmap-c)# inspect dns dynamic-filter-snoop
  (config-pmap-c)# exit
  (config-pmap)# exit
  (config)# service-policy dynamic-filter_snoop_policy interface outside

Note: as written this only classifies and logs matches against the dynamic database; nothing is dropped until a "dynamic-filter drop blacklist" rule is added for the interface. The dynamic database is Cisco's malware-domain feed, not a Tor exit list, so the exit IPs gathered above still have to go in separately (static blacklist entries or an ACL object-group on the ASA).

Blue Coat:
  http://bluecoat.force.com/knowledgebase/articles/Solution/000011275
  Note: an SSL license is required to effectively block Tor.

Other refs:
  BlueDoom: https://www.virustotal.com/en/file/cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30/analysis/
  WannaCrypt Map: https://intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all
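The exit-address list handling from the Blocking exit nodes section, as an added example (not the page's own commands and not from the Tor project): it parses the exit-addresses feed format into a deduplicated, octet-sorted list and writes a small apply script for a Linux edge host using ipset and iptables; the commercial firewalls listed above need their own alias or object syntax instead. The feed excerpt is constructed in the layout of the real file, with placeholder fingerprints and documentation-range IPs; exit_ips and ipset_script are names chosen here; the real download runs only when FETCH=1.

```shell
#!/bin/sh
# Added example, not from the original page: Tor exit-addresses feed ->
# deduplicated block list -> ipset/iptables apply script.
# The feed excerpt below is constructed; the real fetch runs only with FETCH=1.
set -eu

TOR_EXIT_URL="https://check.torproject.org/exit-addresses"

# The feed has one "ExitAddress <ip> <timestamp>" line per exit IP of each
# relay, and one IP can appear under several relays. Sort octet by octet
# (plain `sort -n` only orders on the first octet) and dedupe with -u.
exit_ips() {
    awk '$1 == "ExitAddress" { print $2 }' "$1" \
        | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Emit shell commands that build the set off to the side and swap it in,
# so a refresh never leaves the rule pointing at an empty set.
# (Assumed Linux edge host; pfSense/ASA/Palo Alto use their own alias syntax.)
ipset_script() {
    echo "ipset create tor-exits-new hash:ip family inet -exist"
    echo "ipset flush tor-exits-new"
    exit_ips "$1" | sed 's/^/ipset add tor-exits-new /'
    echo "ipset create tor-exits hash:ip family inet -exist"
    echo "ipset swap tor-exits-new tor-exits"
    echo "ipset destroy tor-exits-new"
    # The rules reference the set by name, so they are added once (-C checks
    # for an existing copy) and keep working across swaps. dst blocks hosts
    # reaching out to an exit; src blocks inbound from exits.
    for dir in dst src; do
        echo "iptables -C FORWARD -m set --match-set tor-exits $dir -j DROP 2>/dev/null || iptables -I FORWARD -m set --match-set tor-exits $dir -j DROP"
    done
}

# --- constructed sample feed (placeholder fingerprints, RFC 5737 addresses) ---
SAMPLE_FEED=$(mktemp)
cat > "$SAMPLE_FEED" <<'EOF'
ExitNode 0000000000000000000000000000000000000001
Published 2017-05-22 02:10:17
LastStatus 2017-05-22 03:02:47
ExitAddress 198.51.100.23 2017-05-22 03:05:12
ExitAddress 198.51.100.9 2017-05-22 03:05:12
ExitNode 0000000000000000000000000000000000000002
Published 2017-05-22 01:44:03
LastStatus 2017-05-22 03:02:47
ExitAddress 203.0.113.200 2017-05-22 03:05:40
ExitAddress 198.51.100.23 2017-05-22 03:05:40
EOF

echo "Exit IPs from the sample feed:"
exit_ips "$SAMPLE_FEED"
echo "Apply script from the sample feed:"
ipset_script "$SAMPLE_FEED"

# Real run:  FETCH=1 sh tor-exits.sh   (then review and run apply-tor-block.sh)
if [ "${FETCH:-0}" = 1 ]; then
    FEED=$(mktemp)
    wget -q "$TOR_EXIT_URL" -O "$FEED"
    exit_ips "$FEED" > exit-nodes.txt
    ipset_script "$FEED" > apply-tor-block.sh
    echo "wrote exit-nodes.txt and apply-tor-block.sh"
fi
```

The exit set changes hourly, so the fetch and swap belong in cron rather than run once; the swap keeps the iptables rules valid during every refresh. The sample deliberately lists 198.51.100.23 under two relays and 198.51.100.9 after it, which is exactly the input that a plain sort -n or a missing -u gets wrong.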