I Don’t WannaCry

Since it has now been over a week since WannaCry was released, we now have a better understanding of the systems it infected and how it spreads.  The Washington Post reported that the most infected system is not the highly publicized Windows XP but is in fact Windows 7, with 67% of the infected computers, which Microsoft ended mainstream support for on January 13th, 2015.  Microsoft’s latest operating system, Windows 10, was the second most hit system with 15%, with the remaining consisting of Windows 8.1, 8, XP and Vista.

So what does this tell us?  Even though Windows XP computers were infected, they tended to crash when the virus ran, so most of them avoided infections by sheer luck.  It did not help that Windows XP is out of support and does not receive updates from Microsoft, although Microsoft did release a patch recently in this one instance.  However, Microsoft did release patches for Windows 7, 8, 8.1 and 10 on March 28th, 2017, so this points to the more worrying issue that companies are either not installing Security patches, or the time frame for their patch management process is too long.

The other issue is the lack of mitigation relating to the attack vectors.  WannaCry used email to infect a machine on a network, and then SMBv1 to spread to other machines.   Most companies should be disabling downloads of executable and script files by users at the firewall, and disabling ports 445, 135, 138, and 139 (SMB over TCP/IP and NetBIOS over TCP/IP), which would have prevented infection and the replication to other computers.  Also using an IP reputation list, such as ThreatStop, would block access to IP addresses that might host known and emerging threats such as ransomware, botnets, etc.

But the bigger issue is the continued use of SMBv1 and other similar protocols which are now known to be unsafe and are used by WannaCry to spread.  SMBv1 was replaced in Windows Vista with v2 and in Windows 8 by v3, which are both safer and provide additional security mechanisms, such as SMBv3 providing in-transit encryption, so disabling SMBv1 should be a priority.  Only Windows XP and Windows Server 2000 & 2003 use SMBv1, and they should be isolated, or even better, upgraded due to their out of support status and not being secure.  To disable SMBv1 follow the directions on the Microsoft Support Website.

Other insecure protocols to disable include PCT 1.0, SSL (all versions), TLS v1.0, telnet, and SNMP v1 & 2, which should be disabled on both clients and servers.

And, of course, try to install Security patches as soon as possible, and next time you will not have to worry or wanna cry.

Originally posted at https://newsignature.com/articles/i-dont-wannacry/