Very topical at the moment. A couple of things to watch out for.
More info in this blog post which I will keep updated as new information comes in.
https://www.netfort.com/blog/detect-wannacry-ransomware/
Thanks for the post. Should Network Traffic Analyzer be able to show SMB1 traffic?
This makes another good case for network monitoring, file monitoring, etc.
NetFlow and NBAR2 can detect SMB on port 445, but they cannot differentiate between SMBv1, v2, or v3. Safe to say that by the time you can run a report in NTA to look for the traffic, it would be too late anyway.
Also, check out this article written by a malware analyst who managed to stop the spread of Wannacry: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
Thanks for the response. Yes, had read that article and he bought the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com which has now turned into a sinkhole. Problem is that WannaCry2 is just around the corner and those behind it will make it more robust so it does not go down if one domain is taken out.
From what I understand SMBv1 can only be identified by looking at packet payloads. We have included detection capabilities in our LANGuardian product to report on any servers communicating using SMBv1. Doing further research at the moment to extend this to report on systems that can potentially communicate using this legacy protocol.
Tenable make a product called Passive Vulnerability Scanner (PVS). Think of it as a Snort-style sniffer that specifically looks for protocol versioning, such as SNMPv2 traffic where only SNMPv3 exists. PVS could look for SMBv1 and alert.
It's best to disable SMBv1 in group policy:
https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-win…
Agreed, disable SMB1 everywhere.
These should NOT have to be said:
It doesn't save money to avoid moving to newer operating systems when Microsoft (or others) declares your existing systems obsolete and/or unsupported. It puts your system at risk of easy compromise and loss.
You can also passively identify XP clients by analyzing network traffic. This can be useful for tracking down systems with embedded operating systems. I often see things like hospital equipment running really old operating systems. I cover this off in the video below.
https://www.youtube.com/watch?v=oybbx4B_iA8
Did you see the British nuclear missile submarines run on Windows XP? A bit worrying... Some in the military say it's the Windows XP / Nuclear Submarine edition, so it's security hardened, but I'm not so sure about that at all.
The subject of this thread sounds good...
But isn't it too late if Wannacry is present? I'd expect you'd know WannaCry was in your network by seeing this:
That is very true. What we find sometimes is that on medium/large networks users get afraid when they see this and they don't tell anyone. Network admins get caught in a loop of restoring and restoring while the ransomware keeps active. All they need to know is where the damn client is.
I never thought of that. Silly users!
As a follow-on to the WannaCry post, I have just published this one, which looks at detecting SMBv1 systems in more detail. Now I know you can disable it via group policy and that may be the end of it, but a lot of people are running audits afterwards just to double-check.
How to Detect SMBv1 Use on Your Network Using Traffic Analysis
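Two posts in this thread make the same point: SMB version cannot be told apart from flow records (port 445 is port 445), only from the packet payload, and an audit wants to know both which sessions are actually running on SMBv1 and which clients could only ever speak it. The following is an added example written for this thread, not code from NetFort, LANGuardian or the linked blog post. It classifies a TCP/445 payload by the protocol identifier at the start of the SMB message (0xFF "SMB" for SMB1, 0xFE "SMB" for SMB2/3, 0xFD "SMB" for the encrypted SMB3 transform header), parses the dialect list in an SMB1 Negotiate Protocol Request to distinguish a modern client that merely opens with SMB1 and advertises "SMB 2.???" from a legacy client that offers only SMB1 dialects, and treats any other SMB1 message (including the server's negotiate reply) as proof the session is running on SMBv1. The packets and IP addresses are constructed for the demonstration; the builder functions exist only to produce those samples.

```python
import struct

# Protocol identifiers at the start of every SMB message (after the 4-byte
# NetBIOS Session Service header that carries SMB over TCP/445).
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB3_TRANSFORM_MAGIC = b"\xfdSMB"   # encrypted SMB 3.x transform header
SMB1_COM_NEGOTIATE = 0x72           # SMB_COM_NEGOTIATE command code


def strip_netbios(payload):
    """Drop the NetBIOS session header (type 0x00 + 3-byte big-endian length)
    if present and return the SMB message itself."""
    if len(payload) >= 4 and payload[0] == 0x00:
        length = int.from_bytes(payload[1:4], "big")
        return payload[4:4 + length]
    return payload


def parse_smb1_dialects(msg):
    """Dialect strings offered in an SMB1 Negotiate Protocol Request.
    Layout: 32-byte header, WordCount (1), ByteCount (2, LE), then repeated
    0x02 + NUL-terminated dialect name."""
    if len(msg) < 35:
        return []
    params_end = 33 + 2 * msg[32]                     # skip the parameter words
    if len(msg) < params_end + 2:
        return []
    byte_count = struct.unpack_from("<H", msg, params_end)[0]
    data = msg[params_end + 2: params_end + 2 + byte_count]
    return [chunk.partition(b"\x00")[0].decode("ascii", "replace")
            for chunk in data.split(b"\x02")[1:]]


def classify_smb(payload):
    """Classify one TCP/445 payload by SMB protocol family."""
    msg = strip_netbios(payload)
    result = {"protocol": None, "is_negotiate_request": False,
              "dialects": [], "smb1_only_client": False}
    magic = msg[:4]
    if magic == SMB1_MAGIC and len(msg) >= 32:
        result["protocol"] = "SMB1"
        is_reply = bool(msg[9] & 0x80)                # SMB_FLAGS_REPLY bit
        if msg[4] == SMB1_COM_NEGOTIATE and not is_reply:
            result["is_negotiate_request"] = True
            dialects = parse_smb1_dialects(msg)
            result["dialects"] = dialects
            # A modern client still opens with an SMB1 negotiate but lists
            # "SMB 2.002"/"SMB 2.???" so the server can upgrade; a client
            # offering only legacy dialects cannot speak anything newer.
            result["smb1_only_client"] = bool(dialects) and not any(
                d.startswith("SMB 2.") for d in dialects)
    elif magic == SMB2_MAGIC:
        result["protocol"] = "SMB2/3"
    elif magic == SMB3_TRANSFORM_MAGIC:
        result["protocol"] = "SMB3 (encrypted)"
    return result


def scan_flows(flows):
    """flows: iterable of (src_ip, dst_ip, tcp_payload).
    Returns {host: sorted list of findings} for the audit report."""
    findings = {}
    for src, dst, payload in flows:
        c = classify_smb(payload)
        if c["protocol"] != "SMB1":
            continue
        if c["is_negotiate_request"]:
            if c["smb1_only_client"]:
                findings.setdefault(src, set()).add("client offers only SMB1 dialects")
        else:
            # Any SMB1 message other than the opening request means the
            # negotiated dialect was SMB1, so both ends are using it.
            findings.setdefault(src, set()).add("SMB1 in use")
            findings.setdefault(dst, set()).add("SMB1 in use")
    return {host: sorted(f) for host, f in findings.items()}


# --- constructed sample packets (for demonstration only) ------------------
def _netbios(body):
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb1_negotiate(dialects):
    """Constructed SMB1 Negotiate Protocol Request (WordCount 0)."""
    data = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27
    return _netbios(header + b"\x00" + struct.pack("<H", len(data)) + data)


def build_smb1_negotiate_reply():
    """Constructed SMB1 Negotiate reply: command 0x72 with the reply flag set."""
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x80" + b"\x00" * 22
    return _netbios(header + b"\x00" + struct.pack("<H", 0))


def build_smb2_message():
    """Constructed minimal SMB2 header (StructureSize 64)."""
    return _netbios(SMB2_MAGIC + struct.pack("<H", 64) + b"\x00" * 58)


SAMPLE_FLOWS = [  # constructed: (src, dst, payload)
    ("10.0.0.5", "10.0.0.10", build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])),
    ("10.0.0.10", "10.0.0.5", build_smb2_message()),   # server upgraded to SMB2
    ("10.0.0.77", "10.0.0.10", build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])),
    ("10.0.0.10", "10.0.0.77", build_smb1_negotiate_reply()),  # server accepted SMB1
]

if __name__ == "__main__":
    for host, notes in sorted(scan_flows(SAMPLE_FLOWS).items()):
        print(host, "->", "; ".join(notes))
```

In the constructed sample, 10.0.0.5 opens with SMB1 but advertises SMB 2 dialects and gets an SMB2 reply, so it produces no finding; 10.0.0.77 offers only legacy dialects and the server 10.0.0.10 answers it over SMB1, so both hosts are flagged. Pointing the same logic at a capture or a sensor feed gives the two lists an audit after a group-policy change wants: servers still accepting SMBv1, and clients that would break if it were disabled.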