The latest wave of ransomware, Petya/GoldenEye, started hitting Ukraine, Russia and western Europe earlier today and has already brought down critical infrastructure. Among those confirmed as impacted are Kiev’s main airport and metro system, Ukraine’s state power company, and several large banks, healthcare companies and manufacturing operations.
Like WannaCry, Petya/GoldenEye spreads worm-like and appears to rely primarily on EternalBlue, an exploit for the SMBv1 vulnerability present in most client and server versions of Microsoft Windows. Microsoft patched that vulnerability in March 2017 in security bulletin MS17-010. The flaw sits in the kernel-mode SMBv1 server (srv.sys) and lets an unauthenticated remote attacker execute arbitrary code in kernel mode, i.e. with full system privileges, simply by sending crafted SMB packets to TCP port 445.
There are also indications that CVE-2017-0199 may be involved. This is a vulnerability in how Microsoft Office and WordPad handle OLE objects embedded in documents: a crafted document (commonly RTF) makes the application fetch and execute an HTML Application (HTA) from an attacker-controlled location, which in turn can run arbitrary commands such as PowerShell, without needing macros. It was patched in April 2017.
The CloudPassage Halo SVA module has been alerting on both vulnerabilities since the patches were released a few months ago. If you have closed those SVA alerts by patching your systems since April, you are protected against these two vulnerabilities.
A system is vulnerable only if all three of the following hold: it does not have the MS17-010 security update installed (Microsoft KB 4013389 is the bulletin's knowledge-base article; the actual update packages are per OS version, and on Windows 10 they are superseded by later cumulative updates, so check the installed build rather than a single KB number), SMBv1 is enabled, and no firewall blocks SMBv1 traffic from infected systems.
Patch all affected systems. Until patching is complete, block the SMB and NetBIOS ports (UDP 137 and 138; TCP 137, 139 and 445) to and from any potentially affected system wherever possible. Do not allow unknown systems to connect to servers over SMB.
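The following PowerShell is an added example and is not code from the original post or from CloudPassage Halo. It audits one Windows host against the three conditions above (patch missing, SMBv1 on, SMB reachable from anywhere) and then applies the interim mitigations: turn SMBv1 off, default-deny inbound, and re-allow SMB/NetBIOS only from named clients. It assumes an elevated PowerShell 5.x session on Windows 8.1 / Server 2012 R2 or newer (for `Get-SmbServerConfiguration` and the NetSecurity cmdlets), falls back to the registry on Windows 7 / 2008 R2, and the KB list and the `10.0.0.0/24` client range are the example's own assumptions, to be replaced with the packages and hosts that apply in your environment.

```powershell
# Added example, not part of the original post or of CloudPassage Halo.
# Run from an elevated PowerShell session.

# ASSUMPTION: March 2017 MS17-010 package numbers as known to this example's
# author. Windows 10 cumulative updates supersede them, so no match on
# Windows 10 means "verify the OS build", not "definitely vulnerable".
$Ms17010Kbs = @('KB4012212', 'KB4012215',   # Windows 7 / 2008 R2
                'KB4012213', 'KB4012216',   # Windows 8.1 / 2012 R2
                'KB4012214', 'KB4012217',   # Server 2012
                'KB4012598',                # XP / 2003 / Vista / 8
                'KB4012606', 'KB4013198', 'KB4013429')  # Windows 10 branches

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Exposure {
    # Condition 1: is one of the MS17-010 packages present?
    $patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                      Where-Object { $Ms17010Kbs -contains $_.HotFixID })

    # Condition 2: is the SMBv1 server enabled?
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: SMB1 is on unless the SMB1 value is explicitly 0.
        $reg  = Get-ItemProperty $LanmanParams -ErrorAction SilentlyContinue
        $smb1 = -not ($reg -and $reg.SMB1 -eq 0)
    }

    # Condition 3: is there an enabled inbound allow rule for TCP 445 from any address?
    $open445 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True `
                                   -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            $pf.Protocol -eq 'TCP' -and
            ($pf.LocalPort -eq 'Any' -or $pf.LocalPort -contains '445') -and
            $af.RemoteAddress -eq 'Any'
        }

    [pscustomobject]@{
        Ms17010Patched     = $patched
        Smb1Enabled        = [bool]$smb1
        Smb445OpenToAnyone = [bool]$open445
        LikelyVulnerable   = (-not $patched) -and [bool]$smb1 -and [bool]$open445
    }
}

function Invoke-Smb1Mitigation {
    param(
        # ASSUMPTION: the clients that legitimately need SMB to this host.
        [string[]]$AllowedClients = @('10.0.0.0/24')
    )
    # 1. Disable the SMBv1 server code path that EternalBlue targets.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for Windows 7 / 2008 R2; takes effect after a reboot.
        Set-ItemProperty $LanmanParams -Name SMB1 -Type DWord -Value 0
    }

    # 2. Default-deny inbound on every profile and switch off the built-in
    #    File and Printer Sharing allow rules, which admit SMB from anywhere.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    # 3. Re-allow SMB and NetBIOS only from the permitted clients.
    New-NetFirewallRule -DisplayName 'SMB-In (allowed clients only)' -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort 137, 139, 445 `
        -RemoteAddress $AllowedClients -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName 'NetBIOS-In (allowed clients only)' -Direction Inbound `
        -Action Allow -Protocol UDP -LocalPort 137, 138 `
        -RemoteAddress $AllowedClients -Profile Any | Out-Null
}

# Usage: audit first, mitigate if exposed, then re-audit.
$before = Test-Ms17010Exposure
$before | Format-List
if ($before.LikelyVulnerable) {
    Invoke-Smb1Mitigation -AllowedClients '10.0.0.0/24', '10.0.1.5'
    Test-Ms17010Exposure | Format-List
}
```

The mitigation only scopes inbound SMB. Windows Firewall evaluates block rules ahead of allow rules, so an outbound "everything except our file servers" rule cannot be written as one allow rule; outbound containment of an infected host is better done at the network edge or, as the post suggests, by blocking the ports entirely until patching is complete. Disabling SMBv1 is also worth keeping after the patch is applied, since nothing modern requires the protocol.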
Never open Office documents from unknown or untrusted sources.
CloudPassage customers can use Halo to protect themselves by following these steps:
- Use the Halo SVA module to find vulnerable servers and patch them. Update the Halo Agent to version 3.9.7 or newer wherever possible, to improve detection accuracy.
- Use the Halo CSM module to look for evidence of compromise or for the SMBv1 protocol being active, and remediate.
- Use the Halo Firewall module to write rules that allow only permitted clients to reach the SMB and NetBIOS ports: UDP 137 and 138, and TCP 137, 139 and 445.
See our earlier post on WannaCry for more details on detecting and protecting against these vulnerabilities with CloudPassage Halo.