Last night, I ran a special webcast for the SANS Institute on the outbreak of the WanaCrypt0r malware. One thing I love about SANS is that we always look out for our students. If huge security news breaks during the day at one of our major conferences, we designate an instructor to do impromptu night sessions. These sessions ensure that our attendees stay up to date with what’s going on (since they’ve been stuck in class learning all day). Yesterday, I had the privilege of delivering this material to our attendees in San Diego, CA at our Security West conference.
We simulcast the event and had more than 1,000 people online. I know some who wanted to attend couldn't, but I think we got the video of the webcast posted on YouTube this morning. I released the slides as well. I hope that you find these useful in understanding the threat.
What should we do now?
If you haven't patched, patch now. Microsoft released the patch for MS17-010 on XP and Server 2003 today and you should apply that patch immediately. These systems have the fewest exploit mitigations, so patching them is especially important.
Network segmentation is another option. Rendition Infosec was quoted in a story weeks ago where we recommended segmenting networks using router ACLs and private VLANs. If these aren't an option for some reason, you can always use host-based firewalls to prevent workstations from talking to one another using SMB. The good news is that this activity also limits lateral movement, so it's a double win.
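As an added example (not from the original post or from Rendition Infosec), here is what the host-based firewall option looks like on a Windows workstation: inbound SMB is blocked outright, and outbound SMB to the workstation's own subnet is blocked so one infected workstation cannot reach its neighbours, while file servers on a separate server segment stay reachable. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, an elevated PowerShell session, and that file servers are not on the workstation subnet.

```powershell
# Added example: host-based SMB lockdown for a workstation (MS17-010 mitigation).
# Assumes an Administrator PowerShell session on Windows 8 / Server 2012 or later.
# Assumes file servers live on a different subnet than the workstations.

$SmbPorts = @(445, 139)   # SMB direct-hosted (445) and NetBIOS session (139)

# 1. A workstation almost never needs to *serve* SMB. Blocking inbound 445/139
#    keeps a neighbouring infected host from ever reaching this machine's SMBv1
#    code path, whether or not the patch has been applied yet.
New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 mitigation)' `
    -Direction Inbound -Protocol TCP -LocalPort $SmbPorts `
    -Action Block -Profile Any -Enabled True

# 2. Limit lateral movement *from* this host: no outbound SMB to anything on
#    the local subnet (other workstations). Servers on other subnets are
#    unaffected, so mapped drives keep working. 'LocalSubnet' is a built-in
#    address keyword understood by Windows Firewall.
New-NetFirewallRule -DisplayName 'Block outbound SMB to local subnet' `
    -Direction Outbound -Protocol TCP -RemotePort $SmbPorts `
    -RemoteAddress LocalSubnet -Action Block -Profile Any -Enabled True

# 3. Verify the rules exist and carry the expected port filters.
Get-NetFirewallRule -DisplayName 'Block *SMB*' |
    ForEach-Object {
        $ports = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Protocol  = $ports.Protocol
            Port      = ($ports.LocalPort, $ports.RemotePort | Where-Object { $_ -ne 'Any' }) -join ','
        }
    } | Format-Table -AutoSize

# 4. From a second workstation on the same subnet, confirm 445 no longer answers
#    (replace the placeholder hostname). A blocked port shows TcpTestSucceeded=False.
Test-NetConnection -ComputerName 'WORKSTATION-02.example.local' -Port 445 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

On Windows 7 and Server 2008, which lack the NetSecurity module, the same inbound rule is `netsh advfirewall firewall add rule name="Block inbound SMB" dir=in action=block protocol=TCP localport=445,139`.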
Don’t assume that because the kill switch in this malware was activated, the threat is over. It is not. The release of government hacking tools by Shadow Brokers gives even unsophisticated attackers a leap ahead in their hacking activities. We expect to see more advanced threats emerging in the coming weeks.
The time you spend today battening down the hatches will save immense time and effort later remediating compromise. As always, if you need assistance securing your network, please contact Rendition Infosec for world class information security support.