In addition to our earlier security alert, we would like to provide you with a hands-on security update. What do you need to know, and what can you do specifically to combat infections with WannaCry and other forms of malware?
Install the Windows update MS17-010. Systems that use Windows Update directly receive it automatically. If a central update server (WSUS) is used, an administrator has to approve this update before it is distributed to clients.
Tell staff who bring their own (Windows) laptop or workstation onto the network (BYOD, Bring Your Own Device) that they, too, must make sure their device is up to date. Microsoft released this update on March 14, 2017 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx). For Windows XP and Windows Server 2003, which are no longer supported, a so-called out-of-band update is now also available.
WannaCry spreads across the network over port 445/TCP, the default SMB (Server Message Block) port. SMB is the network protocol Microsoft Windows uses for file sharing between nodes on a network. The exploit abuses a vulnerability in SMB version 1. SMBv1 dates from the 1980s and has long been superseded (Windows Vista and Windows Server 2008 and later negotiate SMBv2, Windows 8 and Windows Server 2012 and later SMBv3), yet it is still installed and enabled by default on all currently supported Windows versions; the MS17-010 bulletin itself lists Windows 10 and Windows Server 2016 among the affected systems. The advice is therefore to disable SMBv1 on every Windows device; Windows Vista / Windows Server 2008 and later can fall back on SMBv2, which is not affected by this vulnerability. See KB2696547, "How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012": https://support.microsoft.com/en-gb/help/2696547
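The following script is an added example, not part of the original advisory or of Microsoft's documentation. It audits a Windows host for the two points above: is an MS17-010 update visible, and is SMBv1 still enabled? If it is, the script disables both the SMBv1 server component and the SMBv1 client (redirector), following the registry and service steps documented in KB2696547 for older Windows versions and the `Set-SmbServerConfiguration` / optional-feature route for Windows 8 and later. The KB numbers are taken from the MS17-010 bulletin; because later monthly rollups supersede them, `Get-HotFix` may show none of them on a host that was patched via a newer rollup, which the script points out rather than treating as proof of a missing patch.

```powershell
# Added example (not from the original advisory): audit and disable SMBv1 on a
# Windows host, then check whether an MS17-010 update is visible.
# Run in an elevated PowerShell session; a reboot is needed to take full effect.
# The KB numbers come from the MS17-010 bulletin. They are superseded by later
# monthly rollups, so a host patched via a newer rollup may report none of them.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$Ms17010Kbs = @(
  'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
  'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
  'KB4012214', 'KB4012217',               # Windows Server 2012
  'KB4012598',                            # Vista / Server 2008, and the out-of-band XP / 2003 fix
  'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)
$LanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
  # Returns the matching hotfix IDs, or nothing if none is visible.
  Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID
}

function Get-Smb1Enabled {
  # Windows 8 / Server 2012 and later expose the SMB server configuration directly.
  if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    return (Get-SmbServerConfiguration).EnableSMB1Protocol
  }
  # Windows 7 / Server 2008 R2: SMB1 is on unless the SMB1 value exists and is 0 (KB2696547).
  $v = (Get-ItemProperty -Path $LanmanServerKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
  return ($null -eq $v -or $v -ne 0)
}

function Disable-Smb1 {
  # Server side: stop accepting SMB1 connections to this host's shares.
  if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
  } else {
    Set-ItemProperty -Path $LanmanServerKey -Name SMB1 -Type DWORD -Value 0 -Force
  }

  # Client side: disable the SMB1 redirector and drop it from the workstation
  # service's dependencies, so this host no longer talks SMB1 outbound (KB2696547).
  sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
  sc.exe config mrxsmb10 start= disabled | Out-Null

  # Windows 8.1 / 10 clients: also remove the optional feature so SMB1 cannot
  # silently come back. Server editions use Remove-WindowsFeature FS-SMB1 instead.
  if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($f -and $f.State -eq 'Enabled') {
      Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
  }
  if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $ff = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    if ($ff -and $ff.Installed) { Remove-WindowsFeature -Name FS-SMB1 | Out-Null }
  }
}

$patched = @(Test-Ms17010Installed)
if ($patched.Count -gt 0) {
  "MS17-010 present: $($patched -join ', ')"
} else {
  "No MS17-010 KB visible via Get-HotFix; verify against WSUS or the bulletin before assuming the host is unpatched."
}

if (Get-Smb1Enabled) {
  "SMBv1 is enabled; disabling server and client components."
  Disable-Smb1
  "Done. Reboot to complete, then re-run this script to verify."
} else {
  "SMBv1 is already disabled."
}
```

Disabling the server side alone is not enough: the client-side redirector (`mrxsmb10`) is what lets a host connect to legacy SMBv1-only devices, and leaving it in place keeps the protocol alive on the network. Test the change against old printers, NAS boxes and scanners before rolling it out, since those are the devices most likely to still need SMBv1.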
WannaCry uses an NSA exploit (known as EternalBlue) that was recently published on the Internet by a group called the Shadow Brokers. WannaCry uses port 139/TCP (NetBIOS session service) and 445/TCP (SMB). Make sure that ports 139/TCP and 445/TCP are not directly reachable from the Internet. If, for whatever reason, these ports do have to be reachable remotely, use a VPN for this, for example. To prevent infection, and above all to limit the impact of an infection, we advise segmenting networks and filtering traffic between the segments. Consider the following measures:
1. Use a DMZ towards the Internet. Place only servers that offer services to, for example, customers in this DMZ.
2. Separate development, test, acceptance and production (OTAP) environments.
3. Separate the office (workstation) network from the segments where servers are placed, and filter traffic between them.
4. Block port 445/TCP between office workstations using the local firewall. A workstation rarely needs to accept SMB connections from another workstation, yet that is exactly how WannaCry spreads within a segment.
5. No SMB access required at all? Filter these ports, for example with a (local) firewall.
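As an added example (not part of the original advisory), the script below implements measures 4 and 5 and the "not reachable from untrusted networks" advice above with the built-in Windows Firewall: it blocks inbound SMB (445/TCP) and NetBIOS session (139/TCP) traffic coming from the office workstation ranges, and blocks all inbound SMB on the Public profile, so a laptop on hotel or home Wi-Fi never serves SMB at all. File servers in a separate server segment stay reachable. The subnets and the file server name are assumptions for this example; replace them with your own.

```powershell
# Added example (not from the original advisory): block workstation-to-workstation
# SMB with the local Windows Firewall while leaving the server segment reachable.
# Run elevated on each workstation, or deploy the same rules through Group Policy.
# Requires the NetSecurity module (Windows 8 / Server 2012 and later).
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Hypothetical office workstation ranges; peers in these ranges never need SMB to us.
$WorkstationRanges = @('10.10.0.0/16', '192.168.50.0/24')
# Hypothetical file server in the server segment, used to verify legitimate SMB still works.
$FileServer = 'fileserver.example.internal'
$SmbPorts   = @(139, 445)

function Set-SmbPeerBlockRules {
  foreach ($port in $SmbPorts) {
    $name = "Block inbound SMB $port from workstation segments"
    # Remove an earlier copy first so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name `
      -Direction Inbound -Protocol TCP -LocalPort $port `
      -RemoteAddress $WorkstationRanges -Action Block -Profile Any -Enabled True | Out-Null
  }

  # On untrusted (Public) networks a workstation should not serve SMB to anyone.
  $name = 'Block inbound SMB on public networks'
  Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
  New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
    -LocalPort $SmbPorts -Action Block -Profile Public -Enabled True | Out-Null
}

function Test-SmbReachability {
  param([string]$Target, [int]$Port = 445)
  # Test-NetConnection ships with Windows 8.1 / Server 2012 R2 and later.
  (Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

Set-SmbPeerBlockRules
Get-NetFirewallRule -DisplayName 'Block inbound SMB*' |
  Format-Table DisplayName, Enabled, Profile, Direction, Action -AutoSize

# Legitimate SMB to the server segment must still work after the change.
"File server reachable on 445: $(Test-SmbReachability -Target $FileServer)"
# To confirm the block itself, run Test-SmbReachability from another workstation
# toward this host: TcpTestSucceeded should now be False.
```

In Windows Firewall a block rule always wins over an allow rule, so the default "File and Printer Sharing" allow rules do not undo these blocks. Keep management hosts (backup, inventory, remote support) out of the blocked ranges, or give them their own allow path through a separate management segment, otherwise their SMB access to workstations stops as well.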
Technical measures are important to protect yourself against malware, but do not let them lull you into a false sense of security. Virus scanners do not reliably stop ransomware at the start of an outbreak (signatures for a new strain lag behind the first infections), so a virus scanner is not always THE solution. Most security incidents start with a human mistake. So how do you avoid becoming a ransomware victim?
A few important tips:
For further information about ransomware or IT security, please feel free to contact us!