{{vm.title}}
25{{vm.includesText}}
{{item}}
{{vm.selectText}}
{{ vm.welcomeLabel.trim() }},
{{ vm.userName }}
{{ vm.text }}
{{vm.newUser1}} {{vm.newUser2}} {{vm.newUser3}} {{vm.newUser4}}
{{ vm.unknownUser }}
{{ vm.title }}
{{ vm.title }}
{{ vm.title }}
- {{ vm.siteSelectorList.flyout.cell1.heading }} {{ site.countryLocale }} {{ vm.siteSelectorList.flyout.cell1.global.countryLocale }}
{{ vm.closeTabLabel }}
- {{ vm.flyout.cell2.title }} {{ vm.flyout.cell2.newTabAllow }} {{ vm.flyout.cell2.title }}
- {{ vm.flyout.cell3.title }} {{ vm.flyout.cell3.newTabAllow }} {{ vm.flyout.cell3.title }}
- {{ vm.flyout.cell1.viewAll.label }} {{ vm.flyout.cell1.viewAll.newTabAllow }} {{ vm.flyout.cell1.viewAll.label }}
WannaCry Global Ransomware Attack
WannaCry Global Ransomware Attack
As of last Friday, a widespread cybersecurity attack using leaked NSA hacking tools is infecting computers in tens of thousands of locations throughout the world.
WannaCry Global Ransomware Attack
As of last Friday, a widespread cybersecurity attack using leaked NSA hacking tools is infecting computers in tens of thousands of locations throughout the world. The malware appears to be launching a large-scale ransomware campaign against dozens of organizations, including hospitals, transportation, manufacturing and telecom companies causing outages, delays and losses.
Ransomware is a debilitating form of malware that breaks into a system and locks users out by encrypting all of their files. That data is then held as “ransom” until the hacker’s demands are met.
The software in today’s massive attack, a variant of “Wanna Cry,” was spread via email and then spreads autonomously via network scans and exploiting other vulnerable systems without the need for an operator action, and demands $300 in Bitcoin. Reports of infected computers have been seen in as many as 100 countries, including the U.K., U.S., China, Russia, Germany, Spain, Italy, Taiwan, and Vietnam.
Immediate Risk Mitigation Countermeasures
Organizations looking to mitigate the risk of becoming compromised should follow the following recommendations:
- Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied. Please note that Microsoft has released security updates for all affected operating systems, including Windows XP and Windows 2003 Server. Please see https://technet.microsoft.com/en-us/library/security/ms17-010.aspx for details.
- All SMBv1 should be disabled immediately if not required or else affected systems must be isolated and heavily monitored. See https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 for details.
- In accordance with known best practices, any organization who has SMB publically accessible via the internet (TCP ports 139, 445) should immediately block all inbound traffic.
- Do not block outbound traffic to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com as this will trigger the encryption of files and folders. This domain has been registered by IT Security researchers from the UK and is actively monitored. It is currently the known 'kill switch' for the malware variant spreading at present.
- Organizations should consider blocking email attachments for the immediate future if this is viable and until such time reliable anti-malware definitions have been made available.
- Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on network. The following C2 Servers have been identified (all TOR hidden servers):
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52ma.onion
- sqjolphimrr7jqw6.onion
- All Cybersecurity systems such as Anti Malware, Anti-Virus, Security Information and Event Management, Intrusion Detection and Prevention etc. should be updated with the latest Indicators of Compromise (IOC) information. See https://www.us-cert.gov/ncas/alerts/TA17-132A for details.
- Organizations operating a Security Operations Centre are advised to start monitoring for IoC’s and notify KPMG's Cybersecurity Team and other Incident Response contacts immediately in the event of IOC detection.
- For systems without patches, organizations should isolate them from the network as much as possible (i.e. via strict VLANs and firewalls with very explicit ACLs, for example only allow TCP 139/445 to file server and domain controllers).
- All end of life machines should be upgraded as a matter of priority as more exploits / malware are expected to be launched for the ETERNALBLUE vulnerability.
Should your organization have been affected and you require immediate assistance, please contact us. Our Cybersecurity team will be on alert to assist.
- Will Nguyen, CISA, CISM – Head of IT Advisory, CIO Advisory
Email: williamnguyen@kpmg.com.vn - Kostja Reim, CISA, CISM, CGEIT – Cybersecurity Leader. Email: rkostja@kpmg.com.vn
Reference links
- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012
- https://www.us-cert.gov/ncas/alerts/TA17-132A
