Case study: the WannaCry ransomware trojan. What went wrong?
First Frame Networkers IT-Security Breakfast, 22 June 2017
Gabriel Kälin, Systems Engineer, Fortinet Switzerland, gkaelin@fortinet.com
Topics
Ransomware trojans
WannaCry in particular
Fortinet's solution
A few basic rules
Was that it?
Ransomware trojans: why?
Immediate monetisation
» Victims pay directly
» No data that first has to be sold
Digital currencies make it easier to collect the proceeds
» No bank transfers needed
» No middlemen needed to shake off law enforcement
» Steadily growing acceptance of digital currencies
Mature criminal support infrastructure
» Ransomware-as-a-service
» Cooperation and division of labour between criminal groups
Bitcoin: anonymous, but traceable
https://rud.is/b/2017/05/14/r%e2%81%b6-tracking-wannacry-bitcoin-wallet-payments-with-r/
What is/was special about WannaCry?
Copyright Fortinet Inc. All rights reserved.
WannaCry: who was affected?
WannaCry: technical background
Vulnerability
» US-CERT Alert TA17-132A
» Microsoft MS17-010, CVE-2017-0143 to CVE-2017-0148
» The vulnerability used is the NSA exploit EternalBlue (CVE-2017-0144)
» The ShadowBrokers leaked the exploits publicly in April
» All relate to the SMB server in Windows, different vulnerabilities
» Vulnerable systems from Windows XP to Windows 10
» Windows 7 to Windows 10 were patched in mid-March
» Public patches for XP and Windows Server 2003 were made available on Saturday, 13 May
» Patched systems were unaffected
Propagation path
» An infected machine probes for other machines listening on port 445 (SMB) and checks for the presence of the DoublePulsar backdoor
» If the backdoor is present, the payload is installed through it
» If it is not, the less reliable exploit route is taken
» Happens without user interaction
Encryption method
» It is a dropper carrying an AES-encrypted DLL
» The decrypted DLL is loaded directly into memory and is never written to disk
» Each file is encrypted with AES-128-CBC, using a unique AES key per file
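The propagation path above has a network signature a defender can look for: one internal host contacting many peers on TCP/445 in a short time, including connections the firewall denies. The following detector is an added example, not Fortinet code or a FortiGate feature; it reads constructed, simplified key=value traffic-log lines (real firewall logs carry more fields) and flags any source that reaches ten or more distinct hosts on port 445 inside a sliding 60-second window.

```python
"""Detect SMB (TCP/445) fan-out from a single internal host, the worm-style
propagation pattern described for WannaCry.

Added example, not Fortinet code. The log lines below are constructed,
simplified key=value records; real firewall logs carry more fields."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample traffic log: 10.1.2.34 sweeps eleven neighbours on 445 in
# six seconds (most denied), 10.1.2.50 talks to one file server normally, and
# 10.1.2.51 touches two shares far apart in time.
SAMPLE_LOG = """\
2017-05-12 10:00:01 srcip=10.1.2.34 dstip=10.1.2.10 dstport=445 action=accept
2017-05-12 10:00:01 srcip=10.1.2.34 dstip=10.1.2.11 dstport=445 action=deny
2017-05-12 10:00:02 srcip=10.1.2.34 dstip=10.1.2.12 dstport=445 action=deny
2017-05-12 10:00:02 srcip=10.1.2.34 dstip=10.1.2.13 dstport=445 action=deny
2017-05-12 10:00:03 srcip=10.1.2.34 dstip=10.1.2.14 dstport=445 action=deny
2017-05-12 10:00:03 srcip=10.1.2.34 dstip=10.1.2.15 dstport=445 action=accept
2017-05-12 10:00:04 srcip=10.1.2.34 dstip=10.1.2.16 dstport=445 action=deny
2017-05-12 10:00:05 srcip=10.1.2.34 dstip=10.1.2.17 dstport=445 action=deny
2017-05-12 10:00:05 srcip=10.1.2.34 dstip=10.1.2.18 dstport=445 action=deny
2017-05-12 10:00:06 srcip=10.1.2.34 dstip=10.1.2.19 dstport=445 action=deny
2017-05-12 10:00:07 srcip=10.1.2.34 dstip=10.1.2.20 dstport=445 action=deny
2017-05-12 10:00:10 srcip=10.1.2.50 dstip=10.1.2.10 dstport=445 action=accept
2017-05-12 10:00:11 srcip=10.1.2.50 dstip=10.1.2.10 dstport=445 action=accept
2017-05-12 10:00:12 srcip=10.1.2.51 dstip=10.1.2.10 dstport=443 action=accept
2017-05-12 10:30:00 srcip=10.1.2.51 dstip=10.1.2.11 dstport=445 action=accept
2017-05-12 10:45:00 srcip=10.1.2.51 dstip=10.1.2.12 dstport=445 action=accept
"""


def parse_line(line):
    """Return (timestamp, fields) for one record, or None if it is malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return ts, fields


def detect_smb_fanout(log_text, window_seconds=60, threshold=10):
    """Return {srcip: peak distinct-destination count} for every source that
    contacted at least `threshold` distinct hosts on TCP/445 within any
    `window_seconds` window. Denied connections count as well: a probe of a
    closed or firewalled host is still a probe."""
    history = defaultdict(deque)                    # src -> (ts, dst) in time order
    in_window = defaultdict(lambda: defaultdict(int))  # src -> dst -> hits in window
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, f = parsed
        if f.get("dstport") != "445":
            continue
        src, dst = f.get("srcip"), f.get("dstip")
        if not src or not dst:
            continue
        q, counts = history[src], in_window[src]
        q.append((ts, dst))
        counts[dst] += 1
        # Slide the window: forget events older than window_seconds.
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            _, old_dst = q.popleft()
            counts[old_dst] -= 1
            if counts[old_dst] == 0:
                del counts[old_dst]
        if len(counts) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(counts))
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT possible SMB worm activity: {src} reached {n} hosts on 445 within 60s")
```

Only 10.1.2.34 is flagged: the file-server client and the host that opened two shares 15 minutes apart fall well under the threshold. In production the threshold and window are tuned against the baseline of legitimate SMB fan-out (backup servers, vulnerability scanners, domain controllers), which are added to an allow-list rather than raising the threshold for everyone.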
Why is WannaCry so remarkable?
1. Propagation does not depend on human involvement
2. The vulnerability is present in all common Microsoft Windows versions
3. The vulnerability became known through the NSA leak
4. The impact goes beyond extortion ("My heart surgery was cancelled")
Fortinet's solution: Advanced Threat Protection and the Security Fabric
Fortinet reference architecture: Advanced Threat Protection (ATP) framework
FortiManager: centralised management
FortiSIEM: security information and event management
FortiCameras: IP surveillance
FortiAnalyzer: logging, analysis, reporting
FortiAuthenticator: user identity management
FortiSandbox (VM): advanced threat protection
ISFW: internal segmentation firewall in front of the application servers
FortiConnectors: for VMX, ACI, OpenStack
FortiMail: email security
FortiWeb / FortiADC: web application firewall and application delivery controllers for the web servers
FortiToken: two-factor authentication
FortiClient: endpoint protection, VPN
FortiDDoS: DDoS attack mitigation
FortiGate & FortiAP: NGFW with wireless controller
Fortinet solutions for AWS & Azure
FortiCloud: analytics & management
Fortinet Security Fabric: how does it benefit my company?
Improves visibility and simplifies operations
» An interconnected solution instead of individual silos
Automatic distribution of threat information automates incident response
Well-designed interplay between the products
» Lower operating costs
Broad partner network (26 Fabric-Ready partners)
Leading threat research: FortiGuard Labs
Fabric diagram labels: Enterprise FW, ISFW/NGFW, Client, Advanced Threat Intelligence, Network, Endpoint, Access, Application, Cloud, Connected UTM, Partner API, Secure Access, NOC/SOC, Advanced Persistent Threat, Data Center
Layers of protection (Fortinet Security Fabric)
Prevent the probing
» FortiGate firewall (port 445)
Protect the vulnerability
» FortiClient vulnerability management
» FortiGate IPS
Block delivery and installation
» FortiGate AV, CPRL and/or web filter
» FortiClient AV, CPRL and/or web filter
Identify new variants
» FortiSandbox
» FortiSIEM
» IoC service
Contain incidents
» FortiGate internal segmentation firewall
Use case: threat hunting, "Who has the hash?"
1. NGFW inspection is performed on the FortiGate; at-risk objects are sent to the FortiSandbox for analysis.
2. The sandbox analyses the threat. If a threat exists, the malicious URLs and hashes are sent to FortiSIEM.
3. FortiSIEM saves the IoCs in its Threat Intelligence Center.
4. Windows agents send file hashes up to the FortiSIEM workers/supervisor, where queries, alerts and reports can be generated to identify possibly compromised machines.
Diagram components: Internet, NGFW (FortiGate), breach detection (FortiSandbox), FortiSIEM, agent manager, Windows agents with file integrity monitoring, SOC window with queries/alerts/reports
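The hunt in step 4 is, at its core, a normalisation and set-membership problem: sandbox verdicts arrive as hashes and URLs in whatever case and form the analysis produced, endpoint agents report hashes in their own form, and a miss caused by mixed-case hex or a URL written with an explicit default port is a compromised machine left standing. The code below is an added example of that correlation, not FortiSIEM or FortiSandbox code; every hash, host name, path and URL in it is a constructed placeholder, and the agent and proxy record formats are simplified stand-ins.

```python
"""Correlate endpoint file-hash reports and proxy URLs against IoCs produced by
a sandbox: the "who has the hash?" hunt.

Added example, not FortiSIEM code. All IoCs, hosts, paths and hashes are
constructed placeholders; the report formats are simplified stand-ins."""
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed "malicious" samples; their digests stand in for sandbox verdicts.
DROPPER_SHA256 = hashlib.sha256(b"placeholder-dropper-bytes").hexdigest()
DLL_SHA256 = hashlib.sha256(b"placeholder-dll-bytes").hexdigest()
BENIGN_SHA256 = hashlib.sha256(b"placeholder-benign-bytes").hexdigest()

# Constructed sandbox output, deliberately inconsistent in case and form.
SANDBOX_IOCS = {
    "hashes": {DROPPER_SHA256.upper(), DLL_SHA256,
               hashlib.md5(b"placeholder-dropper-bytes").hexdigest()},
    "urls": {"HTTP://malicious.example/Payload.exe", "http://c2.example:8080/gate"},
}

# Constructed agent reports: (hostname, file path, reported hash).
AGENT_REPORTS = [
    ("WS-0042", r"C:\Users\Public\dropper-placeholder.exe", DROPPER_SHA256),
    ("WS-0042", r"C:\Windows\System32\notepad.exe", BENIGN_SHA256),
    ("WS-0077", r"C:\ProgramData\dll-placeholder.dll", DLL_SHA256.upper()),
    ("WS-0100", r"C:\temp\unreadable", "not-a-hash"),
]

# Constructed proxy log: "client-ip requested-url".
PROXY_LOG = [
    "10.1.2.34 http://MALICIOUS.example/Payload.exe",
    "10.1.2.50 http://www.example.com/",
    "10.1.2.77 http://c2.example:8080/gate",
]


def norm_hash(h):
    """Lower-case hex for MD5/SHA-1/SHA-256 digests; None for anything else."""
    h = h.strip().lower()
    if len(h) in (32, 40, 64) and all(c in "0123456789abcdef" for c in h):
        return h
    return None


def norm_url(u):
    """Canonical form: lower-case scheme and host, default ports dropped,
    path kept case-sensitive (paths usually are)."""
    p = urlsplit(u.strip())
    host = (p.hostname or "").lower()
    port = f":{p.port}" if p.port and p.port not in (80, 443) else ""
    return f"{p.scheme.lower()}://{host}{port}{p.path or '/'}"


class ThreatIntelStore:
    """In-memory stand-in for a SIEM threat-intelligence store."""

    def __init__(self, iocs):
        self.hashes = {n for n in (norm_hash(h) for h in iocs["hashes"]) if n}
        self.urls = {norm_url(u) for u in iocs["urls"]}

    def hunt_hashes(self, agent_reports):
        """Return {hostname: [(path, normalised_hash)]} for every agent-reported
        file whose hash is a known IoC. Unparseable hashes are skipped."""
        hits = defaultdict(list)
        for host, path, h in agent_reports:
            n = norm_hash(h)
            if n and n in self.hashes:
                hits[host].append((path, n))
        return dict(hits)

    def hunt_urls(self, proxy_lines):
        """Return {client_ip: [url]} for proxy requests to a known-bad URL."""
        hits = defaultdict(list)
        for line in proxy_lines:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            src, url = parts
            if norm_url(url) in self.urls:
                hits[src].append(url)
        return dict(hits)


def run_hunt():
    """Run both hunts over the constructed data and return the two hit maps."""
    store = ThreatIntelStore(SANDBOX_IOCS)
    return store.hunt_hashes(AGENT_REPORTS), store.hunt_urls(PROXY_LOG)


if __name__ == "__main__":
    hash_hits, url_hits = run_hunt()
    for host, files in hash_hits.items():
        print(f"{host}: {len(files)} file(s) match sandbox IoCs -> {files}")
    for ip, urls in url_hits.items():
        print(f"{ip}: contacted known-bad URL(s) {urls}")
```

WS-0042 and WS-0077 are reported even though one agent sent upper-case hex, and both clients that reached the sandbox-reported URLs are found despite case and port differences. The benign notepad.exe and the unreadable report produce no hit; the latter is worth counting separately in a real deployment, because an agent that cannot hash files is itself a visibility gap.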
Three basic rules
Rule 1: avoid infections
Awareness campaigns/training
» Email attachments and web site links are an obvious danger
» Spear-phishing campaigns work
Keep software updated
» Exploit kits & downloaders rely on known vulnerabilities
» Updates are usually available
» If unable to update/patch, increase monitoring
Use a reputable security solution
» Network security gateway with multi-level protection: antivirus, intrusion prevention, IP reputation, URL filtering
Rule 2: make backups
Backups look at mission-critical processes and data repositories
» Example: share drives are not always considered critical until they are lost
Make incremental backups over a long period
Perform restore dry-runs
Ensure that you are backing up the right files
» If new directories are created, make sure that they are part of the backup
» Avoid backing up data you don't need (data retention policies)
Do not back up to connected storage & leave it connected
» Odds are the backups will also be encrypted
» Applies to all storage, including network shares
Rule 3: thorough clean-up is essential
If you paid the ransom:
» Perform a full antivirus check after decryption
» The cyber criminal will come back for more later if he or she can
» System rebuilds & clean-up
If you have backups:
» Best to burn it down
» Re-install the OS, then restore the data
» Avoid restoring system files: backups may be infected
And what actually went wrong?
Affected companies had unpatched systems
Affected companies had publicly reachable file shares (SMB); according to MELANI there are 5 000 of these in Switzerland
The security architecture was not tight enough
» Lacking internal segmentation
» Lacking detection of new threats and their automated removal (Advanced Threat Prevention)
What else is coming our way? Predictions for 2017 from the FortiGuard Labs