[Owasp-leaders] Anybody is involved in an "Security message on recent Ransomware attacks (WannaCry worm)" email

Eoin Keary eoin.keary at owasp.org
Sun May 14 17:58:57 UTC 2017


We (edgescan) sent out the following.
Certainly not a silver bullet but preventative advisory:

WannaCry Update:
Some Information Security technology companies are pointing to the initial attack vector being an encrypted Zip as an email attachment. This seemingly contained JS files that kicked off the WannaCry RansomWare.
Most of the anti-MalWare companies have signatures issued yesterday evening and are blocking the current version of WannaCry.

Recommendations:
Make sure policies at the perimeter of networks are blocking encrypted attachments
During this current period of heightened threat, release of emails with encrypted attachments should not be permitted
Verify the anti-malware solutions deployed throughout the organisation have a signature, or detection string, for WannaCry
Verify that ALL endpoints, including portable devices and servers, are covered with the anti-malware solution and signatures are up to date
If one device on the network is not protected, it could be the entry point and then the SMB vulnerability could be exploited across the network and compromise ALL other computers not patched
Notification to all users on the risks of opening unexpected attachments, no matter how legitimate it looks
Where the MS17-010 patch has not already been deployed to all devices, it must be rolled out as a matter of extreme urgency
Given the publication of the exploit code recently, it was only a matter of time before WannaCry appeared to exploit the vulnerability. It is a fairly safe bet that there will be multiple new variants of WannaCry appearing in the short term. This will require new signature updates. This will be a continuous cycle - an arms race...
The initial vector of compromise will likely change as well - expect methods other than encrypted zip files as attack vectors
The following are the current known file extensions that are used when a file is encrypted. Where an organisation can alert on, or block the creation of, files of this type, please implement immediately. Microsoft File Server Resource Manager (FSRM) can apply these filters.
.wnry
.wcry
.wncry
.wncryt
All existing recommendations to limit the threat of RansomWare still apply, especially the prohibition of use of privileged accounts to access email and Internet services

@eoinkeary
OWASP since 2004!!

> On 14 May 2017, at 17:59, Azzeddine Ramrami <azzeddine.ramrami at owasp.org> wrote:
> 
> I will ask internally at IBM Security X-Force if I can share the message sent to our customer, including Developers.
> 
> If ok I will share it with you.
> 
> Regards
> Azzeddine
> 
> 
> On 14 May 2017 4:49 PM, "Dinis Cruz" <dinis.cruz at owasp.org> wrote:
> Hi, on the topic of the recent WannaCry worm, does anybody have an example of a message (sent to users, developers and sys admins) they can share?
> 
> I'm trying to crowdsource this question :)
> 
> Dinis
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
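
Added example, not part of the original email or of the edgescan advisory: where creation of these files cannot be blocked (for example, no FSRM file screen on a share), a periodic sweep can still alert on the four extensions listed in the advisory and show which directories are affected. The sweep approach, the function names and the sample file names are assumptions made for this illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions listed in the advisory above.
WANNACRY_EXTENSIONS = frozenset({".wnry", ".wcry", ".wncry", ".wncryt"})


def is_flagged(name):
    """True if the file's final extension is on the list (case-insensitive)."""
    return Path(name).suffix.lower() in WANNACRY_EXTENSIONS


def sweep(root):
    """Walk root; return (sorted flagged paths, Counter of hits per directory)."""
    hits, per_dir = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_flagged(name):
                hits.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return sorted(hits), per_dir


def build_sample_tree(root):
    """Constructed sample data: empty files with invented names."""
    for rel in (
        "finance/q1.xlsx.WNCRY",
        "finance/q2.xlsx.wncry",
        "hr/policy.docx",
        "hr/t.wnry",
        "it/notes.wncry.bak",  # not flagged: the final extension is .bak
    ):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits, per_dir = sweep(tmp)
        # Directories with the most hits first, to show where encryption is spreading.
        for directory, count in per_dir.most_common():
            print(f"{count:3d}  {directory}")
        print(f"{len(hits)} flagged file(s) under {tmp}")
```

A hit count that grows between sweeps of the same share is the signal to isolate the host writing to it.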