Archive for May, 2017

WanaCrypt0r aka WannaCry ransomware wreaks havoc worldwide

Tuesday, May 16th, 2017

The WanaCrypt0r ransomware hit with a vengeance on Friday, with the outbreak beginning in Europe, striking hospitals and other organisations, then quickly spreading across the globe. As of 1:00pm Pacific Time, it is believed more than 57,000 systems in more than 74 countries had been affected.

Researchers at SentinelOne have determined that the Endpoint Protection Platform does successfully detect and block this ransomware strain. Customers are advised to make sure that they are running the latest version.

Additional reports indicate that this ransomware strain was distributed using the EternalBlue exploit that was released by the ShadowBrokers in April. This vulnerability was patched by Microsoft (MS17-010) before ShadowBrokers released the exploit. This shows that in the real world keeping up-to-date with patches and critical updates can be difficult but is a crucial step for all organisations.


This article was taken from SentinelOne.

Palo Alto Networks Protections Against WanaCrypt0r Ransomware Attacks

Tuesday, May 16th, 2017

What Happened

On Friday, May 12, 2017, a series of broad attacks began that spread the latest version of the WanaCrypt0r ransomware. These attacks, also referred to as WannaCrypt or WannaCry, reportedly impacted systems of public and private organisations worldwide. Our Next-Generation Security Platform automatically created, delivered and enforced protections from this attack.

How the Attack Works

While the initial infection vector for WanaCrypt0r is unclear, it is certain that once inside a network it attempts to spread to other hosts over SMB (TCP port 445) by exploiting the EternalBlue vulnerability in the Windows SMBv1 server (CVE-2017-0144). The exploit was publicly released by the Shadow Brokers group in April 2017; the vulnerability itself had been addressed by Microsoft in March 2017 with MS17-010.

Microsoft has published a post on protections from the WanaCrypt0r attacks and has taken the unusual step of providing patches for versions of Windows that are no longer supported, including Windows XP. Organisations that have applied the MS17-010 update are not at risk from WanaCrypt0r spreading across their network. For those that have not, given that the update addresses a remotely exploitable vulnerability in a networking component now under active attack, we strongly urge making its deployment a priority.
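A host-side audit is the check a practitioner wants at this point. The PowerShell script below is an added example and is not part of the Palo Alto Networks post or of any vendor tool: it reports whether one of the MS17-010 hotfixes is present, whether the SMBv1 server that EternalBlue targets is still enabled, and optionally disables SMBv1 and blocks inbound TCP/445. The hotfix list is the one published with MS17-010 and the 12 May out-of-band release for unsupported Windows versions; the firewall rule name and the remediation decision at the end are assumptions made for the example.

```powershell
# Added example (not from the Palo Alto Networks post): audit a Windows host
# for the WanaCrypt0r spreading vector (SMBv1 / MS17-010) and harden it.
# Run in an elevated PowerShell session. Assumptions are marked in comments.

# Hotfix IDs that delivered MS17-010 on 14 March 2017, plus KB4012598, which
# Microsoft also released on 12 May 2017 for the out-of-support XP/2003/8 builds.
# Later cumulative updates and monthly rollups supersede these, so a fully
# patched host may show none of them: absence is a prompt to verify the
# srv.sys version against the bulletin, not proof of exposure.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # Vista / Server 2008, and the XP / 2003 / 8 out-of-band release
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    # Reports which (if any) of the known MS17-010 hotfixes are installed.
    param([string[]]$KnownKbs = $Ms17010Kbs)
    $seen = @(Get-HotFix | Where-Object { $KnownKbs -contains $_.HotFixID })
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        Ms17010KbSeen = ($seen.HotFixID -join ', ')
        LikelyPatched = ($seen.Count -gt 0)
    }
}

function Get-Smb1ServerState {
    # Returns $true when the SMBv1 server component is enabled.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / Server 2008 R2: the switch is the SMB1 value under LanmanServer.
    # The value does not exist by default, and a missing value means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1Server {
    # Turns off the SMBv1 server and optionally blocks inbound TCP/445 with a
    # host firewall rule (New-NetFirewallRule needs Windows 8 / Server 2012+).
    # The rule name below is made up for this example. Both changes break
    # clients and devices that only speak SMBv1 (old NAS, printers, scanners),
    # so test before rolling out widely.
    param([switch]$BlockInbound445)
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2 path; takes effect after a reboot.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Value 0 -Type DWord
    }
    if ($BlockInbound445) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB TCP/445 (WanaCrypt0r mitigation)' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any
    }
}

# Usage: report first, then harden if the host does not look patched.
# (Assumed policy: an unpatched host loses SMBv1 and inbound 445 immediately.)
$status = Test-Ms17010
$status
"SMBv1 server enabled: $(Get-Smb1ServerState)"
if (-not $status.LikelyPatched) { Disable-Smb1Server -BlockInbound445 }
```

Disabling SMBv1 closes the door EternalBlue walks through but does not fix the bug; MS17-010 still has to be installed. On Windows 8.1 and 10 the SMBv1 component can also be removed outright with Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol, which is the more durable option where nothing legacy depends on it.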


Palo Alto Networks customers are protected from WanaCrypt0r ransomware by the Next-Generation Security Platform, which takes a prevention-based approach that automatically stops threats across the attack lifecycle. That protection comes from multiple complementary prevention controls across the platform, including:

  • WildFire classifies all known samples as malware, automatically blocking malicious content from being delivered to users.
  • Threat Prevention enforces IPS signatures for the vulnerability exploit (CVE-2017-0144 – MS17-010) used in this attack: SMB vulnerability – ETERNALBLUE.
  • URL Filtering monitors malicious URLs used and will enforce protections if needed.
  • DNS Sinkholing can be used to identify infected hosts on the network. For more, please reference our product documentation for best practices.
  • Traps prevents the execution of the WanaCrypt0r malware on endpoints.
  • AutoFocus tracks the attack for threat analytics and hunting via the WanaCrypt0r tag.
  • GlobalProtect extends WildFire and Threat Prevention protections to remote users and ensures consistent coverage across all locations.

For best practices on preventing ransomware with the Palo Alto Networks Next-Generation Security Platform, please refer to the Palo Alto Networks Knowledge Base article on the subject. We strongly recommend that all Windows users ensure they have installed the latest patches made available by Microsoft, including those for versions of Windows that have reached end-of-life support.

This article was originally published by Palo Alto Networks.

Change Log:

On May 13, 2017, this post was updated to include:

  • Link to Microsoft blog on protections against WanaCrypt0r attacks
  • Details on additional protections via DNS sinkholing
  • Updated URL Filtering section to reflect new analysis

On May 15, 2017, this post was updated to clarify the WanaCrypt0r attack delivery method based on additional information.

On May 17, 2017, this post was updated to include:

  • Threat Prevention signature information for anti-malware and command-and-control activity.
  • A link to the Traps blog.

Practice These 10 Basic Cyber Hygiene Tips for Risk Mitigation

Tuesday, May 9th, 2017

For six years in a row, cybersecurity has been identified as the #1 “problematic shortage” area across all of IT. More concerning still, the shortage widened sharply across organisations in 2016 and 2017.

While companies scramble for cybersecurity personnel, they are also caught up in an innovation race. Organisations are under intense pressure to adopt new technology without slowing daily operations, and as these technologies are rolled out quickly, the security measures they need and the risks they introduce into the IT environment are overlooked. With the popularity of the Internet of Things and BYOD, we are also seeing weak spots appear that IT departments have neither the bandwidth nor the expertise to address.

Modern cybersecurity places a large emphasis on managing risk, which is a serious problem for companies that lack professionals able to respond to attacks. With ever-evolving threats, it is nearly impossible to always know what is coming. That is why it is so important to practise basic cyber hygiene as a way to eliminate or mitigate possible threats, especially during a period of digital transformation.

What is Basic Cyber Hygiene?

The Center for Internet Security (CIS) and the Council on Cyber Security (CCS) define cyber hygiene as a means to appropriately protect and maintain IT systems and devices and to implement cyber security best practices.

This risk mitigation technique is a must for all businesses deploying emerging technologies on their networks. Without clear assessments and interventions, attackers have an easy way in through unpatched and outdated software and through unforeseen security gaps in newer technologies.

Keeping Good Cyber Hygiene Habits

While cyber hygiene isn’t an ironclad protection, it’s important for everyone in contact with your network, from the CEO to the lowly intern, to act securely with these ten tips:

1. Keep an inventory of hardware and software on the company network.
2. Develop a process for software installation by end users. That could mean limiting installation to trusted software, or prohibiting and blocking all installation without prior approval from IT.
3. Educate users on practising good cyber behaviour, including password management, identifying potential phishing attempts, and which devices may be connected to the network.
4. Identify vulnerable applications that aren’t in use and disable them.
5. Back up data consistently and keep multiple copies. Consider using a secure cloud solution as well as on-premise storage.
6. Turn to industry-accepted secure configurations and standards such as NIST guidelines and the CIS Benchmarks. These can help organisations define items like password length, encryption, port access, and two-factor authentication.
7. Patch all applications promptly and on a regular schedule. Unpatched systems are one of the biggest risk factors in attacks.
8. Create complex passwords.
9. Limit the number of users with administrative privileges.
10. Upgrade ageing infrastructure and systems.
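Several of these tips can be checked from the host itself. The PowerShell script below is an added example, not code from the SentinelOne post: it produces a software inventory (tip 1), counts local administrators against an expected maximum (tip 9), and flags operating systems that are out of support along with the time since the last hotfix (tip 10). The administrator threshold, the end-of-life version logic and the output file name are assumptions made for the example.

```powershell
# Added example (not from the SentinelOne post): a local audit that puts tips 1,
# 9 and 10 above into practice -- software inventory, administrator count, and
# operating-system age -- emitted as objects so a central job can collect them.
# Needs PowerShell 5.1 or later for Get-LocalGroupMember. Thresholds are assumptions.

function Get-SoftwareInventory {
    # Tip 1: installed software, read from the Uninstall keys (64-bit and 32-bit views).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Get-LocalAdminReport {
    # Tip 9: who holds local administrator rights, compared with an assumed
    # policy of the built-in Administrator plus one break-glass account.
    param([int]$MaxExpected = 2)
    $members = @(Get-LocalGroupMember -Group 'Administrators')
    [pscustomobject]@{
        Host       = $env:COMPUTERNAME
        AdminCount = $members.Count
        OverPolicy = ($members.Count -gt $MaxExpected)
        Members    = ($members.Name -join '; ')
    }
}

function Get-OsAgeReport {
    # Tip 10: flag operating systems Microsoft no longer supports at all
    # (Windows XP / Server 2003, and Vista, whose extended support ended on
    # 11 April 2017) and report how long ago the last hotfix was installed.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $major, $minor = ($os.Version -split '\.')[0, 1]
    $eol = ($major -eq '5') -or
           ($major -eq '6' -and $minor -eq '0' -and $os.ProductType -eq 1)   # ProductType 1 = workstation
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSincePatch = $null
    if ($lastFix) { $daysSincePatch = (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days }
    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Caption        = $os.Caption
        Version        = $os.Version
        EndOfLife      = $eol
        DaysSincePatch = $daysSincePatch
    }
}

# Usage: build one record per host and write it as JSON for central collection
# (the output file name is an assumption for the example).
$software = @(Get-SoftwareInventory)
$report = [pscustomobject]@{
    Os            = Get-OsAgeReport
    Admins        = Get-LocalAdminReport
    SoftwareCount = $software.Count
    Software      = $software
}
$report | ConvertTo-Json -Depth 4 | Out-File "$env:COMPUTERNAME-hygiene.json"
```

The Uninstall keys only list software that registered an uninstaller, so portable tools and per-user installs under HKCU will be missed; treat the inventory as a floor, not a complete picture. The OverPolicy flag is the field worth alerting on, since a growing local Administrators group is exactly the condition tip 9 is meant to prevent.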

Reduce the Human Impact

Even with the best protection, there is no guarantee that your business won’t become the victim of a ransomware attack, data breach, or other cybersecurity threat. That’s why it is so important to reduce the human factor by automating security practices wherever possible.

Requiring two-factor sign-on with complex passwords, blocking certain file types, and testing users on their security knowledge are steps that all companies can take to protect today’s diversified networks.

For businesses with a shortage of cybersecurity professionals, these steps, while simple, may still prove a challenge. That’s why it helps to find tools, such as machine learning, that can predict and react to malicious behaviour for you.

With machine learning and behaviour-based detection, you can relieve your IT team of exhaustive manual procedures. SentinelOne automates security for you with EPP. To learn more about how to protect your network in our quickly evolving technological world, download our executive brief, Get Your Endpoint Protection Out of the 90’s!

Item taken from the SentinelOne blog.