The Wanna Crypt malware has been shown to exploit vulnerabilities in the SMB networking protocol. With the resumption of the work week today after the havoc that started last week, further compromises across the US are expected to be reported as workers return from the holiday weekend and boot up their computers.
Unlike most other malware, Wanna Crypt uses the NSA-linked Double Pulsar exploit for the MS17-010 vulnerability, which was leaked online three weeks ago by a group known as the Shadow Brokers. What is most concerning is that exploits for this vulnerability allow a target to be compromised without getting the user to click on an attachment. Any device with the vulnerable port 445 open and running the SMB v1 protocol can be compromised by an attacker or an already-compromised machine on the same network, with no action by the target needed for the infection to take place.
Fortunately, Microsoft released patches last Tuesday that, if applied, protect a target from this attack. Microsoft even released a patch for its no-longer-supported Windows XP operating system.
A search today of Shodan.io, a search engine that indexes Internet-exposed devices and the services they run, revealed that more than 509,000 publicly facing web servers in the United States have the vulnerable port 445 open, which could allow those devices to be infected over the Internet. Once a target is compromised, other computers that the compromised target has access to are exposed to further exploitation unless proper security steps have been taken. Remediation of an infected target remains complicated given the many disclosures of hiding places for malware, including a computing device's firmware and peripheral storage areas, which can allow an infection to persist even after the computer's hard drive has been completely reformatted.
Vulnerabilities allegedly leaked from US intelligence organizations are now readily available to the bad guys, while many computers in government, corporations and healthcare organizations are still not properly patched and secured.
A search on Shodan.io for computers with port 445 open showed that Los Angeles had the greatest potential for propagation of the Wanna Crypt malware. Copycat malware is likely to begin infecting the unpatched devices.
The top 50 major/medium-sized cities showing the highest count of computing devices with port 445 open, as reported on the morning of May 15th, 2017, follow:
- Los Angeles – 122,612
- Cheyenne, WY – 42,973
- Thousand Oaks, CA – 42,549
- San Jose, CA – 36,895
- Phoenix, AZ – 35,589
- Walnut, CA – 32,814
- Burbank, CA – 14,216
- Dallas, TX – 6,772
- Chicago, IL – 5,605
- Ashburn, VA – 5,178
- Boardman, OR – 3,847
- San Antonio, TX – 3,472
- Kansas City, MO – 3,316
- Seattle, WA – 3,084
- Denver, CO – 2,924
- Scottsdale, AZ – 2,601
- Atlanta, GA – 2,058
- Yelm, WA – 1,909
- New York, NY – 1,869
- Matawan, NJ – 1,816
- Las Vegas, NV – 1,661
- Tulsa, OK – 1,573
- Houston, TX – 1,429
- Miami, FL – 1,392
- Saint Louis, MO – 1,363
- Secaucus, NJ – 1,298
- Wayne, PA – 1,233
- Orlando, FL – 1,182
- Overland Park, KS – 834
- Columbus, OH – 784
- Austin, TX – 771
- San Diego, CA – 666
- San Francisco, CA – 652
- Tampa, FL – 641
- Washington, DC – 619
- Des Moines, IA – 512
- College Park, MD – 488
- Philadelphia, PA – 365
- Jacksonville, FL – 216
- Fort Lauderdale, FL – 197
- Detroit, MI – 154
- Minneapolis, MN – 154
- Huntsville, AL – 151
- Cincinnati, OH – 127
- Pittsburgh, PA – 124
- Cleveland, OH – 115
- Baltimore, MD – 114
- Louisville, KY – 118
- Boston, MA – 94
- Indianapolis, IN – 86
Steps individuals and organizations should take to protect themselves from further spread of this malware include:
- Run Windows Update, fully apply all patches, and reboot
- Make a complete backup of your data and store it offline in case you are compromised
- Block port 445 on your firewall, both on the local host and on your router
- Disable the SMB v1 service on your devices
- Search for and apply firmware updates that secure hardware chips, such as for the Intel vulnerabilities recently reported
- Monitor your firewall for suspicious traffic
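The checklist above can be carried out on a single Windows host from PowerShell. The script below is an added example written for this page, not code from the original article or from any vendor: it checks whether an MS17-010 fix is installed, turns off SMB v1, blocks inbound TCP/445, enables firewall logging, and then summarizes which source addresses are repeatedly hitting port 445 in the Windows Firewall log, which is the footprint a self-propagating SMB worm leaves on a network. It assumes Windows 8.1 / Server 2012 R2 or later (SmbShare, NetSecurity and DISM cmdlets available), an elevated session, and the default pfirewall.log column layout; the KB list, the firewall rule name and the sample log lines are assumptions or constructed data and must be checked against the MS17-010 bulletin for your operating systems.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article: audit and harden one Windows
# host against the SMBv1 / MS17-010 exposure described above, then summarize
# inbound port-445 activity from the Windows Firewall log.
# Assumptions: Windows 8.1 / Server 2012 R2 or later; the KB list below is an
# illustrative subset and must be confirmed against the MS17-010 bulletin.

$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')   # illustrative subset, verify per OS

function Test-Ms17010Patched {
    # Reports whether any of the listed MS17-010 KBs is installed on this host.
    param([string[]]$KbList = $Ms17010Kbs)
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    $hits = @($KbList | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($hits.Count -gt 0); MatchingKBs = $hits }
}

function Disable-Smb1 {
    # Stop the server from offering SMBv1 immediately ...
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # ... and remove the SMB1 optional feature entirely (effective after reboot).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    # Block inbound TCP/445 on every profile. The rule name is an assumption.
    # Caveat: this also stops legitimate file and printer sharing to this host.
    $name = 'Block inbound SMB 445 (MS17-010 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

function Enable-FirewallLogging {
    # Log both dropped and allowed packets so Get-Smb445Sources has data to read.
    Set-NetFirewallProfile -All -LogBlocked True -LogAllowed True
}

function Get-Smb445Sources {
    # Group inbound TCP/445 log entries by source IP and report sources at or
    # above the threshold: one peer touching 445 on many hosts, or many times
    # in a short window, is how an SMB worm looks from the firewall's side.
    # Default pfirewall.log columns:
    #   date time action protocol src-ip dst-ip src-port dst-port ... path
    param(
        [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [int]$Threshold = 10
    )
    Get-Content -Path $LogPath |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 9 -and $f[3] -eq 'TCP' -and $f[7] -eq '445' -and $f[-1] -eq 'RECEIVE') {
                $f[4]   # source IP of an inbound 445 connection attempt
            }
        } |
        Group-Object |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count
}

# --- Usage on a live host ----------------------------------------------------
# Test-Ms17010Patched
# Disable-Smb1; Block-InboundSmb; Enable-FirewallLogging
# Get-Smb445Sources -Threshold 10

# Constructed sample log (not a real capture) to exercise Get-Smb445Sources offline.
$sample = @"
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-05-15 12:05:01 DROP TCP 10.0.0.99 10.0.0.10 49152 445 52 S 1234 0 8192 - - - RECEIVE
2017-05-15 12:05:01 DROP TCP 10.0.0.99 10.0.0.11 49153 445 52 S 1235 0 8192 - - - RECEIVE
2017-05-15 12:05:02 DROP TCP 10.0.0.99 10.0.0.12 49154 445 52 S 1236 0 8192 - - - RECEIVE
2017-05-15 12:05:02 ALLOW TCP 10.0.0.10 10.0.0.5 49155 80 52 S 1237 0 8192 - - - SEND
"@
$tmp = Join-Path $env:TEMP 'pfirewall-sample.log'
Set-Content -Path $tmp -Value $sample
Get-Smb445Sources -LogPath $tmp -Threshold 3
```

The patch check is deliberately a positive match on known fix KBs rather than a negative match on the vulnerable binary version, so it can report a false "unpatched" on an operating system whose MS17-010 KB is not in the list; extend the list from the bulletin before relying on it. The firewall rule and SMB1 removal are host-level mitigations and complement, rather than replace, blocking 445 at the network edge.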
Mac users should remain equally vigilant and be sure their devices are running the latest version of the operating system, since many other leaked vulnerabilities may affect tablets, smartphones and all types of computing devices.
Snapshots over time showing the spread of the malware across the United States follow:
5/15/17 12:05PM
5/15/17 1:49PM (IPs reporting infection within the last 24 hours)
5/16/17 10:40AM CST (IPs reporting infection within the last 24 hours)