The Wanna Crypt Malware has been shown to utilize vulnerabilities involving the SMB networking protocol.  With the resumption of the work week today after the havoc that started last week, further compromises across the US are expected to be reported as workers return from the Holiday weekend and boot up their computers.

Unlike other malware, this malware utilizes the NSA leaked Double Pulsar exploit MS17-010 vulnerability that was leaked online three weeks ago by a group known as the Shadow Brokers. What is most concerning is that the exploits for this vulnerability allow for compromising of a target without having to get the user to click on an attachment. Any attacker or compromised machine that is on the same network as another device with the vulnerable port 445 open and running SMB v 1 protocol can be compromised without any specific action by the target necessary in order for the infection to take place.

Fortunately, Microsoft released patches last Tuesday that if applied, would protect a target from attack.  Microsoft even released a patch for their no longer supported Windows XP Operating system.

A search today of Shodan.io, a security vulnerability search engine tool, revealed that more than 509,000 publicly facing web servers in the United States have the vulnerable port 445 open, which could allow for infection of those devices over the Internet. Once a target is compromised, other computers that compromised target has access to are vulnerable for further exploitation, unless proper security steps have taken place.  Remediation of an infected target remains complicated given the many disclosures of hiding places for malware, including on board the computing devices firmware, and peripheral storage areas that can allow for persistence of infection even after completely reformatting a computer’s hard drive.

 

Vulnerabilities allegedly leaked from US Intelligence organizations are now readily available to the bad guys, with many computers in Government, Corporations and Healthcare Organizations still not properly patched and secured.

A search for on Shodan.io for computers with the port 445 open showed that Los Angeles had the greatest potential for propagation of Wanna Crypt malware. Copy Cat malware is likely to begin infecting the unpatched devices.

The Top 50 Major/Medium sized Cities showing the highest count of computing devices with port 445 open as reported on the morning of May 15th, 2017 follow:

1. Los Angeles – 122,612
2. Cheyenne, WY – 42,973
3. Thousand Oaks, CA – 42,549
4. San Jose, CA – 36,895
5. Phoenix, AZ – 35,589
6. Walnut, CA – 32,814
7. Burbank, CA – 14,216
8. Dallas, TX – 6,772
9. Chicago, IL – 5,605
10. Ashburn, VA – 5,178
11. Boardman, OR – 3,847
12. San Antonio, TX – 3,472
13. Kansas City, MO – 3,316
14. Seattle, WA – 3,084
15. Denver, CO – 2,924
16. Scottsdale, AZ – 2,601
17. Atlanta, GA – 2,058
18. Yelm, WA – 1,909
19. New York, NY – 1,869
20. Matawan, NJ – 1,816
21. Las Vegas, NV – 1,661
22. Tulsa, OK – 1,573
23. Houston, TX – 1,429
24. Miami, FL – 1,392
25. Saint Louis, MO – 1,363
26. Secaucus, NJ – 1,298
27. Wayne, PA – 1,233
28. Orlando, FL – 1,182
29. Overland Park, KS – 834
30. Columbus, OH – 784
31. Austin, TX – 771
32. San Diego, CA – 666
33. San Francisco, CA – 652
34. Tampa, FL – 641
35. Washington, DC – 619
36. Des Moines, IA – 512
37. College Park, MD – 488
38. Philadelphia, PA – 365
39. Jacksonville, FL – 216
40. Fort Lauderdale, FL – 197
41. Detroit, MI – 154
42. Minneapolis, MN – 154
43. Huntsville, AL – 151
44. Cincinnati, OH – 127
45. Pittsburgh, PA – 124
46. Cleveland, OH – 115
47. Baltimore, MD – 114
48. Louisville, KY – 118
49. Boston, MA – 94
50. Indianapolis, IN – 86

Steps individuals and organizations should take to protect themselves from further spreading of this malware include:

1. Run windows update and fully apply all patches with reboot
2. Make a complete backup of your data and store offline in case you get compromised
3. Block port 445 on your firewall both local and your router
4. Disable services running SMB v1 on your devices
5. Search for and apply firmware updates to secure hardware chips such as the Intel vulnerabilities recently reported
6. Monitor your firewall for suspicious traffic

Mac users should remain equally vigilant and be sure their devices are running the latest versions of the Operating system since there are many other vulnerabilities leaked that may impact tablets, smartphones and all types of computing devices.

Overtime Snapshots showing spreading of the Malware Across the United States Follow:

5/15/17 12:05PM

5/15/17 1:49PM (IP’s reporting infection within the last 24 hours)

5/16/17 10:40AM CST (IP’s reporting infection within the last 24 hours)