The “EternalBlue” flaw that has dominated headlines over the last few hours came to prominence through its inclusion in the leaked ‘Shadow Brokers’ data. So far it has been hugely damaging to healthcare organizations. This article will catch you up if you’re not yet up to speed.
To cut to the chase: Yes, CylancePROTECT® fully prevents all in-the-wild examples of the malware related to these specific attacks.
To explain: this attack exploits a flaw in Server Message Block (SMB) in Microsoft Windows which allows remote code execution when successfully exploited. Microsoft patched the flaw in its March 2017 update cycle (MS17-010).
However, many environments are still behind on patches for various reasons, and some are also running legacy operating systems (e.g. Windows XP) that no longer receive security updates, which leaves those systems exposed.
Leveraging this exploit, attackers can execute arbitrary code on the vulnerable host.
In the case of the WanaCrypt outbreak, we are dealing with a ransomware executable that includes additional worm functionality. It can scan for and locate other machines and propagate itself to adjacent, exposed hosts via the EternalBlue vulnerability.
Due to the nature of the flaw, hosts infected through the worm functionality require no interaction from the user on the victim machine.
The worm/ransomware binary handles the remote execution itself. In most cases confirmed so far, stage one is a malicious phishing email carrying an attachment; when “patient zero” opens it, that host is infected and stage two begins: the worm-type functionality propagates and pivots across the internal network.
In addition to employing strong and effective endpoint controls, users are also encouraged to:
• Keep software up-to-date, including operating systems
• Avoid dangerous web locations
• Educate users to detect potential cyberattacks delivered via phishing emails, infected banners, spam emails, social engineering attempts, etc.
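As an added example (not part of the original article and not Cylance or Blue Cube code), the following PowerShell script inventories a Windows host for the two conditions the article describes: the SMBv1 server that EternalBlue targets still enabled, and no updates installed since Microsoft’s March 2017 patch cycle (MS17-010, released on 14 March 2017). It assumes Windows 8 / Server 2012 or newer for Get-SmbServerConfiguration, with a registry fallback for older hosts, and that it is run as an administrator.

```powershell
# Added example: report whether this host is likely exposed to MS17-010.
$patchCutoff = Get-Date '2017-03-14'   # Patch Tuesday of the MS17-010 cycle

function Get-Smb1Status {
    # Prefer the SmbShare cmdlet; fall back to the LanmanServer registry value
    # on hosts that do not ship it (Windows 7 / Server 2008 R2 and older).
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means SMBv1 is at its default, which is enabled on legacy hosts.
    return ($null -eq $value) -or ($value -ne 0)
}

function Get-UpdateCountSinceCutoff {
    # Counts updates installed on or after the cutoff; zero is a red flag,
    # although Get-HotFix does not see every servicing channel (treat as a heuristic).
    $hotfixes = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchCutoff }
    return @($hotfixes).Count
}

$os            = Get-CimInstance Win32_OperatingSystem
$smb1Enabled   = Get-Smb1Status
$recentUpdates = Get-UpdateCountSinceCutoff

[PSCustomObject]@{
    ComputerName             = $env:COMPUTERNAME
    OSVersion                = '{0} ({1})' -f $os.Caption, $os.Version
    SMB1Enabled              = $smb1Enabled
    UpdatesSinceMS17010Cycle = $recentUpdates
    LikelyExposed            = $smb1Enabled -and ($recentUpdates -eq 0)
} | Format-List

# Remediation on supported hosts (left commented out so the script is read-only):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

A host flagged LikelyExposed should be patched, or isolated from SMB traffic, before it is reconnected to a network where the worm may be active.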
Our threat researchers are continuing to investigate new samples as they arrive, to ensure that CylancePROTECT can fully block all new variants. Get started with CylancePROTECT now to make sure you’re safe against threats like this one – reach us at firstname.lastname@example.org.
The Blue Cube ethos is to offer fully independent and accurate advice providing the expertise, technology and management skills to help identify where to protect, what to protect and how to protect corporate IT resources and enable secure access for authorised users.
Blue Cube Security Ltd
0345 094 3070
©2017 BLUE CUBE SECURITY LTD. ALL RIGHTS RESERVED.