Threat Intelligence Brief – June 2017


Minimizing damage from the next WannaCry

The use of the Shadow Brokers’ leaked tools in recent malware campaigns (WannaCry, the Adylkuzz botnet and EternalRocks) has highlighted a dirty little secret in the IT world: the continued reliance on unsupported, past end-of-life or unpatchable servers.

These legacy systems create easily exploited holes in a corporate security program due to their inability to be updated against recently identified vulnerabilities or attack vectors. They unnecessarily expose critical data and infrastructure to all levels of threat actors and undermine the efficiency of still-supported technology in your network.

In the fight against cyber threats, every weak link in your infrastructure, no matter how small, can become a serious liability if left unaccounted for. To limit exposure and potential damage from the next WannaCry, organizations need to consider the defense in depth of their security program.

Defense in Depth

Defense in depth is the concept of arranging lines of defense so that they defend each other. Each defensive line, or system in this case, compensates for the weaknesses of the others – a sort of “bend but don’t break” strategy. An unpatchable, outdated server added to this formation is a line that cannot hold, and it leaves the entire infrastructure vulnerable unless the other lines are in place. To illustrate the point, let’s look at a defense in depth approach that would have minimized the effects of WannaCry on an organization with vulnerable machines.

Defense in Depth vs. WannaCry

Firewall (External) – Firewall rules can be used to restrict internet access to internal resources. By only allowing inbound traffic to a minimal number of servers/services, the attack surface of your organization can be minimized. Since the primary infection vector of WannaCry was remote exploitation of SMBv1 via TCP port 445, a firewall rule on the edge of a company’s network blocking inbound traffic destined for port 445 would have prevented external infection. A similar rule prohibiting an organization’s machines from connecting to arbitrary internet hosts on port 445 would have also prevented any internal compromise from spreading outside the organization’s environment.

Network Segmentation – By dividing network resources into segments (either through the use of additional firewalls or the use of VLANs) and restricting communications between these segments, the spread of worms such as WannaCry within an organization could have been minimized or prevented outright.

OS Hardening – Even if you can’t have the latest patch, you can still disable unneeded services. Doing so reduces the number of potential attack points that exist on your systems. It also limits an adversary’s options for movement should a compromise occur. In the case of Wannacry, a single line of code could have been used by a system administrator to disable SMBv1 and prevent a machine from being compromised.

Using PowerShell, an administrator could just run the following:

# Disables the SMBv1 server component; the change takes effect after the Server (LanmanServer) service restarts, so reboot to be safe.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

For large enterprises, Windows Group Policy could also have been used to push the same registry setting and disable SMBv1 on all domain-joined systems.
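The registry key above silently does nothing useful if you never check the result, and newer Windows versions expose SMBv1 through additional interfaces. The script below is an added example (not from the brief) that audits the SMBv1 server state from every source a host offers and then disables it, using the brief’s registry path first and the Set-SmbServerConfiguration / SMB1Protocol feature interfaces where they exist (Windows 8 / Server 2012 and later; Windows 7 / Server 2008 R2 only have the registry method). Function names are assumptions chosen here; run it in an elevated session.

```powershell
# Added example: audit and disable the SMBv1 server component on a Windows host.
# Assumes an elevated PowerShell session. Registry path is the one from the brief;
# the Smb* cmdlets and the SMB1Protocol optional feature exist only on newer versions.

$Smb1RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerStatus {
    # Reports SMBv1 state from every interface available on this host.
    $reg = Get-ItemProperty -Path $Smb1RegPath -Name SMB1 -ErrorAction SilentlyContinue
    # A missing value means the platform default, which is "enabled" on versions that ship SMBv1.
    $regState = if ($null -eq $reg) { 'not set (default: enabled)' } else { $reg.SMB1 }

    $serverConfig = 'n/a'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverConfig = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    $feature = 'n/a'
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $feature = $f.State }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        RegistrySMB1    = $regState
        ServerConfig    = $serverConfig
        OptionalFeature = $feature
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Registry method from the brief: works on every Windows version,
    #    takes effect once the LanmanServer service restarts (reboot to be safe).
    if ($PSCmdlet.ShouldProcess($Smb1RegPath, 'Set SMB1 = 0')) {
        Set-ItemProperty -Path $Smb1RegPath -Name SMB1 -Type DWORD -Value 0 -Force
    }

    # 2. Server configuration cmdlet (Windows 8 / Server 2012 and later).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SMB server configuration', 'EnableSMB1Protocol = false')) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }

    # 3. Remove the optional feature entirely (Windows 8.1 / Server 2012 R2 and later),
    #    which also removes the SMBv1 client driver.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f -and $f.State -eq 'Enabled' -and $PSCmdlet.ShouldProcess('SMB1Protocol feature', 'Disable')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    # Return the post-change state so the caller can verify rather than assume.
    Get-Smb1ServerStatus
}

# Usage: preview the changes, then apply and review the resulting state.
Disable-Smb1Server -WhatIf
Disable-Smb1Server | Format-List
```

Get-Smb1ServerStatus on its own is the audit you would run across a fleet before and after a Group Policy rollout: a host whose registry value is 0 but whose optional feature is still Enabled has the SMBv1 client driver installed, which is worth knowing even though the server side is off.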

Firewall (Host-Based) – Firewalls on endpoints can also be used to minimize the number of exploitable services from within an organization. If you can’t segregate the network utilizing VLANs or internal firewalls, host-based firewalls provide a means to prevent compromised systems from being used to spread laterally.
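The two edge rules from the external firewall section (block inbound 445, block outbound 445 to the internet) can be reproduced on each endpoint with the Windows Firewall, which contains a worm even on a flat network. The script below is an added example, not from the brief, and the rule names are assumptions chosen here. It is meant for workstations and servers that do not share files; pass -ServesSmb on file servers and domain controllers so only the outbound rule is applied.

```powershell
# Added example: host-based firewall rules that contain SMB-borne worms.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later
# (NetSecurity module). Rule display names are assumptions chosen here.

function Set-SmbContainmentRules {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Set on hosts that legitimately accept SMB (file servers, DCs): skips the inbound block.
        [switch]$ServesSmb
    )
    $inboundName  = 'TI-Block-SMB445-Inbound'
    $outboundName = 'TI-Block-SMB445-Outbound-Internet'

    # Remove earlier copies so the function is safe to re-run.
    Get-NetFirewallRule -DisplayName $inboundName, $outboundName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    if (-not $ServesSmb -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Block inbound TCP 445')) {
        # Nothing on this host should accept SMB, so block it from every remote address.
        New-NetFirewallRule -DisplayName $inboundName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Any -Action Block -Profile Any -Enabled True | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Block outbound TCP 445 to Internet')) {
        # Mirrors the edge rule: internal file servers stay reachable, arbitrary
        # internet hosts on 445 do not. 'Internet' is the firewall's predefined
        # address keyword for addresses outside the local subnet and intranet.
        New-NetFirewallRule -DisplayName $outboundName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any -Enabled True | Out-Null
    }
}

function Get-SmbContainmentRules {
    # Verification: list the rules with their port and address filters for audit.
    Get-NetFirewallRule -DisplayName 'TI-Block-SMB445-*' -ErrorAction SilentlyContinue | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $_.DisplayName
            Direction     = $_.Direction
            Action        = $_.Action
            Enabled       = $_.Enabled
            LocalPort     = $port.LocalPort
            RemotePort    = $port.RemotePort
            RemoteAddress = $addr.RemoteAddress
        }
    }
}

# Usage: preview, apply, then verify.
Set-SmbContainmentRules -WhatIf
Set-SmbContainmentRules
Get-SmbContainmentRules | Format-Table -AutoSize
```

Block rules win over allow rules in the Windows Firewall, which is why the outbound rule is scoped with the Internet keyword instead of trying to pair a broad block with a narrower allow. Roll the same rules out via Group Policy for the enterprise case, but keep the verification function: a GPO that never applied looks identical to one that did until you check the host.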

Anti-Virus Software – No anti-virus software can catch everything, but installing one on each system that can support it serves as an additional hurdle for an adversary to overcome. Even if an attacker successfully exploits a system, the A/V can serve as the last line of defense and detect known payloads that an attacker might send.

Malicious IPs

We’ve seen the following IPs involved in various malicious activity, and have taken steps to block them from our environment. We highly recommend blocking these IPs until they can be remediated and no longer pose a threat. It is prudent to heavily scrutinize any communications from your network to these IPs, especially C2 nodes.

Attack Signature       IP Address    Geo Location
Phishing                             United States
Command and Control                  Turkey
Malware Host                         Great Britain
Command and Control                  Thailand
SSH Brute Force                      Argentina
Phishing                             Russia
SSH Brute Force                      Argentina
Phishing                             Turkey
Malware Host                         Switzerland
SSH Brute Force                      China
Phishing                             Russia
Webshell Hunting                     Netherlands
Command and Control                  Venezuela
Webshell Hunting                     China
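Blocking a list like the one above is only half of the recommendation; the other half is finding out whether anything on your hosts is already talking to those addresses. The script below is an added example, not from the brief, that pushes a list of indicators into one inbound and one outbound host-firewall block rule (updated in place so the list can be refreshed from each brief) and reports any established connection to a listed address together with the owning process. The addresses in it are constructed placeholders from the RFC 5737 TEST-NET-3 range standing in for the brief’s list, and the rule names are assumptions.

```powershell
# Added example: block a threat-intel IP list at the host firewall and audit
# current connections to it. Assumes an elevated session on Windows 8 / Server
# 2012 or later. The addresses are CONSTRUCTED placeholders (RFC 5737 TEST-NET-3),
# not the brief's indicators; replace them with the real list.

$BlockList = @('203.0.113.10', '203.0.113.25', '203.0.113.77')
$RuleName  = 'TI-Block-MaliciousIPs'   # assumed rule name prefix

function Find-ConnectionsToBlockList {
    param([string[]]$Addresses)
    # Established TCP sessions to a listed address are exactly the
    # "communications to these IPs" to scrutinize; the owning process is the
    # first thing an analyst wants to see.
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $Addresses -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { 'unknown' }
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                LocalPort     = $_.LocalPort
                ProcessId     = $_.OwningProcess
                ProcessName   = $procName
            }
        }
}

function Set-ThreatIntelBlockRule {
    param([string[]]$Addresses)
    # One inbound and one outbound block rule covering every listed address.
    # Existing rules are updated rather than duplicated so re-runs stay clean.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name     = "$RuleName-$dir"
        $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($existing) {
            $existing | Set-NetFirewallRule -RemoteAddress $Addresses
        } else {
            New-NetFirewallRule -DisplayName $name -Direction $dir -RemoteAddress $Addresses `
                -Action Block -Profile Any -Enabled True | Out-Null
        }
    }
    # Return what is now configured so the caller can confirm the list took.
    Get-NetFirewallRule -DisplayName "$RuleName-*" | ForEach-Object {
        [pscustomobject]@{
            Name          = $_.DisplayName
            Direction     = $_.Direction
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        }
    }
}

# Usage: audit first (a hit here is an incident to investigate, not just a
# firewall change), then block and verify.
Find-ConnectionsToBlockList -Addresses $BlockList | Format-Table -AutoSize
Set-ThreatIntelBlockRule -Addresses $BlockList | Format-Table -AutoSize
```

Run the audit function before the block rule goes in: once the rule exists, the connection you wanted to see is simply dropped, and you lose the process name that would have told you which host needs remediation.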

Security Trends and Insights


Espionage has long been the domain of nations with the financial resources needed to carry out an effective operation. In this age of low-cost cyber operations, it has become possible for smaller players to enter the game and gain meaningful insights into their adversaries’ operations. Previously, the main actors in this realm were Russia, the United States and China. Now there are new players such as India, Macedonia, Ethiopia and Malaysia, all conducting their own operations with very similar goals: leveraging low-cost techniques for large intelligence gains.



IBM’s X-Force has reported that the financial Trojan Qakbot, which has been around since 2011, is now responsible for a spike in Active Directory (AD) user lockouts. This is due to the way the malware attempts to spread through the affected network. After gaining access to user account credentials, it attempts to move within the network by repeatedly reusing those credentials, and the repeated failures trigger AD lockouts for the affected users. The malware, primarily delivered through spear phishing campaigns, also performs a “man in the browser” attack once it is on an endpoint, injecting malicious code into online banking sessions.
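The lockout pattern described above is visible in the domain controller’s Security log before anyone opens a helpdesk ticket: one source computer locking out many distinct accounts in a short window is credential reuse, not a user mistyping a password. The script below is an added example (not from the brief or IBM’s report) that pulls event 4740 (“A user account was locked out”) and groups the lockouts by the caller computer. It assumes it runs on a DC, or with -ComputerName pointing at one, with rights to read the Security log; the threshold is an assumption for illustration.

```powershell
# Added example: group Security event 4740 (account locked out) by the computer
# that generated the failing logons, to surface the spreading pattern.
# Assumes read access to a domain controller's Security log. The threshold
# is an illustrative assumption, not a value from the brief.

function Get-LockoutSources {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        # Distinct accounts locked out from a single source before it is flagged.
        [int]$AccountThreshold = 3
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Read EventData fields by name from the XML rather than by position.
        # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    }

    $rows | Group-Object CallerComputer | ForEach-Object {
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        [pscustomobject]@{
            CallerComputer   = $_.Name
            Lockouts         = $_.Count
            DistinctAccounts = $accounts.Count
            Accounts         = ($accounts -join ', ')
            FirstSeen        = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen         = ($_.Group.Time | Measure-Object -Maximum).Maximum
            # Many different accounts from one host in the window is the
            # credential-reuse behaviour; a single account is usually a user.
            Suspicious       = ($accounts.Count -ge $AccountThreshold)
        }
    } | Sort-Object DistinctAccounts -Descending
}

# Usage: review the last 24 hours, flagged sources first.
Get-LockoutSources -Hours 24 | Format-Table -AutoSize
```

The CallerComputer column is the host to isolate and examine; the Accounts column tells you which credentials the malware already holds and therefore which passwords need to be reset once the host is contained.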



Over the past year, threat actors have increasingly used ransomware to target unprotected online databases and servers. The first victims of this type of attack were users of MongoDB and Elasticsearch databases. Recent attacks have begun targeting Hadoop clusters and CouchDB servers as well. The popular internet of things (IoT) search site Shodan shows nearly 5,000 Hadoop servers hosting more than 5,000 TB of data, most of them on AWS. This illustrates a key misunderstanding of secure Hadoop configuration or of the AWS environment’s security. Hosting Hadoop servers in AWS poses a security risk. The ransom attacks against MongoDB, Elasticsearch, CouchDB and Hadoop servers are still occurring, and this activity is likely to increase as organizations continue their migration to the cloud.
