- As WannaCry went nuts last week and everyone moved quickly to support one another, we all acted on our best intelligence at the time.
- Because most ransomware is typically delivered via email, website or file, we worked with our customers to make sure their endpoints were protected.
- One week later, I wanted to take a moment to be absolutely transparent about what we do and what we don’t do.
When attacks such as the WannaCry crypto-malware occur, it is important to offer complete transparency to customers. We want you to know what you can expect from us. My goal in this brief blog is to technically state what Bromium does protect, identify the limitations of that protection, and to provide some advice on mitigation generally.
How Bromium Works
Bromium protects any single VT-capable end-user endpoint running Windows 7+ using micro-virtualization. The endpoint protects itself by hardware-isolating execution of untrusted files, executables and the web. Each isolated task runs in a micro-VM that has no access to endpoint data, shares, high value networks or sites, or credentials. To be crystal clear: any crypto malware that is delivered via a user initiated task to a Bromium protected client is unable to damage that device or to move laterally in the organization. Any endpoint that is attacked via the above vectors will be protected, and the endpoint will automatically remediate itself.
Each Bromium endpoint is also a sensor in a distributed breach detection system: the endpoint monitors its own execution to detect malicious activity (in a micro-VM and natively), and shares its intelligence with the Bromium management system in real time. When crypto-malware executes in a micro-VM or on a host with Bromium Secure Monitoring, there is an extremely high probability that it will be detected. A full trace of execution is immediately shared, and this is used to search all endpoints in the enterprise to identify possible latent threats inside the network. Bromium can also directly inform other components of the security infrastructure, for example firewalls, to block C&C access.
Bromium and WannaCry
The WannaCry crypto-malware variant uses the EternalBlue vector to move laterally in an organization. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target. To attack a target, the attacker must be able to reach it – crossing the firewall. If a compromised computer has mounted shares or knows how to reach an SMB server, the attacker can use this to propagate from the compromised device to the SMB server.
To breach an enterprise, the attack must arrive from outside the organization. WannaCry and other forms of crypto-malware have been delivered in zip files, documents, or executables from the web, email attachments and on USB keys. Security firm Zscaler has also discovered new variants using phishing email or drive-by download. Bromium protects against attacks arriving from, and isolates all content delivered via, these vectors. Any organization that uses Bromium, and that is attacked in this way, will be protected. Here is a demo of how WannaCry, delivered via a document attached to an email, behaves when isolated in a micro-VM.
The WannaCry malware (or a variant) could also be delivered remotely if the organization has publicly accessible SMB servers that are vulnerable to EternalBlue, a vector which Bromium does not isolate.
Once WannaCry has found a way into an organization, it moves laterally using EternalBlue. As I have previously stated, Bromium isolation capabilities do not protect against a worm moving laterally within the enterprise. Bromium host monitoring can search for, and block, execution of the payload by its hash using a custom rule.
Mitigation and Our Responsibility for Protecting Our Companies
Neither Bromium nor any other security tool should be considered a replacement for basic security hygiene. Since Windows 7, Windows has shipped with a built-in firewall that is properly configured by default and easily controlled using Active Directory Group Policy. When a user takes a laptop off the internal network, it should automatically block all inbound connections, including SMB, which would stop a worm such as WannaCry. Microsoft has also provided advice for disabling SMBv1 using Group Policy.
Additionally, critical Windows updates, for example those fixing kernel vulnerabilities, should be applied with regularity. There is no excuse for waiting more than 30 days to apply critical Windows updates. Indeed, in the vast majority of organizations or use cases, automated patching by Microsoft should be the way forward. It is critically important to state that quickly patching vulnerable systems is fundamental to stopping lateral spread in any organization.
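As an added example (not Bromium's code), the following PowerShell audit checks the three hygiene items above on a single endpoint: SMBv1 disabled, inbound SMB blocked on the Public (off-network) profile, and a patch installed within the post's 30-day window. It assumes Windows 8.1/10 or Server 2012 R2+ (the SmbShare and NetSecurity modules are not on Windows 7), administrator rights, and changes nothing; remediation commands are shown in comments.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not Bromium's). Read-only: reports PASS/FAIL per check.

function Test-Smb1Disabled {
    # Both the server setting and the optional feature must be off.
    $cfg     = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureOn = $feature -and $feature.State -eq 'Enabled'
    # Remediate: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    #            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    return (-not $cfg.EnableSMB1Protocol) -and (-not $featureOn)
}

function Test-InboundSmbBlocked {
    param([string]$Profile = 'Public')   # laptops off the corporate network land here
    $p = Get-NetFirewallProfile -Name $Profile
    if (-not $p.Enabled) { return $false }
    # 'NotConfigured' means the built-in default, which is Block.
    $blockByDefault = $p.DefaultInboundAction -in 'Block', 'NotConfigured'
    # An explicit enabled Allow rule for TCP/445 (or any port) on this profile
    # would still let SMB in, so look for one.
    $allow445 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { [string]$_.Profile -match $Profile -or [string]$_.Profile -eq 'Any' } |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '445' -or $_.LocalPort -eq 'Any') }
    # Remediate: Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block
    return $blockByDefault -and -not $allow445
}

function Test-PatchedWithin {
    param([int]$Days = 30)   # the post's "no more than 30 days" threshold
    # Get-HotFix lists installed updates with an install date; newest one wins.
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn | Select-Object -Last 1
    if (-not $latest) { return $false }
    return ((Get-Date) - $latest.InstalledOn).TotalDays -le $Days
}

$checks = [ordered]@{
    'SMBv1 disabled'              = (Test-Smb1Disabled)
    'Inbound SMB blocked (Public)'= (Test-InboundSmbBlocked)
    'Patched within 30 days'      = (Test-PatchedWithin)
}
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-30} {1}' -f $c.Key, $state)
}
```

The firewall check only inspects local rules; a Group Policy that allows File and Printer Sharing on the Public profile shows up here as an Allow rule and will correctly fail the check.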
Have questions? You can comment below or contact us.