Visualizing WannaCry & Shadow Brokers with Dashboards

Jeremy Briglia

Last updated on: September 6, 2020

To assess infections from WannaCry ransomware and threat exposure from the Shadow Brokers vulnerabilities across an entire IT environment, it’s helpful to visualize your exposure via dynamic dashboards.

Using Qualys AssetView and ThreatPROTECT, I created a single-pane incident response dashboard containing six key data points that provide a complete picture to assess both infection of WannaCry and threat exposure from the Shadow Brokers vulnerabilities. With the data from this dashboard, you can take immediate action against WannaCry. Each dashboard element automatically collects trend data that allows customers to track their remediation efforts over time.

See Visualizing WannaCry and Shadow Brokers: How to Configure Dashboards in AssetView for the details of the dashboard, including how to create dashboards in Qualys AssetView and specifically how I built the dashboard for WannaCry and Shadow Brokers.

Detections (QIDs)

The WannaCry & Shadow Brokers dashboard visualizes the following detections, allowing you to analyze and take action on all key aspects of this outbreak.

QID 91345 to detect a missing MS17-010 patch, and QID 91360 for detecting ETERNALBLUE

  • These QIDs are nearly identical in terms of assessment capabilities, but it is recommended to report on both to identify vulnerable systems that may have missed more recent scan windows. Herein lies the foundation of WannaDecrypt0r: a remote attacker could gain the ability to execute code by sending crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Signatures for these QIDs have been updated to detect the patch released by Microsoft for the end-of-life operating systems Windows XP, Windows 2003 and Windows 8.

QID 1029 to detect WannaDecrypt0r ransomware artifacts

  • This authenticated detection works by checking for the presence of a registry key and a few files that are found on a system post infection.

QID 70077 for detecting DOUBLEPULSAR backdoors

  • This QID sends a “trans2 SESSION_SETUP” SMB request to the remote target. The remote system responds with a “Not Implemented” message. Within that message a “Multiplex ID” is returned, which is 65 (0x41) for normal systems and 81 (0x51) for infected systems.
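To make the Multiplex ID check concrete, here is an added example (not Qualys code) that parses an SMBv1 response as captured on the wire and classifies it by the rule above; it only decodes bytes, it sends nothing. The sample replies are constructed inline, and the flag/PID values in them are assumed placeholders.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32       # the "trans2" command the check uses
STATUS_NOT_IMPLEMENTED = 0xC0000002
MID_NORMAL = 0x41                 # 65: ordinary SMBv1 server
MID_DOUBLEPULSAR = 0x51           # 81: DOUBLEPULSAR implant answering


def parse_smb1_header(data: bytes) -> dict:
    """Decode the 4-byte NetBIOS session header plus the 32-byte SMBv1 header."""
    if len(data) < 36:
        raise ValueError("response shorter than NetBIOS + SMB header")
    smb = data[4:36]                      # skip NetBIOS session header
    if smb[:4] != SMB1_MAGIC:
        raise ValueError("not an SMBv1 message")
    command = smb[4]
    status = struct.unpack("<I", smb[5:9])[0]
    # bytes 9..23: Flags, Flags2, PIDHigh, SecurityFeatures, Reserved
    tid, pid_low, uid, mid = struct.unpack("<HHHH", smb[24:32])
    return {"command": command, "status": status,
            "tid": tid, "pid": pid_low, "uid": uid, "mid": mid}


def classify_doublepulsar(data: bytes) -> str:
    """Apply the QID 70077 rule: MID 0x51 on a Trans2 'Not Implemented' reply."""
    hdr = parse_smb1_header(data)
    if hdr["command"] != SMB_COM_TRANSACTION2 or hdr["status"] != STATUS_NOT_IMPLEMENTED:
        return "unexpected"               # not the reply the check relies on
    if hdr["mid"] == MID_DOUBLEPULSAR:
        return "infected"
    if hdr["mid"] == MID_NORMAL:
        return "clean"
    return "unknown"


def build_sample_response(mid: int) -> bytes:
    """Constructed Trans2 'Not Implemented' reply (not a real capture) with the given MID."""
    smb = SMB1_MAGIC + bytes([SMB_COM_TRANSACTION2]) + struct.pack("<I", STATUS_NOT_IMPLEMENTED)
    smb += b"\x98" + struct.pack("<H", 0xC801)         # Flags, Flags2 (assumed values)
    smb += struct.pack("<H", 0) + b"\x00" * 8 + b"\x00\x00"  # PIDHigh, SecurityFeatures, Reserved
    smb += struct.pack("<HHHH", 0, 0xFEFF, 0, mid)     # TID, PIDLow (assumed), UID, MID
    payload = smb + b"\x00" + struct.pack("<H", 0)     # WordCount=0, ByteCount=0
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


if __name__ == "__main__":
    for m in (MID_NORMAL, MID_DOUBLEPULSAR):
        print(hex(m), classify_doublepulsar(build_sample_response(m)))
```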

QID 45261 to check if SMB Version 1 is enabled

  • Microsoft recommends that users update to the latest SMB version and stop using SMBv1. Alternatively, you may consider blocking all versions of SMB at the network boundary by blocking TCP port 445, together with the related protocols on UDP ports 137-138 and TCP port 139, on all boundary devices.

QID 90126 to check for hosts pending reboot

  • If this pending reboot is set by a Microsoft security patch such as MS17-010, the host is probably still vulnerable to the security issues addressed by the patch, even though the registry may show that the patch is installed.

For more information on the WannaCry outbreak, see How to Rapidly Identify Assets at Risk to WannaCry Ransomware and ETERNALBLUE Exploit.


Comments


  1. This is fantastic. Identifying a problem, and developing a strategy that helps solve it. I’m not surprised at your brilliance at all.