Penetration Testing and WannaCry/WannaCrypt
How could penetration testing have reduced the risk of being affected by WannaCry/WannaCrypt ?
What is WannaCrypt?
As you probably already know, a new piece of ransomware had quite an impact this weekend and the damage it caused is still being dealt with. The name of this piece of malware is WannaCry or WannaCrypt and its purpose is to encrypt most of your assets’ data in order to get a ransom, in money.
We will not list here all major actors that have been affected but it successfully attacked organisations such as NHS, Telefonica in Spain, Renault, etc.
What’s new in this threat and why did it have such a big impact?
First of all, generic ransomware is propagated by classic phishing attempts (email containing malicious documents or links toward executable binaries) and affect only one victim.
Some more advanced pieces of malware sometimes replicate using domain credentials to access other machines on your local network.
WannaCry, however, embeds a specific propagation technique, based on the tools leaked from the NSA. It exploits a critical vulnerability (patched by Microsoft in March 2017) on most Windows systems through a standard Microsoft service : SMB on TCP ports 139/445.
As such, any Windows machine that was not patched in the last two months will be at risk and probably targeted by Wannacry through an already infected computer on the internal network. It is also important to mention that the vulnerable service (SMB) is sometimes available from the Internet, meaning that servers can be compromised by WannaCry from the Internet even without the need of phishing.
WannaCry acts as black hat hackers as it scans for vulnerabilities on entire local and remote ranges, exploits the flaws found and spreads through that in order to continue its attacks and encryption process. What makes it more dangerous is its ubiquity as it is a fully automated process that could affect thousands of machines at the same time.
How could SSL247® penetration testing services could have prevented this threat?
SSL247® now delivers audit services such as internal, external and application penetration tests.
Internal penetration testing simulates what an intruder on your internal network could do. This intruder could be present locally but also logically, using a compromised machine, as with WannaCry. What makes this threat work is the lack of network segmentation and system updates. During the internal penetration testing sessions, these vulnerabilities are identified and exploited in order to determine what impact an attacker/malware could have on your network.
External penetration testing simulates another type of attacker: one that can only access your infrastructure through external services from the Internet. In this case, the consultant conducting the tests checks exactly the same flaws as WannaCry (and more), in order to verify that one or more of your servers are not at risk.
At the end of each assignment, a full report is written, as well as an oral presentation of the results. This helps identifying and categorising the threats in terms of impact but also probability of exploitation. For instance, what WannaCry is using would have been flagged as critical and its exploitability marked as simple as this behavior can be automated.
Using this information, your team can apply correct patches but also prioritise remediation actions. WannaCrypt variants are still active and equivalent or more dangerous malware will probably surface soon.
Want to know more about penetration testing ?
Keeping that in mind, if you need more information it can can be found at the address: Penetration testing
For more information on how Penetration Testing can benefit your business just get in touch with one of our friendly accredited consultants for a no obligation discussion:
Author: Loic Castel, Audit and Pentest Manager.
Send us your comments
Your comment will not be published. If you have a question, do not forget to write your email address so that we can get back to you!