Included in the dump were a number of previously unreleased vulnerability exploits, mostly targeting Windows systems. Some of these exploits provide the ability for an attacker to remotely execute code on a target system with zero client interaction using the SMB service running on port 445. This type of “wormable” vulnerability in Windows (i.e. a vulnerability that can remotely take control of a system and then use the infected system to attack other systems) is very rare. The last notable example where a working exploit was released was the “MS08-067” vulnerability which was used in the Conficker Worm in 2008.
Whilst there was initially a great deal of speculation and panic that these Windows exploits were “0-days” (i.e. unpatched vulnerabilities), Microsoft published a comprehensive blog post indicating that all relevant exploits in the dump had already been patched in supported Operating Systems. Two important caveats apply:
- These vulnerabilities still exist in unsupported Operating Systems such as Windows Server 2003 which will not receive patches.
- Some of the most critical vulnerabilities were only fixed in the March 2017 “Patch Tuesday” release.
We would therefore recommend that organisations take the following immediate actions:
- Scan for Windows machines where port 445 is externally exposed to incoming traffic from the Internet and block this at the firewall.
- Where servers were found with this port open, review server logs to look for evidence of malicious activity.
- Prepare a plan to patch all Windows machines with the key patch (MS17-010) and any of the other patches from the Microsoft blog post above which have not yet been applied.
- Prepare a mitigation plan for any Windows machines which are unsupported or cannot be patched in a timely fashion.
- Review the list of exploits to look for non-Windows exploits which may directly affect you.
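The first two immediate actions (find externally exposed port 445, then review the hosts that were found) are easiest to repeat reliably with a small script. The following is an added example and not part of the original advisory: it expands a list of your own public address ranges, attempts a plain TCP connection to port 445 on each address, and reports the hosts that accept one. The ranges shown are constructed placeholders from RFC 5737 documentation space, and the `probe` parameter is a design choice of this example (not a Microsoft or vendor API) so the reporting logic can be checked without network access.

```python
"""Added example: perimeter exposure check for TCP/445 (SMB).

Run from outside the perimeter so the result reflects what the Internet sees.
Assumptions: EXTERNAL_RANGES lists your organisation's own public
allocations; the values below are constructed RFC 5737 placeholders.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List

SMB_PORT = 445

# Constructed placeholder ranges (RFC 5737 documentation space); replace
# with the public allocations you are responsible for.
EXTERNAL_RANGES = ["192.0.2.0/29", "198.51.100.8/30"]


def tcp_connect_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake to host:port completes.

    A completed handshake means the port is reachable through the firewall;
    a refused or timed-out connection counts as not exposed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers refused, unreachable and timeout
        return False


def expand_ranges(ranges: Iterable[str]) -> List[str]:
    """Expand CIDR strings into the individual host addresses to probe."""
    hosts: List[str] = []
    for cidr in ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        hosts.extend(str(h) for h in net.hosts())
    return hosts


def find_exposed(
    hosts: Iterable[str],
    port: int = SMB_PORT,
    probe: Callable[[str, int], bool] = tcp_connect_probe,
    workers: int = 32,
) -> Dict[str, bool]:
    """Probe every host on `port` in parallel and return {host: exposed}.

    `probe` is injectable (assumption of this example) so the reporting
    logic can be exercised offline with a stand-in probe.
    """
    host_list = list(hosts)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda h: probe(h, port), host_list)
    return dict(zip(host_list, results))


def exposure_report(results: Dict[str, bool]) -> List[str]:
    """Return the exposed hosts sorted by address, for the firewall and log-review follow-up."""
    exposed = [h for h, is_exposed in results.items() if is_exposed]
    return sorted(exposed, key=ipaddress.ip_address)


if __name__ == "__main__":
    scan = find_exposed(expand_ranges(EXTERNAL_RANGES))
    exposed_hosts = exposure_report(scan)
    if exposed_hosts:
        print("Hosts accepting TCP/445 from outside; block at the firewall and review their logs:")
        for host in exposed_hosts:
            print("  ", host)
    else:
        print("No host in the scanned ranges accepts TCP/445.")
```

Each host the report lists is a candidate for the firewall change in the first action and the log review in the second; re-running the script after the firewall change confirms the exposure is gone. The probe only completes a TCP handshake and sends no SMB traffic, so it is safe to schedule on a regular basis against your own ranges.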
We would also recommend the following mid- to long-term actions:
- Ensure that you have a robust Patch Management process in place to allow timely application of updates.
- Ensure all non-vital ports are inaccessible externally across the technology environment.
- Prepare a plan to upgrade unsupported OSes as soon as possible.
Organisations should ensure that strong detection controls are in place to discover unexpected or malicious activity in the internal network and design the network to make it harder for an attacker to move laterally from one part of the network to another without detection.
Senior Information Security Consultant and Team Leader