
WannaCry? This is just the beginning...

2025-03-30 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

I didn't expect that a short piece written in a hurry could pass 4,000 reads so quickly. Suddenly riding on the popularity of an internet-celebrity virus feels a little unfamiliar.

So I want to take some time to write something a little deeper. After all, in my opinion, this outbreak is just the beginning.

Before I begin, a brief statement of interests: I have been a Microsoft MVP in 8 areas since 2004, but I have no financial ties to Microsoft; I am not a security professional, my main experience being in infrastructure, cloud and virtualization, and IT management; later I will mention products or solutions of the company I work for, which is my own choice. All references in this article are provided "as is" (AS IS), and copyright belongs to the original authors. I do not guarantee that all views are correct; they are for reference only.

Origin

Let's first take a look at the pedigree of the virus. Encrypting ransomware has been around for a long time. Although I have left the front line of IT management, I remember that the first ransomware outbreak was the year before last or last year, when I saw the alert forwarded on WeChat Moments by my old colleague at Kaspersky. Because it spread mainly through traditional methods, such as mail, links and storage media, it didn't arouse much interest in me. I simply started backing up my working files with SyncToy; I was more worried about the SSD in my computer failing than about the virus.

And then, last August? Around this time? The Shadow Brokers claimed to have obtained a number of exploits from the NSA TAO team, which had existed for a long time and were extremely powerful.

You can refer to some links:

The Shadow Brokers:

Https://en.wikipedia.org/wiki/The_Shadow_Brokers

NSA Equation Group hacking tools leak:

Https://arstechnica.com/security/2016/08/hints-suggest-an-insider-helped-the-nsa-equation-group-hacking-tools-leak/

Http://www.reuters.com/article/us-intelligence-nsa-commentary-idUSKCN10X01P

With such sharp weapons in hand, how could they not be used? In April this year, these weapons began to be released and put up for sale.

'NSA malware' released by Shadow Brokers hacker group

Http://www.bbc.com/news/technology-39553241

So, in addition to the well-known EternalBlue, what other weapons were released? The old driver is starting the car, please sit tight and hold on.

ETERNALROMANCE - Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
ETERNALCHAMPION, ETERNALSYSTEM - Remote exploit up to Windows 8 and 2012
ETERNALBLUE - Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
EXPLODINGCAN - Remote IIS 6.0 exploit for Windows 2003
EWOKFRENZY - Lotus Domino 6.5.4 and 7.0.2 exploit
ETERNALSYNERGY - Windows 8 and Windows Server 2012
FUZZBUNCH - Exploit Framework (Similar to Metasploit) for the exploits.

A separate analysis by researcher Kevin Beaumont found three zerodays affecting Windows systems. They are Esteemaudit-2.1.0.exe, a Remote Desktop exploit that installs an implant on Windows Server 2003 and XP; Eternalchampion-2.0.0.exe, which also works against SMB; and the previously mentioned Eternalblue. Beaumont found four other exploits that he believes may be zerodays, including Eskimoroll-1.1.1.exe, a Kerberos attack targeting domain controllers running Windows Server 2000, 2003, 2008 and 2008 R2; Eternalromance-1.3.0.exe, Eternalromance-1.4.0.exe, an update of Eternalromance-1.3.0.exe; and Eternalsynergy-1.0.1.exe, a remote code-execution attack against SMBv3.

With the exception of Esteemaudit, the exploits should be blocked by most firewalls. And best practices call for remote desktop connections to require use of a virtual private network, a practice that should make the Esteemaudit exploit ineffective. Microsoft also recommends that organizations disable SMBv1, unless they absolutely need to hang on to it for compatibility reasons, which may block Eternalblue. That means organizations that are following best practices are likely safe from external attacks using these exploits. There's no indication any of the exploits work on Windows 10 and Windows Server 2016, although it's possible the exploits could be modified to work on these operating systems.

The article quoted above was published on 2017-04-15, after Microsoft's patch had been released. The full text is here:

Https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

It can be said that it is the combination of these strategic exploit tools that enabled WannaCry and its variants to spread so aggressively.

Did Microsoft sit idle in the face of these 0-day tools? Please refer to:

Https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/

Action

As IT industry employees, the most direct action must be to understand the situation as early as possible, seize every second to plug the holes, and try to recover losses for users. How to defend quickly was briefly introduced in the previous blog post, so I won't repeat it. After waking up, we also need a little time to think about why a seemingly secure architecture is so fragile in the face of such a situation.

One of the biggest reasons is indifference to patching. It's understandable that users don't understand; for an IT practitioner, ignoring patches is a little less acceptable. In fact, Microsoft had already released patches for most of the tools, including several 0-day tools, for example MS17-010:

Code Name          Solution
"EternalBlue"      Addressed by MS17-010
"EmeraldThread"    Addressed by MS10-061
"EternalChampion"  Addressed by CVE-2017-0146 & CVE-2017-0147
"ErraticGopher"    Addressed prior to the release of Windows Vista
"EskimoRoll"       Addressed by MS14-068
"EternalRomance"   Addressed by MS17-010
"EducatedScholar"  Addressed by MS09-050
"EternalSynergy"   Addressed by MS17-010
"EclipsedWing"     Addressed by MS08-067

It needs to be said that the virus is bound to produce new variants, so defense is not finished once MS17-010 is applied. Do not guard only against the latest vulnerabilities while ignoring the ones that already have patches.

And, again,

1. Patch. Patch as soon as possible, whether by WSUS, SCCM, Group Policy installation, script installation or even manual installation. For enterprises I recommend WSUS, which is simple and easy and avoids the difficulty of downloading too many patches from the official website, as has happened recently.

2. Don't blindly follow the so-called expert advice to close ports. Many users have experienced application failures and system anomalies after blocking ports. When you don't know what the impact is, remember to proceed with caution.

3. Don't listen to the 0-day responses that some unscrupulous vendors claim. What were they doing earlier? Have they tested the attack code? Have they reminded users to defend themselves since March? Apart from the patches on Microsoft's official website, do not use patches from unknown sources. Who knows what's in them? Some users' systems could not boot after patching.
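As an added example (not a script from the original post), the following PowerShell audit turns points 1 and 2 into something an administrator can run on each host: it reports whether an MS17-010 package is installed, whether SMBv1 is still enabled, and whether TCP 445 is listening, and it only disables SMBv1 when explicitly asked, in keeping with the advice above not to block ports blindly. The KB list is an assumption of this example, taken from the MS17-010 bulletin as I remember it; verify it against the bulletin for each OS before relying on it.

```powershell
# Added example, not part of the original article.
# Audits one Windows host for MS17-010 patch state and SMBv1 exposure.
# Run from an elevated PowerShell prompt.
param(
    # ASSUMPTION: KB IDs that shipped MS17-010 per OS; check the bulletin for your build.
    [string[]]$Ms17010Kbs = @('KB4012212','KB4012215',   # Windows 7 / Server 2008 R2
                              'KB4012213','KB4012216',   # Windows 8.1 / Server 2012 R2
                              'KB4012214','KB4012217',   # Server 2012
                              'KB4012598'),              # XP / Vista / Server 2003 / 2008
    [switch]$DisableSmb1
)

$os = Get-CimInstance Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) ($($os.Version))"

# 1. Patch state. Get-HotFix reads Win32_QuickFixEngineering, so a later
#    cumulative update that supersedes MS17-010 will NOT show these IDs;
#    absence here is a prompt to check the build number, not proof of exposure.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB listed. On Windows 10 / Server 2016 a later cumulative update contains the fix; compare the installed build with the bulletin."
}

# 2. SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smb) {
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 is ENABLED on the server side"
    } else {
        Write-Host "SMBv1 is disabled (server side)"
    }
} else {
    # Windows 7 / Server 2008 R2: Microsoft documents the LanmanServer SMB1 DWORD (0 = disabled).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($val -eq 0) {
        Write-Host "SMBv1 disabled via registry"
    } else {
        Write-Warning "SMBv1 not explicitly disabled (SMB1 registry value: '$val')"
    }
}

# 3. Exposure. A listening 445 is normal for file servers; what matters is the
#    firewall scope, so this only reports and never changes firewall rules.
$listen445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen445) {
    Write-Host "TCP 445 is listening; confirm the firewall limits it to trusted networks"
}

# 4. Remediation only on request, and only where the cmdlet supports it.
if ($DisableSmb1 -and $smb -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server protocol disabled; some builds need a reboot for this to take effect"
}
```

Run it without switches first across a sample of desktops and file servers; the output is what you would feed back into the WSUS or SCCM report to find the machines that show as "patched" in the console but are not.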

These measures are not enough; we need to keep thinking about the architecture and how we should deal with this kind of attack.

First, understand the risk. In addition to the previous introduction, there is a picture from Citrix Blog to help you understand:

Https://www.citrix.com/blogs/2017/05/16/wannacry-why-citrix-customers-are-not-crying-today/

A WannaCry attack has three steps, and the architecture should address each of them.

The first step is infection.

No matter how the virus code arrives, by e-mail, links, or remote execution through a system vulnerability, the virus needs to run locally before it can continue its destructive action. Therefore, preventing it from running locally, or plugging the holes so that it cannot run, is what we want to achieve in the infection phase.

Patch. Patching is always a painful thing for administrators, because you can't control when all PCs are patched or whether they actually are. Even with WSUS, or even SCCM, there is no guarantee of 100%. Therefore, the most suitable secure desktop is the standard desktop. As a TC who has worked on terminal management projects for many years, from traditional PC Ghost imaging to WDS, WinPE and SCCM OSD, and then to VDI, I can say that desktop support staff will never escape the nightmare unless the desktop is a pooled standard desktop. With the development of technology, most of users' personalization needs can be met through profile management, personal disks (PvD), AppLayer and similar technologies. For diverse application requirements, flexibility can be achieved through virtual desktops and virtual applications. My view is that an enterprise work desktop should not casually grant administrator permissions. If there really are a few individual installation requirements, they can be handled through RunAs-based gadgets; for example, I wrote one a long time ago:

The administrator encrypts the command line that the user needs to run together with the administrator's user name and password.

Once the command line is encrypted, there is no need to worry about disclosure of the administrator password. The bundle can only be used to run the command line the administrator has approved. The example above opens an IE window to access Bing.com. One caveat: because the client must decrypt the bundle in order to call RunAs, the key necessarily exists on the client, so this protects the password against casual disclosure rather than against a determined local user.

Therefore, it is highly recommended to use a single image to centrally upgrade all desktops, that is, pooled desktops. Especially with PVS, once the template is updated, all desktops are updated within minutes. In the martial-arts world, only speed cannot be beaten.

Anti-virus. Whether the desktop runs on a physical machine or a virtual machine, exposed to the external network or on the intranet, antivirus work is always needed; one need not look far for a lesson. Traditional antivirus is very inefficient on virtual desktops, because centralized updates and scans often consume all system resources. At the very least, stagger the intervals between batch updates and scans. There is now also so-called agentless antivirus, which scans the data of virtualized IO. A better approach is to scan at the virtualization layer: once risky code is loaded into memory, no matter which virtual machine it is in, the hypervisor directly forbids it to run. The new version of XenServer provides interfaces for this, and some domestic manufacturers now have corresponding antivirus products. For details, visit the Citrix website or contact pre-sales by phone.

The second step is contagion.

A virus that cannot spread is not a good virus. Ha ha. The common ways viruses spread are removable storage media, email attachments, malicious links and the network. Let's see whether some work can be done at the architecture level.

File copy. The virtual desktop protocol should have policy control over local storage redirection and file transfer, so that clients can be restricted from copying files directly to the intranet desktop whenever needed. Traditionally, if you allow file transfer and scan on every desktop, it is difficult to ensure that all desktops update their protection software in a timely manner and maintain a unified security baseline. A workaround is to publish the file manager as a virtual application and apply strict virus protection and scanning on the server it runs on. As the number of possible entry points for files is reduced, it becomes relatively simple to keep the protection software updated and managed.

Email attachments and malicious links. It is perfectly possible to move email access and browsers off the desktop. For the same reasons as above, reducing the number of systems exposed to the same risk reduces the number of possible infections. For example, with 1000 desktop users who all use email clients and browsers to visit potentially risky websites, there are 1000 systems that could be infected and need protection. If you switch instead to a virtual application, and assume one virtual server serves 50 users, then protection only needs to cover 20 virtual application servers. More importantly, secure email access servers and secure browsers can be network-isolated. For an enterprise this is easy to realize, whether it is an application that needs access to a high-security network published to desktops on a low-security network, or an application that needs access to a low-security network published to desktops on a high-security network. You no longer need two PCs or two network cards with switches. This architecture is already here: virtual desktops nesting virtual applications, with the flexibility to respond to requirements through standard deployment without losing security.

Network attack. At the network level I just want to make two points. Although virtualization platforms can implement ACLs and QoS through virtual switches, it is really not recommended to close ports without understanding the impact; there are countless painful cases for reference. And the most important question is, is it safe? For me, of course it's not. VPN is a very simple and cheap way of remote access, but when connected to the intranet, a hard-to-control client bypasses the firewall and connects straight to the secure intranet. Yes, a quarantine zone can be used at network access time to determine whether antivirus and patch updates meet requirements, but it is not as good as allowing only one-way access to a single application.

For example, NetScaler's proxy access to the ICA protocol: apart from Receiver, systems and applications on the client device cannot access resources located on the intranet. In this way, the network path from a VPN-connected client is eliminated.

The third step is destruction.

The ultimate goal of all viruses and malicious code is to destroy and/or profit. For the WannaCry ransomware, the goal is simple: encrypt valuable files and require users to pay a bitcoin ransom, for profit and fame. How do we minimize the impact of possible losses at the architecture level? For documents, I think this splits into two topics: storage and sharing.

File storage. In line with virtual desktop best practices, it is recommended that the operating system, applications and data be separated as much as possible to achieve maximum flexibility and manageability. As mentioned earlier, PC-like virtual desktops are difficult to manage centrally. On the one hand, data is scattered across every desktop, so centralized scanning and security management are difficult, and a lot of storage is wasted on duplicates. On the other hand, scattered data is almost impossible to back up.

Therefore, it is recommended to split user data away from the desktop, using user profile redirection, network drives and quota management, and even user data layering with CPM and AppLayer. Personal disks are not recommended: although storage deduplication helps, they still make it hard to save storage and to manage. As for the storage location, besides a file server you can also use NAS. In this way, user data can be centrally stored and managed, which makes centralized antivirus and backup convenient. Just imagine: after being hit, you update the file server's antivirus and patches as soon as possible to stop the virus from continuing to spread through file shares. Regular file backups do not cost too much storage space, but they allow recovery when the real files are held hostage.

File sharing. Because this virus exploits the SMBv1 vulnerability in CIFS/SMB file sharing, it forces us to think about data sharing among users. Is it possible to introduce other file sharing methods, such as WebDAV or an enterprise network drive? Citrix's ShareFile is currently in the leaders' quadrant for file sharing products. File sharing no longer transfers files between clients; instead files are fetched from the server via links with credentials, with corresponding permissions and controls.

To sum up, by adjusting the existing desktop architecture and using an appropriate solution, both the probability of a successful attack and the losses can be greatly reduced. As a matter of fact, up to now I have not received any notification of losses caused by WannaCry attacks from customers using a suitable virtual desktop solution; more people report system and user problems caused by the hasty closure of ports.

Users of virtual desktops based on open source development need to be reminded to fix the vulnerability in a timely manner. As far as I know, many virtual desktop solutions that claim to be autonomous and controllable are based on KVM plus an early version of RDP. The emergence of attacks on virtual desktops through vulnerabilities in early RDP protocol versions is not a pipe dream. Just as we argue about why these viruses don't go after Mac systems, I think it only depends on how much benefit can be gained.

Maybe, as Citrix's blog said, "Our customers are not crying today." The purpose of writing this article is very simple, in a word:

I don't Wanna you Cry. I hope all the tears in the world are tears of joy.
