The WannaCry journey from a SOC point of view – internal sinkholing of killswitch servers

[ see also: The WannaCry journey from a SOC point of view ]

In the previous post I described how our Security Operation Center managed the WannaCry news.

We also made a lot of side activities in the past hours and one of these was to implement an internal sinkholing of the killswitch servers in case some clients where infected; with a working local sinkholing we where able to avoid the ransomware spreading in case of infection.

Killswitch for WonnaCry ransomware
Killswitch for WonnaCry ransomware

How? Let me explain.

Continue reading “The WannaCry journey from a SOC point of view – internal sinkholing of killswitch servers”

The WannaCry journey from a SOC point of view

#WCry at University of Milano-Bicocca
#WCry at University of Milano-Bicocca

[ see also: how and why we implemented local sinkholed killswitch servers ]

In the past hours a new ransomware called WannaCry (or WCry or WannaCrypt0) spread very fast on Internet and targeted a lot of public and private organizations. The ransomware make use of public exploits related to the last Shadow Brokers leak, in particular MS17-010 vulnerability that was fixed by Microsoft on March 14 (2 months ago). You can read very good tech posts here, here, here and here and I suggest you also to follow on twitter Hacker Fantastic and  Malware Tech.

Here I try to summarize my approach to the news, mainly highlighting what we did  in my company in the past months and how we monitored WCry from our SOC (Security Operation Center).

There was (and there is also now) a lot of hysteria, but for people like me that work in a SOC this is not an acceptable mood; you need to relax, really understand what’s happening and verify that what you did before is enough and, if not, apply emergency countermeasures. Continue reading “The WannaCry journey from a SOC point of view”

SNORT rules Advanced Parser for pulledpork

Lone Hacker in Wharehouse by Brian Klug
Lone Hacker in Wharehouse by Brian Klug

Security Onion is an Ubuntu based distribution created to handle a lot of Security task.

One of the security tool installed is SNORT, the best open source Intrusion Detection System (IDS). Security Onion use Pulledpork to get IDS rules and process them.

I wrote a perl script to make advanced modification to the downloaded SNORT rules. This script can handle rule transformation based on regular expression and multiple substitution patterns. Continue reading “SNORT rules Advanced Parser for pulledpork”

Launching Nessus scans inside Metasploit

Network by Rosmarie Voegtli from Flickr
Network by Rosmarie Voegtli

[UPDATE Feb 24th 2018: tenable disabled the API to execute remote scan since version 7 so keep in mind that if you use nessus>7 this won’t work]

Metasploit is my favorite tool while I do Pen Test and Secuirty Checks. I use also Nessus for Vulnerability Assessment and integrate Nessus and Metasploit is a must.

Follow a short guide on how to launch Nessus from Metasploit (for reference, I used NESSUS 6.5 and Metasploit PRO but also Community Edition should be ok).

Continue reading “Launching Nessus scans inside Metasploit”