Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose

2017-06-07T14:57:05
ID RAPID7COMMUNITY:3EEFED2F93F50D3C56A51C03A7A3513D
Type rapid7community
Reporter Nathan Palanov
Modified 2017-06-07T14:57:05

Description

<!-- [DocumentBodyStart:671843e7-7237-482e-9c1c-b149f122c46e] --><div class="jive-rendered-content"><p><span style="color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;"><strong>Update 5/18/17: The EternalBlue exploit (used in the WannaCry attack) is now available in Metasploit for testing your compensating controls and validating remediations. More info: <a class="jive-link-blog-small" data-containerId="1001" data-containerType="37" data-objectId="7880" data-objectType="38" href="https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue">EternalBlue: Metasploit Module for MS17-010</a>. Steps 5 and 6 have also been removed from the scan instructions, as they were not strictly necessary and were causing issues for some customers.</strong></span></p><p><span style="color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;"><strong>Update 5/17/17: Unauthenticated remote checks have now been provided. </strong></span><span style="color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;"><strong>For hosts that are locked down to prevent null or guest access, an authenticated remote check has also been provided.</strong></span></p><p><span style="color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;"><strong>The pre-existing instructions below will enable the remote checks on creation of the template.</strong></span></p><p><span style="color: black; font-size: 12pt; font-family: arial, helvetica, sans-serif;"><strong>Update 6/7/17: Fixed a small error in the dynamic asset group/dashboard section. 
We also now have a pre-built WannaCry dashboard in InsightVM</strong></span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">Today, security teams are starting their work week with a scramble to remediate MS17-010, in order to prevent the associated <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor" target="_blank">ransomware attack, WannaCry</a>, also known as Wanna Decryptor, WNCRY, and Wanna Decryptor 2.0 (how I miss the halcyon days when vulnerabilities had gentle names like Poodle). </span></p><p style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">With all of the WannaCry information circulating, we want to keep this simple. First, check out this link to an <a class="jive-link-blog-small" data-containerId="5165" data-containerType="37" data-objectId="7869" data-objectType="38" href="https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained">overview of the WannaCry ransomware vulnerability</a> written by <a class="jive-link-profile-small jiveTT-hover-user" data-containerId="-1" data-containerType="-1" data-objectId="29826" data-objectType="3" href="https://community.rapid7.com/people/hrbrmstr">Bob Rudis</a></span><span style="font-size: 11pt; font-family: Arial; color: #000000;">, and then review the steps below to quickly scan for this vulnerability in your own infrastructure (if you aren’t already a customer, go </span><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F" target="_blank"><span style="font-size: 11pt; font-family: Arial; color: #1155cc;">try out InsightVM for 
free</span></a><span style="font-size: 11pt; font-family: Arial; color: #000000;">; you can use this free trial to scan for this vulnerability across your environment), create a dynamic asset group to continuously see affected assets, and create a dynamic remediation project to track the progress of remediating WannaCry.</span></p><p style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:</span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">1. Under the Administration tab, go to Templates > Manage Templates</span></p><p><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66939/pastedImage_11.png"><img class="image-1 jive-image" height="276" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66939/754-276/pastedImage_11.png" style=" width: 754.425px;" width="754"/></a></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">2. Copy the following template: Full Audit enhanced logging without Web Spider. 
Don’t forget to give your copy a name and description; here, we’ll call it “WNCRY Scan Template”.</span></p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;"><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66940/pastedImage_12.png"><img class="image-2 jive-image" height="299" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66940/758-299/pastedImage_12.png" style="width:758px; height: 301.367px;" width="758"/></a></span></p><p dir="ltr"><span><span><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66944/pastedImage_13.png"><img class="image-3 jive-image" height="275" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66944/758-275/pastedImage_13.png" style=" width: 798.319px;" width="758"/></a></span></span><span><span><br/></span></span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">3. Click on Vulnerability Checks and then “By Individual Check”</span></p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;"><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66945/pastedImage_14.png"><img class="jive-image image-4" height="322" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66945/758-322/pastedImage_14.png" style=" width: 867.529px;" width="758"/></a></span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">4. 
Add Check “<a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010" target="_blank">MS17-010</a>” and click save:</span></p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;"><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66946/pastedImage_15.png"><img class="image-5 jive-image" height="275" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66946/758-275/pastedImage_15.png" style=" width:758px;" width="758"/></a></span></p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">This should come back with 192 checks that are related to MS17-010. The related CVEs are:</span></p><p dir="ltr" style="margin-top: 8pt; margin-left: 36pt;"><span style="font-size: 10.5pt; font-family: Arial; color: #333333;"><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143" target="_blank">CVE-2017-0143</a></span></p><p dir="ltr" style="margin-top: 8pt; margin-left: 36pt;"><span style="font-size: 10.5pt; font-family: Arial; color: #333333;"><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144" target="_blank">CVE-2017-0144</a></span></p><p dir="ltr" style="margin-top: 8pt; margin-left: 36pt;"><span style="font-size: 10.5pt; font-family: Arial; color: #333333;"><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145" target="_blank">CVE-2017-0145</a></span></p><p dir="ltr" style="margin-top: 8pt; margin-left: 36pt;"><span style="font-size: 10.5pt; font-family: Arial; color: #333333;"><a class="jive-link-external-small" 
href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146" target="_blank">CVE-2017-0146</a></span></p><p dir="ltr" style="margin-top: 8pt; margin-left: 36pt;"><span style="font-size: 10.5pt; font-family: Arial; color: #333333;"><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147" target="_blank">CVE-2017-0147</a></span></p><p dir="ltr" style="margin-top: 8pt; margin-left: 36pt;"><span style="font-size: 10.5pt; font-family: Arial; color: #333333;"><a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148" target="_blank">CVE-2017-0148</a></span></p><p style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">5. Save the template and run a scan to identify all assets with MS17-010.</span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><h2><span style="font-size: 18pt;">Creating a Dynamic Asset Group for MS17-010</span></h2><p><span style="font-size: 12pt;">Now that your assets are scanned, you may want to create a Dynamic Asset Group that you can report on and tag, and that updates itself whenever new assets are found with this vulnerability (and when they are fixed). 
To get started, click on the filter icon in the top right of the <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F" target="_blank">InsightVM</a> console, just under the search button:<br/></span></p><p><span style="font-size: 12pt;"><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66963/pastedImage_34.png"><img class="image-13 jive-image" height="118" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66963/468-118/pastedImage_34.png" style=" width: 468.099px;" width="468"/></a></span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 12pt; font-family: Arial; color: #000000;">Now, use the "CVE ID" filter to specify the CVEs listed in step 4 above (CVE-2017-0143 through CVE-2017-0148):</span></p><p dir="ltr">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</p><p dir="ltr"><a href="https://files.slack.com/files-pri/T3V1ZDQHM-F5Q3XUAF6/pasted_image_at_2017_06_07_07_29_am.png"><img class="jive-image" height="260" src="https://files.slack.com/files-pri/T3V1ZDQHM-F5Q3XUAF6/pasted_image_at_2017_06_07_07_29_am.png" style="height: 280px; width: 815px;" width="758"/></a></p><h2 dir="ltr">Creating a WannaCry Dashboard</h2><p dir="ltr"><span style="font-size: 11.5pt; font-family: Arial; color: #303030;">Recently, Ken Mizota posted an article on how to build a custom dashboard to </span><a class="jive-link-blog-small" data-containerId="1004" data-containerType="37" data-objectId="7855" data-objectType="38" href="https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits"><span style="font-size: 11.5pt; font-family: Arial; color: #3f98d4;">track your exposure to exploits from the Shadow Brokers leak</span></a><span style="font-size: 11.5pt; font-family: Arial; color: #303030;">. 
If you already did that, you're good to go! If you want to be specific to WannaCry, you can use this Dashboard filter (one term per MS17-010 CVE, joined with OR):</span></p><p><span style="background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: Calibri;">asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0146" OR asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148"</span></p><p style="min-height: 8pt; padding: 0px;"> </p><h2>Creating a SQL Query Export</h2><p>@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: <a class="jive-link-thread-small" data-containerId="2004" data-containerType="14" data-objectId="9963" data-objectType="1" href="https://community.rapid7.com/thread/9963">WannaCry - Scanning & Reporting</a></p><p style="min-height: 8pt; padding: 0px;"> </p><h2>Creating a Remediation Project for MS17-010</h2><p>In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. 
To do this, go to the “Projects” tab and click “Create a Project”:</p><p dir="ltr"><span><span><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66955/pastedImage_28.png"><img class="image-11 jive-image" height="174" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66955/758-174/pastedImage_28.png" style=" width: 988.531px;" width="758"/></a></span></span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">Give the project a name, and under the vulnerability filter type in: vulnerability.alternateIds <=> ( altId = "ms17-010" )</span></p><p><a href="https://community.rapid7.com/servlet/JiveServlet/showImage/38-7866-66977/pastedImage_2.png"><img class="image-15 jive-image" height="473" src="https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7866-66977/758-473/pastedImage_2.png" style=" width: 767.39px;" width="758"/></a></p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. </span></p><p style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.</span></p><p style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">Using these steps, you’ll be able to quickly scan for the WannaCry vulnerability as well as ensure that the vulns are being remediated. 
If you have any questions please don’t hesitate to let us know!</span></p><p dir="ltr" style="min-height: 8pt; padding: 0px;"> </p><p dir="ltr"><span style="font-size: 11pt; font-family: Arial; color: #000000;">For more information and resources on WannaCry and ransomware, please visit this <a class="jive-link-external-small" href="https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F" target="_blank">page</a>. </span></p></div><!-- [DocumentBodyEnd:671843e7-7237-482e-9c1c-b149f122c46e] -->
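<p>The "Creating a SQL Query Export" section above links to a discussion thread rather than showing a query. The following is an added example, not code from the original post or from the linked thread, of a SQL Query Export that lists every asset with a current MS17-010 finding, keyed on the same six CVE references the post lists (and, as a second route, on the MS17-010 alternate ID that the remediation project filter uses). The table and column names (dim_asset, dim_vulnerability, dim_vulnerability_reference, fact_asset_vulnerability_finding and their columns) are assumptions based on the InsightVM/Nexpose reporting data model; check them against the data model reference for your console version before running the export.</p>

```sql
-- Added example, not from the original post or the linked thread.
-- ASSUMED reporting data model tables (verify against your console's data model reference):
--   dim_asset(asset_id, ip_address, host_name)
--   dim_vulnerability(vulnerability_id, nexpose_id, title)
--   dim_vulnerability_reference(vulnerability_id, source, reference)
--   fact_asset_vulnerability_finding(asset_id, vulnerability_id, vulnerability_instances)
-- The console database is PostgreSQL, so string_agg() is available.

-- Vulnerabilities that reference an MS17-010 CVE (the six CVEs the post lists),
-- or that carry the MS17-010 bulletin as an alternate ID.
WITH ms17_010_vulns AS (
    SELECT DISTINCT r.vulnerability_id
    FROM dim_vulnerability_reference r
    WHERE (r.source = 'CVE'
           AND upper(r.reference) IN (
               'CVE-2017-0143', 'CVE-2017-0144', 'CVE-2017-0145',
               'CVE-2017-0146', 'CVE-2017-0147', 'CVE-2017-0148'))
       OR (r.source = 'MS' AND upper(r.reference) = 'MS17-010')
)
-- One row per affected asset and vulnerability, with the CVEs it maps to.
SELECT
    a.ip_address,
    a.host_name,
    v.nexpose_id,
    v.title,
    string_agg(DISTINCT upper(cve.reference), ', ') AS cves,
    sum(f.vulnerability_instances)                  AS instances
FROM fact_asset_vulnerability_finding f
JOIN ms17_010_vulns m            ON m.vulnerability_id = f.vulnerability_id
JOIN dim_asset a                 ON a.asset_id = f.asset_id
JOIN dim_vulnerability v         ON v.vulnerability_id = f.vulnerability_id
LEFT JOIN dim_vulnerability_reference cve
       ON cve.vulnerability_id = f.vulnerability_id AND cve.source = 'CVE'
GROUP BY a.ip_address, a.host_name, v.nexpose_id, v.title
ORDER BY a.ip_address, v.nexpose_id;

-- Remediation-progress summary: number of assets still carrying any MS17-010 finding.
-- Because the fact table holds current findings, this count drops as hosts are patched
-- and rescanned, which is the same behaviour the dynamic remediation project relies on.
SELECT count(DISTINCT f.asset_id) AS affected_assets
FROM fact_asset_vulnerability_finding f
WHERE f.vulnerability_id IN (
    SELECT r.vulnerability_id
    FROM dim_vulnerability_reference r
    WHERE (r.source = 'CVE'
           AND upper(r.reference) IN (
               'CVE-2017-0143', 'CVE-2017-0144', 'CVE-2017-0145',
               'CVE-2017-0146', 'CVE-2017-0147', 'CVE-2017-0148'))
       OR (r.source = 'MS' AND upper(r.reference) = 'MS17-010')
);
```

<p>Matching on the CVE reference table rather than on the vulnerability title is more robust than the dashboard's title-based CONTAINS filter, because it does not depend on the CVE string appearing in the check's title. Paste the first statement into a SQL Query Export report for the per-asset list, and the second for a single number you can track over time; the SQL export runs each statement as its own report, so keep them as separate exports if you need both.</p>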