Micro-segmentation with VMware NSX compartmentalizes the data center to contain the lateral spread of ransomware attacks such as WannaCry
On May 12 2017, reports began to appear of the WannaCry malware attacking organizations worldwide in one of the largest ransomware cyber incidents to date. The European Union Agency for Law Enforcement Cooperation (Europol) has reported more than 200,000 attacks in over 150 countries and in 27, with the full scope of the attack yet to be determined. Victims include organizations from all verticals.
WannaCry targets Microsoft Windows machines, seizing control of computer systems through a critical vulnerability in Windows SMB. It also utilizes RDP as an attack vector for propagation. It encrypts seized systems and demands a ransom be paid before decrypting the system and giving back control. The threat propagates laterally to other systems on the network via SMB or RDP and then repeats the process. An initial analysis of WannaCry by the US Computer Emergency Readiness Team (US-CERT) can be found here, with a detailed analysis from Malwarebytes here.
One foundational aspect of increasing cybersecurity hygiene in an organization to help mitigate such attacks from proliferating is enabling a least privilege (zero trust) model by embedding security directly into the data center network. The core concept of zero trust is to only allow for necessary communication between systems using a stateful firewall, assuming all network traffic is untrusted. This dramatically reduces the attack surface area.
VMware NSX micro-segmentation provides this intrinsic level of security to effectively compartmentalize the data center to contain the lateral spread of ransomware attacks such as WannaCry.
In this blog, we will focus on how NSX can help:
- Contain the spread of the malware such as WannaCry
- Provide visibility into on-going attacks
- Identify systems that are still infected
- Mitigate future risk through a micro-segmentation approach
Stages of the WannaCry cyber attack
Before we provide our attack mitigation recommendations, let us review the WannaCry ransomware attack lifecycle.
WannaCry uses the EternalBlue exploit that was leaked from the NSA to exploit the MS17-010 vulnerability in Windows. WannaCry then encrypts data on the system including office files, emails, databases, and source code, as well as network shares, using RSA-2048 encryption keys with AES-128 encryption that are extremely difficult to break with current technology. WannaCry ends the “weaponization” stage by posting a message to the user demanding $300 in bitcoin as a ransom in order to decrypt the data.
- Installation / Exploitation / Encryption / Command and Control:
WannaCry cycles through every open RDP session, since it is also a worm that carries the malware payload, drops itself onto systems and spreads itself. As soon as the ransomware is dropped, it tries to connect to a command and control URL to seize control and encrypt the system. The code has both direct and proxy access to the internet. The next step for the worm is to install a service called “mssecsvc2.0” with the display name “Microsoft Security Center (2.0) service”. The worm loads the crypto module when the service is installed and proceeds to encrypt the system.
WannaCry enters through email phishing or other means of breaching the network perimeter, scans all of the systems on the network and spreads laterally from vulnerable system to vulnerable system. Scans are not restricted to systems actively communicating but also cover IP addresses obtained via multicast traffic, unicast traffic, and DNS traffic. Once WannaCry obtains a list of IPs to target, it probes port 445 with a randomly generated spoofed source IP address. If the connection on port 445 of a vulnerable system is successful, WannaCry proceeds to infect and encrypt the system. Additionally, it scans the entire /24 subnet of the system (10 IP addresses at a time), probing for additional vulnerable systems.
Preventing the attack with VMware NSX
NSX can be used to implement micro-segmentation to compartmentalize the data center, containing the lateral spread of ransomware attacks such as WannaCry and achieving a zero trust network security model.
The following are recommendations in order of priority, to create a micro-segmented environment that can interrupt the WannaCry attack lifecycle.
- Monitor traffic on port 445 with the NSX distributed firewall. This provides visibility into SMB traffic, which may include attack traffic or attempts. Whether the rule action is Allow or Block, logs from NSX can be correlated or analyzed in a SIEM, log analyzer or network behavior analyzer to determine which endpoints are infected.
- Enable environmental re-direction rules in NSX so that any traffic destined for critical systems is steered to an NSX-integrated IPS solution to detect network indicators of this attack. Even if the perimeter did not detect the malware, east-west traffic within the environment can be analyzed to detect the attack indicators.
- Create an NSX Security Group for all VMs running the Windows Operating System, to identify potentially vulnerable machines. This is really simple to do in NSX as you can group VMs based on attributes like operating system, regardless of their IP address.
- Enable Endpoint Monitoring (NSX 6.3+ feature) on the VMs in the Windows operating system security group to detect mssecsvc2.0. If detected, verify and check which VMs it has started communicating with on port 445.
- Create a distributed firewall rule to immediately block/monitor all traffic with a destination port of 445 on the /24 subnet of any VM found on that list.
- Use Endpoint Monitoring to detect if mssecsvc2.0 is running on systems that are not patched, so that NSX can detect if a new attack starts.
Additional precautions include blocking RDP communication between systems and blocking all desktop-to-desktop communications in VDI environments. With NSX, this level of enforcement can be achieved with a single rule.
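The first recommendation above, monitoring port 445 with the distributed firewall and analyzing the logs, can be turned into a concrete detection. The following is an added example, not code from the original post or from VMware: it parses constructed sample lines in a layout that approximates NSX DFW packet logs (the exact field order is an assumption; adjust the regex to what your NSX version emits), finds sources that sweep many hosts of one /24 on port 445 (the scanning behaviour described in the attack lifecycle), and derives the destination-based block rule from the recommendation list.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample lines approximating the NSX DFW packet-log (dfwpktlogs)
# layout. The field order is an assumption made for this example.
SAMPLE_LOGS = """\
2017-05-15T10:00:01Z esx-01 dfwpktlogs: 1001 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.5/49152->10.10.1.20/445 S
2017-05-15T10:00:01Z esx-01 dfwpktlogs: 1001 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.5/49153->10.10.1.21/445 S
2017-05-15T10:00:01Z esx-01 dfwpktlogs: 1001 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.5/49154->10.10.1.22/445 S
2017-05-15T10:00:02Z esx-01 dfwpktlogs: 1001 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.5/49155->10.10.1.23/445 S
2017-05-15T10:00:02Z esx-01 dfwpktlogs: 1001 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.5/49156->10.10.1.24/445 S
2017-05-15T10:00:02Z esx-02 dfwpktlogs: 1001 INET match DROP domain-c7/1001 IN 60 TCP 10.10.1.5/49157->10.10.1.25/445 S
2017-05-15T10:00:03Z esx-02 dfwpktlogs: 1001 INET match PASS domain-c7/1001 IN 60 TCP 10.10.1.5/49158->10.10.2.7/445 S
2017-05-15T10:00:05Z esx-02 dfwpktlogs: 1002 INET match PASS domain-c7/1002 IN 60 TCP 10.10.1.40/51000->10.10.1.10/445 S
2017-05-15T10:00:06Z esx-02 dfwpktlogs: 1002 INET match PASS domain-c7/1002 IN 60 TCP 10.10.1.40/51001->10.10.1.10/445 S
2017-05-15T10:00:07Z esx-01 dfwpktlogs: 1003 INET match PASS domain-c7/1003 IN 60 TCP 10.10.1.40/51002->10.10.1.11/3389 S
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: \S+ INET match (?P<action>PASS|DROP) "
    r"(?P<rule>\S+) (?P<dir>IN|OUT) \d+ (?P<proto>\w+) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_logs(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def smb_fanout(records, port=445):
    """Map each source IP to the set of destinations it touched on `port`.
    PASS and DROP are counted alike: a dropped probe is still an indicator."""
    fanout = defaultdict(set)
    for r in records:
        if r["proto"] == "TCP" and r["dport"] == port:
            fanout[r["src"]].add(r["dst"])
    return fanout


def suspicious_sources(fanout, threshold=5):
    """Flag sources that reach at least `threshold` distinct hosts on SMB
    inside a single /24: a normal client talks to a few file servers,
    a worm sweeps the subnet."""
    flagged = {}
    for src, dsts in fanout.items():
        per_subnet = defaultdict(set)
        for dst in dsts:
            net = ipaddress.ip_network(f"{dst}/24", strict=False)
            per_subnet[str(net)].add(dst)
        hits = {net: len(ips) for net, ips in per_subnet.items() if len(ips) >= threshold}
        if hits:
            flagged[src] = hits
    return flagged


def containment_rules(flagged):
    """One destination-based DFW block rule per swept /24. The worm spoofs the
    source address of its probes, so a rule keyed on destination subnet and
    port is the durable control; the source IP only says where to look."""
    rules = set()
    for hits in flagged.values():
        for net in hits:
            rules.add(f"DROP TCP any -> {net} dport 445")
    return sorted(rules)


def analyze(text, threshold=5):
    fanout = smb_fanout(parse_logs(text))
    flagged = suspicious_sources(fanout, threshold)
    return flagged, containment_rules(flagged)


if __name__ == "__main__":
    flagged, rules = analyze(SAMPLE_LOGS)
    for src, hits in flagged.items():
        print(f"{src}: swept {hits}")
    for rule in rules:
        print("recommend:", rule)
```

In the constructed sample, 10.10.1.5 touches six hosts of 10.10.1.0/24 on port 445 and is flagged, while 10.10.1.40 only talks to one file server and is not. The threshold of five is a starting point: tune it against the normal SMB fan-out in your environment before feeding the output into a SIEM rule.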
Architecting a secure datacenter using NSX Micro-segmentation
With NSX micro-segmentation, organizations can enable a least privilege, zero trust model in their environment. For environments utilizing NSX, the distributed firewall applies security controls to every vNIC of every VM. This controls communications between all VMs in the environment (even if they are on the same subnet), unlike the traditional firewall model in which flows within a subnet are typically not restricted, allowing malware to spread laterally with ease. With a zero trust architecture enabled by NSX, any non-approved flow will be discarded by default, regardless of what services have been enabled on the VM, and ransomware like WannaCry will not be able to propagate – immediately blunting the amount of damage to data center operations and hence the organization.
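To make the difference between an allow-by-default rule table and a zero trust table concrete, here is an added example that is not part of the original post or of NSX itself. It models first-match evaluation of a distributed-firewall-style rule table over a few constructed flows between hypothetical web, app and db tiers (the tier subnets, ports and rule names are assumptions), and evaluates each flow against both an allow-by-default policy and a zero trust policy built from the recommendations above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "drop"
    src: str = "any"            # CIDR or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    same_subnet: bool = False   # match only when src and dst share a /24

    def matches(self, flow: Flow) -> bool:
        def in_net(ip, spec):
            return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
        if not (in_net(flow.src, self.src) and in_net(flow.dst, self.dst)):
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        if self.same_subnet:
            s = ipaddress.ip_network(f"{flow.src}/24", strict=False)
            d = ipaddress.ip_network(f"{flow.dst}/24", strict=False)
            if s != d:
                return False
        return True


def evaluate(policy, flow):
    """First-match evaluation, as in a DFW rule table: the first matching rule
    decides and the last rule is the default."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.name
    raise ValueError("policy has no default rule")


# Hypothetical tiers: web 10.10.1.0/24, app 10.10.2.0/24, db 10.10.3.0/24.
ALLOW_BY_DEFAULT = [Rule("default-allow", "allow")]

ZERO_TRUST = [
    Rule("web-to-app", "allow", src="10.10.1.0/24", dst="10.10.2.0/24", proto="TCP", dport=8443),
    Rule("app-to-db", "allow", src="10.10.2.0/24", dst="10.10.3.0/24", proto="TCP", dport=1433),
    Rule("block-intra-subnet-smb", "drop", proto="TCP", dport=445, same_subnet=True),
    Rule("block-rdp", "drop", proto="TCP", dport=3389),
    Rule("default-deny", "drop"),
]

# Constructed flows: one approved per tier, then the lateral moves WannaCry relies on.
FLOWS = {
    "web->app 8443": Flow("10.10.1.10", "10.10.2.10", "TCP", 8443),
    "web->web 445": Flow("10.10.1.10", "10.10.1.11", "TCP", 445),
    "app->db 3389": Flow("10.10.2.10", "10.10.3.10", "TCP", 3389),
    "web->db 1433": Flow("10.10.1.10", "10.10.3.10", "TCP", 1433),
}


def compare(flows=FLOWS):
    """Return {flow label: (allow-by-default action, zero-trust action)}."""
    return {label: (evaluate(ALLOW_BY_DEFAULT, f)[0], evaluate(ZERO_TRUST, f)[0])
            for label, f in flows.items()}


if __name__ == "__main__":
    for label, (permissive, zt) in compare().items():
        print(f"{label:16} allow-by-default={permissive:5} zero-trust={zt}")
```

Only the two approved tier flows survive the zero trust table; intra-subnet SMB, RDP and the never-approved web-to-db flow are all dropped, the last one by the default rule alone. That is the point raised in the comments below: the explicit allow rules are what make a default-deny table operable, which is why tooling that derives them from observed flows matters.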
But if users of NSX didn’t have a policy already set to monitor port 445, then how would it have prevented the spread of WannaCry?
How many customers would implement proper firewall policies of ‘denying all’ traffic and creating rules to ‘allow’ approved traffic? Most would deploy to ‘allow all’ and ‘deny’ specific traffic…. In fact I’m sure by default, the DFW configures an allow/any rule….
Thanks for the feedback. Part of the reason for the post is to show the importance of a zero trust, least privilege model that will potentially prevent the spread of WannaCry and other similar ransomware. Proper firewall policies are always needed for good security hygiene, and NSX features such as Application Rule Manager automate creating proper least privilege firewall policies down to granular micro-segments, making the creation of a zero trust model feasible. This in turn will protect east-west traffic commonly exploited by worms such as WannaCry.