ICS Alert

Indicators Associated With WannaCry Ransomware (Update I)

Last Revised
Alert Code
ICS-ALERT-17-135-01I

Description

This updated alert is a follow-up to the updated alert titled ICS-ALERT-17-135-01H Indicators Associated With WannaCry Ransomware that was published May 31, 2017, on the NCCIC/ICS-CERT web site.

SUMMARY

ICS-CERT is referencing US-CERT alert TA17-132A Indicators Associated With WannaCry Ransomware to enhance the awareness of critical infrastructure asset owners/operators and to identify affected product vendors that have contacted ICS-CERT for help disseminating customer notifications/recommendations to mitigate the risk associated with the “WannaCry” ransomware.

In addition to the WannaCry ransomware, there is reporting of other malware exploiting the vulnerabilities in the Windows SMB server, identified in Microsoft Security Bulletin MS17-010. Some of these additional samples of malware identified in the reporting are UIWIX, Adylkuzz, and EternalRocks.

The ransomware UIWIX is reported to be executed in memory and terminates itself if it is able to determine that it is running in a virtual machine or sandbox, making it more challenging to detect and analyze. The Adylkuzz Trojan is malware that consumes resources of infected systems to create a botnet for cryptocurrency mining. EternalRocks is a network worm that spreads through seven exploits and does not have a malicious payload. There is also reporting that the EternalRocks campaign may have ended; however, information about EternalRocks is still useful, as the exploits utilized in this campaign could potentially be used in future campaigns.

The impact of this additional malware has not been fully assessed; however, since these samples appear to exploit vulnerabilities in the Windows SMB server, the mitigation guidance remains the same. These additional threats further emphasize the need to implement effective prevention and protection mechanisms, such as those provided in the US-CERT alert.

The following product vendors have reported that they support products that use Microsoft Windows and have proactively issued customer notifications with recommendations for users (ICS-CERT will update the list of vendors that have released customer notifications as additional information becomes available):

  • ABB:

http://search.abb.com/library/Download.aspx?DocumentID=9AKK106930A9737&Action=Launch

  • Beckman Coulter (select region and country to view):

https://www.beckmancoulter.com/wsrportal/wsr/support/WannaCry-Ransomware-Cyber-attack/index.htm

  • Becton, Dickinson and Company (BD):

http://www.bd.com/aboutbd/productsecurity/wannacry-ransomware.aspx

  • Dräger:

http://static.draeger.com/security

  • Emerson Automation Solutions:

http://www.emerson.com/documents/automation/584888.pdf

  • GE – General Electric:

https://digitalsupport.ge.com/communities/en_US/Article/GE-Security-Bulletin-Regarding-WannaCry

  • Honeywell:

https://www.honeywellprocess.com/en-US/support/Pages/security-updates.aspx

  • Johnson Controls:

http://www.johnsoncontrols.com/productsecurity

  • Johnson & Johnson:

--------- Begin Update I Part 1 of 1 --------

http://www.productsecurity.jnj.com/advisories.html

--------- End Update I Part 1 of 1 ----------

  • Medtronic:

http://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/wannacry-publicstatement-5-17-17.pdf

  • Philips:

http://www.usa.philips.com/healthcare/about/customer-support/product-security

  • Rockwell Automation:

https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1047348

  • Samsung:

http://www.neurologica.com/security-advisory

  • Schneider Electric:

http://www.schneider-electric.com/en/download/document/SEVD-2017-135-01/

  • Siemens:

https://www.siemens.com/cert/pool/cert/siemens_security_bulletin_ssb-412479.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-701903.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-286693.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-774661.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-709509.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-023589.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-354910.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-492736.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-966341.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-161640.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-408571.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-832636.pdf

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-740012.pdf

  • Smiths Medical:

https://www.smiths-medical.com/company-information/news-and-events/news/2017/may/17/wannacry-malware-infection-and-outbreak-statement

  • Spacelabs Healthcare:

https://www.spacelabshealthcare.com/wp-content/uploads/2017/05/WannaCry-Malware-Assessment-and-Compatibility-Statement_23_May_2017.pdf

  • Toshiba Corporation:

http://www.toshiba.co.jp/info/170529_e.htm

  • Toshiba Medical Systems Corporation:

http://www.toshibamedicalsystems.com/news/cyber_attack.htm

  • Tridium:

https://www.tridium.com/~/media/tridium/technical bulletins/2017/ransomware wannacry cyberattack update.ashx

In an effort to support critical infrastructure asset owners/operators, ICS-CERT has published a What is WannaCry/WanaCrypt0r? Fact Sheet.

To assist healthcare providers with mitigation efforts, ICS-CERT offers the following information regarding the patch management of medical devices, which comes directly from the FDA Fact Sheet - FDA’s Role in Medical Device Cybersecurity:

  • Medical device manufacturers can always update a medical device for cybersecurity. In fact, the FDA does not typically need to review changes made to medical devices solely to strengthen cybersecurity.
  • The FDA recognizes that Healthcare Delivery Organizations (HDOs) are responsible for implementing devices on their networks and may need to patch or change devices and/or supporting infrastructure to reduce security risks. Recognizing that changes require risk assessment, the FDA recommends working closely with medical device manufacturers to communicate changes that are necessary.

The FDA has provided recommendations to protect healthcare systems in their Cybersecurity for Medical Devices and Hospital Networks: FDA Safety Communication. The FDA recommends that healthcare providers consider taking the following steps:

  • Restricting unauthorized access to the network and networked medical devices.
  • Making certain appropriate antivirus software and firewalls are up-to-date.
  • Monitoring network activity for unauthorized use.
  • Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services.
  • Developing and evaluating strategies to maintain critical functionality during adverse conditions.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

ICS-CERT also provides a recommended practices page on the ICS-CERT web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

This product is provided subject to this Notification and this Privacy & Use policy.
