Wannacry & Qualys
As you will have read, WannaCry ransomware exploits systems that are missing Microsoft patch MS17-010 and/or the related Shadow Brokers "Eternal" SMB flaws, and it propagates via SMB.
Qualys's detections (QIDs) for vulnerable systems are:
- 53007 IBM Lotus Domino Remote Code Execution – Shadow Brokers (EWORKFRENZY) – Zero Day
- 87284 Microsoft Internet Information Services 6.0 Buffer Overflow Vulnerability – Shadow Brokers (EXPLODINGCAN) Zero Day
- 91345 Microsoft SMB Server Remote Code Execution Vulnerability (MS17-010) and Shadow Brokers
- 91357 Microsoft Windows SMBv1 Remote Code Execution – Shadow Brokers (ETERNALCHAMPION) – Zero Day
- 91359 Microsoft Windows Remote Privilege Escalation – Shadow Brokers (ETERNALROMANCE) – Zero Day MS17-010
- 91360 Microsoft Windows SMBv1 and NBT Remote Code Execution – Shadow Brokers (ETERNALBLUE) – Zero Day
- 91361 Microsoft Windows SMBv3 Remote Code Execution – Shadow Brokers (ETERNALSYNERGY) – Zero Day
You can create a new static searchlist in your Qualys subscription called “Wannacry Detections” for these and report against that.
Additionally Qualys has created a further detection that detects the presence of the ransomware itself. This is:
- 1029 WannaCrypt Ransomware Detected
You can create a new static searchlist in your Qualys subscription called “Wannacry Compromised” for this and report against it.
All these detections require authenticated scanning.
To monitor the situation across your enterprise you can create a new AssetView dashboard in Qualys for ransomware. The image shows two widgets, one for compromised machines and one for vulnerable ones. These widgets auto-update as scans complete and don't require reports to be run, and they cover the whole estate that is subject to Qualys scans. The image below shows how to add the vulnerable detections to the widget configuration:
I'd recommend that you create a new Option Profile called "Wannacry Scan" which uses custom vulnerability checks limited to these two searchlists, so it should run faster than regular scans. It should use minimum port checking settings and Windows authentication only. Running this scan will update Qualys with the latest information.
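If you want the same vulnerable/compromised split outside the dashboard (for example to feed a ticketing system), the QIDs above can be applied to the XML returned by the Qualys Host List Detection API. The following is an added example, not code from the original post or from Qualys: the request parameters (`qids`, `status`) are assumed to match the `/api/2.0/fo/asset/host/vm/detection/` endpoint, and the XML is a constructed sample that mirrors that endpoint's `HOST` / `DETECTION_LIST` layout. A host is "compromised" if QID 1029 is open and "vulnerable" if any of the seven MS17-010 / Shadow Brokers QIDs is open; detections with status `Fixed` are ignored.

```python
"""Split Qualys Host List Detection output into WannaCry-vulnerable and
WannaCry-compromised hosts, using the QIDs listed in the post."""
import xml.etree.ElementTree as ET

# QIDs from the post: seven vulnerability checks and one compromise indicator.
VULNERABLE_QIDS = {53007, 87284, 91345, 91357, 91359, 91360, 91361}
COMPROMISED_QIDS = {1029}

# Detection statuses that count as still open; "Fixed" means the last
# authenticated scan no longer sees the finding.
OPEN_STATUSES = {"New", "Active", "Re-Opened"}


def detection_request_params():
    """Query parameters for /api/2.0/fo/asset/host/vm/detection/ (assumed API
    shape) restricting the pull to the eight QIDs above and to open findings."""
    qids = sorted(VULNERABLE_QIDS | COMPROMISED_QIDS)
    return {
        "action": "list",
        "qids": ",".join(str(q) for q in qids),
        "status": ",".join(sorted(OPEN_STATUSES)),
        "show_results": "0",  # we only need QID/STATUS, not scan evidence
    }


def classify_hosts(xml_text):
    """Return {'compromised': [ip, ...], 'vulnerable': [ip, ...]} from the
    HOST_LIST_VM_DETECTION_OUTPUT XML, in document order."""
    root = ET.fromstring(xml_text.strip())
    result = {"compromised": [], "vulnerable": []}
    for host in root.iter("HOST"):
        ip = host.findtext("IP")
        open_qids = set()
        for det in host.iter("DETECTION"):
            if det.findtext("STATUS") in OPEN_STATUSES:
                open_qids.add(int(det.findtext("QID")))
        if open_qids & COMPROMISED_QIDS:
            result["compromised"].append(ip)
        if open_qids & VULNERABLE_QIDS:
            result["vulnerable"].append(ip)
    return result


# Constructed sample output: one vulnerable server, one infected workstation,
# one host already patched (status Fixed) and one host with no DNS name.
SAMPLE_XML = """
<HOST_LIST_VM_DETECTION_OUTPUT>
  <RESPONSE>
    <DATETIME>2017-05-15T10:00:00Z</DATETIME>
    <HOST_LIST>
      <HOST><ID>1001</ID><IP>10.0.0.5</IP><DNS>fileserver01</DNS>
        <DETECTION_LIST>
          <DETECTION><QID>91345</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
          <DETECTION><QID>91360</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
        </DETECTION_LIST>
      </HOST>
      <HOST><ID>1002</ID><IP>10.0.0.9</IP><DNS>ws-finance-12</DNS>
        <DETECTION_LIST>
          <DETECTION><QID>1029</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>New</STATUS></DETECTION>
          <DETECTION><QID>91345</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Active</STATUS></DETECTION>
        </DETECTION_LIST>
      </HOST>
      <HOST><ID>1003</ID><IP>10.0.0.20</IP><DNS>patched-srv</DNS>
        <DETECTION_LIST>
          <DETECTION><QID>91345</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Fixed</STATUS></DETECTION>
        </DETECTION_LIST>
      </HOST>
      <HOST><ID>1004</ID><IP>10.0.0.31</IP>
        <DETECTION_LIST>
          <DETECTION><QID>91357</QID><TYPE>Confirmed</TYPE><SEVERITY>5</SEVERITY><STATUS>Re-Opened</STATUS></DETECTION>
        </DETECTION_LIST>
      </HOST>
    </HOST_LIST>
  </RESPONSE>
</HOST_LIST_VM_DETECTION_OUTPUT>
"""

if __name__ == "__main__":
    print("request params:", detection_request_params())
    for bucket, ips in classify_hosts(SAMPLE_XML).items():
        print(f"{bucket}: {', '.join(ips) or '(none)'}")
```

Because the compromise QID and the vulnerability QIDs are kept in separate sets, a host can appear in both lists (10.0.0.9 above), which is the order you would want to work the two searchlists in: isolate the compromised machines first, then patch the remaining vulnerable ones. The Fixed host drops out of both buckets on its own once a fresh authenticated scan or Cloud Agent upload has reported the patch.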
Of course, if you're running Qualys Cloud Agent, the information will already be available to your subscription (and AssetView widgets) without the need for an extra scan.