
Cybereason XDR: Intelligence-Driven Hunting and Investigation
Threat intelligence is transparently integrated into every aspect of the AI-driven Cybereason XDR Platform to enable Threat Hunting for behavioral TTPs...
Assaf Dahan
May 17, 2017 | 1 minute read
The WannaCry ransomware attack combined two leaked NSA tools, the EternalBlue SMB exploit (for the flaw patched in MS17-010) and the DoublePulsar backdoor, to infect more than 200,000 Windows computers in 150 countries in the span of a few days. The Cybereason Endpoint Detection and Response platform detected and stopped WannaCry with its built-in ransomware detection modules. In this post, we share how Cybereason spotted the behavior of the DoublePulsar implant in a few customer environments in Asia.
DoublePulsar, leaked by The Shadow Brokers, is a memory-resident kernel-mode backdoor that is implanted through the Windows SMB service and functions as a loader: it lets remote attackers load and execute code on an endpoint without the victim's knowledge. WannaCry's worm component currently propagates with a very small piece of code that generates two sets of random IP addresses, one in the private (RFC 1918) network space and one in the public network space. This lets the worm spread internally once it gains a foothold in a network and, at the same time, raise its infection rate by scanning the internet for other vulnerable hosts.
Below is a description of how Cybereason detected WannaCry's initial intrusion attempt in one of our customer environments, followed by the internal network scan that would have let it move laterally through the network. Here is how the situation played out:
Cybereason observed a suspicious incoming external connection on port 445 right before the WannaCry infection:
The "owner process" shown as System is the Windows System process (PID 4), which hosts the kernel-mode SMB server and therefore owns the listening socket on port 445.
Looking at the connections on that listener, the only external connection observed was the WannaCry intrusion. An inbound port 445 connection from a public address is itself a finding worth raising: it means the host's SMB service was reachable from the internet.
Connection used for lateral movement 17:12 – 17:14
Beginning of WannaCry payload execution at 17:14
Detection of the WannaCry ransomware by Cybereason:
Following the infection, the newly compromised machine initiated multiple internal connections to port 445 on other machines within the network, attempting further lateral movement.
The Cybereason platform made it easy to hunt for such exploits based on their behavior. Being able to query the system and get clear results, and to detect exploits by behavioral pattern rather than by signature, makes it very useful for detecting and responding to new threats such as the WannaCry campaign.
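The hunting logic described above, as an added example that is not part of the original post and not Cybereason's own query language: it runs over a constructed set of endpoint connection records and flags a host only when an inbound external connection on port 445 owned by the System process (PID 4) is followed, within a short window, by that same host opening port 445 connections to several distinct internal addresses. The log format, hostnames, addresses, timestamps and thresholds are all invented for illustration; the private/public split uses the RFC 1918 ranges, matching the two address pools the worm draws from.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

SMB_PORT = 445
SYSTEM_PID = 4  # Windows System process, which owns the SMB listener on 445
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. the 'private network space' the worm sweeps."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    host: str       # endpoint that recorded the connection
    direction: str  # "in" or "out", from that endpoint's point of view
    remote_ip: str
    port: int
    pid: int        # process that owns the socket on the endpoint


def parse_line(line: str) -> Conn:
    """Parse one line of the constructed format '<ISO time> <host> <in|out> <ip>:<port> pid=<n>'."""
    ts, host, direction, remote, pid = line.split()
    ip, port = remote.rsplit(":", 1)
    return Conn(datetime.fromisoformat(ts), host, direction, ip, int(port), int(pid.split("=")[1]))


def find_smb_pivots(lines, window=timedelta(minutes=5), min_targets=5):
    """One finding per host that took an inbound external SMB connection on the System
    process and then, within `window`, reached at least `min_targets` distinct internal
    hosts on 445. Hosts that only sweep, or are only hit, are not flagged."""
    conns = sorted((parse_line(l) for l in lines if l.strip()), key=lambda c: c.ts)
    findings = {}
    for hit in conns:
        if not (hit.direction == "in" and hit.port == SMB_PORT and hit.pid == SYSTEM_PID
                and not is_internal(hit.remote_ip)) or hit.host in findings:
            continue
        later = [c for c in conns if c.host == hit.host and c.direction == "out"
                 and c.port == SMB_PORT and hit.ts <= c.ts <= hit.ts + window]
        internal = sorted({c.remote_ip for c in later if is_internal(c.remote_ip)})
        external = sorted({c.remote_ip for c in later if not is_internal(c.remote_ip)})
        if len(internal) >= min_targets:
            findings[hit.host] = {"host": hit.host, "source": hit.remote_ip, "first_seen": hit.ts,
                                  "internal_targets": internal, "external_targets": external}
    return list(findings.values())


# Constructed sample (not real telemetry): ws-017 is hit from the internet on 445 at 17:12
# and starts sweeping 10.0.5.0/24 on 445 two minutes later; fs-01 sweeps 445 for
# legitimate reasons but was never hit; ws-042 was hit but never went on to scan.
SAMPLE_LOG = """
2017-05-12T17:12:03 ws-017 in 93.184.216.34:445 pid=4
2017-05-12T17:12:40 ws-017 in 93.184.216.34:445 pid=4
2017-05-12T17:13:10 ws-042 in 93.184.216.34:445 pid=4
2017-05-12T17:14:05 ws-017 out 10.0.5.21:445 pid=2212
2017-05-12T17:14:05 ws-017 out 10.0.5.22:445 pid=2212
2017-05-12T17:14:06 ws-017 out 10.0.5.23:445 pid=2212
2017-05-12T17:14:06 ws-017 out 10.0.5.24:445 pid=2212
2017-05-12T17:14:07 ws-017 out 10.0.5.25:445 pid=2212
2017-05-12T17:14:07 ws-017 out 198.51.100.9:445 pid=2212
2017-05-12T17:14:08 ws-017 out 10.0.5.26:445 pid=2212
2017-05-12T17:14:09 ws-042 out 10.0.5.30:445 pid=1840
2017-05-12T17:20:00 fs-01 out 10.0.5.21:445 pid=980
2017-05-12T17:20:00 fs-01 out 10.0.5.22:445 pid=980
2017-05-12T17:20:01 fs-01 out 10.0.5.23:445 pid=980
2017-05-12T17:20:01 fs-01 out 10.0.5.24:445 pid=980
2017-05-12T17:20:02 fs-01 out 10.0.5.25:445 pid=980
"""

if __name__ == "__main__":
    for f in find_smb_pivots(SAMPLE_LOG.splitlines()):
        print(f"{f['host']}: hit from {f['source']} at {f['first_seen']:%H:%M}, then "
              f"{len(f['internal_targets'])} internal SMB targets {f['internal_targets']}")
```

Requiring both halves of the sequence keeps the rule quiet on machines that legitimately talk SMB to many peers (backup or file servers, vulnerability scanners) and on hosts that were merely probed from outside; the threshold and window are tuning knobs, and the `external_targets` list surfaces the internet-facing half of the sweep the post describes.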
Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli military's Unit 8200, where he developed extensive experience in offensive security. Later in his career he led red teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.