WannaCrypt attacks: guidance for Azure customers

Inlägg på 17 maj, 2017

Principal Engineering Manager

The recent global ransomware attack, known as WannaCrypt, has brought forward the importance of running a well secured infrastructure. Whether or not you were impacted by the recent WannaCrypt malware, we recommend all Azure customers take the following 8 steps to further protect your organization from attacks like these.

  1. This recent WannaCrypt malware exploits a Service Message Block (SMB) vulnerability (CVE-2017-0145). Customers should immediately install MS17-010 to resolve this vulnerability.
  2. Review all Azure subscriptions that have SMB endpoints exposed to the internet, commonly associated with ports TCP 139, TCP 445, UDP 137, UDP 138. Microsoft recommends against opening any ports to the internet that are not essential to your operations.
  3. Disable SMBv1 - instructions located here: https://aka.ms/disablesmb1
  4. Utilize Windows Update to keep your machines up-to-date with the latest security updates. If you are running Azure Cloud Services (Platform as a Service Web Roles and Worker Roles or Infrastructure as a Service (IaaS)) automatic updates are enabled by default, so there is no further action required.  All Guest OS versions released after March 14th, 2017 contain the MS17-010 update. You can view the update status of your resources on an on-going basis in Azure Security Center.
  5. Use the Azure Security Center to continuously monitor your environment for threats. Collect and monitor event logs and network traffic to look for potential attacks using the Azure Security Center, and check for new security alerts and quickly investigate any threats detected.
  6. Use Network Security Groups (NSGs) to restrict network access. To reduce exposure to attacks, configure NSGs with in-bound rules that restrict access to only required ports. You can use network firewalls from a range of companies for additional security. Azure Security Center provides a view of the security for all your networks in Azure, and helps you identify those with internet accessible endpoints, insufficient NSG protections, and in some cases recommends a firewall solution.
  7. Confirm that anti-malware is deployed and updated. If you are using Microsoft anti-malware for Azure or Windows Defender, Microsoft released an update last week which detects this threat as Ransom:Win32/WannaCrypt. If you are running anti-malware software from any number of security companies, you should confirm with your provider that your are protected. You can also use Azure Security Center to verify that anti-malware, and other critical security controls, are configured for all of your Azure virtual machines.
  8. Configure backups with multifactor authentication. An important part of recovery from any compromise is having a strong backup solution in place. If you are already using Azure Backup, you can recover data if your servers are attacked by ransomware. Only users with valid Azure credentials can access the backups stored in Azure. We also recommend enabling Azure Multi-Factor Authentication to provide an additional layer of security to your backups in Azure.

For a comprehensive look at the Affected Software, Vulnerability Information and Security Update Deployment, see Microsoft Security Bulletin MS17-010.

For more information about this update, see Microsoft Knowledge Base Article 4013389.

Support

For understanding your cloud security state: Azure Security Center

Help for installing updates: Windows Update FAQ

Security solutions for IT professionals: TechNet Security Support and Troubleshooting

Help for protecting your Windows-based computer from viruses and malware: Microsoft Secure