trojan81
asked on
wannacrypt movement
experts,
In regards to the wannacrypt lateral movement, how does it jump from subnet "x" that the victim is on to subnet "y" and subnet "z"?
I read that it enumerates smb connections from the victims local subnet but no mention about how it jumps to other subnets.
Assuming victims on subnet X, Y, Z do not have ANY mapped drives, can it be assumed that there is no way for this malware to propagate out of the subnet that the initial victim is on?
It's basically looking for open routes on the network. So if your network is configured with routes that span subnets, that would be its method. Otherwise, if the network is fully segmented, it would be pretty difficult, if at all possible for it to jump to another subnet.
If your SMB is patched (means ALL systems up to date) and the client has NO connections to the other subnet, any activity on the client machines will not propagate to the not-connected networks.
If the networks themselves are connected, the possibility is open
ASKER
FOTC, how is it looking for open routes? Where does it look within the victim machine for open routes?
John,
My question is about how the ransomware will spread to other subnets. I'm also not looking for advice on patching. Assume the victim machine is unpatched and has the ability to reach other subnets. How will the ransomware reach those other subnets if the victim machine has no Mapped network drives.
The worm functionality in WannaCrypt allows it to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on IP addresses to find and infect other vulnerable PCs. This activity results in large SMB traffic data coming from the infected host. So basically it's performing a traditional port & network scan to spread.
Once WannaCrypt successfully infects a vulnerable machine, it uses it to hop to infect other PCs. The cycle further continues, as the scanning routine discovers unpatched computers.
If the subnets are connected, it can spread that way. Otherwise it should not
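A defender-side way to surface the behaviour the answer above describes (one host pushing SMB traffic to machines in many /24s rather than only the shares it normally uses), as an added example that is not part of this thread. The flow records and addresses are constructed to match the question's 10.10.x.0/24 layout; the field layout is assumed, not taken from any particular sensor.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of connection records (src_ip, dst_ip, dst_port).
# 10.10.0.5 is the hypothetical patient-zero host from the question; it is
# reaching TCP/445 on hosts in several /24s it has no ordinary business with,
# plus a public address, which is the "scan everything" pattern of the worm.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.10.0.12", 445),
    ("10.10.0.5", "10.10.0.13", 445),
    ("10.10.0.5", "10.10.1.7", 445),
    ("10.10.0.5", "10.10.2.9", 445),
    ("10.10.0.5", "10.10.3.22", 445),
    ("10.10.0.5", "203.0.113.8", 445),   # constructed public target
    ("10.10.0.20", "10.10.0.1", 53),     # ordinary DNS lookup, ignored
    ("10.10.0.20", "10.10.0.30", 445),   # one legitimate file-share access
    ("10.10.1.4", "10.10.1.9", 445),
]

SMB_PORT = 445


def smb_subnet_fanout(flows):
    """Map each source IP to the set of distinct /24 networks it has sent
    SMB (TCP/445) traffic to. Non-SMB records are skipped."""
    fanout = defaultdict(set)
    for src, dst, port in flows:
        if port != SMB_PORT:
            continue
        # strict=False lets a host address stand in for its /24.
        fanout[src].add(ip_network(f"{dst}/24", strict=False))
    return fanout


def flag_scanners(flows, max_subnets=2):
    """Return, sorted, the sources whose SMB traffic touches more than
    max_subnets distinct /24s. The threshold is a tuning knob: a file
    server or backup host may legitimately exceed it and belongs on an
    allow-list, while a workstation normally stays at one or two."""
    fanout = smb_subnet_fanout(flows)
    return sorted(src for src, nets in fanout.items() if len(nets) > max_subnets)


if __name__ == "__main__":
    for src in flag_scanners(SAMPLE_FLOWS):
        nets = sorted(str(n) for n in smb_subnet_fanout(SAMPLE_FLOWS)[src])
        print(f"{src} sent SMB to {len(nets)} subnets: {', '.join(nets)}")
```

The point the thread keeps circling is visible in the output: the infected host never needs to "know" about 10.10.1.0/24 or 10.10.2.0/24, it simply sends SMB to addresses across ranges, and that fan-out is what a flow-based rule can catch.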
ASKER
I appreciate the responses but you're all still missing the point in my questions.
Even if the subnets are connected without a firewall in between, how does the malware still move to other subnets?
Example: the network has lots of subnets: 10.10.0.0/24, 10.10.1.0/24, 10.10.2.0/24, etc. Victim has IP 10.10.0.5. I can understand the malware trying to propagate through the 10.10.0.0/24 subnet. However, how will it know about 10.10.1.0/24 and 10.10.2.0/24?
It depends on the worm and how it works.
ASKER
Can anyone with knowledge of the wannacry variants explain how it could or could not traverse to other subnets outside of the subnet that the victim is on?