You may have heard of the WannaCrypt (known to many as WannaCry) ransomware that has been hitting everyone recently. In fact, you may have heard about it directly from Microsoft, when they passed the buck onto the NSA for being the cause of the whole problem. Regardless of the politics around the origin and context of the attack, Microsoft still wants its customers to be safe. In that spirit, they have published a post on the Azure blog to help keep people safe.
No preamble here – Microsoft just put together a checklist of things for you to do in order to keep it clean. Here it is.
This recent WannaCrypt malware exploits a Server Message Block (SMB) vulnerability (CVE-2017-0145). Customers should immediately install MS17-010 to resolve this vulnerability.

1. Review all Azure subscriptions that have SMB endpoints exposed to the internet, commonly associated with ports TCP 139, TCP 445, UDP 137 and UDP 138. Microsoft recommends against opening any ports to the internet that are not essential to your operations.
2. Disable SMBv1. Instructions are located here: https://aka.ms/disablesmb1
3. Use Windows Update to keep your machines up to date with the latest security updates. If you are running Azure Cloud Services (Platform as a Service Web Roles and Worker Roles) or Infrastructure as a Service (IaaS), automatic updates are enabled by default, so no further action is required. All Guest OS versions released after March 14th, 2017 contain the MS17-010 update. You can view the update status of your resources on an ongoing basis in Azure Security Center.
4. Use Azure Security Center to continuously monitor your environment for threats. Collect and monitor event logs and network traffic to look for potential attacks, check for new security alerts, and quickly investigate any threats detected.
5. Use Network Security Groups (NSGs) to restrict network access. To reduce exposure to attacks, configure NSGs with inbound rules that allow only the required ports. You can use network firewalls from a range of companies for additional security. Azure Security Center provides a view of the security of all your networks in Azure, helps you identify those with internet-accessible endpoints or insufficient NSG protection, and in some cases recommends a firewall solution.
6. Confirm that anti-malware is deployed and updated. If you are using Microsoft Antimalware for Azure or Windows Defender, Microsoft released an update last week that detects this threat as Ransom:Win32/WannaCrypt. If you are running anti-malware software from another security company, confirm with your provider that you are protected. You can also use Azure Security Center to verify that anti-malware and other critical security controls are configured for all of your Azure virtual machines.
7. Configure backups with multi-factor authentication. An important part of recovery from any compromise is having a strong backup solution in place. If you are already using Azure Backup, you can recover data if your servers are attacked by ransomware. Only users with valid Azure credentials can access the backups stored in Azure. Microsoft also recommends enabling Azure Multi-Factor Authentication to provide an additional layer of security for your backups in Azure.
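The two hands-on items in that checklist, finding NSG rules that expose the SMB and NetBIOS ports to the internet and turning SMBv1 off on a Windows host, as an added PowerShell example. This is not code from Microsoft's post; it assumes the Az PowerShell module is installed and Connect-AzAccount has already selected the subscription to audit, and the function and variable names ($SmbPorts, Get-ExposedSmbRules, Disable-Smb1OnLocalHost, Test-Ms17010Installed) are my own.

```powershell
# Added example, not code from Microsoft's post. Assumes the Az module is
# installed and Connect-AzAccount has selected the subscription to audit.
# All function and variable names below are my own.

$SmbPorts        = 137, 138, 139, 445          # NetBIOS and SMB ports from the checklist
$InternetSources = '*', 'Internet', '0.0.0.0/0' # source prefixes that mean "anyone"

function Test-PortRangeCoversSmb {
    # NSG destination port ranges look like "445", "100-500" or "*".
    param([string]$Range)
    if ($Range -eq '*') { return $true }
    if ($Range -match '^(\d+)-(\d+)$') {
        $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
        return [bool]($SmbPorts | Where-Object { $_ -ge $lo -and $_ -le $hi })
    }
    return $SmbPorts -contains [int]$Range
}

function Get-ExposedSmbRules {
    # Emits every inbound Allow rule, in every Resource Manager NSG of the current
    # subscription, whose source is the internet and whose ports include SMB.
    foreach ($nsg in Get-AzNetworkSecurityGroup) {
        foreach ($rule in $nsg.SecurityRules) {
            if ($rule.Direction -ne 'Inbound' -or $rule.Access -ne 'Allow') { continue }
            $sources = @($rule.SourceAddressPrefix)
            if (-not ($sources | Where-Object { $InternetSources -contains $_ })) { continue }
            $ports = @($rule.DestinationPortRange) | Where-Object { Test-PortRangeCoversSmb $_ }
            if ($ports) {
                [pscustomobject]@{
                    ResourceGroup = $nsg.ResourceGroupName
                    NSG           = $nsg.Name
                    Rule          = $rule.Name
                    Priority      = $rule.Priority
                    Source        = $sources -join ','
                    SmbPorts      = $ports -join ','
                }
            }
        }
    }
}

function Disable-Smb1OnLocalHost {
    # Must run elevated. Follows the steps published at https://aka.ms/disablesmb1.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later: switch the SMB1 server protocol off.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: registry switch, effective after a restart.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Windows 10 / Server 2016 also ship SMB1 as an optional feature; remove it too.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
        if ($feature -and $feature.State -eq 'Enabled') {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        }
    }
}

function Test-Ms17010Installed {
    # The KB number for MS17-010 differs per OS; pass the ones the bulletin lists
    # for this host. On Windows 10 the fix ships inside a cumulative update, so a
    # missing KB here does not prove the host is unpatched; check the OS build too.
    param([string[]]$KB)
    return [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

# Usage
Get-ExposedSmbRules | Format-Table -AutoSize
Disable-Smb1OnLocalHost
Test-Ms17010Installed -KB 'KB4012212', 'KB4012215'   # Windows 7 SP1 / Server 2008 R2 SP1
```

Two caveats when reading the NSG report. It only covers Resource Manager NSGs, so classic virtual machines with public input endpoints on port 445 must be reviewed separately. And a rule whose source is VirtualNetwork passes this check yet still lets SMB traffic flow between hosts in the VNet, which is the path WannaCrypt uses to spread once a single machine is infected, so restricting internet exposure is the first cut, not the whole job; patching and disabling SMBv1 on every host is what closes the lateral path.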
Microsoft reminds you that you can check their security bulletin for the official details on MS17-010, the update that fixes this vulnerability. Be sure to install MS17-010, and stay safe out there.