Protect Your Network from an Internet Worm during COVID-19

(Last Updated On: April 20, 2020)

Do you want a repeat of Wanacry? Do you want an Internet Impacting Worm in the middle of the COVID-19 Crisis? All organizations can take two steps to minimize the risk of a potential Internet worm. First, they can deploy an access-lists on the edge of their network that block TCP/UDP port 445. This can be part of your organization’s Exploitable Port Filtering. Second, organizations can monitor their network with Shadowserver’s Daily Network Report. This public benefit service provides an outside-in view of risk on your network. The Daily Network Reports provide a tool to reduce risk through action and then monitor the impact of that risk reduction.

Both services are “no-cost.” Routers on the edge of the network can deploy Exploitable Port Filtering. Shadowserver’s Daily Network Report is a public benefit supported by organizations throughout the world.

New Potential Internet Worm

March 2020 featured an “out of cycle” vulnerability disclosure form Microsoft on a wormable SMB issue. Wanacry exploited older versions of Windows. This new SMB vulnerability impacts the latest version of Windows 10. Microsoft has pushed out an “out of cycle” update in March and included it in the April “Patch Tuesday” updates. This vulnerability received the highest Common Vulnerability Scoring System (CVSS) score of 10. It does not require user authentication and could be used to propagate an Internet worm.

CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution VulnerabilitySecurity Vulnerability

Microsoft Releases Patch for Wormable Bug That Threatens Corporate LANs by Tara Seals

Details about new SMB wormable bug leak in Microsoft Patch Tuesday snafuSMB vulnerability is not patched, but now everyone knows it’s there by Catalin Cimpanu for Zero Day

A wormable vulnerability is a threat to the Internet infrastructure. Wormable threats during a time of Internet stress must alarm organizations. An Internet wormable threat during March 2020 – at the start of the COVID-19 mitigations, should cause all Carriers, Mobile Operators, ISPs, and Cloud Operations concern.

Patching is an Imperative – But Remember The Donelan Principle

Microsoft did the right thing in pushing out the “out of band” CVE-2020-0796 update along with another push for the April 2020 patch Tuesday. This will reduce the risk, but not eliminate the risk. For years, the Donelan Principle governs the industry’s characteristics for patching. The “Donelan Principle” states that for any security vulnerability, 40% of the people will patch right away, 40% will patch within the first month, and 20% will most likely never patch.FOOTNOTE: Footnote That last 20% is the challenge on any network.

Expect 40% of the potential Windows 10 systems to patch now. The next 40% will patch in the coming months. 20% may never patch. That means in April/May 2020 there is an exposure of 40% – 60% of the potential risk to the Internet.

Organizations can take action to minimize their risk through the deployment of Exploitable Port Filtering and signing up to Shadowserver’s Daily Network Report.

Action 1 – Exploitable Port Filters for Port 445

The primary mitigation (besides patching) is to block Port 445 inbound and outbound on the enterprise:

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter. – Microsoft CVE-2020-0796

For years, major Communications Sevice Providers (CSPs) have deployed port filtering on the edge of their network. Many of these filtered ports are common ports that are regularly exploited. TCP port 443 is one of the most common. Major CSPs around the world have found that they can filter port 443 (TCP and UDP) coming from the Internet to their customer and from their customer to the Internet.

This filtering all Exploitable Ports technique saved CSPs in the United States during past Internet worms. In 2017, the WannaCry ransomware used the NSA-developed EternalBlue SMB exploit to self-propagate rapidly around the world. CSPs with this filter mitigated the impact of the exploit. CSPs who did not deploy Exploitable Port Filtering, allows the “infection” to spread to their customs.

Will Exploitable Port Filtering Impact My Network?

No, we have proved Exploitable Port Filtering to be a minimal risk BCP for all ranged of organizations. Most large CSPs in the United States have deployed Exploitable Port Filtering for over a decade. Yes, there will be some ACL engineering to make sure the network equipment can handle the filtering load. Most modern routers can handle the loads from Exploitable Port Filtering.

Action 2 – Sign up or Update your Shadowserver Daily Network Report

Every day, Shadowserver sends custom remediation reports to over four thousand vetted subscribers, including nearly 100 national governments and many Fortune 500 companies. These reports are detailed, targeted, relevant and a public benefit service (i.e. free & no-cost). The network reports are an “outside-in” view of your network. They allow organizations to become better informed about the state of your networks and their security exposures. All network can subscribe to this public benefit report.

The Daily Network Reports pull in data from a diverse range of sources. Today (April 2020) there are over 77 Network Reports with more being added. New reports are added through project and service funding by Shadowserver Alliance members, sinkhole operations, and other security work. Hence, new scans, reporting, Botnet Command & Control, and other data will be added to the daily reporting. The Daily Network Reports are also used as one of the Victim Notification communications tools. New malware takedowns use the Network Report to alert the victims that systems on their network have been infected by the malware. A full list and details of each report is listed here:

Using Daily Network Report to Monitor the Risk?

Every day Shadowserver will scan the list of IP addresses and ASNs provided during the sign-up process. These reports are sent via Email. Organizations run scripts on these emailed reports. The provides a means to monitor all open 445 TCP/UDP ports on their network that is visible from the Internet. If your organization has Exploitable Port Filtering on the Edge of the Network, then there should be zero systems seen by Shadowserver. If Shadowserver sees a system exposed with port 445, then that risk can be tracked down and plugged.

For ISPs and Carriers, the Shadowserver report would provide a useful tool for the port 445 risks with their customers. We recommend it that all ISPs and Carriers deploy Exploitable Port Filtering on the Edge of the Network. Shadowserver’s Daily Network Report provides a tool to understand the risk before and after the deployment of Exploitable Port Filtering.

Need Security Advice?

If you find your organization needs help and worry about the FUD from the industry, reach out and ask for help. You can reach me at Help organizations leverage the talent around them to get started with their security activities. Start with the Operator’s Security Toolkit. It is the no-nonsense security for all Operators. It provides details to help them build more security resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights. You can sign up to the mailing list for updates here: Stay Connected with Senki’s Updates.