Antiy’s Operational Manual for a Systematic Response to NSA Cyber Weapons
1. Overview
Around 8 PM Beijing time on May 12, 2017, a large-scale WannaCry ransomware infection broke out globally, affecting computer networks (especially some intranets) across China to varying degrees. The ransomware spread rapidly by exploiting the MS17-010 vulnerability in the SMB (Server Message Block) service, which propagates through port 445. The exploit tool was originally a cyber weapon used by the Equation Group, a subsidiary of the NSA, and was exposed by the Shadow Brokers hacking group on April 14, 2017. The attackers or groups using this cyber weapon launched this large-scale global attack.
It is important to note that the WannaCry ransomware worm exploited only the Eternalblue vulnerability from the exposed cyber weapon set. The Shadow Brokers’ leak also contains a series of other vulnerabilities and exploit tools that require attention and prevention. Meanwhile, the Shadow Brokers issued another statement on May 16, 2017, stating that they would disclose more vulnerabilities in June. For these reasons, it is necessary to prepare for and protect against both known and future threats.
When facing various severe security risks, in addition to building defenses through effective security design and the use of security products, we must also implement fundamental security measures such as reasonable patching strategies, port and application management strategies, and perimeter security conditions. For some internal network users with a large number of network nodes or users with high requirements for the stability and security of their business systems, a comprehensive system-wide patching strategy may not be feasible. Furthermore, the method of obtaining patches in real time is somewhat affected or limited by network isolation. Therefore, a strategy of patching critical vulnerabilities individually may be necessary. However, due to the sheer size and complexity of the entire patching system and the correlation between patches and business systems, simply patching and closing ports cannot systematically address all complex situations. For example, consider the following scenarios:
First, due to the discontinuation of system updates, some security vulnerabilities may no longer be patched by the original manufacturer after they are discovered. Users must upgrade the relevant system or application to resolve the issue. For instance, Microsoft stopped patching and upgrading Windows XP and Windows Server 2003 systems years ago, affecting these systems. Users of these systems cannot obtain official patches to fix vulnerabilities. In this case, effective security design and security products are needed for protection.
Second, each application and its open ports have specific business value. Therefore, before implementing port blocking strategies, it is necessary to determine whether the application or port is required for normal system use and whether alternatives exist. For example, in a user’s business scenario, if port 80 is essential for the normal operation of the business system and cannot be closed, modified, or have its services stopped, effective system security design and security products are needed to form a comprehensive system-wide defense against attacks.
The third scenario involves a conflict between patches and the stability of the business system. In most cases, ensuring the normal operation of the business system may be necessary. In situations where patches cannot be updated, external security testing methods or replacing the existing operating system version may be required. This necessitates the introduction of specific security products for protection.
A reasonable patching strategy is not merely an emergency response to major incidents, but a standardized work process and procedure to be established in daily security applications and maintenance. Simply patching and closing ports is insufficient to fully address network attacks; a combination of security design, passive defense, active defense, and threat intelligence is essential, relying on security products with effective protective capabilities to form a layered defense.
Microsoft’s patch package mechanism requires the installation of basic patch packages before subsequent patches can be installed. Therefore, Antiy recommends that ordinary desktop systems and less critical service systems install the basic patch packages first and then the individual critical patches, using offline patch packages where online patching is not possible on the internal network. Because basic patch packages are large, in the event of a major security incident the large number of users downloading them may cause download failures. Network administrators are therefore advised to stockpile basic and important patch packages in advance.
The core security risks lie in the depths of the internal network, requiring a comprehensive and in-depth security defense. Antiy’s security protection system, comprised of several security products, under the unified coordination of Antiy’s situational awareness and monitoring platform, can form a truly effective, all-weather, all-round situational awareness, providing effective protection for information assets.

Figure 1 Detailed Diagram of the Relationship Between Recently Leaked NSA Cyber Weapons, Associated Vulnerabilities, and System Versions

Figure 1-1 Brief Diagram of Recently Leaked NSA Cyber Weapons, Associated Vulnerabilities and System Versions
2. Basic Disposal Procedure
Due to the large number of vulnerabilities involved, the complexity of the affected systems and application versions, and the fact that some affected systems are no longer receiving official patches, it is necessary to assess the basic situation of the systems and select the appropriate handling plan when dealing with related issues. The specific assessment process is as follows:

Figure 2 Process for Selecting a Disposal Plan
After selecting a solution, if the system can be patched, you can install updates or upgrade the system and applications according to the table below. Patches can be downloaded from the official website via the link, or you can use the provided offline patch packages.
| Vulnerability Attack Module Name | Chinese Name | Affected System or Application Name | Patch or Upgrade | Affected Ports | Patch download address or handling suggestions |
|---|---|---|---|---|---|
| Easybee | 易之蜂针 | WorldClient 9.5, 9.6, 10.0, 10.1 | Upgrade to the latest version 17.0.1 | 1000/3000 | http://www.altn.com/Downloads/MDaemon-Mail-Server-Free-Trial/ |
| Easypi | 易之远控 | IBM Lotus Notes (Windows NT, 2000, XP, 2003) | Upgrade to version 9.0.1 or higher and install the latest patches. | 3264 | http://www-03.ibm.com/software/products/en/ibmnotes ; https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Collaboration%20Solutions&product=ibm/Lotus/Lotus+Notes&release=9.0.1.8&platform=Windows&function=all |
| Eclipsedwing | 日食之翼 | Windows 2000, XP, 2003 | KB958644 | 139/445 | https://technet.microsoft.com/en-us/library/security/ms08-067.aspx |
| Educated Scholar | 文雅学者 | Windows Vista, 2008 | KB975517 | 445 | https://technet.microsoft.com/en-us/library/security/ms09-050.aspx |
| Emeraldthread | 翡翠纤维 | Windows XP, Vista, 7, Windows Server 2003, 2008 | KB2347290 | 139/445 | https://technet.microsoft.com/en-us/library/security/ms10-061.aspx |
| Emphasismine | 地域之雷 | IBM Lotus Domino 6.5.4, 6.5.5, 7.0, 8.0, 8.5 | Upgrade to version 9.0.1 or higher and install the latest patches. | 143 | http://www-03.ibm.com/software/products/en/ibmdomino ; https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Collaboration%20Solutions&product=ibm/Lotus/Lotus+Domino&release=9.0.1.8&platform=Windows&function=all |
| Englishmansdentist | 恐怖牙医 | Outlook Exchange | Upgrade to version 2010 or later. | 25 | https://products.office.com/zh-cn/exchange/email |
| Erraticgopher | 古怪地鼠 | Windows XP SP3, Windows 2003 | Upgrade to Vista or later | 445 | Microsoft has discontinued service; no patches are available. You can disable the SMB service, block port 445 in your firewall, and install endpoint protection products. |
| Eskimoroll | 爱斯基摩卷 | Windows 2000, 2003, 2003 R2, 2008, 2008 R2 | KB3011780 | 88 | https://technet.microsoft.com/en-us/library/security/ms14-068.aspx |
| Esteemaudit | 尊重审查 | Windows XP, Windows Server 2003 | Upgrade to Windows 7 or later | 3389 | Microsoft has discontinued service; no patches are available. You can disable the SMB service, block port 445 in your firewall, and install endpoint protection products. |
| Eternalromance | 永恒浪漫 | Windows XP, Vista, 7, Windows Server 2003, 2008, 2008 R2 | KB4013389 | 139/445 | https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx |
| Eternalsynergy | 永恒协作 | Windows 8, Windows Server 2012 | KB4013389 | 139/445 | https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx |
| Ewokfrenzy | 星际流氓 | IBM Lotus Domino 6.5.4, 7.0.2 | Upgrade to version 9.0.1 or higher and install the latest patches. | 143 | http://www-03.ibm.com/software/products/en/ibmnotes ; https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Collaboration%20Solutions&product=ibm/Lotus/Lotus+Domino&release=9.0.1.8&platform=Windows&function=all |
| Explodingcan | 爆炸之罐 | Windows Server 2003 WebDAV | Upgrade to Windows 7 or later | 80 | Microsoft has discontinued service and there are currently no patches available. Microsoft recommends upgrading to Windows 7 or later; install endpoint protection products. |
| Zippybeer | 夺命之酒 | Windows Domain | Upgrade System | 445 | Microsoft has discontinued service; no patches are available. You can disable the SMB service, block port 445 in your firewall, and install endpoint protection. |
| Eternalblue | 永恒之蓝 | Windows XP (32), Windows Server 2008 R2 (32/64), Windows 7 (32/64) | KB4013389 | 139/445 | https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx |
| Doublepulsar | 双脉冲星 | Windows Vista, 7, Windows Server 2003, 2008, 2008 R2 | KB4013389 | 139/445 | https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx |
| Eternalchampion | 永恒王者 | Windows XP, Vista, 7, 10, Windows Server 2003, 2008, 2008 R2, 2012, 2016 | KB4013389 | 139/445 | https://technet.microsoft.com/zh-cn/library/security/ms17-010.aspx |
Table 1 Information Regarding the Affected Systems, Ports, and Patch URLs Associated with Each Vulnerability
3. Install Official Patches or Upgrade System and Application Versions
Based on the information in the table above about the affected systems, software, and corresponding patches, you can patch or upgrade your system or application to the latest version using the patches provided by each system and software vendor to defend against the related vulnerability attacks. The following section uses Windows XP and Windows 7 as examples to introduce the patch installation and corresponding configuration procedures:
3.1 Windows 7 System Patch Installation Process
(1) Check the system information to determine the system bitness, version, and Service Pack (SP) version.

(2) Find the corresponding patch program based on the patch address or offline patch package provided in Table 1.

(3) Download the patch or copy the offline patch.

(4) Run the patch program on the system that needs patching and click “Yes” to install the patch.

(5) After installation, restart the system to complete the patch update.

(6) In the system, open Control Panel -> Programs and Features -> View installed updates. If the installed patch number appears as shown in the figure, the patch was installed successfully.
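Step (6) can be checked without the GUI. The following is an added example, not part of the Antiy manual: it reads the system bitness, version and Service Pack from step (1), then checks whether the KB number from Table 1 is present with Get-HotFix and whether the SMB port is still listening. KB4013389 is the bulletin number given in Table 1; a later cumulative update may supersede it, so a miss here means "check update history", not proof of exposure.

```powershell
# Added example (not from the Antiy manual). Run in Windows PowerShell 2.0 or
# later on Windows 7/8/10; no administrator rights are needed for the checks.
param(
    [string[]]$RequiredKB = @('KB4013389')   # value taken from Table 1
)

# Step (1): system bitness, version and Service Pack.
$os = Get-WmiObject Win32_OperatingSystem
Write-Host ("OS: {0}  Build: {1}  SP: {2}  Arch: {3}" -f `
    $os.Caption, $os.BuildNumber, $os.ServicePackMajorVersion, $os.OSArchitecture)

# Step (6): compare the installed update list against the required KB numbers.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })

foreach ($kb in $RequiredKB) {
    if ($missing -contains $kb) {
        Write-Warning "$kb not found in installed updates (check Windows Update history for a superseding update)"
    } else {
        Write-Host "OK   $kb is installed"
    }
}

# Extra check: is anything still accepting connections on TCP 445?
# netstat lines look like "  TCP    0.0.0.0:445   0.0.0.0:0   LISTENING   4".
$listening = netstat -ano | Select-String -Pattern ':445\s+\S+\s+LISTENING'
if ($listening) {
    Write-Host "TCP 445 is LISTENING; if the patch is missing, apply the firewall rule in 3.2 until it is installed"
} else {
    Write-Host "TCP 445 is not listening"
}

# Non-zero exit code lets a deployment tool flag hosts that still need the patch.
if ($missing.Count -gt 0) { exit 1 } else { exit 0 }
```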

3.2 Security Configuration Process for Win7, Win8, and Win10
(1) Turn off the network.

(2) Open Control Panel – System and Security – Windows Firewall, and click “Turn Windows Firewall on or off” on the left.

(3) Select the option to turn on the firewall and click OK.

(4) Click Advanced Settings.

(5) Click Inbound Rules, create a new rule, taking port 445 as an example.

(6) Select port, Next.
(7) Select a specific local port, enter the port to be protected such as 139 or 445, and click Next.

(8) Select Block Connection, Next.

(9) Profile: select all (Domain, Private, Public), Next.

(10) Name: enter any name, then click Finish.

(11) Restore network connection.

(12) Enable automatic system updates and check for and install updates.

Note: After the system update is complete, if your business needs the SMB service, simply delete the firewall inbound rules created above.
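The inbound block rules of steps (5) to (10) can also be created from the command line so that they can be rolled out to many Windows 7/8/10 hosts. This is an added example, not code from the Antiy manual; it uses netsh advfirewall (present on Windows 7 and later) rather than the newer NetSecurity cmdlets so that it works on all three systems, and the rule name prefix is an assumption (step (10) allows any name).

```powershell
# Added example (not from the Antiy manual). Run from an elevated PowerShell
# prompt after disconnecting from the network (step 1).
$ports      = @(139, 445)
$rulePrefix = 'Antiy-Block-Inbound-TCP-'   # assumed name; any name works (step 10)

# Step (3): make sure the firewall is on for every profile.
netsh advfirewall set allprofiles state on | Out-Null

# Steps (5)-(10): one inbound TCP block rule per port, applied to all profiles.
foreach ($p in $ports) {
    $name = "$rulePrefix$p"
    # Delete any earlier copy first so the script can be re-run safely.
    netsh advfirewall firewall delete rule name="$name" | Out-Null
    netsh advfirewall firewall add rule name="$name" dir=in action=block `
        protocol=TCP localport=$p profile=any enable=yes | Out-Null
}

# Verify that each rule exists, is enabled and blocks, before reconnecting (step 11).
$allOk = $true
foreach ($p in $ports) {
    $out = netsh advfirewall firewall show rule name="$rulePrefix$p"
    if (($out -match 'Enabled:\s+Yes') -and ($out -match 'Action:\s+Block')) {
        Write-Host "OK   inbound TCP $p is blocked"
    } else {
        Write-Warning "rule for port $p is missing or not enabled"
        $allOk = $false
    }
}
if (-not $allOk) { exit 1 }

# Once the update in step (12) is installed and SMB is needed again (see the Note),
# remove the rules with:
#   netsh advfirewall firewall delete rule name="Antiy-Block-Inbound-TCP-445"
#   netsh advfirewall firewall delete rule name="Antiy-Block-Inbound-TCP-139"
```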
3.3 Security Configuration Process for XP System
(1) Open Control Panel, Security Center, Windows Firewall, and select Enable.

(2) Close port 139: right-click Network Neighborhood – Properties – right-click Local Area Connection – Properties – Internet Protocol (TCP/IP) – Properties – Advanced – WINS – Disable NetBIOS over TCP/IP – OK.

(3) Close port 445 through the registry. Click “Start” – “Run”, enter “regedit”, and click the “OK” button to open the registry.

(4) Locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, select the “Parameters” item, right-click, and select “New” – “DWORD Value”.

(5) Rename the DWORD value to “SMBDeviceEnabled” and change its value to 0.

(6) Restart the machine and check that port 445 is closed.
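Steps (2) to (6) can be scripted for a fleet of XP hosts. The following is an added example, not code from the Antiy manual; it assumes Windows PowerShell 2.0 (installable on XP SP3) running as an administrator. It disables NetBIOS over TCP/IP through WMI instead of the adapter dialog, writes the same SMBDeviceEnabled value the manual sets in the registry, and provides the port check for step (6).

```powershell
# Added example (not from the Antiy manual). Assumes PowerShell 2.0 on XP SP3,
# run as an administrator. A restart is still required afterwards (step 6).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Step (2): disable NetBIOS over TCP/IP on every IP-enabled adapter (closes 139).
# SetTcpipNetbios argument: 0 = use DHCP setting, 1 = enable, 2 = disable.
# ReturnValue 0 = success, 1 = success but a reboot is required.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' | ForEach-Object {
    $rc = $_.SetTcpipNetbios(2).ReturnValue
    Write-Host ("{0}: SetTcpipNetbios(2) returned {1}" -f $_.Description, $rc)
    if ($rc -gt 1) { Write-Warning "NetBIOS disable failed on $($_.Description)" }
}

# Steps (3)-(5): SMBDeviceEnabled = 0 stops the direct-hosted SMB listener on 445.
if (-not (Test-Path $key)) { throw "NetBT parameters key not found: $key" }
Set-ItemProperty -Path $key -Name SMBDeviceEnabled -Value 0 -Type DWord
$val = (Get-ItemProperty -Path $key -Name SMBDeviceEnabled).SMBDeviceEnabled
if ($val -ne 0) { throw "SMBDeviceEnabled is $val, expected 0" }
Write-Host "SMBDeviceEnabled = 0 written; restart the machine (step 6)"

# Step (6), to run again after the restart: nothing should be LISTENING on 139 or 445.
$still = netstat -an | Select-String -Pattern ':(139|445)\s+\S+\s+LISTENING'
if ($still) {
    Write-Warning ("still listening (restart pending?):`n" + ($still -join "`n"))
} else {
    Write-Host "ports 139 and 445 are closed"
}
```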

4. Summary
For a considerable period, the cybersecurity focus of Chinese enterprises has been primarily on website security and perceptible business nodes exposed to the internet, with greater emphasis on highly visible risks such as website tampering and DDoS attacks. Insufficient attention and investment have been given to less perceptible APT attacks, such as data theft and deepfake attacks, and especially to the pre-positioning of cyber intrusions by state actors. Cyberattacks from state actors, particularly superpowers, are typically highly covert and difficult to detect. Therefore, once the weapon-grade “EternalBlue” exploit was used without restraint by the “WannaCry” worm, its widespread impact was predictable.
At the April 19th Cyberspace Affairs Symposium, General Secretary Xi Jinping pointed out that “cybersecurity has a strong degree of concealment; a technical vulnerability or security risk may remain hidden for years without being discovered. The result is that ‘who entered is unknown, whether they are friend or foe is unknown, and what they did is unknown’. It lies dormant for a long time, only to erupt when something happens”. He urged us to “hear the unseen and see the unseen”, and to “perceive the cybersecurity situation around the clock and in all directions”.
Therefore, from an overall perspective, the focus of cybersecurity defense should shift from the previously superficial security of websites and exposed business nodes on the internet to a comprehensive approach targeting all information system nodes, including internal network systems, business systems, and the depth of the network, centered around the protection of critical data assets. In summary, from Snowden’s earlier revelations about the NSA ANT catalog, through the materials released by the “Shadow Brokers” that corroborate Snowden’s revelations, to the newly released vulnerability exploitation tools and attack platforms, everything demonstrates the superpower’s effective penetration capability against entire internal network systems, especially physically isolated systems. These vulnerabilities demonstrate both the ability to gain a “bridgehead” and the capability for comprehensive lateral movement after penetrating physical defenses.
Faced with such a comprehensive capability, effective products and solutions are essential. For example, in endpoint security, the traditional “black and white” approach of antivirus software is insufficient to effectively combat remote port implantation, memory loading, and browser hijacking that injects evasive malicious code. While certificate authentication ensures supply chain security, it struggles to address the theft of software vendors’ digital certificates and deep code implantation. Therefore, it is necessary to employ corresponding endpoint protection measures such as dual black and white control, reputation analysis, and behavioral modeling, combined with robust security configuration strategies and driver-level primary defense capabilities, to improve endpoint defense. Antiy’s Intelligent Endpoint Protection System (IEP) is designed based on the above mechanisms. Leveraging the dual black and white detection capabilities and vector analysis of Antiy’s next-generation threat detection engine, it achieves comprehensive trust judgment on the content, behavior, publisher, and location of executable programs and memory objects, and performs reputation analysis based on factors such as rarity, network distribution, and scenario consistency. Antiy IEP supports more flexible group security policies. Building upon effective endpoint protection, it enables comprehensive perception, analysis, and information collection to effectively support the needs of user situational awareness systems. Antiy IEP fully considers that internal network users may not be able to update patches in a timely manner, providing a combination strategy of basic patches and key patches, and using hot patching and dynamic patch policy periods to reduce the impact of risks. Regarding ransomware, Antiy IEP takes into account that internal network users are unlikely to update their virus databases on time. Through a multi-layered defense mechanism of detection engine + proactive defense + behavioral profiling blocking, even if heavily disguised ransomware bypasses engine detection, its file encryption behavior will still be blocked, thus effectively reducing the harm it causes.
From a traffic monitoring perspective, the past approach primarily focused on border-side traffic detection, employing single-packet, lightweight, and real-time detection methods. However, Antiy’s security practice in developing and deploying the Persistent Threat Detection System demonstrates a shift towards more granular basic traffic analysis (from 5-tuples to 13-tuples), payload reconstruction and capture, and vector-level payload analysis around network egress points and key network segments. This generates a large dataset for analysis, effectively establishing forward-looking capabilities when acquiring threat intelligence and analysis results. Based on comprehensive traffic detection and collection, behavioral profiles of endpoints, links, and users can be created, effectively revealing security risks.
Industry and enterprise networks engage in extensive daily operations, maintenance, data exchange, and file sharing, and security threats lurk within these activities, inside executable and document files. The carrier files added to the network every day, including executable programs and corresponding document files, cannot be assessed solely by the user’s security capabilities or the network administrator’s security skills. Furthermore, it is impractical to simply send the document files back to security vendors for analysis support. Therefore, customers must possess their own analytical support capabilities. Antiy Persistent Threat Analysis System (PTA) is an analysis system that can be deployed in clusters on the customer side. It not only possesses the dynamic analysis capabilities of a typical sandbox but also integrates Antiy’s deep static format recognition and parsing capabilities, allowing analysis to rely on the mutual complementarity and verification of dynamic and static vectors. In addition to threat detection and parsing, Antiy PTA, combined with existing blacklist and whitelist support, can directly generate threat intelligence, enabling relevant security gateways, traffic monitoring, and endpoints to effectively block resources used by attackers such as C2 servers.
Antiy’s security products can effectively obtain Antiy’s targeted threat intelligence synchronization and delivery to clients, and users can also choose to integrate with Antiy’s powerful cloud analysis capabilities and expert system for effective support.
In deep defense and confrontation, traditional “map-based” situational awareness, while able to display some threat situations, has little value in improving the actual security level of network assets. Antiy’s situational awareness system revolves around the perspectives of assets and threats, enabling asset reputation evaluation and threat recognition, fully understanding the relationship between assets and threats, and evaluating the consequences and risks of threats to assets.
At the National Security Work Symposium on February 17, General Secretary Xi Jinping reiterated the call for us to “strengthen cybersecurity early warning and monitoring, ensure big data security, and achieve all-weather, all-round perception and effective protection”. Antiy’s foundational work and product solutions over the years have revolved around the effectiveness of protection, the comprehensiveness of perception, and its continuity. Defending against heavily armed cyber attackers cannot rely on continuous revelations like those of Snowden or the “Shadow Brokers”, nor can it be expected that attackers will leave discoverable termination conditions such as a domain-name kill switch. Assisting customers in perceiving, revealing, weakening, and blocking the most covert and sophisticated threats to achieve effective protection and realize value is the core essence of Antiy’s products and the mission of Antiy’s team.
