Taiwan Semiconductor Manufacturing Company (TSMC) is the world's largest dedicated semiconductor and processor manufacturer, producing processors and other chips for the world's largest science and technology companies, including Apple, AMD, NVIDIA and Qualcomm.
- On the evening of August 3, 2018 (Beijing time), a technician's improper operation during a software installation introduced the virus into the intranet, causing production disruption at some TSMC factories.
- On August 4, 2018 (Beijing time), the NSFOCUS security team began tracking this event.
- At 14:00 on August 5, 2018 (Beijing time), 80% of the affected systems had resumed operation.
- On the evening of August 5, 2018 (Beijing time), TSMC released a statement briefly describing the impact of the infection and expecting full recovery on August 6.
- On the afternoon of August 6, 2018 (Beijing time), the production line was fully recovered.
According to TSMC, the virus has been identified as a variant of WannaCryptor (aka WannaCry).
How WannaCry Attacks
WannaCry spreads mainly by scanning for hosts with TCP port 445 open (the SMB service), delivering its payload with the leaked NSA exploit tooling (chiefly targeting the Microsoft SMB vulnerability MS17-010), and then injecting and executing the ransomware component.
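The propagation pattern just described (one host probing many peers on TCP 445) is visible in ordinary Windows Firewall logs. The PowerShell function below is an added example, not code from the NSFOCUS report: it parses lines in the pfirewall.log field order and flags any source address that touches more distinct destinations on port 445 than a threshold. The log lines are constructed for this example; the threshold of 3 is chosen only to make the sample trigger.

```powershell
# Added example (not from the NSFOCUS report): flag hosts that probe many
# distinct peers on TCP 445, the propagation pattern described above.
# Lines follow the Windows Firewall pfirewall.log field order:
#   date time action protocol src-ip dst-ip src-port dst-port ...
# The log lines below are constructed for this example.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-08-03 21:10:01 DROP TCP 10.1.2.15 10.1.2.20 49201 445 52 S 1 0 8192 - - - RECEIVE
2018-08-03 21:10:01 DROP TCP 10.1.2.15 10.1.2.21 49202 445 52 S 1 0 8192 - - - RECEIVE
2018-08-03 21:10:02 DROP TCP 10.1.2.15 10.1.2.22 49203 445 52 S 1 0 8192 - - - RECEIVE
2018-08-03 21:10:02 ALLOW TCP 10.1.2.30 10.1.2.5 50112 445 52 S 1 0 8192 - - - RECEIVE
2018-08-03 21:10:03 ALLOW TCP 10.1.2.30 10.1.2.5 50113 80 52 S 1 0 8192 - - - RECEIVE
'@

function Find-Smb445Scanners {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $Threshold = 20   # distinct destinations per source; tune for your network
    )
    $peers = @{}   # source IP -> set of destination IPs contacted on port 445
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        if ($f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        $src = $f[4]; $dst = $f[5]
        if (-not $peers.ContainsKey($src)) {
            $peers[$src] = New-Object 'System.Collections.Generic.HashSet[string]'
        }
        [void]$peers[$src].Add($dst)
    }
    foreach ($src in $peers.Keys) {
        if ($peers[$src].Count -ge $Threshold) {
            [pscustomobject]@{ Source = $src; DistinctTargets = $peers[$src].Count }
        }
    }
}

# With the sample data only 10.1.2.15 is reported (three distinct targets on 445).
Find-Smb445Scanners -Lines ($SampleLog -split "`r?`n") -Threshold 3 | Format-Table -AutoSize
```

Against a real host, feed it `Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"` (the default log location, which must first be enabled in the firewall profile settings) and raise the threshold to a value above normal SMB fan-out for that segment.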
TSMC Reported Impacts
- Confidential information was not compromised.
- Shipment will be delayed.
- The loss is estimated at $256 million.
Detection, Prevention and Remediation
Detection and Prevention
- Since the attack exploits a vulnerability in Microsoft's SMB implementation (MS17-010), enable Windows Firewall and block port 445 to prevent external connections, and check whether the corresponding patches released by Microsoft have been installed on the system. The patch numbers for the different versions are as follows:
| System Version | Patch ID |
| --- | --- |
| Windows XP SP3 | KB4012698 |
| Windows XP x64 SP2 | KB4012598 |
| Windows 2003 SP2 | KB4012598 |
| Windows 2003 x64 SP2 | KB4012598 |
| Windows Vista / Windows Server 2008 | KB4012598 |
| Windows 7 / Windows Server 2008 R2 | KB4012212, KB4012215 |
| Windows 8.1 | KB4012213, KB4012216 |
| Windows Server 2012 | KB4012214, KB4012217 |
| Windows Server 2012 R2 | KB4012213, KB4012216 |
| Windows 10 | KB4012606 |
| Windows 10 1511 | KB4013198 |
| Windows 10 1607 | KB4013429 |
If the corresponding patch is not found on the system, download and install it. The MS17-010 patch download list is given in Appendix A at the end of this document.
- Use the NSFOCUS Network Intrusion Prevention System (IPS) for traffic pattern analysis and alerting: http://update.nsfocus.com/update/listIps
- Use the NSFOCUS Remote Security Assessment System (RSAS) for vulnerability scanning to identify affected hosts: http://update.nsfocus.com/aurora/index.html
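The two host-side checks recommended above (is one of the listed patches installed, and is inbound 445 blocked) can be scripted. The PowerShell below is an added example, not NSFOCUS's or Microsoft's code. It maps the OS version reported by WMI to the patch IDs in the table above (the Windows 10 build numbers 10240, 10586 and 14393 for RTM, 1511 and 1607 are an assumption of this example, as is mapping version 6.2 to the Server 2012 patches, since the table lists no Windows 8 row), looks the IDs up with `Get-HotFix`, and, if none is present, turns the firewall on and adds an inbound block rule for TCP 445. It needs an elevated session on Windows 8 / Server 2012 or later, where the NetSecurity cmdlets exist.

```powershell
# Added example (not from the NSFOCUS report): check for the MS17-010 patch IDs
# in the table above, then enable Windows Firewall and block inbound TCP 445.
# Run elevated on Windows 8 / Server 2012 or later (NetSecurity cmdlets required).

function Get-Ms17010PatchIds {
    # Returns the patch IDs listed in the table for the given OS version.
    param([Parameter(Mandatory)] [version] $OsVersion)
    switch ("$($OsVersion.Major).$($OsVersion.Minor)") {
        '5.1'  { return @('KB4012698', 'KB4012598') }   # Windows XP SP3 (as listed above)
        '5.2'  { return @('KB4012598') }                # Windows XP x64 SP2 / Server 2003
        '6.0'  { return @('KB4012598') }                # Windows Vista / Server 2008
        '6.1'  { return @('KB4012212', 'KB4012215') }   # Windows 7 / Server 2008 R2
        '6.2'  { return @('KB4012214', 'KB4012217') }   # Server 2012 (assumed for all 6.2)
        '6.3'  { return @('KB4012213', 'KB4012216') }   # Windows 8.1 / Server 2012 R2
        '10.0' {
            # Windows 10 branches are told apart by build number (assumed mapping:
            # 10240 = RTM, 10586 = 1511, 14393 = 1607).
            switch ($OsVersion.Build) {
                10240   { return @('KB4012606') }
                10586   { return @('KB4013198') }
                14393   { return @('KB4013429') }
                default { return @() }
            }
        }
        default { return @() }
    }
}

function Test-Ms17010Patched {
    $os = Get-CimInstance Win32_OperatingSystem
    $expected = Get-Ms17010PatchIds -OsVersion ([version]$os.Version)
    if ($expected.Count -eq 0) {
        Write-Warning "No MS17-010 patch ID in the table for $($os.Caption) $($os.Version); verify with a vulnerability scan."
        return $false
    }
    $installed = Get-HotFix | Where-Object { $expected -contains $_.HotFixID }
    if ($installed) {
        Write-Host "MS17-010 patch present: $($installed.HotFixID -join ', ')"
        return $true
    }
    Write-Warning "None of $($expected -join ', ') found on $($os.Caption); install the matching patch from Appendix A."
    return $false
}

function Block-Smb445Inbound {
    # Enable the firewall on every profile and add (once) a rule blocking inbound TCP 445.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
    $name = 'Block inbound SMB 445 (MS17-010 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block | Out-Null
    }
}

if (-not (Test-Ms17010Patched)) { Block-Smb445Inbound }
```

Two caveats: on Windows 7 and later, the monthly rollups released after March 2017 supersede these individual KB numbers, so a missing ID on an otherwise current host should be confirmed with a vulnerability scan (for example the RSAS scan above) rather than treated as proof of exposure; and on a host that must serve file shares internally, scope the rule with `-RemoteAddress` so that only non-local ranges are blocked instead of all inbound SMB.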
Remediation
For infected hosts, isolate them from the network, then decide whether to format the disk and reinstall the system, remove the virus, or take other measures, depending on the importance of the encrypted files.
- You can refer to the following steps for virus removal: kill tasksche.exe, mssecsvc.exe, and the processes launched from the executable files listed below.
- Remove the related services:
  - Remove the service mssecsvc 2.0, whose binary path is C:/WINDOWS/tasksche.exe or C:/WINDOWS/mssecsvc.bin -m security
  - Remove the service hnjrymny834 (this service may use a random name), locate its corresponding path, and remove the executable files under that path
- Clear the registry: delete the following key values: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnjrymny834 "C:\ProgramData\hnjrymny834\tasksche.exe" or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hnjrymny834
- Remove the virus files, which were dropped into the directory C:\Users\All Users\hnjrymny834
- Delete the executable files of the virus as well: C:\WINDOWS\tasksche.exe, C:\ProgramData\hnjrymny834\tasksche.exe and C:\Users\All Users\hnjrymny834\tasksche.exe
For a more specific solution, please refer to the Manual of Handling WannaCry Blackmail released by NSFOCUS at: http://blog.nsfocus.net/wannacry-blackmail-event-disposal-handbook/
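The manual removal steps above can be scripted for a host that has already been isolated from the network. The PowerShell function below is an added example, not code from the NSFOCUS handbook. It assumes the service is registered as `mssecsvc2.0` (the name written "mssecsvc 2.0" above) and takes the random service and folder name as a parameter, because `hnjrymny834` is only the value quoted in this report and differs from host to host; the file paths are the ones listed in the steps above, with `C:\WINDOWS` and `C:\ProgramData` taken from the environment.

```powershell
# Added example (not from the NSFOCUS handbook): scripts the manual removal
# steps listed above. Run in an elevated session only after the host has been
# isolated from the network.

function Remove-WannaCryArtifacts {
    param(
        # The random service/folder name observed on this host. 'hnjrymny834' is the
        # value quoted in the report and serves here only as a placeholder.
        [Parameter(Mandatory)] [string] $RandomName
    )

    # 1. Kill the running components named in the report.
    Stop-Process -Name 'tasksche', 'mssecsvc' -Force -ErrorAction SilentlyContinue

    # 2. Remove the services. 'mssecsvc2.0' is assumed to be the registered service
    #    name (written "mssecsvc 2.0" above); the second one carries the random name.
    foreach ($svc in @('mssecsvc2.0', $RandomName)) {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            # sc.exe is used because Remove-Service only exists in PowerShell 6+.
            & sc.exe delete $svc | Out-Null
            Write-Host "removed service $svc"
        }
    }

    # 3. Clear the persistence entries under both Run keys named in the report.
    foreach ($hive in @('HKLM:', 'HKCU:')) {
        $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        Remove-ItemProperty -Path $key -Name $RandomName -ErrorAction SilentlyContinue
    }

    # 4. Delete the dropped files and directories listed in the report. The
    #    ProgramData folder is removed first; on Vista and later "C:\Users\All Users"
    #    is a junction to the same location, so the second path then no longer exists.
    $paths = @(
        "$env:SystemRoot\tasksche.exe",
        "$env:SystemRoot\mssecsvc.bin",          # service binary path quoted above
        "$env:ProgramData\$RandomName",
        "C:\Users\All Users\$RandomName"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            Remove-Item -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue
            Write-Host "removed $p"
        }
    }
}

# Usage: substitute the random name found in the Services list / Run key on this host.
Remove-WannaCryArtifacts -RandomName 'hnjrymny834'
```

Before running it, copy the dropped executables to an evidence location if the incident will be investigated further, since the script deletes the only on-host copies; afterwards, re-run the patch check from the Detection and Prevention section before reconnecting the host.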
Suggestions for an Industrial Control System (ICS) Security Solution
- From the management perspective, strengthen security management and cultivate personnel's security awareness.
- From the technology perspective, introduce data security procedures to ensure the trustworthiness of the network and its data.
- From the network perspective, define network boundaries to ensure high IT trustworthiness and OT availability.
- Establish an emergency response system to detect and resolve problems promptly and reduce the impact of security incidents.
- Establish an in-house security operations team, or partner with a third-party one, to handle enterprise network and information security issues.
- From the perspective of a systematic solution, build an all-in-one control security solution combining vertical encryption and horizontal isolation.
- Back up critical data periodically to reduce the loss caused by data corruption.
Appendix A
The following table lists system versions, the corresponding patches, and their download URLs.