Brief Analysis and Solution | Virus Infection Shuts Down TSMC Factories

Brief Analysis and Solution | Virus Infection Shuts Down TSMC Factories

agosto 13, 2018 | Adeline Zhang

Taiwan Semiconductor Manufacturing Company (TSMC) is the world’s largest dedicated semiconductor and processor manufactor, manufacturing processors and other chips for the world’s largest science and technology companies including Apple, AMD, NVDIA and Qualcomm.

  • In the evening of August 3, 2018, Beijing time, a technician’s improper operation during software installation caused the virus infection in the intranet, leading to production disruption in some TSMC factories.
  • On August 4, 2018, Beijing time, the NSFOCUS security team had their concern on this event.
  • At 14:00, August 5, 2018, Beijing time, 80% of the affected systems resumed operation.
  • In the evening of August 5, 2018, Beijing time, TSMC released a statement, briefly describing the impact of the infection and expecting full recovery on August 6. 

  • In the afternoon of August 6, 2018, Beijing time, the production line was fully recovered.

According to TSMC, it has been determined that the infected virus is a variant of WannaCryptor (aka WannaCry).

WannaCry Attack Theory

WannaCry attacks mainly by scanning the computer’s 445 port (related to the SMB service), conducting payload attacks using the leaked NSA tool (mainly exploiting the Microsoft SMB vulnerability MS17-010), and then injecting and executing ransomware.

TAMC Reported Impacts

  1. Confidential information was not compromised.
  2. Shipment will be delayed.
  3. The loss is estimated to $256 million.

Detection, Prevention and Remediation

Detection and Prevention

  • Since the attack exploits Microsoft’s official SMB vulnerability (MS17-010), enable Windows Firewall and disable port 445 to organize external connections, and check whether the corresponding patches released by Microsoft have been installed in the system. The patch numbers for different versions are as follows:
System Version Patch ID
Windows XP SP3 KB4012698
Windows XP x64 SP2 KB4012598
Windows 2003 SP2 KB4012598
Windows 2003 x64 SP2 KB4012598
Windows Vista Windows Sever 2008 KB4012598
Windows 7/Windows Server 2008 R2 KB4012212

KB4012215

Windows 8.1 KB4012213

KB4012216

Windows Server 2012 KB4012214

KB4012217

Windows Server 2012 R2 KB4012213

KB4012216

Windows 10 KB4012606
Windows 10 1511 KB4013198
Windows 10 1607 KB4013429

If the corresponding patch is not found in the system, download and install the corresponding patch for protection. Please refer to the MS17-010 patch download list in Appendix A at the end of this document.

Remediation

For infected hosts, isolate the hosts from the network, and determine whether to format the disk and reinstall the system, remove virus, or take other measures based on the importance of encrypted files.

  1. You can refer to the following steps for virus removal: kill tasksche.exe, mssecsvc.exe, and the processes related to the framed executable files.
  2. Remove related services
  • Remove service mssecsvc 2.0 in the following path: C:/WINDOWS/tasksche.exe or C:/WINDOWS/mssecsvc.bin -m security
  • Remove service hnjrymny 834 (this service may use the random name), search the response path, and remove the executive files under this path

  • Clear the registry key and delete the following key values HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnjrymny834 “C:\ProgramData\hnjrymny834\tasksche.exe” or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\hnjrymny834
  • Remove virus files, which were released to the  directories: C:\Users\All Users\hnjrymny834 and C:\Users\All Users\hnjrymny834
  • Delete executive files of the virus as well: C:\WINDOWS\tasksche.exe; C:\ProgramData\hnjrymny834\tasksche.exe and C:\Users\All Users\hnjrymny834\tasksche.exe

For a more specific solution, please refer to the Manual of Handling WannaCry Blackmail released by NSFOCUS at:http://blog.nsfocus.net/wannacry-blackmail-event-disposal-handbook/

Suggestions for Industrial Control System(ICS) Security Solution

  • From the perspective of management, enhance security management and cultivate personnel’s security awareness.
  • From the perspective of technology, introduce data security procedures, ensuring network and data trustability
  • From the perspective of network, set network boundaries, ensuring high IT trustability and OT availability.
  • Establish an emergency response system to detect and resolve problems timely and reduce the impact brought by security incidents.
  • Establish an own or partner with a third-party security operation team, to handle enterprise network and information security issues.
  • From the perspective of systematic solution, build up an all-in-one control security solution combining vertical encryption and horizontal isolation.
  • Back up critical data periodically to reduce the loss caused by data corruption.

Appendix A

The following table lists system versions, corresponding patches, and download URLs

System Version Patch ID Download URL
Windows XP SP3 x86 KB4012598 http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-chs_dca9b5adddad778cfd4b7349ff54b51677f36775.exe
Windows XP SP2 x64 KB4012598 http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe

http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-jpn_9d5318625b20faa41042f0046745dff8415ab22a.exe

Windows XP Embedded KB4012598 http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-embedded-custom-chs_41935edbcd6fa88a69718bc85ab5fd336445e7f9.exe
Windows Server 2003 x64 KB4012598 http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-chs_68a2895db36e911af59c2ee133baee8de11316b9.exe
Windows Server 2003 x86 KB4012598 http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-chs_b45d2d8c83583053d37b20edf5f041ecede54b80.exe
Windows Vista Service Pack 2 KB4012598 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Vista x64 Edition Service Pack 2 KB4012598 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows Server 2008(32-bit)(Service Pack 2 KB4012598 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Server 2008(64-bit)Service Pack 2 KB4012598 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows Server 2008 (for Itanium system)Service Pack 2 KB4012598 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-ia64_83a6f5a70588b27623b11c42f1c8124a25d489de.msu
Windows Server 7 (32-bit)Service Pack 1 KB4012212 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu
Windows Server 7 (64-bit)Service Pack 1 KB4012212 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu

 

Windows Server 2008(64-bit)Service Pack 1 KB4012212 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
Windows Server 2008 R2(64-bit)Service Pack 1 KB4012212 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-ia64_93a42b16dbea87fa04e2b527676a499f9fbba554.msu
Windows 8.1( for 32-bit system) KB4012213 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x86_e118939b397bc983971c88d9c9ecc8cbec471b05.msu
Windows 8.1(64-bit) KB4012213 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu

 

Windows Server 2012 KB4012214 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
Windows Server 2012 R2 KB4012213 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x86_e118939b397bc983971c88d9c9ecc8cbec471b05.msu

 

Windows 10( for 32-bit system) KB4012606 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x86_8c19e23de2ff92919d3fac069619e4a8e8d3492e.msu
Windows 10(64-bit) KB4012606 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu
Windows 10 version 1511( for 32-bit system) KB4013198 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x86_f997cfd9b59310d274329250f14502c3b97329d5.msu
Windows 10 version 1511(for 64-bit system) KB4013198 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x64_7b16621bdc40cb512b7a3a51dd0d30592ab02f08.msu
Windows 10 version 1607( for 32-bit system) KB4013429 http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x86_8b376e3d0bff862d803404902c4191587afbf065.msu
Windows 10 version 1607(for 64-bit system) KB4013429 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu
Windows Server 2016(64-bit) KB4013429 http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu