Big Ransomware Outbreak Today - Be Vigilant

So is it right to assume our friends we know who are still stuck on Windows 7 without the latest updates due to not wanting "Telemetry" will now be forced to do a full update?

I am right on that one, right? I have a slew of friends who are probably way back on Windows updates on their Win 7 Ent machines just for not wanting malware.

What do we tell those friends? Sarcasm aside, I would really like someone's opinion since I have a bunch of friends like that.
 
Does anyone know of a PowerShell script to scan all servers for Windows features, specifically SMB 1.0/CIFS File Sharing Support? I used to have one that I could specify Windows features for but cannot find it. I am pretty sure we do not have this enabled on any servers but I do not feel like going through 152 servers one by one.
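An added example of the kind of script asked for above (mine, not code from the post or the thread). It assumes PowerShell remoting (WinRM) is enabled on the servers, that you run it as a local admin on them, and that a hypothetical servers.txt lists one hostname per line (swap in Get-ADComputer if you prefer). It handles 2008 R2 as well as 2012 and later, because the checks differ between them.

```powershell
# Added example, not code from the thread. Inventories the SMB1 feature and protocol
# state on every server in .\servers.txt (hypothetical input file, one hostname per line).
# Assumes WinRM remoting is enabled and the caller is a local admin on each target.
$servers = Get-Content -Path .\servers.txt

$remoteErrors = @()
$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ErrorVariable remoteErrors -ScriptBlock {

    # 2008 R2 does not auto-load ServerManager; this is a no-op on 2012 and later.
    Import-Module ServerManager -ErrorAction SilentlyContinue

    # 1. Is the "SMB 1.0/CIFS File Sharing Support" feature (FS-SMB1) installed?
    #    FS-SMB1 only exists on Server 2012+; on 2008 R2 SMB1 is not a removable
    #    feature at all, so the lookup fails and this stays $null.
    $featureInstalled = $null
    $feature = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
    if ($feature) { $featureInstalled = [bool]$feature.Installed }

    # 2. Is the SMB1 protocol actually enabled on the server service?
    #    Get-SmbServerConfiguration is 2012+; on 2008 R2 fall back to the LanmanServer
    #    registry value Microsoft documents for disabling SMB1 (absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $protocolEnabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty -ErrorAction SilentlyContinue `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1
        $protocolEnabled = if ($null -eq $reg) { $true } else { [bool]$reg.SMB1 }
    }

    # New-Object rather than [pscustomobject] so this also runs on PowerShell 2.0 targets.
    New-Object PSObject -Property @{
        OS               = (Get-WmiObject -Class Win32_OperatingSystem).Caption
        FeatureInstalled = $featureInstalled
        SMB1Enabled      = $protocolEnabled
    }
}

# Hosts that answered, SMB1-enabled ones first. PSComputerName is added by Invoke-Command.
$results |
    Sort-Object -Property SMB1Enabled -Descending |
    Select-Object -Property PSComputerName, OS, FeatureInstalled, SMB1Enabled |
    Format-Table -AutoSize

# Hosts that did not answer (WinRM off, firewall, offline) are not "clean", just unchecked.
$unreachable = $remoteErrors | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
if ($unreachable) { Write-Warning ("Not queried: " + ($unreachable -join ', ')) }

$results | Export-Csv -Path .\smb1-inventory.csv -NoTypeInformation
```

Two things worth keeping in mind when reading the output: FeatureInstalled and SMB1Enabled are different questions (the feature can be installed with the protocol turned off in the server configuration, and on 2008 R2 only the protocol state is meaningful), and a server with SMB1 disabled is a compensating control, not a substitute for the MS17-010 update, since the vulnerable code is in the SMB server driver that the patch replaces.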
 
Damn, this shit is spreading like wildfire. I'm all for keeping the government in check with WikiLeaks but they have to be careful in what they leak. Some things that are highly disruptive could instead be leaked via articles instead of the actual programs.

Shit's been patched for two months.

I'll also point out that it's funny people want to blame NSA for this when -

A.) The flaw was patched even before the leaks

B.) It wasn't the NSA that leaked their own tools - it was likely a Chinese/Russian nation state actor that leaked the NSA tools.

The only people to blame here are lazy and/or underfunded IT departments, and the Chinamen who made the leaks to begin with.
 
Shit's been patched for two months.

I'll also point out that it's funny people want to blame NSA for this when -

A.) The flaw was patched even before the leaks

B.) It wasn't the NSA that leaked their own tools - it was likely a Chinese/Russian nation state actor that leaked the NSA tools.

The only people to blame here are lazy and/or underfunded IT departments, and the Chinamen who made the leaks to begin with.

I have a feeling that vulnerability and patch management will have quite a few job openings next week.
 
Quick question: if I have a Win10 EDU and have deferred updates, am I vulnerable?

thanks!
 
As long as you've got this, you're good:

March 2017 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1
https://support.microsoft.com/en-us...thly-quality-rollup-for-windows-7-and-2008_r2


March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2

https://support.microsoft.com/en-us...up-for-windows-8-1-and-windows-server-2012-r2

Or April's... or May's, which was just released.

Some complain about cumulative updates... And this made it easy for me to tell leadership we are covered on the workstations.
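An added example (mine, not code from the post above) for turning "we have the March rollup" into something you can show leadership per host. It checks each server for the MS17-010 packages by KB number and also reads the version of srv.sys, the SMB server driver those packages replace, so a host that took the April or May rollup instead (which supersedes March and may not list the March KB) is still counted as patched. It assumes WinRM remoting and a hypothetical servers.txt; the KB numbers and minimum file versions are from my recollection of the MS17-010 bulletin and Microsoft's verification guidance, not from this page, so confirm them before relying on the report.

```powershell
# Added example, not code from the thread. For each server it reports whether one of the
# MS17-010 packages is present and the version of srv.sys (the SMB server driver those
# packages update), so hosts that took a later, superseding rollup are still recognised.
# Assumes WinRM remoting and .\servers.txt (hypothetical, one hostname per line).
$servers = Get-Content -Path .\servers.txt

# March 2017 packages carrying the MS17-010 fix: security-only and monthly rollup.
# KB numbers are from memory of the bulletin (assumed); confirm against MS17-010.
# April/May rollups supersede these, which is why the srv.sys check below exists.
$ms17010Kbs = @('KB4012212', 'KB4012215',   # Windows 7 SP1 / Server 2008 R2 SP1
                'KB4012213', 'KB4012216')   # Windows 8.1 / Server 2012 R2

# Minimum patched srv.sys versions as Microsoft published them for MS17-010 (assumed
# here from memory; verify before relying on them). Key is the OS major.minor version.
$minSrvVersion = @{
    '6.1' = [version]'6.1.7601.23689'   # Windows 7 / 2008 R2
    '6.3' = [version]'6.3.9600.18604'   # Windows 8.1 / 2012 R2
}

$results = Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue `
    -ArgumentList (,$ms17010Kbs) -ScriptBlock {
    param([string[]]$Kbs)

    $found = Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $Kbs -contains $_.HotFixID } |
             ForEach-Object { $_.HotFixID }

    # Build the version from the numeric parts; the FileVersion string on drivers
    # carries a build tag in parentheses that [version] cannot parse.
    $srvVersion = $null
    $srv = Get-Item -Path "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    if ($srv) {
        $vi = $srv.VersionInfo
        $srvVersion = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                      $vi.FileBuildPart, $vi.FilePrivatePart)
    }

    New-Object PSObject -Property @{
        OSVersion  = (Get-WmiObject -Class Win32_OperatingSystem).Version
        KBsFound   = ($found -join ',')
        SrvVersion = $srvVersion
    }
}

$results | ForEach-Object {
    $family = ($_.OSVersion -split '\.')[0..1] -join '.'      # '6.1.7601' -> '6.1'
    $min    = $minSrvVersion[$family]
    $status = if ($_.KBsFound) { 'patched (MS17-010 KB present)' }
              elseif ($min -and $_.SrvVersion -and ([version]$_.SrvVersion) -ge $min) {
                  'patched (srv.sys at or above minimum)' }
              elseif ($min) { 'VULNERABLE: srv.sys below minimum' }
              else { 'unknown OS family: compare srv.sys manually' }
    New-Object PSObject -Property @{
        Computer = $_.PSComputerName; OS = $_.OSVersion
        Srv = $_.SrvVersion; KBs = $_.KBsFound; Status = $status
    }
} | Sort-Object -Property Status | Format-Table -AutoSize
```

The file-version check is the one that actually settles the question; Get-HotFix alone misses hosts on a newer cumulative rollup and, for the Win10 EDU case asked about earlier in the thread, each Windows 10 branch has its own minimum srv.sys version, so add those to the table (or compare manually) rather than trusting the absence of a KB.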
 
Exactly, the NSA had this knowledge and DID NOT share it with MS; instead they exploited it, and now it has leaked out, so yes, the NSA is responsible as they had knowledge of this.
 
Yeah. It's ransomware with worm functionality. That has not been done before. New class of malware. Proliferation occurred on its own... not via a phishing campaign or watering hole.

Maybe not ransomware... but there have been other things in the past that came in via phishing and were then able to proliferate across a network.

Run an improperly secured network, and when something like this is put out and it infects one machine, you are screwed seven ways till Sunday.

Using SMB to do this is pretty ingenious.
 
So is it right to assume our friends we know who are still stuck on Windows 7 without the latest updates due to not wanting "Telemetry" will now be forced to do a full update?

I am right on that one, right? I have a slew of friends who are probably way back on Windows updates on their Win 7 Ent machines just for not wanting malware.

What do we tell those friends? Sarcasm aside, I would really like someone's opinion since I have a bunch of friends like that.

Well there's always the option of manually installing just the security updates. They make them hard to find these days but I found this list of manual security updates for 7/8.
 
If Microsoft didn't have a shitty updater (period) perhaps people would update their PCs.

The updater has been just fine since Windows XP.

You can set an update schedule, set it to not reboot automatically, set it to only do updates when you tell it to, etc.
 
So ... the US Government is now an accessory to unauthorized access of a protected computer, unauthorized access with intent to defraud, damaging a computer or computer information, and threatening to damage a computer under the Computer Fraud and Abuse Act right? Who's gonna take the fall for this one? Not to mention any laws or civil penalties involving lack of responsible disclosure.

If Microsoft didn't have as shitty a reputation and a major trust problem, maybe folks would update their PCs.

That and probably a few deaths resulting from the NHS computers being infected. Of course it's downright criminal to have hospital computers running Windows in the first place.
 
The updater has been just fine since Windows XP.

You can set an update schedule, set it to not reboot automatically, set it to only do updates when you tell it to, etc.

Which you know fully well is not true for any consumer versions.
 
Exactly, the NSA had this knowledge and DID NOT share it with MS; instead they exploited it, and now it has leaked out, so yes, the NSA is responsible as they had knowledge of this.

Do you people bother reading at all before making comments like this?

It was patched by Microsoft before the leaks ever happened. This would indicate that at some point the NSA knew before the public that they lost control of the exploit, and let Microsoft know. It was then patched.

None of these systems would be screwed if they had a two month old patch applied.
 
The updater has been just fine since Windows XP.

You can set an update schedule, set it to not reboot automatically, set it to only do updates when you tell it to, etc.

You would think even the die-hard Windows people by this point would have used some modern device that updated itself properly.

There should be zero need to schedule updates >.< As a long time Linux user let me tell you one thing most Linux heads have in common: we LOVE updates. They always have cool presents and improvements... they don't force us to reboot (unless we change kernels), things update in place quietly in the background. (On a 5 year old machine today I did 1 GB of updates in under 10 min including the download.) When I see updates pop up I don't hit wait.... no Linux distro EVER has coded a drop down box with a "Remind me in X number of minutes", or anything so silly.

No doubt next spring's major update will be titled "Return of the Creators Update", or perhaps they will go with "Revenge of the Creators Update". MS will continue piling on more shitty features most people are going to complain about and hunt for registry hacks to remove... or turn off updates to avoid (and then get hit with some 2018 ransomware). What they need to do instead is follow Apple's lead... and DUMP their terrible file system and replace it with something modern, that will allow them to update running programs and not require reboots. Then roll out a new update system... one that would rarely require reboots, nor take insane amounts of time to patch relatively small amounts of data. If they really wanted to impress people they could fix their install system at the same time, and create a proper Windows Software Manager that people would enjoy using. If they really wanted to win some good faith they could even give users back some control over their updates; make security updates mandatory, fine... if the system was smooth and didn't interrupt users, things like this ransomware would never really happen.
 
Maybe not ransomware... but there have been other things in the past that came in via phishing and were then able to proliferate across a network.

Run an improperly secured network, and when something like this is put out and it infects one machine, you are screwed seven ways till Sunday.

Using SMB to do this is pretty ingenious.

Yes. Just wait till they start running multiplatform with mutating pointers to change signatures on hit... or maybe they incorporate a user mode rootkit that gets dropped with a backdoor and dropper for new enumeration packages with persistence. Maybe... just maybe... they get a working VM escape going and completely compromise security research teams. The mind wanders.
 
Ahh well, fully patched up, running a Standard account for day to day and running Cryptoprevent on max settings.

Have been this way for a couple of years now.

I should make a tidy sum sorting out the mess over the next week or so though.
 
I swear to god, if Stacey from Accounting tries to open another god damned Excel document attached to an email labeled 'UR INVOICES R RDY'.........:banghead:

I actually think she's working for us now.
 
I looove updates! I click that check for updates button just hoping for something new!

Sadly that's no joke.... :)

gcc-7.1 just appeared in my stream so bam :) update, and new Inkscape!!!
 
I actually think she's working for us now.

Of course the bigger issue is that Excel is one of the most misused Office applications on the planet. The sheer number of instances where people use Excel when they should have used something more suitable for the task is flat out laughable.
 
Just saw this:

https://www.theguardian.com/technol...tch-to-stop-spread-of-ransomware-cyber-attack

'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack

An “accidental hero” has halted the global spread of the WannaCry ransomware, reportedly by spending a few dollars on registering a domain name hidden in the malware.

The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

“I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying. The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second.

“They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

MalwareTech
@MalwareTechBlog

"I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental."

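An added example, not the article's or MalwareTech's code, that reproduces the kill-switch check the article describes so you can run it from your own hosts: resolve the domain, make a direct HTTP request to it, and treat any completed response as "the domain is live". The domain is a parameter (the real name is not quoted on this page; the value in the usage line is a placeholder) and the workstations.txt input file is hypothetical.

```powershell
# Added example, not code from the article or the thread. Mirrors the kill-switch logic:
# the worm only stopped spreading if an HTTP request to the hard-coded domain completed.
function Test-KillSwitch {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,   # real domain not given on this page
        [int]$TimeoutMs = 10000
    )

    # Step 1: does the name resolve at all from this host? (blocked DNS = no kill switch)
    $resolved = @()
    try {
        $resolved = [System.Net.Dns]::GetHostAddresses($Domain) |
                    ForEach-Object { $_.IPAddressToString }
    } catch { }

    # Step 2: a direct HTTP request. The worm did not read the system proxy settings,
    # so Proxy is set to $null here to get the same "direct or nothing" behaviour;
    # a host that can only reach the internet through a mandatory proxy shows $false,
    # which is exactly why the sinkhole did not protect such networks.
    $httpOk = $false
    if ($resolved.Count -gt 0) {
        try {
            $req = [System.Net.WebRequest]::Create("http://$Domain/")
            $req.Proxy   = $null
            $req.Timeout = $TimeoutMs
            $resp = $req.GetResponse()
            $httpOk = $true           # any completed response counts as "domain is live"
            $resp.Close()
        } catch { }
    }

    New-Object PSObject -Property @{
        ComputerName        = $env:COMPUTERNAME
        Domain              = $Domain
        ResolvesTo          = ($resolved -join ',')
        HttpReached         = $httpOk
        KillSwitchWouldFire = $httpOk
    }
}

# Run it on a sample of workstations over remoting. Any host reporting $false is one on
# which the worm would have carried on spreading regardless of the registered domain.
$workstations = Get-Content -Path .\workstations.txt          # hypothetical input file
Invoke-Command -ComputerName $workstations -ScriptBlock ${function:Test-KillSwitch} `
    -ArgumentList 'example-killswitch-domain.invalid' |      # placeholder, not the real name
    Format-Table ComputerName, ResolvesTo, HttpReached, KillSwitchWouldFire -AutoSize
```

The point of running this is not to rely on the kill switch (a new sample with the check removed needs nothing more than a hex edit) but to find the network segments where a sinkhole-style mitigation silently does nothing, which are the same segments to patch and to block inbound 445 on first.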
 
So as a result of the apparent need to run Office, how many lives have been put in danger or lost as a result of a Windows 'weakness' with a name like 'EternalBlue' and a terrible updating system?
 
Also, because of the damage to the Health System in the UK, have any patients died because of this? I was reading a lot of reports of doctors not being able to access their patients' files and having to turn away patients, all from other news websites of course, so I don't know what's true and what isn't.
Obviously it's still serious even if it were just one hospital affected, but given the scale of the NHS it seems like it's a relatively small number of machines infected. That said it's still impacting the whole service because clean systems have been locked down until they can be sure they are no longer vulnerable.

Source: I live next to a major hospital, talking to people there it's 'business mostly as usual, just a bit slower'.
 
So as a result of the apparent need to run Office, how many lives have been put in danger or lost as a result of a Windows 'weakness' with a name like 'EternalBlue' and a terrible updating system?

You can blame the NSA for keeping the exploit a secret for so long until they got owned themselves.

It's not like Linux, OSX etc. are free of exploits.
 
You can blame the NSA for keeping the exploit a secret for so long until they got owned themselves.

It's not like Linux, OSX etc. are free of exploits.

Linux isn't free of exploits on the scale of this one? Really? The code's open source, can you show me the exploits?

Furthermore, what came first? The NSA or the exploit? Chances are we'll never know.
 
Linux isn't free of exploits on the scale of this one? Really? The code's open source, can you show me the exploits?

Furthermore, what came first? The NSA or the exploit? Chances are we'll never know.

You can look up exploits for Linux and other OSes. Being open source is not any kind of safety.

And you can't be serious about asking what came first. NSA used it as a tool called Blue Eternal.
 
You can look up exploits for Linux and other OSes. Being open source is not any kind of safety.

And you can't be serious about asking what came first. NSA used it as a tool called Blue Eternal.

You made the claim that Linux isn't free of exploits on this scale, I didn't make the claim. If you're prepared to make such a claim and you believe open source isn't more secure, then I ask you to show me where in the code these exploits are.

We know the tool used by the NSA was called EternalBlue; what we don't know is whether the apparent 'weakness' in Windows was just something the NSA stumbled over or whether it's something the NSA had Microsoft insert into the Windows source code.
 
You made the claim that Linux isn't free of exploits on this scale, I didn't make the claim. If you're prepared to make such a claim and you believe open source isn't more secure, then I ask you to show me where in the code these exploits are.

The code, just as on Windows, gets patched. But do I even have to mention something like OpenSSL, GHOST or the Dirty Cow exploit? Both been there for ages despite open source.
 
Am I crazy to state that EternalBlue was a backdoor built into all MS OSs over the last decade that would be left unpatched forever if it was not leaked?
 
Am I crazy to state that EternalBlue was a backdoor built into all MS OSs over the last decade that would be left unpatched forever if it was not leaked?

MS wouldn't allow it. NSA simply found or bought the exploit and kept quiet.
 
The code, just as on Windows, gets patched. But do I even have to mention something like OpenSSL or the Dirty Cow exploit? Both been there for ages despite open source.

OpenSSL and Dirty Cow were patched before they really did any damage, they were nothing compared to the scale of this attack. You said there are vulnerabilities in Linux like there's vulnerabilities on the scale of this one that haven't been discovered yet, I'm asking you to show me where they are.
 
OpenSSL and Dirty Cow were patched before they really did any damage, they were nothing compared to the scale of this attack. You said there are vulnerabilities in Linux like there's vulnerabilities on the scale of this one that haven't been discovered yet, I'm asking you to show me where they are.

This attack was patched 2 months ago.

Funny how your open source claim went dead and now the goalposts change. Now I have to show you unpatched exploits while you don't accept this was patched 2 months ago? LOL!

DROWN attack worked for a good month or more with OpenSSL.
 
Am I crazy to state that EternalBlue was a backdoor built into all MS OSs over the last decade that would be left unpatched forever if it was not leaked?

Not at all, that's my belief. Hence the reason for me asking, what came first? The NSA or the weakness?
 
This attack was patched 2 months ago.

The Windows updater is complete shit, quite obviously, due to this fact, there were a large number of machines in important usage scenarios that weren't patched at all.

As was not the case with Heartbleed and Dirty Cow.
 