Big Ransomware Outbreak Today - Be Vigilant

Shintai

Supreme [H]ardness
Joined
Jul 1, 2016
Messages
5,678
The Windows updater is complete shit, quite obviously, due to this fact, there were a large number of machines in important usage scenarios that weren't patched at all.

As was not the case with Heartbleed and Dirty Cow.

That's your own statement. Seems to work just fine.

Those not patched tend to be a decision not to patch yet or software that is not supported from long ago. But why be bothered about any facts.
 

WorldExclusive

[H]F Junkie
Joined
Apr 26, 2009
Messages
11,419
This shit is crazy. I wonder how long this type of operation took to coordinate?

I hope they find these bastards, some how.

Check here first

d0UbVAj.png
 

BulletDust

Supreme [H]ardness
Joined
Feb 17, 2016
Messages
6,057
That's your own statement. Seems to work just fine.

Those not patched tend to be a decision not to patch yet or software that is not supported from long ago. But why be bothered about any facts.

The Windows updating system is universally known to be one of the most painful processes this side of iTunes. Quite obviously if this wasn't the case we wouldn't have had a worm of this magnitude, doing this much damage that was only stopped completely by accident.

Hell, the only effective way to stop driver updating in Windows 10 Home is to disable the updater altogether! Even Microsoft's own driver blocking 'tool' never works as intended and quite often Microsoft's attempt to copy Linux regarding driver updates breaks more than it fixes! How is this in any way 'a good updater with no issues?'
 

Shintai

Supreme [H]ardness
Joined
Jul 1, 2016
Messages
5,678
The Windows updating system is universally known to be one of the most painful processes this side of iTunes. Quite obviously if this wasn't the case we wouldn't have had a worm of this magnitude, doing this much damage that was only stopped completely by accident.

Hell, the only effective way to stop driver updating in Windows 10 Home is to disable the updater altogether! Even Microsoft's own driver blocking 'tool' never works as intended and quite often Microsoft's attempt to copy Linux regarding driver updates breaks more than it fixes! How is this in any way 'a good updater with no issues?'

So now you complain that the updater updates too much. Oh the irony.
 

BulletDust

Supreme [H]ardness
Joined
Feb 17, 2016
Messages
6,057
So now you complain that the updater updates too much. Oh the irony.

Where did I complain the updater updates too much? Now you're just making shit up to substantiate your futile argument. I stated, with very good reason, that the updater lacks much needed control. I stated that the idea that forcing the user to update actually increases the issues surrounding the Windows updating process as users disable it completely as that's the only control they've got and I stated that Microsoft's attempt to automatically update drivers is a laughably flawed process that results in more issues than it resolves.
 

Jim Kim

2[H]4U
Joined
May 24, 2012
Messages
3,892
That's your own statement. Seems to work just fine.

Those not patched tend to be a decision not to patch yet or software that is not supported from long ago. But why be bothered about any facts.
Play devils advocate all you want but your "seems" to work is not based on facts or reality.
Windows update was crippled on Windows 7 for months and required workarounds.
Besided if it was a flawless system sys admins would set their systems to autoupdate, no testing required.
 

jamesrb

[H]ard|Gawd
Joined
Jul 29, 2004
Messages
1,051
So, what is the domain for the kill switch? A lot of companies would need to add it to white-list proxies for it to do any good.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,346
That's your own statement. Seems to work just fine.

Those not patched tend to be a decision not to patch yet or software that is not supported from long ago. But why be bothered about any facts.

How about the fact that MS knew about this in November 2016? They ignored the security researcher. His name is Laurent Gaffie. So after 90 days he dropped the Proof of Concept. MS didn't patch this just because Vault7 was leaked. Vault 7 came after the SMB was actually known about by them and they fucking ignored it.

They could have patched it long before the Enternal Blue tool was released. They could have patched it in December.

Here's the guys proof of concept: https://github.com/lgandx/PoC/blob/master/SMBv3 Tree Connect/Win10.py

So yes I blame MS quite a bit for this. I also blame the NSA for not responsibly disclosing this to MS. We actually have no idea how long the NSA even knew about this. I also blame Microsoft's roll-up patches. They make it far harder for IT admins to patch mass amounts of systems as more testing is now required for patches.

I blame the IT admins at these places for not pushing these updates. I blame the IT admins at these places for not putting protections in place. I blame the security teams at these places for not screaming and yelling about how bad this bug is. There's plenty of blame to go around but one could argue that MS is more to blame than others simply because it ignored this bug when it was responsibly disclosed to them.

If you wanna go full on tinfoil you could say MS didn't patch it because they were working with the NSA! :eek:
 

Shintai

Supreme [H]ardness
Joined
Jul 1, 2016
Messages
5,678
How about the fact that MS knew about this in November 2016? They ignored the security researcher. His name is Laurent Gaffie. So after 90 days he dropped the Proof of Concept. MS didn't patch this just because Vault7 was leaked. Vault 7 came after the SMB was actually known about by them and they fucking ignored it.

They could have patched it long before the Enternal Blue tool was released. They could have patched it in December.

Here's the guys proof of concept: https://github.com/lgandx/PoC/blob/master/SMBv3 Tree Connect/Win10.py

So yes I blame MS quite a bit for this. I also blame the NSA for not responsibly disclosing this to MS. We actually have no idea how long the NSA even knew about this. I also blame Microsoft's roll-up patches. They make it far harder for IT admins to patch mass amounts of systems as more testing is now required for patches.

I blame the IT admins at these places for not pushing these updates. I blame the IT admins at these places for not putting protections in place. I blame the security teams at these places for not screaming and yelling about how bad this bug is. There's plenty of blame to go around but one could argue that MS is more to blame than others simply because it ignored this bug when it was responsibly disclosed to them.

If you wanna go full on tinfoil you could say MS didn't patch it because they were working with the NSA! :eek:

EternalBlue is a SMBv1 exploit with remote code execution.

The one you link may at best give a BSOD or just a DoS

You cant even get your stuff right.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,346
EternalBlue is a SMBv1 exploit with remote code execution.

The one you link may at best give a BSOD.

You cant even get your stuff right.

And it's all related. The SMB exploit I posted is why the February patch was cancelled. It was patched in March. MS claims yesterdays exploit was patched it March. So I have my stuff right. You don't.

Bottom line is MS knew there was an issue with their SMB implementation back then regardless of version and they ignored it. You can throw around versions all you want but in the end all that matters if that MS knew they had problems with SMB and ignored it.
 
Last edited:
  • Like
Reactions: naib
like this

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
And it's all related. The SMB exploit I posted is why the February patch was cancelled. It was patched in March. MS claims yesterdays exploit was patched it March. So I have my stuff right. You don't.

Bottom line is MS knew there was an issue with their SMB implementation back then regardless of version and they ignored it. You can throw around versions all you want but in the end all that matters if that MS knew they had problems with SMB and ignored it.
simply put, MS needs to be fined, fined a lot, fined by multiple gov'n to discourage this reckless disregard to security
 

Jim Kim

2[H]4U
Joined
May 24, 2012
Messages
3,892
simply put, MS needs to be fined, fined a lot, fined by multiple gov'n to discourage this reckless disregard to security
You do know that Microsoft released a patch for this exploit. What exactly is your reasoning for fining them and how do you equate releasing a patch as a reckless disregard to security.
 

elation

Gawd
Joined
Feb 4, 2003
Messages
792
White listing tools are going to become an essential staple right up there with AV and FW software. AppSense Application Manager (Ivanti Application Control), Bit9 Parity, CarbonBlack (think they bought out Bit9), and no doubt plenty of others. Parity hashes everything and if it's not white listed, it doesn't run. It's a severe PITA to manage but it can save your bacon. No solution is perfect especially when it's a security vulnerability but anything to mitigate damage is a plus. So many scummy people in the world... it's disheartening.
 
D

Deleted member 93354

Guest
Shits been patched for two months.

I'll also point out that it's funny people want to blame NSA for this when -

A.) The flaw was patched even before the leaks

B.) It wasn't the NSA that leaked their own tools - It was a likely Chinese/Russian nation state actor that leaked the NSA tools.

The only people to blame here are lazy and/or underfunded IT departments, and the Chinamen who made the leaks to begin with.

Umm no

Nsa created this flaw. Nsa failed to engage proper safeguards to keep this from being released in the wild.

I got news for you. If I build a pool (exploit) which is a fun target for the neighborhood kids (internal traitors or state actors) and they get in that pool and harm occurs I can still be sued for negligence for not having proper safeguards in place.

Nsa tried to plug the bursting dam with a finger and duck tape when they realized they got f'd up the ass. They let all relevant vendors (ie Microsoft ) know of the defects. They can't claim their hands are clean at that point because they know that a number of machines would go unpatched. That's like claiming they tried putting all the controls down on a nuclear reactor that was already in an out if control chain reaction. They are still at fault.

And instead of admitting personal fault they will go , "but we are protecting the country". You know when someone works for government and a political hack? When the personally avoid responsibility and blame the other fucking guy. Then they go on with business as usual. And that my friends is why our government is broken.
 
Last edited by a moderator:

AthlonXP

Fully [H]
Joined
Oct 14, 2001
Messages
20,483
White listing tools are going to become an essential staple right up there with AV and FW software. AppSense Application Manager (Ivanti Application Control), Bit9 Parity, CarbonBlack (think they bought out Bit9), and no doubt plenty of others. Parity hashes everything and if it's not white listed, it doesn't run. It's a severe PITA to manage but it can save your bacon. No solution is perfect especially when it's a security vulnerability but anything to mitigate damage is a plus. So many scummy people in the world... it's disheartening.

Yeah I have been pushing my company to adopt AppSense. Right now we are leveraging applications with LANDesk (Ivanti).
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
You do know that Microsoft released a patch for this exploit. What exactly is your reasoning for fining them and how do you equate releasing a patch as a reckless disregard to security.
They released the patch in March, the flaw was public in nov 2016. Total disregard for security. That should have been patch that day.
 

Derangel

Fully [H]
Joined
Jan 31, 2008
Messages
19,923
They released the patch in March, the flaw was public in nov 2016. Total disregard for security. That should have been patch that day.

Unfortunately, with massive corps nothing can get done that day. There are too many channels to go through and too much red tape to try and cut that nothing happens fast. Everything I've heard about how horribly mismanaged MS is makes me more surprised that the exploit got patched at all before all this shit happened.
 
D

Deleted member 93354

Guest
The Windows updating system is universally known to be one of the most painful processes this side of iTunes.

Last I checked updates occur automatically once a month by default on win 7. Doing it manually is two clicks...check for updates and download and install

If you can't do that you shouldn't be on a computer.
 

maxius

2[H]4U
Joined
Dec 17, 2001
Messages
3,376
Huge organizations with customized windows installs have to test and validate these patches. though honestly that practice should be cut and all patches should get a 0-day push period
 

Hagrid

[H]F Junkie
Joined
Nov 23, 2006
Messages
9,147
Last I checked updates occur automatically once a month by default on win 7. Doing it manually is two clicks...check for updates and download and install

If you can't do that you shouldn't be on a computer.
If you think that every computer system in the world works just like that with no problems, then you must of just been born.....

I do think that updates should be done automatically with the option for it to do nothing. The people who can pretty much just turn on a computer won't have to worry as much about security. It is sad that people still just open emails
without a thought to where it came from. Maybe business's need to have meetings every now and then about computer security?(with all employees)
 
D

Deleted member 93354

Guest
They released the patch in March, the flaw was public in nov 2016. Total disregard for security. That should have been patch that day.

As someone who deals with massive code trunks and branches I can tell you code merges regression and integration test take time. Our best time for even the smallest patches takes a week.

There's unit test, dev test, qa regression and integration , product owner test to make sure the item functions as marketing requires. And that is just one product that stands largely independent. I think Microsoft's test standards are exponentially more complex given how many products can be affected.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Last I checked updates occur automatically once a month by default on win 7. Doing it manually is two clicks...check for updates and download and install

If you can't do that you shouldn't be on a computer.

Sure it is easy if you trust Microsoft to never install spyware or auto install Win 10 or to have fully tested all the updates before pushing them out. Since they have failed all of those in the past, a lot of folks have turned auto update off, especially since Microsoft has switched to the rolling cumulative all or nothing 'trust us' update system.
 

T_A

Limp Gawd
Joined
Aug 4, 2005
Messages
492
I`m nearly finished updating all my server (i usually do it twice a year on local holidays but ... ) most had February update.

also
i just read MS released a patch for Windows XP , so you know shit is getting real
 

Nathan_P

[H]ard DCOTM x3
Joined
Mar 2, 2010
Messages
3,463
Obviously it's still serious even if it were just one hospital affected, but given the scale of the NHS it seems like it's a relatively small number of machines infected. That said it's still impacting the whole service because clean systems have been locked down until they can be sure they are no longer vulnerable.

Source: I live next to a major hospital, talking to people there it's 'business mostly as usual, just a bit slower'.

According to the news its 4.7% of machines in the NHS have been affected, some connected to legacy systems, one example being MRI scanners that only work with windows XP. Bizarrely the UK govt cancelled its £5.5m extended support contract for xp at the end of 2015, yes they probably shouldn't be running XP but if they are £5.5m is pocket change lost behind the sofa for the govt budget
 

Xrave

Supreme [H]ardness
Joined
Jun 29, 2004
Messages
7,587
I'm not super familiar with SMB access and firewalls. What port numbers need blocking?
 

naib

[H]ard|Gawd
Joined
Jul 26, 2013
Messages
1,289
According to the news its 4.7% of machines in the NHS have been affected, some connected to legacy systems, one example being MRI scanners that only work with windows XP. Bizarrely the UK govt cancelled its £5.5m extended support contract for xp at the end of 2015, yes they probably shouldn't be running XP but if they are £5.5m is pocket change lost behind the sofa for the govt budget
The gov'n cancelled it and put the onus on each trust as each trust started having piecemeal upgrade process. Some upgrade, some are upgrading, some chose not to. Birmingham QE upgraded to win7 something like 6mo ago

The NHS is run as a private venture
 
D

Deleted member 93354

Guest
Bou
new version in the wild. no killswitch


Bound to happen. But this hacker is stupid unless he's part of a crime organization, he's going having a hard time spending all that money without drawing attention.
 

geok1ng

2[H]4U
Joined
Oct 28, 2007
Messages
2,130
Nsa created this flaw.

NOPE. it was built-in windows since at least Vista. it has ALL the landmarks of a purposefully built backdoor:

1- comes out as a new tech solution for an older, safer protocol
2- behaves like a legit traffic inside a network
3- stays in place after many new versions of the tech solution are put inside newer OS
4- is shamelessly used by the government to spy on its honest citizens

what are the odds of a random software bug to survive that long, not only escaping abuse by more conventional cybercriminals but also being kept in place in 32 and 64 bits Os over more than a decade?
 

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
34,055
I'm not super familiar with SMB access and firewalls. What port numbers need blocking?

In most cases, your router/ISP blocks these by default.

In fact, most routers block all ports by default, so it requires some configuring to be exposed to the wan.

The ports for SMB/CIFS are 139 and 445 though.
 
  • Like
Reactions: Xrave
like this

Ranulfo

2[H]4U
Joined
Feb 9, 2006
Messages
2,830
Last I checked updates occur automatically once a month by default on win 7. Doing it manually is two clicks...check for updates and download and install

If you can't do that you shouldn't be on a computer.

Indeed, this is why yesterday an older win7 laptop that hadn't been updated in a while took 7 hours to locate the needed files, download and install updates via win update. I think it was about 6 hours just for the updater to list what it needed to update. If I had cared more I would have used wsus offline updater to hopefully speed up the process or gone and found again the special patch one needs to fix the problem (if it hasnt been broken again). It is well known that win 7 and 8 update have been bugged for a couple of years now. Last year I had one system literally using 20-40% of cpu power for several hours trying to find updates. 50w of excess power wasted because of MS's incompetence (or desire to force people to upgarde to 10).
 

BulletDust

Supreme [H]ardness
Joined
Feb 17, 2016
Messages
6,057
Indeed, this is why yesterday an older win7 laptop that hadn't been updated in a while took 7 hours to locate the needed files, download and install updates via win update. I think it was about 6 hours just for the updater to list what it needed to update. If I had cared more I would have used wsus offline updater to hopefully speed up the process or gone and found again the special patch one needs to fix the problem (if it hasnt been broken again). It is well known that win 7 and 8 update have been bugged for a couple of years now. Last year I had one system literally using 20-40% of cpu power for several hours trying to find updates. 50w of excess power wasted because of MS's incompetence (or desire to force people to upgarde to 10).

It can't be a desire to force people to Windows 10, Windows 10's updater is even worse!
 
Top