Microsoft released information what can be done to protect against WannaCry[1] which includes deploying MS17-010 if not already done (March patch release)[2], update Windows Defender (updated 12 May)[3] and if not using SMBv1 to disable it available here. Microsoft has provided a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Note: If you are running Windows 10, you are not targeted by this attack. A live map of the infection is available here. Update 1: There is additional information including hashed, C&C sites as well as the file type it will encrypt and samples located here. US-CERT released the following information of Indicators Associated With WannaCry Ransomware here. Update 2: There are reports that indicate that WannaCry VERSION 2 has been released and the kill switch that had been activated by a security researcher has been removed. If you haven't already applied MS17-010 and blocked inbound SMB traffic, you can still fall victim of this Ransomware. [1] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks
----------- |
Guy 523 Posts ISC Handler May 13th 2017 |
Thread locked Subscribe |
May 13th 2017 5 years ago |
The interesting part is: Microsoft published patches for Windows XP, Windows Server 2003 and Windows 8, versions gone out of support quite some time ago!
|
Anonymous |
Quote |
May 13th 2017 5 years ago |
It's the least they can do after leaving the back door open for the NSA toolkits. It's only when exploits get released to the public that MS considers them dangerous and patch-worthy.
|
Anonymous |
Quote |
May 13th 2017 5 years ago |
Can you provide the sources for Update 2, please? Do you have references describing the Version 2 of WannaCry?
Thank you in advance! |
Anonymous |
Quote |
May 14th 2017 5 years ago |
The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally.
Has anybody seen anything other than "self-inflicted victims doing stupid stuff"? The real advice should have been short and direct: STOP PUTTING SERVERS DIRECTLY ON THE INTERNET! https://www.shodan.io/host/213.4.198.40 inetnum: 213.4.198.0 - 213.4.198.255 netname: TelefonicaGlobalTechnology descr: TELEFONICA GLOBAL TECHNOLOGY S.A. descr: Internet Public Addresses 80 137 - NetBIOS 443 - Subject Alternative Name: DNS:sip.telefonica.com, DNS:ap.telefonica.com, DNS:extcsweb01.telefonica.com, DNS:extowaweb01.telefonica.com, DNS:lync.tap.telefonica.com, DNS:lync.telefonica.com, DNS:lyncdiscover.tap.telefonica.com, DNS:lyncdiscover.telefonica.com, DNS:sip.tap.telefonica.com, DNS:tap.telefonica.com, DNS:webcon.telefonica.com, DNS:extcsweb02.telefonica.com, DNS:telefonica.com 445 - SMB 1434 - Microsoft SQL ServerVersion: 12.0.2000.8 - ServerName;ESTGVCSP011;InstanceName;RTCLOCAL;IsClustered;No;Version;12.0.2000.8;tcp;49178;; 3389 - RDP CN=ESTGVCSP011.europe.telefonica.corp 4443 - CN=MADJCCSEDGE01.europe.telefonica.corp 5985 8081 - says "McAfee Product Logs" |
Anonymous |
Quote |
May 14th 2017 5 years ago |
Quoting Anonymous:The interesting part to me is that I have not seen anyone post a note about the initial infection vector. Right now I'm leaning towards a server directly on the Internet getting compromised via SMB and spreading the infection internally. This is one possibility: all (not so) "smart" users who connect their unpatched Windows systems (patches were available for ALL versions except Windows Server 2003) to the Internet should have read not just Microsoft's advice "Block the ports for SMB at the perimeter". The real initial infection vector are but emails with executable attachments. Thanks to Microsoft's enormous fault made about 25 years ago all files created on Windows NT[FS] are executable. To stop your unsuspecting users from executing arbitrary files, either add the NTFS ACE "(D;OIIO;WP;;;WD)" to the NTFS ACL of every "%USERPROFILE%". Use <https://msdn.microsoft.com/en-us/library/aa374928.aspx> to decode this to "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories". Better use SAFER alias Software Restriction Policies and deny execution in every path unprivileged users can write. See <https://skanthak.homepage.t-online.de/SAFER.html>, plus <https://skanthak.homepage.t-online.de/appcert.html> and <https://support.microsoft.com/en-us/kb/2532445> to patch the loopholes. |
Anonymous |
Quote |
May 14th 2017 5 years ago |
Does anyone know how reliable could be removing Wcry from a infected system?
According to Microsoft [1], Windows Defend or Windows Safety Scanner are able to detect and remove this threat from the system. We know that this isn't the best way, but for those dealing with thousands of infected machines, this could be a fastest way. [1] https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt Thanks. Renato Marinho |
Renato 1 Posts |
Quote |
May 14th 2017 5 years ago |
Here is the link thehackernews.com/2017/05/…
|
Guy 523 Posts ISC Handler |
Quote |
May 14th 2017 5 years ago |
While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well...
|
dogbert2 21 Posts |
Quote |
May 14th 2017 5 years ago |
There are reports of users clicking on Email links or attachments but I can find no article/cert that gives one such example of an email or the attachment. It leaves me to think this is only spreadable by worm action. I'm happy to be proven wrong!
|
Anonymous |
Quote |
May 15th 2017 5 years ago |
Quoting dogbert2:While I can understand perhaps not being up to date on MS17-010, it would seem appalling that ports 135, 137-139, 445, and other known ports should be filtered at the edge router and additionally at the firewall...Looks like ransomware types have already disabled the kill switch as well... OUCH! If you don't need (to access) network shares on your Windows machines, just shutdown and DISABLE the server (a.k.a. LanManServer) service! NET.exe STOP Server SC.exe Server Start= Disabled This is the vulnerable component the worm uses to propagate. On Windows Vista and later, it's sufficient to only disable SMBv1 for the server service ... and restart it or reboot the machine: REG.exe Add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /V "SMB1" /T REG_DWORD /D 0 /F JFTR: this doesn't help if your users get the malware per mail and execute it! SAFER/SRP and AppLocker help then. |
Anonymous |
Quote |
May 15th 2017 5 years ago |
Sign Up for Free or Log In to start participating in the conversation!