
Cyberattacks using leaked NSA hacking tool reported in 12 countries

Thing is, it's only SMBv1 that's affected afaik, if you can't patch (which isn't always an option for enterprises, due to downtime), remotely shutting down SMBv1 should make them safe.

This is correct. At my company, we moved away from SMB1 a long time ago. This, compounded with the fact that the security patch has been out since March, gives a lot of places no real reason to be getting hit.
 
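An added example of the "remotely shut down SMBv1" mitigation discussed above (not code from the thread): it audits the SMBv1 server setting on a list of hosts over WinRM and, with -Disable, turns it off. The host names are placeholders; it assumes WinRM is enabled and you have admin rights on the targets.

```powershell
# Added example, not from the thread: audit (and optionally disable) the SMBv1
# server on remote Windows hosts. Host names are constructed placeholders.
param(
    [string[]]$Computers = @('ws01.corp.example', 'ws02.corp.example'),
    [switch]$Disable
)

$results = foreach ($c in $Computers) {
    Invoke-Command -ComputerName $c -ArgumentList $Disable.IsPresent -ScriptBlock {
        param([bool]$disable)
        $state = [ordered]@{ Computer = $env:COMPUTERNAME; Method = ''; SMB1Enabled = $null; Changed = $false }

        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            # Windows 8 / Server 2012 and later expose the setting via the SmbShare module
            $state.Method      = 'SmbServerConfiguration'
            $state.SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
            if ($disable -and $state.SMB1Enabled) {
                Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
                $state.Changed = $true
            }
        } else {
            # Windows 7 / Server 2008 R2: LanmanServer "SMB1" registry value (absent = enabled)
            $state.Method = 'Registry'
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
            $state.SMB1Enabled = ($null -eq $val) -or ($val -ne 0)
            if ($disable -and $state.SMB1Enabled) {
                Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
                $state.Changed = $true   # takes effect after the Server service restarts / reboot
            }
        }
        [pscustomobject]$state
    }
}

$results | Format-Table Computer, Method, SMB1Enabled, Changed -AutoSize
```

Applying MS17-010 remains the actual fix; this only removes the SMBv1 server exposure, and the registry path needs a Server service restart or reboot before it applies.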

iamblades

Member
Anyone running an enterprise IT infrastructure that isn't moving to containerized VMs for basically everything (certainly for everything connected to the network) at this point shouldn't have a job.

If you have legacy software you need to use an insecure version of Windows for, you spin up an instance just for that purpose. Something gets infected, it makes no difference (assuming you have proper controls in place to stop data exfiltration), because you get a fresh instance on reboot.

This is correct. At my company, we moved away from SMB1 a long time ago. This, compounded with the fact that the security patch has been out since March, gives a lot of places no real reason to be getting hit.

As everyone should have years ago. It's a 30-year-old protocol that never even really worked that well to begin with.
 

Syriel

Member
Maybe NSA should responsibly report vulnerabilities.

The vulnerabilities were patched before the leak even hit.

Their other task is to protect American communications infrastructure. If our hospitals are in danger or our allies' hospitals are in danger then this is a conflicting interest with harboring a tool of espionage.

This is why you patch your shit.

I think the issue is that hospitals and other sensitive areas take a while to validate fixes before deploying them widely. At least that's what the articles I read say.

And if you don't patch...then keep those machines on a private network, isolated from the Internet and the public. Hell, even my apartment building has its security system on an isolated network.

This isn't advanced network design. This is basic stuff.
 

Eppy Thatcher

God's had his chance.
So funny. Our infosec and BAS teams are running around pushing out a patch to our entire environment today for this. Talked about it when the exploit was sealed up by MS months ago but it was shelved as a "small fire" because of other work we had to do that was more important...

like pushing out new Wyse units to nursing stations and updating our Citrix client :-D :-D

so of course they are lining up their dominos so they can flick the first one, start pushing software then go home for the weekend.

The NHS's IT department is probably pissed.

I'm told doing IT for the medical industry sucks as it is, but they probably never expected this to happen.

It's rough because you are usually far behind everyone else in the biz when it comes to fundamentals, because everyone wants to spend millions on better EMR or remote access or modules for Epic or whatever the hell is big that year. Everything lags behind for version and security because there will always be some piece of garbage glucose monitor software or remote window access or nurse med/scheduling web portal that is woefully behind in updates and so needs to be on IE9 or can't have this or that critical update. It's a shit show half the time and a sprinting race the other half.

We are also a great target for ransomware because in the end - when it comes to EMR and Patient Data - a hospital that can afford it and is successfully attacked will definitely pay to get that information back/unlocked. It's a PSA issue and therefore beyond pride and shit. Just get it back - there are operations to be had.
 

Syriel

Member
so of course they are lining up their dominos so they can flick the first one, start pushing software then go home for the weekend.

Heh.

Did they never learn "You don't push to prod on Friday afternoon?"

Anyone who is dealing with this now, is working through the weekend.
 

Eppy Thatcher

God's had his chance.
Heh.

Did they never learn "You don't push to prod on Friday afternoon?"

Anyone who is dealing with this now, is working through the weekend.

3 members of the hospitals change board team were just informed they needed to be on site - not for the weekend mind you. Not even LATE in the day. Just be here. On a Friday. Aaaaaand they promptly threw a fit lol
 

Kthulhu

Member
So funny. Our infosec and BAS teams are running around pushing out a patch to our entire environment today for this. Talked about it when the exploit was sealed up by MS months ago but it was shelved as a "small fire" because of other work we had to do that was more important...

like pushing out new Wyse units to nursing stations and updating our Citrix client :-D :-D

so of course they are lining up their dominos so they can flick the first one, start pushing software then go home for the weekend.



It's rough because you are usually far behind everyone else in the biz when it comes to fundamentals, because everyone wants to spend millions on better EMR or remote access or modules for Epic or whatever the hell is big that year. Everything lags behind for version and security because there will always be some piece of garbage glucose monitor software or remote window access or nurse med/scheduling web portal that is woefully behind in updates and so needs to be on IE9 or can't have this or that critical update. It's a shit show half the time and a sprinting race the other half.

We are also a great target for ransomware because in the end - when it comes to EMR and Patient Data - a hospital that can afford it and is successfully attacked will definitely pay to get that information back/unlocked. It's a PSA issue and therefore beyond pride and shit. Just get it back - there are operations to be had.

One of the banks my company works with requires us to use IE to do any and all transactions. Total pain in the ass to troubleshoot, so I get what you mean.
 

Kthulhu

Member
Goddamn. This would be one of the first cases of physical injury due to cyberattacks, right?

This happens way more than you think. Not to mention countries have sabotaged each other via cyber attacks for decades. A few people probably died during those.
 

mantidor

Member
Wouldn't be surprised if the guys who did this got off scot-free. Ransomware can be hard to trace.

This is what I don't get: my understanding is that ransomware is more effective in small doses. If you as an attacker attract too much attention you are going to get a lot of eyes on you; even if you are using Bitcoin you don't want that many people, police offices and governments looking into your operation. Or is Bitcoin really that untraceable? This is headlines in every major newspaper around the world, it's a major incident, it's not some poor student that pays up to recover their thesis.
 
My mom's small dental office was affected by this.

Fortunately, they have daily backups of all computers on their system, so they could revert back.

This must be horror for the NHS or any larger corporation though.
 

HowZatOZ

Banned
Absolutely mind-boggling how many businesses still run XP as a backend without proper updates or sandboxing, let alone companies just running any OS and getting fucking infected. Hell, the Australian army fucking uses XP. Why...
 

kirblar

Member
Hyperbole galore. You should really limit the use of it when you're attempting to show your outrage, especially when it's completely untrue.

Also, the tools have been out there for a while. Not Wikileaks related.
Wikileaks being agents of Russia is not hyperbole. They are trash.

I assumed that they were involved given the multiple posts posting about it since I couldn't recall the details of it. If they're not, sure, ok. Doesn't make them not terrible.
 

Kthulhu

Member
This is what I don't get: my understanding is that ransomware is more effective in small doses. If you as an attacker attract too much attention you are going to get a lot of eyes on you; even if you are using Bitcoin you don't want that many people, police offices and governments looking into your operation. Or is Bitcoin really that untraceable? This is headlines in every major newspaper around the world, it's a major incident, it's not some poor student that pays up to recover their thesis.

Bitcoin is untraceable by design. Investigating a cybercrime is like any crime, the longer it takes to investigate, the colder the trail gets. Not to mention that in order to repair the damage, you're essentially destroying evidence.

If the attacker is smart (which they probably are considering they got their hands on this) then they have covered their tracks well enough that they won't be found, even by the government.
 

Kthulhu

Member
Absolutely mind-boggling how many businesses still run XP as a backend without proper updates or sandboxing, let alone companies just running any OS and getting fucking infected. Hell, the Australian army fucking uses XP. Why...

A lot of companies have the mentality of "if it ain't broke don't fix it" when it comes to IT, no matter how much we plead with them. Or they'll just cheap out because they don't take IT seriously.
 

WhatNXt

Member
I work in the NHS, in development actually. From our point of view, in our region, some of the biggest effect has been self-inflicted really, but out of self-defence. We have a geographically localised network covering various trusts, drop-in centres, GPs, business partners etc. Some VMs are located with cloud service providers, and there's also a national backbone that I believe much of NHS England is connected to. So we heard first that Blackpool NHS Trust was affected, we also heard St Barts in London had been affected, and then we also found a couple of infected machines within our own Trust. The whole network was taken down as a precaution and to contain it. I wouldn't want to be on any of the network or desktop support teams this weekend. Of course, there are consequences for electronic patient record and electronic pharmacy, which is why we had doctors and nurses going back to pen and paper today.

Not being able to do any work and seeing the news break on BBC News, seeing them read the tweet the comms officer I work nearby to had penned only minutes earlier, was just surreal. It completely knocked Jeremy Corbyn and Theresa May off the news for a while.

I hope this firmly puts a firm foot down on the talk of ISPs and chat providers giving government back doors to encryption, this just shows the kind of awful power exploits have in the wrong hands.
 

iamblades

Member
Bitcoin is untraceable by design. Investigating a cybercrime is like any crime, the longer it takes to investigate, the colder the trail gets. Not to mention that in order to repair the damage, you're essentially destroying evidence.

If the attacker is smart (which they probably are considering they got their hands on this) then they have covered their tracks well enough that they won't be found, even by the government.

This is not true at all.

Bitcoin is basically the opposite of untraceable. The entire history of all transactions is public.

It is easy to make additional addresses though, so it has strong pseudonymity, and the low transaction cost makes it easy to launder by passing it through a number of transactions and different addresses, making it hard to prove that the person who ends up spending the bitcoin was the one who did the crime.
 
I work in one of the affected London hospitals. Annoying day to work. Can't check blood results, can't check scans, can't see previous histories, can't use emails. They've also shut down the CT and MRI machines in case they get affected too. Basically can't do anything that involves a computer.

I feel bad for anybody working tonight; it's going to be a mess.
 

kayos90

Tragic victim of fan death
My role requires me to talk to numerous IT personnel and you'd be surprised 1.) how obstinate IT personnel are in getting their security up to snuff 2.) how moronic CFO/finance dept are in being convinced that backups and security are essential aspects of a business (regardless of how small) and 3.) how idiotic people in general can be in retiring old shit instead of using containers or using P2V tools to make them into VMs. Just... ugh. You guys probably think a lot of medical and enterprise organizations have their backend well put together. LMAO. Those companies are usually the worst.
 

TheMan

Member
My hospital sent out an email about this; apparently you don't necessarily have to do anything (like open an email attachment) to get infected.
 

Pokemaniac

Member
This is why you don't just sit on vulnerabilities or just unleash them on the public. The NSA bears quite a lot of blame for hiding these in the first place, but whoever released these to the public did so in the most damaging way possible. Unless you're looking to cause widespread chaos, the first step is always private disclosure.
 
Why do I feel like this is not clear at all. How does this ransomware get on a device to begin with? word document macros? I understand how it spreads, but how does the initial infection happen. Does anyone have a clear answer to this?
 
My version of Windows 10 does not even have SMB1 anymore.
Is that recent, or when did they ditch that?


SMB direct is not activated
 

Sonik

Member
OK? Has everyone who supported the NSA assholes learned their lesson? Do they understand now why encryption is important and shady government agencies shouldn't be trusted?
 

low-G

Member
Bitcoin is untraceable by design. Investigating a cybercrime is like any crime, the longer it takes to investigate, the colder the trail gets. Not to mention that in order to repair the damage, you're essentially destroying evidence.

If the attacker is smart (which they probably are considering they got their hands on this) then they have covered their tracks well enough that they won't be found, even by the government.

Eh, there's evidence in code, sometimes these people leave clues, intentionally or otherwise. Purchases done with the bitcoin accounts associated with this malware will probably be heavily scrutinized (even though I hear at least one account is shared with many users, that's not going to be enough this time).

Also, again, if your reading comprehension is suffering: getting their 'hands on this exploit' was as easy as visiting a website that was a national news item. There was no challenge in actually getting the exploit, and implementing it with a pre-existing malware was certainly relatively trivial. This is no king of malware writing; it was a relatively crude attempt at exploiting a public vulnerability.

Had this been a sophisticated attack (and for all we know those have been in place for some time), you'd see much more advanced exploitation, espionage. You could embed in vulnerable systems and work your way into accounts and eventually reap tens of millions, if not more, user accounts. Hell, this might have been / may still be a gateway to nuclear secrets...
 

D4Danger

Unconfirmed Member
My version of Windows 10 does not even have SMB1 anymore.
Is that recent, or when did they ditch that?


SMB direct is not activated

it's still there on mine on the list of Windows features I can enable. Maybe because I upgraded from Windows 7?
 
Apparently the malware had a kill switch in it, it won't continue to propagate if a certain domain is up and responding, and a security company registered the domain last night.
New infections should be falling like a rock.
 
Apparently the malware had a kill switch in it, it won't continue to propagate if a certain domain is up and responding, and a security company registered the domain last night.
New infections should be falling like a rock.

lol, that's extremely easy to detect. Why would they put a kill switch on it?
 
This is not true at all.

Bitcoin is basically the opposite of untraceable. The entire history of all transactions is public.

It is easy to make additional addresses though, so it has strong pseudonymity, and the low transaction cost makes it easy to launder by passing it through a number of transactions and different addresses, making it hard to prove that the person who ends up spending the bitcoin was the one who did the crime.

Well, that sounds like sophistry.
Because in reality, it isn't traced. Nobody that uses these ransomware schemes gets caught out through blockchain tracing.

With local bitcoin trading, you can find people in any city who will happily hand you cash for your bitcoins, without ID, if you forgo a 10% margin on the price. There are therefore many exits in any currency for bitcoins with no ID checks.

Since those people are active, and have been for years, nobody taking possibly tainted funds is getting any blowback from traces to their wallets.
 

D4Danger

Unconfirmed Member
Apparently the malware had a kill switch in it, it won't continue to propagate if a certain domain is up and responding, and a security company registered the domain last night.
New infections should be falling like a rock.

Just reading that. This guy registered the domain and accidentally stopped the attack.

makes you wonder why it's there. Maybe a test that got out of hand? Those NSA tools don't fuck around.
 

Apharmd

Member
What if this is a Russian attack responding to rumors that British intelligence is moving in to supply the FBI with information regarding Trump and Russia

after Comey got fired
 

Kthulhu

Member
My role requires me to talk to numerous IT personnel and you'd be surprised 1.) how obstinate IT personnel are in getting their security up to snuff 2.) how moronic CFO/finance dept are in being convinced that backups and security are essential aspects of a business (regardless of how small) and 3.) how idiotic people in general can be in retiring old shit instead of using containers or using P2V tools to make them into VMs. Just... ugh. You guys probably think a lot of medical and enterprise organizations have their backend well put together. LMAO. Those companies are usually the worst.


My last boss was like this. Had us using an outdated version of the consumer version of Malwarebytes as our anti-malware solution that was automatically installed via a login script (which I'm guessing violates the EULA), and I was never able to update it. And even after the entire company got infected, he still didn't have us switch to a better solution. All this because he wanted to save a few bucks instead of having a proper anti-malware and anti-virus solution.
 
it's still there on mine on the list of Windows features I can enable. Maybe because I upgraded from Windows 7?

Could be.
But what is your build version?

mine is 15063.296

What if this is a Russian attack responding to rumors that British intelligence is moving in to supply the FBI with information regarding Trump and Russia

after Comey got fired

By attacking an ancient OS via ransomware?
 
lol, that's extremely easy to detect. Why would they put a kill switch on it?

Because at some point the ability to immediately stop it seems like a really useful feature to have in case things get out of hand for the people who made it.

My role requires me to talk to numerous IT personnel and you'd be surprised 1.) how obstinate IT personnel are in getting their security up to snuff 2.) how moronic CFO/finance dept are in being convinced that backups and security are essential aspects of a business (regardless of how small) and 3.) how idiotic people in general can be in retiring old shit instead of using containers or using P2V tools to make them into VMs. Just... ugh. You guys probably think a lot of medical and enterprise organizations have their backend well put together. LMAO. Those companies are usually the worst.

Medical organizations are pretty well known for having some of the worst IT around. This is why ransomware attacks frequently target hospitals and have for years, because hospitals love running Windows XP on critical systems and not having backups and so when it's ransomware time they always pay up because of how fucked they are. People don't realize just how bad the systems their lives depend on are when it comes to medical organizations.
 
Why do I feel like this is not clear at all. How does this ransomware get on a device to begin with? word document macros? I understand how it spreads, but how does the initial infection happen. Does anyone have a clear answer to this?

Same way NeoGAF ads sometimes open the Google Play Store on mobile.
It's always some shitty loophole.
 

ameratsu

Member
Why do I feel like this is not clear at all. How does this ransomware get on a device to begin with? word document macros? I understand how it spreads, but how does the initial infection happen. Does anyone have a clear answer to this?

Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

WannaCry does not appear to only be leveraging the ETERNALBLUE modules associated with this attack framework; it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry. In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.

http://blog.talosintelligence.com/2017/05/wannacry.html
 
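An added detection example (not from the thread or the Talos post) for the two observable behaviours described above: the worm-like SMB scanning (one host opening 445/tcp to many distinct neighbours) and the kill-switch check mentioned earlier in the thread (a host resolving the kill-switch domain means the sample ran there). The flow and DNS log lines are constructed, and the kill-switch domain is a placeholder because the thread does not name the real one.

```powershell
# Added example, not from the thread: flag worm-like SMB fan-out and kill-switch
# domain lookups in constructed log lines. Domain and log formats are placeholders.
$KillSwitchDomain = 'killswitch-domain.placeholder.example'   # placeholder, not the real IoC
$FanOutThreshold  = 20   # distinct 445/tcp destinations per source that we treat as scanning

# Constructed flow log, "<time> <src> -> <dst>:<port>": 10.20.1.15 sweeps 30 neighbours
# on 445 (worm-like), 10.20.1.16 is ordinary file-share and HTTPS traffic.
$flowLog = @(
    foreach ($i in 1..30) { "2017-05-12T13:01:00 10.20.1.15 -> 10.20.1.$($i + 100):445" }
    '2017-05-12T13:05:00 10.20.1.16 -> 10.20.1.3:445'
    '2017-05-12T13:05:01 10.20.1.16 -> 10.20.1.4:443'
)
$flowRe = '^(?<ts>\S+)\s+(?<src>\S+)\s+->\s+(?<dst>[\d.]+):(?<port>\d+)$'

$smbFanOut = $flowLog |
    ForEach-Object {
        # keep only 445/tcp flows, as (source, destination) pairs
        if ($_ -match $flowRe -and $Matches.port -eq '445') {
            [pscustomobject]@{ Src = $Matches.src; Dst = $Matches.dst }
        }
    } |
    Group-Object Src |
    ForEach-Object {
        $distinct = @($_.Group.Dst | Sort-Object -Unique).Count
        if ($distinct -ge $FanOutThreshold) {
            [pscustomobject]@{ Source = $_.Name; Distinct445Targets = $distinct }
        }
    }

# Constructed DNS query log, "<time> <client> query: <name>": a lookup of the
# kill-switch domain is the sample's pre-spread check, so the client executed it.
$dnsLog = @(
    '2017-05-12T13:00:58 10.20.1.15 query: ' + $KillSwitchDomain
    '2017-05-12T13:02:10 10.20.1.16 query: updates.corp.example'
)
$dnsRe = '^(?<ts>\S+)\s+(?<client>\S+)\s+query:\s+(?<name>\S+)$'

$killSwitchHits = $dnsLog | ForEach-Object {
    if ($_ -match $dnsRe -and $Matches.name -ieq $KillSwitchDomain) {
        [pscustomobject]@{ Client = $Matches.client; When = $Matches.ts }
    }
}

'Hosts with worm-like 445/tcp fan-out:'
$smbFanOut      | Format-Table -AutoSize
'Hosts that resolved the kill-switch domain (sample executed there):'
$killSwitchHits | Format-Table -AutoSize
```

On the constructed input this reports 10.20.1.15 under both headings and nothing for 10.20.1.16; against real firewall and DNS logs only the regexes and the threshold need adjusting.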

ameratsu

Member
From what's been said this is not true, is it?

This runs counter to what's already known about the SMBv1 vulnerability covered in MS17-010. Ransomware can be spread by phishing, as always, but this seems to be particularly virulent because it spread via a known exploit. Everything I've read suggests that a vulnerable (unpatched or unpatchable) workstation with SMBv1/CIFS File Sharing support enabled could become infected without the user doing anything.
 