Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem. The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out …

WTF?

Cyber sex in action

Here we go again. So many systems getting well and truly screwed all around the world!

Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?

Viz: "These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates."


Re: Cyber sex in action

Viz: "These cyber-weapons attack vulnerabilities patched by Microsoft earlier this year, so the credential theft is usually more successful, at least at places that are on top of their Windows updates."

I too had hard time understanding this sentence. I read it as:

- if you patched MS recently, NotPetya will propagate by finding credentials in the RAM

- if you did not patch, it will use the unpatched vulnerabilities.

Silver badge

Re: Cyber sex in action

At some point in the article it said the Ram Raid ( hehe ) doesn't work on w10 so the sentence would mean:

It tries the vuln patches issued earlier (smb), which may work if still not yet applied, and tries the Ram raid, which is usually more successful as not yet patched on W7, but won't work on w10.

Gold badge

Re: Cyber sex in action

I agree with that reading, but would add...

"- if you patched MS recently, NotPetya will propagate by finding credentials in the RAM"

...which, if you are logged in as a normal user rather than a pseudo-admin, won't be sufficient to go any further. Perhaps.

Anonymous Coward

Re: Cyber sex in action

MS have been criticised for their ASLR.

https://en.wikipedia.org/wiki/Address_space_layout_randomization#Microsoft_Windows

Seems to me like some old software has become a conduit. Perhaps those companies need to upgrade and invest in more up to date systems.

Besides, like Wannacry, this is an exercise to raise awareness of bitcoins & crypto currencies to a lesser extent.

Wannacry targeted national institutions, and this one is just targeting more high profile entities but still raising the profile of bitcoins.

Satoshi must be worth getting on for $2billion now, not bad for a few years work, an idea and then letting the public run with it with Govt & media backing.

I still think this is a side show though and believe there are many many more systems already pwn'ed waiting to be activated, if you want to know more, that will cost you £10k per day! :-)

In the mean time, can MS come up with some major fixes to prevent an exodus from Windows?

It's a bummer when all the original talent who built Windows have long since gone.

Silver badge

Re: Cyber sex in action

Nobody pushing out the read-only file yet? (See first page.)

Luckily I have local admin privileges so I could do it on my computer.

Yes, I am aware of irony (or whatever it is) of that.

Bronze badge

Re: Cyber sex in action

"Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?"

Pretty sure the answer is no.

If machines are patched against the NSA backdoors and SMBv1 is disabled, other propagation routes exist if the user has local admin access to the PC, i.e. lsadump for any cached credentials on the PC and then psexec/WMIC using those credentials in an attempt to access other machines via C$/Admin$ shares. Your MBR is also re-written and after 20-40 minutes your PC is restarted and a "chkdsk" run that encrypts your hard disk. Prior to the reboot, a boot from CD and re-writing the MBR allows you to recover from this.

Also consider blocking SMB access between workstations via Windows firewall for end user devices if there isn't a compelling reason not to (i.e. in offices where a local PC is the "server" or some dumb app) or at least reducing access to just the hosts or subnets that need access to reduce your exposure.

If you don't have local admin access to allow the hash dump AND you are patched against the NSA issues across your network, files matching a list of extensions are encrypted.

If you haven't been infected yet, your best protection is ensuring AV and patching is up-to-date and reviewing your usage of privileged accounts (both at domain level and local PC level) to ensure you understand the potential for propagation across your network. Changing passwords for privileged accounts to prevent cached hashes from being usable is also a good step.

Silver badge

Re: Cyber sex in action

"Am I correct in understanding that this happens (in part) quicker in systems patched by Micro$oft?"

Exactly the inverse.

The main SMB1 vulnerabilities used for propagation were patched back in April (which kept a lot of us safe from Wannacry, too), so as long as you're actually running a decent patching schedule you were immune. The admin credential harvesting from local RAM would also be fairly ineffective if basic security hygiene was followed (in other words, MS's own best practice, as outlined in pretty much every level of MS training).

Oh, and Win 10 was effectively immune - it doesn't have the SMB flaw, and doesn't allow the creds to be harvested. Which must be very frustrating for everyone who was hoping to use this as another excuse to attack Win 10.

Silver badge

Re: Cyber sex in action

Seems other sources say the file is not called C:\Windows\perfc.dat but C:\Windows\perfc.

Silver badge

Re: Cyber sex in action

Is that because they are hiding file extensions (default)?

Silver badge

Re: Cyber sex in action

No, one that I read specifically mentioned that you had to show file extensions to be able to create the file.

Edit: I've just searched Google and it seems there's an even split between with .dat and without .dat.

Bloody Internet and fake news.

Best to create both.
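The two posts above describe defensive steps rather than showing them: restricting SMB between workstations with the Windows firewall, switching off SMBv1, and creating the read-only "vaccine" file (under both names, since the thread could not agree on one). The following is an added example written for this page; it is not code from the article or from any commenter. It assumes a Windows 8.1/10 workstation where the NetSecurity and SmbShare PowerShell modules are available (Windows 7 has neither; there the firewall change needs netsh and SMBv1 is switched off through the registry value shown in the fallback branch). The peer addresses are constructed placeholders, and the script must be run from an elevated PowerShell.

```powershell
# Added example, not code from the article or from any commenter. Applies the
# workstation measures discussed in the thread: limit inbound SMB to a short
# list of hosts, turn off SMBv1, and create read-only vaccine files under both
# names mentioned (perfc and perfc.dat). Run elevated; test on one machine
# first, because the firewall change cuts off every peer not in the list.

# Constructed placeholder addresses (TEST-NET range): replace with the file
# servers / admin hosts that genuinely need SMB access to workstations.
# An empty list blocks all inbound SMB.
$AllowedSmbPeers = @('192.0.2.10', '192.0.2.20')

function Restrict-InboundSmb {
    param([string[]]$AllowFrom)

    # Block rules take precedence over allow rules in the Windows firewall, so
    # the approach is: disable the built-in File and Printer Sharing allow
    # rules, make sure the profile default for inbound traffic is Block, then
    # add one narrow allow rule scoped to the listed peers.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # Re-runnable: drop any previous copy of our rule before creating it.
    Get-NetFirewallRule -DisplayName 'Allow inbound SMB from listed hosts' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    if ($AllowFrom.Count -gt 0) {
        New-NetFirewallRule -DisplayName 'Allow inbound SMB from listed hosts' `
            -Direction Inbound -Protocol TCP -LocalPort 445,139 `
            -RemoteAddress $AllowFrom -Action Allow -Profile Any | Out-Null
    }
}

function Disable-Smb1 {
    # Set-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    # The fallback writes the documented LanmanServer registry value, which
    # only takes effect after a reboot.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name 'SMB1' -Type DWord -Value 0
    }
}

function New-VaccineFile {
    # Create both names as empty, read-only files. This only stops the variant
    # that checks for the file before running; it is no substitute for patching.
    foreach ($name in 'perfc', 'perfc.dat') {
        $path = Join-Path $env:SystemRoot $name
        if (-not (Test-Path $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    }
}

Restrict-InboundSmb -AllowFrom $AllowedSmbPeers
Disable-Smb1
New-VaccineFile

# Verification: which peers are allowed, whether SMB1 is off, and the vaccine files.
Get-NetFirewallRule -DisplayName 'Allow inbound SMB from listed hosts' -ErrorAction SilentlyContinue |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
}
Get-ChildItem (Join-Path $env:SystemRoot 'perfc*') | Select-Object Name, IsReadOnly
```

The allow rule is scoped by remote address rather than adding a second block rule because a block rule would also override any allow rule for the same port; disabling the built-in sharing rules and relying on the profile default is what actually narrows access to the listed hosts.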

Silver badge

Re: Cyber sex in action

"Luckily I have local admin privileges so I could do it on my computer."

If that's in a corporate setting, you should be using a separate user account for those....

Silver badge

Re: Cyber sex in action

"can MS come up with some major fixes to prevent an exodus from Windows?"

Like Windows 10 you mean where none of this works on an updated PC?

Silver badge

Re: Cyber sex in action

"logged in as an admin or domain admin into running a booby-trapped email attachment"

What sort of shoddy organisation allows admin accounts to have email and be used for general purpose access?!



Silver badge

Re: Cyber sex in action

What sort of shoddy organisation allows admin accounts to have email and be used for general purpose access?!

The one that expected everybody to do that by default?


Re: Cyber sex in action

Well, I was in IT in a bank several years ago (in the U.S.). One of the major companies for bank software needed to have users logged in as administrators for their software to work properly. Coworkers and I spent many hours after each new version of software was released to find out what permissions needed to be changed in program files and registry entries so users could be logged in as a standard user instead of an admin. Very frustrating, but too often the tech support answer from software providers was to "just have users login as administrators". I'm retired now, so I don't know if things are better. It was very frustrating at the time.

Silver badge

Re: Cyber sex in action

Sage tech support regularly demand to have domain admin access in order to do support on our systems. I regularly tell them where they can stick it.

Bronze badge

Re: Cyber sex in action

@Richard Rose

Talent?

Anonymous Coward

Of Course

It could be the Ukrainians themselves who set this loose to try and blame their enemies.

False flag operations are a favourite trick of numerous national governments worldwide, particularly if there is an election coming up.

Anonymous Coward

Re: Of Course

While I would not go as far as false flag, the primary malware production facilities in the ex-USSR are presently in Ukraine and the war zones bordering it - Donetsk and TransDnestr. It used to be all over Russia. Not any more - they started getting in the way of legitimate business so the police got pressured by banks and businesses to start paying attention.

So it was probably written in Ukraine. Now, who paid for the kids to write it - that is a different story. We are least likely to know that any time soon. Investigating the organized criminal industry in Ukraine (or the politicians related to it) always finishes with a bomb under your bonnet, a bullet in the back of your head or your head cut off and sent to your wife. I am not going to quote the actual examples - they are in the news going as far back as Kuchma's government.

Anonymous Coward

Re: Of Course

TransDnestr is in Moldova, not Ukraine. It's not a "war zone" since the 1990s, albeit still a trouble zone because the pro-Russia illegal government takes advantage of the situation to gain from a lot of illegal activities...

Silver badge

Re: Of Course

"It could be the Ukrainians themselves who set this loose to try and blame their enemies."

More to the point, has MeDOc let anyone go recently and failed to delete their accounts and change any passwords they may have known? Because this is getting to sound like a bigger and better version of https://www.theregister.co.uk/2017/06/26/engineer_imprisoned_for_hacking_exemployer/ (for some values of better).

Anonymous Coward

The real blame goes to..

Okay, so I get everyone wants to blame Russia or North Korea etc.

But the way I see it, the true people to blame is in fact the Americans, more specifically, the NSA.

Why? Simple: these attacks are using exploits the NSA have known about for years, which is ironic when you think about the fact they claim to keep them in the name of "National Security". Had they just found the exploits, and reported them to Microsoft (or whatever application developer has the bug) this would have been prevented years ago.

But instead the NSA chose to harbour these security bugs, refusing to fix them and instead have them for their own malicious intents. The fact remains had these bugs been fixed instead of used then none of these attacks such as WannaCry would have been as effective as they are now.

Personally, I think the NSA should stand up and admit it did wrong by harbouring the bugs and apologise to the affected businesses.

That's not to say the creators of the malware are not responsible, which of course, they are. But to me the NSA still had a hand it in it all.


Re: The real blame goes to..

Speaking of NSA, let's remind ourselves about the first great Internet/Arpanet worm.

From Cliff Stoll - The Cuckoo's Egg

I knew Bob Morris was on his computer at 6:30 A.M. Thursday morning. I could see him logged into NSA's Dockmaster computer. After posting a message to that machine, I called him on the phone.

"Hi, Bob. We've got troubles. A virus is spreading over the Arpanet, and it's infesting Unix computers."

"When did it start?"

"Around midnight, I'd guess. Maybe earlier-I just don't know. I've been up all night trying to understand it."

"How's it spread?"

"Through a hole in the Unix mail program."

"You must mean Sendmail. Hell, I've known about that for years." Bob Morris might have known, but he had never told me.

Silver badge

Re: The real blame goes to..

Wasn't that his son? Or was that later?


Re: The real blame goes to..

Affirmative, it was his son.


Re: The real blame goes to..

Fully correct. Global Security is harmed mainly by Security Services (every major intelligence org is doing it) in multiple ways.

1) They create incentive to find security problems AND keep them secret by buying them on the black market.

2) They then hoard these problems to transform them into attack weapons against state-actors, terrorists and criminals alike.

3) Defenders (OEMs and Anti-Virus companies) are intentionally kept in the dark in order to not de-value the attack weapons.

This system is fully concentrated on each actor's ability to attack, not to defend.

So there is a global incentive for the Security Services to keep potential targets on each side vulnerable.

So when ( not if ) the weapon cache is breached, as soon as the thieves learn to control the weapons, they are able to do harm on a global scale.

I understand the thinking behind collecting attack vectors - but in effect the Security Services do NOT raise the global security level, they lower it to dangerous levels.

Time to change this system.

Otherwise NSA, GCHQ, BND, FSB et al will become responsible for a major hit against the global infrastructure. It's just a matter of time.

Anonymous Coward

Re: The real blame goes to..

But the way I see it, the true people to blame is in fact the Americans, more specifically, the NSA.

The problem I have with this blame attribution is that it isn't quite true; all it would have done is meant us having this discussion X years ago as companies failed to apply the patches and malware skiddies reverse engineered them enough to exploit the vulnerabilities.

Worryingly (because I am strongly against harbouring vulnerabilities), it could be argued that the NSA protected the business world by keeping it a secret. This chaos never happened as a result of a parallel discovery, it was only after Shadowbrokers popped the NSA and released the files. If they had kept them secret properly, this wouldn't have happened.

Silver badge

Re: The real blame goes to..

"it could be argued that the NSA protected the business world by keeping it a secret."

This is an argument for security through obscurity. The main problem with this is that you have to maintain the obscurity for ever. By far the best approach is for the vulnerabilities to be notified back as soon as discovered, fixed and the fixes incorporated in future products and in updates to existing ones.

Bronze badge

Re: The real blame goes to..

> The problem I have with this blame attribution, is it isn't quite true ...

Correct and a little perspective is useful here - at least four months since Microsoft patched anything from the NSA that has been used in this attack. Plenty of references to the timelines (toolkit compromised last year, MS patches in Feb, toolkit dumped public April/May, first 'public' exploit mid-May).

Do the spooks have form in using any weakness to attack perceived enemies of their respective state with little concern for moral/legal scruples? Yes. Are they responsible for the failure of commercial organisations to implement basic, proper IT maintenance when the necessary defenses have been in the public domain for months? No.

Whether the motivation behind NotPetya turns out to be criminal or political will be far more interesting than ideological blame games (although a definitive answer on motive seems like it will be challenging to confirm).

Silver badge

Re: The real blame goes to..

"This is an argument for security through obscurity."

Exactly this. And security through obscurity is almost certainly not actually secure.

There's a basic rule in sigint which should always be followed:

Always assume the other guy is smarter than you.

This is the basic foundation of modern security infrastructure, and has been since World War 2. Basically, the Nazis assumed that they were smarter than their opponents, and so that the Enigma code was invulnerable. But it turned out the Allies were working on stuff that the Germans hadn't even begun to imagine, and so they were able to break the code in ways that the Axis assumed would be impossible. The Allies knew where the Axis were going to attack within hours of the order being issued, but the Germans remained convinced that Enigma was unbreakable.

This is why, since the end of the war, whenever we come up with a new encryption method we publish it and invite people to have a go at cracking it. Because the assumption is that someone out there is smarter than you and will figure it out even if you think it's unbreakable. It's effectively the same many-eyes principle which works in Open Source; if everyone is working on the problem and still can't crack it, then it's probably securer than if you're the only person working on it and hoping that some combination of obscurity and your own genius makes it uncrackable. This is one of the problems many infosec researchers have with Apple's walled garden; it's a bad philosophical approach to security even if you do a very good job of implementing it, and when someone smarter does decide to target it the result will be devastating.

The assumption should always be that the Bad Guy - whomever they happen to be at a given moment - knows your movements, has access to all your information, has slightly better resources than you do, and can do a bit more than you can at any given time. That makes hording exploits directly equivalent to arming your enemies.

Anonymous Coward

Re: The real blame goes to..

Security through obscurity is never a proper solution.

The primary problem with security agencies keeping them private is that when their toolkit is leaked it's not just one exploit to be fixed, it's multiple which makes it enough that it can be used together to take complete control of a system before a fix is created.

Where as if they played nice and reported those bugs to developers when they found them then it would (should) be fixed before the public was made aware of it.

You see, a single bug release, complete with patches is far better and safer than a huge pack of exploits leaked leaving systems insecure and vendors scrambling to fix the bugs.

Then you have the second issue: what about when you've found a bug, decided to keep it for your own use, and someone else with ill intent finds it and uses it also? You could have stopped that from happening but you chose not to.

Whichever way you spin it, harbouring bugs is bad.


@ Rob D Re: The real blame goes to..

>> The problem I have with this blame attribution, is it isn't quite true ...

> Correct and a little perspective is useful here - at least four months since Microsoft

> patched anything from the NSA that has been used in this attack.

Well, as I understand it that is not precisely correct...

It seems that actually M$ have published patches for the exploits that have been SEEN IN THE WILD and notified through the usual bug report channels. Nowhere have I seen/heard any suggestion that NSA have told M$ and other software vendors what was stolen so that PROACTIVE patching was possible - it's all still reactive as the exploits surface.

And that is why infrastructure managers are buying coffee, sitting uncomfortably and not sleeping well at present.

Silver badge

Re: The real blame goes to..

"Had they just found the exploits, and reported them to Microsoft (or whatever application developer has the bug) this would of been prevented years ago."

While I agree with the sentiment that hoarding vulnerabilities in the name of national security is rather stupid, the above isn't really true in this case since MS have patched the vulnerabilities in question. If this had happened last year when the NSA knew about the bugs but MS didn't it might have been a good point, but when malware is exploiting bugs that were patched months ago it hardly makes sense to complain that they weren't patched even earlier - at this point if you don't have the patches it's neither the NSA's nor Microsoft's fault, it's yours.


Re: The real blame goes to..

If the replies on this thread are given by people working in the IT industry, and who are responsible for working IT systems, then it shows a) why these things happen and b) It won't go away any time soon.

Conclusion: It is anybody's fault, but not Microsoft's or the people responsible for the architecture of resilient IT infrastructure in companies.

So better stop whining about NSA and others, since they are just guys doing their job and laughing their *ss off at all this lemming-like behaviour in corporate IT that makes their lives so easy.

And besides that, if the boss asks some questions, tell him it was the anti-virus tool not recognizing the virus attack :).

Anonymous Coward

Re: at this point if you don't have the patches it's your fault

Rather ironic that the problem in this case is both failing to deploy updates (Microsoft ones), and deploying updates (the hacked accounting software one). We just can't win.

Silver badge

Re: The real blame goes to..

"MS have patched the vulnerabilities in question."

Only very belatedly. They were embarrassed into having to patch XP after its EoL. If the problem was known during XP's lifetime, shouldn't it have been patched then? If it was known during 7's development should it ever have been in 7?

There are reasons other than indolence why stuff doesn't get patched or at least patched promptly and doesn't get replaced (see TFA and also the frequent posts about the effects of enforced updating of 10).

NSA have no excuses whatsoever for sitting on this stuff and letting it become a global problem. Countries which have experienced serious infrastructural problems should have been calling US ambassadors into their foreign affairs ministries for a good talking to.

Anonymous Coward

Re: The real blame goes to..

I agree with blaming the Americans, but not the NSA... if Microsoft had done their homework well, none of this would be possible! Let's not forget that the attack vectors are all Microsoft's doing. IF they would concentrate on putting out better software instead of shiny software or bloated software, none of this would occur. Yes, this would slow down the pace of innovation in the software industry, but it is getting to a point that we need less innovation/new features and more stability/security. We have become too accustomed to the quick release-fix it in an update cycle. These are the consequences.

Silver badge

Re: The real blame goes to..

"This chaos never happened as a result of a parallel discovery, it was only after Shadowbrokers popped the NSA and released the files."

I think I'd rather each vuln was discovered and patched ASAP rather than the situation we have now with multiple serious vulns all being dropped at the same time.

Silver badge

Re: The real blame goes to..

... none of this ... ... none of this ...

That's an extremely optimistic view.

Even OpenBSD, with its focus on security first, second and third, tends to have an occasional bug to fix.

Bronze badge

Re: The real blame goes to..

"... all it would have done is meant us having this discussion X years ago ..."

In fact the discussion WAS being held years ago. As early as the early '90s at least. Many pointed out the hazards of monocultures, systems where a single "organism" is the primary foundation for a complex overstory. Attack that foundation and and the entire system can be brought down. Mathematically the internet and an ecosystem are very similar. The opposition offered the lame argument that computers and operating systems are not biological. There were Engineers at the helm; Great Geniuses were protecting us all; immense multinational corporations "knew" what they were doing. Besides, open source or some means of auditing critical code bases would risk trade secrets and patents. Besides, all us peons were just consumers (cash cows).


Re: The real blame goes to..

The real blame goes to... people continuing to use Windows.

But please, do continue so that we can enjoy Linux tranquillity... because you know what happens when there are too many Linuxes like Android: malware, viruses, etc...

I'm so glad Linux desktops keep around 2% so as not to attract too much attention!

Silver badge

Re: The real blame goes to..

Microsoft released patches for currently supported operating systems two months before the WannaCry exploit. Unless things have changed dramatically since the middle of 2012, outward facing US DoD systems were patched well before a month after patch release - the requirement then was to patch Category I vulnerabilities within 15 days of patch availability. EternalBlue unquestionably was a Category I vulnerability. So was use of an unsupported software product like Windows XP, although there is no remediation for that, not even application of a patch for the vulnerability; Windows XP would have been disallowed within the DoD as of April 30, 2014.

Use of SMB version 1 might or might not have been as severe a vulnerability, but it would have been one beginning when Microsoft deprecated it, and at worst ought to have been discontinued within 180 days, which would have been before the end of 2014.

The DoD is a far from perfect organization in IT as in other things. But the outlines of their information assurance standards are not that hard to understand or, in principle, to implement. Their implementation is tedious, annoying, expensive in terms of staffing, and all too often disruptive to the operations the IT staff support.

Many organizations, including the DoD agency that employed me, do not consider IT part of their core mission. For some, not including my agency, that results in treating it as a cost center to be starved of staff and funds to the maximum possible extent, heedless of the potential cost and damage that inattention to security patching and configuration can bring.

Blaming the NSA may have some merit, but their behavior in retaining some vulnerability knowledge was approved at the highest level in the executive branch and certainly is not meaningfully different from that of similar agencies in other countries. At least as much blame is due the management of organizations victim to these recent attacks.

Silver badge

Re: The real blame goes to..

I understand the thinking behind collecting attack vectors - but in effect the Security Services do NOT raise the global security level, they lower it to dangerous levels.

The old adage, if you can find a backdoor so can someone else (paraphrased obviously). I believe I first heard it in military terms, physical access to a bunker etc.

Would be nice if the NSA were made to pay for the damage, out of the personal bank accounts of those who made the decision to keep this stuff secret. Same for equivalents in other nations. They've brought some real pain into people's lives by their decisions, they should be made to pay.

Silver badge

Re: The real blame goes to..

While I agree with the sentiment that hoarding vulnerabilities in the name of national security is rather stupid, the above isn't really true in this case since MS have patched the vulnerabilities in question. If this had happened last year when the NSA new about the bugs but MS didn't it might have been a good point, but when malware is exploiting bugs that were patched months ago it hardly makes sense to complain that they weren't patched even earlier

Not everything can be patched easily. When XP and intranet pages etc exploded into the business world, a lot of stuff was written to work with technologies that only existed in IE6 [1]. I'm sure the writers assumed these things would continue but they didn't, for whatever reason the tools were not supported in IE7 and onwards. But there was the issue that a hell of a lot of stuff considered "business critical" was written for IE6 and would not work on 7 or later. People could not upgrade to a more secure browser because of this. I assume there's still many places where 6 has to be used even today.

A lot of other systems were developed around older tech, which can be hard to update as has often been discussed in these forums.

The question I am wanting asked is.. How long did NSA know of this particular flaw? Did it date back to pre-XP versions of Windows? Did the NSA know about it before Vista? Before XP SP3? When? Because the longer they sat on it, the more systems were built using the flaw, and the more systems became vulnerable; ie if they knew about it pre-Vista and had told MS then, then MS could've had Vista and onwards fixed, and only the XP systems to worry about. Had the NSA told MS before XP SP2 then XP would've been fixed back then, and probably very few systems would've been vulnerable - the lot probably fixed before the first real bits of ransomware came around.

at this point if you don't have the patches it's neither the NSA's nor Microsoft's fault, it's yours.

As you should well know, there are systems that are difficult to patch for various reasons. Had MS been alerted to and fixed these bugs a couple of years ago, some of those machines wouldn't be a problem now. Had it been a decade or more ago, even most XP systems would've been fine.

Yes, those who have refused to patch because "I don't wanna" are largely to blame for their own misery. Those who cannot patch because of other more technical reasons, however, may have the NSA to thank for their misery. Depending on how long ago the NSA knew of this stuff (probably in an article I haven't read or have forgotten).

[1] If I got the wrong version of IE, please mentally substitute the correct one.

Silver badge

Re: The real blame goes to..

Let's not forget that the attack vectors are all Microsoft's doing. IF they would concentrate on putting out better software instead of shiny software or bloated software, none of this would occur.

You can only patch bugs you know about. You can only know about bugs by discovering them during testing, or by someone else discovering them and telling you about them. MS did patch this stuff once they learned of the problem, but the NSA should've spoken up the moment they found the flaws. The NSA, as I understand it, is an organisation with a job to protect the data security (and the interests of) US citizens and corporations. By covering up this flaw, they've failed in this regard in many ways, not the least being the amount of ill-will that has increased towards the US and her citizens as a result of their actions.

MS could've done better, sure - but their closed-source doesn't quite have the benefit of well-intentioned interested parties looking over it for things to improve, which is a big help at times to those in the Open Source camps. Every programmer leaves bugs in their code, many found because they stop compiling, many more found because of an obvious flaw during execution, and some that lie hidden for decades because a) no one thinks of the test that would find them and b) nothing happens in the wild to trigger the flaw.

Writing software is difficult. Fixing bugs is difficult and a pain. But building test rigs that can catch every bug? That's incredibly hard, and no one has managed it yet. Though that said, I understand some basic testing tools would've found the flaw in SMB1?

it is getting to a point that we need less innovation/new features and more stability/security. We have become too accustomed to the quick release-fix it in an update cycle. These are the consequences.

That I agree with you on. I'd much rather computing be a few years behind where we are now, with the advantage that some of the painful talks I've had to have with people over lost data (eg kids photos) would never have happened.

Silver badge

Re: The real blame goes to..

Same as child porn.

People who pay for child porn create the incentives for kids to be exploited.

So the intelligence services provide exactly the same incentives as child porn buyers.

All of this damages the population, and creates thousands of millions in damages. That economic damage translates into lack of money for hospitals, improving roads, etc. That means people die because of this.


Re: The real blame goes to..

Not really.

First, this malware only uses EternalBlue as a last resort to spread.

Second, whoever wrote EternalBlue did not create the vulnerability, they just found it and wrote an exploit for it (every persistent threat organization out there has zero days like this in their pocket; it isn't like this was a unicorn).

Third, Microsoft released a patch for this over a month ago and it is obvious that a large number of entities are not applying patches in a timely manner. When I do penetration tests on networks using Metasploit, the first exploit I throw is MS08-067 because 50% of the time, it wasn't patched properly. That is an exploit that was REPORTED publicly in 2008. It is almost 10 years old and you can still find machines vulnerable to it in the wild.

Why not blame ShadowBroker for releasing the exploit?

Why not blame shoddy Information Security practices that don't train users to use a little internet hygiene before they start clicking on links in emails they aren't expecting?

Why not blame network engineers that deploy their networks in a flat topology so that any machine can reach any other machine?

Why not blame software companies that don't secure their networks and allow malicious actors to plant malware in their patch catalogs?

Why not blame system administrators that don't disable password caching so that administrator hashes aren't left behind on a machine when the administrator logs out?

There is plenty of blame to go around. Have some.


Re: The real blame goes to..

"The real blame goes to... people continuing to use Windows."

Oh, how cute. A Linux fanboi in the wild.

Just this month a South Korean ISP had 150 Linux servers hit with ransomware and paid over a million dollars to get their data back.

https://www.onthewire.io/south-korean-isp-nayana-pays-1m-ransom-to-decrypt-servers/

So much for not attracting attention.

Nothing to see here, move along.


Biting the hand that feeds IT © 1998–2017