This was - of course - inevitable and it only shows how effective the NSA is at undermining everyones security.
Miscreants have launched a ransomware worm variant that abuses the same vulnerability as the infamous WannaCrypt malware. Danish firm Heimdal Security warned on Sunday that the new Uiwix strain doesn't include a kill-switch domain, like the one that proved instrumental in minimising the harm caused by WannaCrypt last week, …
If back doors ever become a reality and the key is ever stolen (it will be), there will be no need for "ransomware". The crims will simply help themselves to your bank account or whatever else they want. You won't have to open a dodgy email or click a bad link. Best yet it won't matter what OS you use. And then, goat farming in the hills begins to look attractive.
The present"back door" would be through compromise of Apple's (or Microsoft's) code signing key(s) or use of the keys to sign bogus software. Is there really reason to suppose that their security protections are fundamentally superior to those at the NSA? Would they not be subject in a similar way to vulnerability from disloyal or planted employees or accidents that expose them in environments less protected than planned.
Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows.
The real issue here is that Microsoft stopped has patching XP and Vista systems in an attempt to force users to upgrade - that's where the real money is in these vulnerabilities. So who's going to make out like a bandit from WannaCry et al? Expect Microsoft Win 10 share to increase over the next few months - they are the real winners here.
Yes. If they're selling their operating system to clients for use in everything from medical equipment to warships and that equipment has an expected lifetime of decades, then the operating system should be supported for that lifetime.
Microsoft have made billions upon billions from the taxpayers. Supporting the stuff they have sold isn't much to ask. No-one is asking for new features or upgrades, only critical security updates.
Debian derivatives are used in dozens of pieces of equipment around my office -- when there is a flaw who is the one responsible for getting all of the that equipment updated? Should Public Interest be blamed for a unpatched hole in a 10 year old router and expected to fix it -- even when newer versions that fixed the flaw have already been shipped? Of course not.
So why should Microsoft be blamed for the same situation? They sold operating system, but they aren't the one putting it in medical equipment. That was done by the manufacturer of the equipment, which, by the way, as an OEM assumed all ongoing support. The end-of-life date on the OS was well known before it was installed. It is the equipment manufacturer that screwed you over, not Microsoft.
The systems integrator that put Windows on Warships is the one who made the claim of fitness for purpose, not Microsoft. THEY are the one who should be held accountable. If that integrator needs to go back and pay Microsoft for ongoing support that's their problem -- they made the choice to integrate Microsoft and they have the live with the results of their decisions.
Don Bly, The Ian bloke from the name Deb-Ian died. Apparently committed suicide. That's how spooks die. Don't be so sure they don't have a backdoor into Linux. The FreeBSD people think Linux is not hardcore enough which is why it's not very popular. If you want cool things in Linux it's going to have backdoors.
Sure, I'm blaming them - I know that the way of the world here is that when you buy stuff these days it's actually supported for a year or so ... and then it's junk?
The next time you take a journey, check the age of the aircraft, train, car, bike etc. - if it's 13 years old then maybe it will crash and the manufacturer will tell you that it's your fault?
The fact is that Microsoft actually had a fix for this vulnerability but they were only releasing it if you had a continuing support contract - sure, Windows isn't very secure but why? Because it's not built for security, it's built to be cheap and disposable.
It's designed to be required to be replaced because that's where the money is - and this applies to whatever ever of Windows you are running today - it's going to be vulnerable tomorrow.
Implying that Windows (H)8, and Windows X are better than an unmaintained Windows XP SP3 Installation. Which can still do it's job. Probably better than those other Two numbskull OSs. Assuming Microsoft were kind enough to continue supporting it. But, alas that way only madness lay. As XP does not contain Tracker's, and (Cr)App Stores to take your Moneyz.
Last night on BBC Radio 4 news I head that the NHS IT organisation warned trusts of the risks if they did not deploy the patch to protect them against this very thing; they were arned, but why the hell are people still opening attachments and clicking on links? My mother made this mistake once, in 1998, and has not done so since. If someone of her age can be immune so can NHS staff.
When said OS is used with systems that cannot be upgraded, yes.
(because it would make expensive hardware unusable.)
But also the people who made and OKed the decision to purchase such unsuitable systems should be held to account.
Why would anyone buy a jack of all trades system, with a life of a decade or so to run expensive equipment meant to last thirty years with a specific requirement?
"Why would anyone buy a jack of all trades system, with a life of a decade or so to run expensive equipment meant to last thirty years with a specific requirement?"No alternative. Hospitals use hundreds of devices "monitoring equipment, alarms, compounders, radiology, things of those nature" that were designed to specifically run with XP. There are zero or close to zero that run on other OSs. You can't purchase what doesn't exist.
In my experience with embedded systems there is nothing particularly fancy about the way the PC talks to the special hardware. There is nothing that says it can't be upgraded to say 32 bit Windows 7 or even rewritten for Linux. Much of the code is written in C or Delphi. It would take a bit of work but not impossible.
The problem is that like Microsoft the manufacturers have moved on. They are playing with their next big thing and have forgotten about that old stuff.
What is needed is a commitment from the manufacturers to either support the gear for 30 years or share the code and the schematics. Obviously a consideration would be required from the buyer, I don't see why they should do that for free.
The easiest thing would be to keep XP going and Microsoft will do that if you pay them. The next thing would be to fit each XP system with a hardware firewall. Don't expect XP to protect itself, put a packet sniffing firewall in between.
The easiest thing would be to keep XP going and Microsoft will do that if you pay them. The next thing would be to fit each XP system with a hardware firewall. Don't expect XP to protect itself, put a packet sniffing firewall in between.
Firstly, from the way MS behaved around the time of XP's EOL, it was clear they had zero intention of keeping XP going - MS wanted to make a break with the past, even if that break could hurt them commercially. Additionally, given the size of payments they received from user organisations, such as the UK government, for the extended support service MS reluctantly did offer, I suspect given MS were already committed to maintaining XP POS until 2019, it received sufficient monies to more than cover the costs of maintaining the XP support team for 10 years; extending XP's EOL to 2024; yet they haven't.
Secondly, how would a hardware packet sniffing firewall given any protection against WannaCrypt, given the initial infection vector was believed to have been a poisoned email attachment and if you were running SMB the relevant ports would be open.
"blaming a commercial company for not patching a 13 year"
I think blaming and criticising a company that sold you buggy vulnerable crap and refuses to fix bugs because someone else didn't find and advise them of them soon enough is entirely justified.
I have some compilers from a company with a policy that finding a bug in an obsolete unsupported version of the compiler entitles you to a free upgrade to a current supported version. That would be the policy of a decent company (which Microsoft clearly isn't). Of course Microsoft's current supported version being a piece of shit that no one wants would stymie such a policy.
Actually technically they haven't stopped. (Vista yes).
BUT THE PATCHING IS NEARLY IRRELEVANT!
Like most other spam borne "attacks" this would be totally mitigated by
1) User training and common sense.
2) Better configured systems.
XP use by NHS is a red herring.
Even if EVERYONE used Linux* and it was updated daily, it will NOT stop this until the USERs are better trained and use email properly.
[*Because all the spam based attacks would be aimed at Linux]
If the NSA/GCHQ/etc. really want to read what's on your computer, they will. Don't kid yourself otherwise. This has been the case since you got that first 33.6 kbps dialup modem.
But they're unlikely to encrypt the contents and demand bitcoin from you. That's not their MO. Far too revealing, for one thing.
* Microsoft realised that the security in XP was grossly inadequate, so recruited crackers and other experienced security staff for a new OS, re-built for security, thus the poor 1st attempt in Vista, and the usable 2nd attempt in Windows 7.
* The version of SMB (Windows Networking) supported by XP has pathetic security, especially with increasing computer processing power, and I was shocked to see the pathetic default Samba client levels in Mint and no GUI to fix this easily!!!
* Microsoft provided ample advance warning of EOL for XP/2003, and only offered escalating cost post-EOL support as a _temporary_ stop-gap, because XP is not worth supporting for security reasons, so organisations have no excuses to still be using it, especially on the Internet!
* Yes, the NSA is criminal for making these immoral and unlawful cyber weapons, but crackers were already attacking the inadequately secured XP.
* The public leak of these cyber weapons at least makes most of the threats publicly known so that they can be combated en-mass now, including by Microsoft, rather than the much harder work to identify/combat hidden black hat criminal uses.
* Organisation and other users of XP, and suppliers of equipment requiring XP which have not already implemented/provided an upgrade to at least Window 7 are frankly negligent and should be humiliated/sued; they don't deserve any sympathy.
The Swift (inter-bank payments service) must also be heavily-pressured/humiliated/sued to get its act together, because it reportedly still requires the only slightly less dated Vista version of Windows to run their client software in banks, which is probably one reason why several Swift client banks have been virtually bank robbed! Swift should really be using a secure *BSD OS for this, let-alone any version of Windows!
Your Comment: "Yes, the NSA is criminal for making these immoral and unlawful cyber weapons..."
Unlawful? By what law, specifically? (NOTE: Title 10 and Title 50 authorities directly - and legally - trump certain US laws.) As an analogy - It's not "illegal" for a policeman to speed to catch up to a criminal. It's not "illegal" for the NSA to create tools to compromise computers.
You can argue all day as to whether it is illegal to DEPLOY tools, once created, against CERTAIN computers, but I don't think you have a leg to stand on calling the fact that NSA *creates* such a tool - if they even did create one themselves - in any way an illegal act.
Well in the UK, the police (and,bulance/fire tenders) can be prosecuted for their actions while speeding. It does not happen very often but not unknown. As to GCHQ, much of what they have done has been shown to be unlawful it is just that successive government have not pursued them (simply hangs legislation and given retrospective blessings.
"Don't blame the NSA - anyone could have discovered this issue and weaponized it. Certainly the NSA should have reported it to Microsoft but they apparently didn't ... who knows."
It's clear the NSA intended to not inform Microsoft at all as this was part or their arsenal, a secret tool on their version of a Bat Belt. We must blame the NSA as they developed it, hoarded it and then lost control of it when it got out. This should be an example of how such organisations should not be using such methods.
The only way Microsoft knew about this and patched this was because the NSA lost control of the code to ShadowBrokers who then reported it to Microsoft giving them enough time to roll out a patch before a public release.
As you correctly say, anyone could have developed code that exploits the flaw. But who detected that flaw first? So who should have the social responsibility to improve the "cyber" defense of at least their own nation by disclosing such a flaw?
The NSA found it. Kept it secret, then lost the code due to real humans making mistakes or breaking in who discover a pot of "hacker gold" runnable and mature from the fist double click.
For this very reason Apple, correctly, refused to create a version of iOS that could be installed on an iphone to weaken the pin entry screen to allow the FBI entry. Apple knew they could not simply trust that this hacked version of iOS could be kept under control.
Microsoft became aware of the particular vulnerability soon enough to develop and issue a remedial patch for the vulnerability more than five weeks before its first reported use in malware. The notion that ShadowBrokers reported the vulnerabilty to them is much less plausible than the more common presumption that the NSA did so. The patch was marked "critical" and that should have informed anyone paying attention of the need for prompt action. US DoD rules require deployment of these items within 10 days of availability, and while they do not always meet that, those who do not have to report often and in detail on the deployment until it is complete.
The firmware the FBI wanted from apple, contrary to repeated claims, was not installable on "an iphone" in the general sense. The order required it to be specific to the iPhone described in detail in the court order and required that it not be usable for other iPhones. That is something that Apple certainly could have ensured since the code would need to be signed by them. Apple certainly would have been ordered to provide similar firmware in other cases. However, if the cryptographic implementation was secure and Apple continued to control the signing process, release of any or all copies of such firmware would not have been able to compromise untargeted iPhones.
You could look at an event such as that of the last few days as the Internet's version of a wildfire. In the short run some damage is done but in the long run the fire's job is to clear out dead wood and enable the regrowth of a stronger, healthier ecosystem. Short term pain for long term gain.
"We've installed the MS security patch, we've restored from back-up. Everything's OK now".
Papworth NHS Trust has had something like 16 of these ransomware attacks in the last 12 months, and hasn't done anything. It is going to take a lot more than this to change management attitudes.
No, because very few organisations and users will learn the real lessons.
Patching and AV inevitably often is bolting the stable door after horses gone for the first hit. Yet proper user training and proper IT configuration mitigates against almost all zero day exploits. I struggle to think of any since 1991.
Firewalls, routers, internal email servers (block anything doubtful), all superfluous services and applications removed, no adhoc sharing. users not administrators, and PROPER training of users.
In the short run some damage is done but in the long run the fire's job is to clear out dead wood
I wish! The idiots who think it's fine to run XP are paid ten times more than me and they'll still be in the same role this time next year. They'll be no getting rid of dead wood, just more winging it and forcing underpaid Techies to work more weekends after more screw ups.
> someone in Nigeria has been hit
Yes, my uncle. A Nigerian Prince desperately trying to get his money out of the country. With his computer out he is now looking for an honest soul who can help him for a 10% cut of the funds. Due to the nature of his finances the money can only be moved to a credit card account. If someone would be so kind as to send him theirs...
Its surely incredible that a lone pizza stuffed actor could get immediate access to the worm and spend a night before he spotted the 'call home' vector? Is that really that hard? And beat the best resourced detection agencies worldwide?
Surely every IT detective agency including GCHQ would have sandboxed it on first sight, thrown their best at it if only to beat their friends across the pond, to save Jeremy Hunt & Mother Theresa's bacon just ahead of a new funding opportunity (aka new government).
It all smells not only of pizza but planted news. And if it is genuine what on earth are we paying this organisation and every anti-virus firm for?
Not that surprising, I've been deleting WannaCry and it's ilk from the mail-server quarantine forever and in my younger days (at his age) all we had to disassemble were things like CP/M, BDS C, and Wordstar ... and I did it for fun. He sounds genuine to me - I can see myself in his shoes at that age.
Went to the doctor's surgery this morning. All the computers were down. I queried if they'd been hit with the malware, but apparently it was as a preventative measure as their main NHS trust has been badly hit, so couldn't bring up any records or even know what the wife's blood test was supposed to be for. Next I'm expecting the wife's hospital appt to be canceled due to the chaos it is causing.
I wonder if we can get a go-fund-me page set up to hire someone to track down this hacker scum and take out a hit on them? A bullet to the brain may give other scumbags something to think about.
"I wonder if we can get a go-fund-me page set up to hire someone to track down this hacker scum and take out a hit on them? A bullet to the brain may give other scumbags something to think about."
Michael S. Rogers is the current head of the NSA, https://www.google.co.uk/search?q=head+of+nsa
I went to mine as well, except that their system is less than 12 months old and was fine. The local NHS trust is saying the same about their systems.
The old system that the GP used, (mandated by the relevant authority) was a real bag of nails, it had longer outages than working periods and the support package appears to have been provided by a corpse on Prozac. The Lead GP threatened to wall up the next support person who failed to fix it after a two day and counting outage . So far so good with the new one.
The answer is not to avoid Windows. It's for our so-called security agencies to get to understand that they are not supposed to be a dirty tricks department collecting weapons for use against others, but that they are supposed to work on our national security - which includes public and private services and businesses as well as the Civil Service.
The fact that May and Rudd seem totally unable to get what could go wrong post-Snowden suggests that when one of them became PM, a school somewhere missed the bullet of a particularly anal retentive geography teacher.
Windows 10 is unaffected.
Also there was a lot of criticism of Microsoft forcing updates on users with Windows 10 - will that criticism now end? Users need protected from themselves. We all know people who ignore all the updates their computer or device is asking to install.
"Customers running Windows 10 were not targeted by the attack today."
Interesting statement/conclusion given the attack vector was an email attachment and the vulnerability being exploited was in SMBv1 that is also present in Windows 10 and my understanding is that if you hadn't applied the March updates it was vulnerable.
Perhaps MS are assuming all Win10 systems will have been patched in March and so an attack in May would have failed against these systems and thus we can conclude Win10 wasn't a target...
'Windows 10 was effected'
It was affected. To effect is to put something into operation - as in 'effective'. To affect is to change or influence someting.
Pedantic, I know. But it's one of those errors that actually hurts when I read it.
Windows 10 STILL has SMBv1 needlessly enabled by default. Should either be disabled by default or removed all together. Wonder when someone will find another exploitable weakness. Staying secure means turning off protocols you don't need.
I have a dual boot laptop that has not booted to Windows since before March - I need to review what services it has enabled to make it a bit more secure before I connect it to the Internet to download latest patches.
Patching and anti-virus software take time to apply after a vulnerability has been discovered. That can be too late.
"I need to review what services it has enabled to make it a bit more secure before I connect it to the Internet to download latest patches."
Are you suggesting that the "internet" can get to your laptop's open ports - have you no router/firewall etc ?
>Are you suggesting that the "internet" can get to your laptop's open ports - have you no router/firewall etc ?
A lot of people (including myself) use their laptops in various locations. I prefer the "only enable services and applications that you need" approach. If there's a vulnerability in a service, you use that service, and that service is therefore enabled, then a firewall won't help you.
It's certainly worth considering enabling services only at the point where you need them. But it won' solve everything.
And, in you World everyone's a dolt that refuses to run Windows Update... (Assuming you can get it to work!,) Once a Month is just that great of a burden then? Well it wouldn't be if the damned thing would just work.... Looking at you Windows 7.
Some people do not have any choice. When the X-ray machines in the affected hospital trusts were bought using Windows XP (or even 2001) imaging software, that was state of the art. The issue is that the life of a piece of equipment like this vastly exceeds the lifespan of the OS that was used for the control system. On top of that, quite often these cannot be patched as the software is written so badly that it will work only with a specific patch-level of the core OS.
That CAN and SHOULD be mitigated by:
0. Considering each and every one of those a Typhoid Mary in potentia
1. Isolating such the Typhoid Mary in-potentia on a separate subnet
2. Preventing any communication except essential management and authentication/authorization going out
3. Providing a single controlled channel to ship out results to a location which we CAN maintain and keep up to date.
Instead of that, criminally stupid idots at NHS IT in the affected trusts as well as other enterprises which were hit:
1. Put these unpatchable and unmaintainable machines in the same flat broadcast domain with desktop equipment. There was no attempt at isolation and segmentation whatsoever.
2. In some cases allowed use of unrelated desktop applications (at ridiculously ancient patch-levels) such as Outlook or even Outlook Express.
3. Opened file sharing on the machines in question.
Each of these should be a sackable offense for the IT staff in question.
It's more than incompetent IT people and way worse and virtually impossible to fix.
There is a lot of niche or specialist custom software used in the nhs that can only work on XP and ie 6 period. Most of the people who wrote are dead or retired etc
Systems vendors to the nhs are borderline criminal. In pharmacy, there are only 1 of 4 mandated systems vendors you can choose. The 3 desktop based ones have so much legacy crap etc that they still only work on windows 7. They also insist on bundling in a machine to just a stupid high cost to a tech illiterate customer base - generally a cut down crappier version of something you could by uin argos for 300 quid they will charge over a grand for. Their upgrade cycles are a f**king joke and their business model makes their customers very reluctant to do so as they have fork out silly money
for a new shit machine just cos their vendors tells they have to .. our superdupa crap shit fuck software will only work on a machine we provide. Emis/proscript have alot to answer for ..
Lots of the staff and their employers are basically proud of being a digital numbskull. "I am healthcare professional, why should i have to know anything about this" and the drones are so poorly paid / bitched at incessantly about everything they just have an" i dunno i just work here, that's not my job attitude" I have to screenshare to train people how to use our websites .. this means i have to get them stick a url into their browser, that's it ... you have no idea how many can't do that .. then get all offended when i ask them what browser they are using .. "i don;t know, why should i know that, i just use google" is always the response .. when half the nhs work force doesn't know what a f**king browser is and peversely proud of the fact they can't type a url into a brower address bar, how on earth are we ever going to hav any sunnvbnf0ijgogjrnb;vzjnav;kjnnf;kqgfnjv;jnf;jjvn;w
Data Security has turned into one of these tick box things, everyone has dire warning, you will be fined loads of money for doing something wrong that you don't understand and actively don't want to understand so no one gives a f**k as long as they can say they ticked the right boxes.
I know this is going to get lost in a sea of 'replies' to the ongoing post, but, I can't agree with you enough.
I work in IT in healthcare, not the NHS, but close by.
So many of our users seem proud of the fact that they can barely switch on a computer without assistance, it's scary. But of course, like you say, their comeback is, 'but I'm a healthcare professional, i cant be expected to know about this'.
While I do understand to an extent, because I can't be expected to provide end of life care to our patients, but, I am a first aider. There has to be give and take on both sides.
I keep hoping that the younger generation of HCP's that have grown up around and using computers will be better, but it doesn't seem to be the case, it's all, 'oh, at home we have a mac' or 'my partner works in IT, he said it would be fine'.
Yep because other OS are safe, not: https://www.theregister.co.uk/2017/05/15/qnap_malware/
Sadly there is a predilection for people who believe a false 'truth' to not be swayed by actual facts to the contrary, it actually entrenches their incorrect beliefs. Even though *nix has lots of fixes each month for vulnerabilities it remains perfect in the eyes of its believers. Apple has its share as well so really there is no safe OS.
Off-the-shelf NAS are a rip-off for decent capacity, are under-powered (ARM or crappy Atom), and I'd guess a lot of NAS run proprietary Linux dist.s, so have poorer patching.
A FreeNAS box is much better value for decent capacities; it uses commodity, parity RAM, x86 64bit hardware, and uses packaged recent versions of designed-to-be-secure FreeBSD, with easy to apply OS and component updates, and regular ZFS snapshots allow selective or complete roll-back protection against unwanted NAS file modification by Samba clients e.g. an infected Windows box, or user mistake.
@OP Maybe you need to call them up and let then know about this magical OS your are using which has zero vulnerabilities in it.
Do you know what's more dangerous than running an OS that you know most likely has vulnerabilities in it? Running one that you believe has none!
Now, I would *hate* to start an internet rumour... but didn't the USA promise a retaliation? :-)
Yupp, there was some collateral damage amongst their allies, but thats the new normal.
Anon because I might be right ;-)
"Anon because I might be right"
Firstly, a state actor attack would be far better targeted. Stuxnet, for example, actually checked the serial numbers of the centrifuges it targeted to ensure that it only hit ones created in the right date span to impact only those bought by Iran. The vector on this attack, on the other hand, literally just spammed itself out to every available IP address that had port 445 open.
Second, US retaliation would almost certainly involve using a few zero-days. If you want to prove that you have vastly more power than your opponent, then you want to do something that literally resembles friggin' magic from his point of view. You want to show him that he can do nothing whatsoever to defend his critical infrastructure from your attacks. This did not; nothing in this hadn't already been discovered and patched. If the best thing the US can throw at Russia could be taken out by just switching on your WSUS server in the past three months, then there's no point even doing it because it would make them look weak, not strong.
Thirdly, and most importantly, most of the original bits of this were actually quite shittily written. Oh sure, there was a genuine bit of high-tech NSA code in there from the shadow broker leak... but there was also a fair load of primitive crap there too. It's a bit like an 16 year old came into possession of an F-16; it was destructive as hell but he didn't really know how to fly it.
I've just finished in a webinar on the incident, and there's literally 5 different layers of my SMB's security that blocked this (patching, permissions, firewall, commercial AV, VLANs). And we're not exactly cutting-edge - just running best practice.
In short, if this was state-backed, then the state in question would have to be somewhere like Honduras, not one of the big-league infosec powers.
In other words, if this REALLY were a State attack, they'd be going for the jugular: using as as an inroad to permanently borking all the hardware in the machines to make them nuke-proof.
And THEN they'd let them lay low. Perhaps remove the original vector to make things look all hunky-dory.
And then, after a while, start having the borked hardware exfiltrate useful stuff, a bit at a time, encrypted, hidden in actual traffic. Perhaps even to legitimate destinations that have been secretly subverted so they can sniff the packets out in transit or whatever.
IOW, a State attack is one you wouldn't even know it ever happened.
I can't help thinking that announcing the discovery of the kill switch might not have been a good idea.
And you should see the number of downvotes I got in another thread for suggesting exactly that.
Another commentator stated (if I understood him correctly) that the "public announcement" was more or less irrelevant because security experts' chatter on blogs would have given the game away anyway.
In turn that made me think along the lines of "FFS what sort of security experts swap notes on blogs that may be / almost certainly are open to being read by the hackers"
I think I despair... if the above is true then there is simply no hope.
"In turn that made me think along the lines of "FFS what sort of security experts swap notes on blogs that may be / almost certainly are open to being read by the hackers" "
Agree, if the security experts haven't managed to build their own secure dark web for the exchange of security intelligence...
But then looking at all the various security researchers, it does seem that many are freelance and so need and to some extend deserve the publicity for their efforts.
the code is not proxy aware and the kill switch would not work in well structured environments where the only access to the net is via a configured non transparent proxy.
Enterprises will need to think a bit harder about how they ensure the kill switch is effective this time. The miscreants wont make this same mistake next time.
Talking about the kill switch is good, wouldn't have taken the miscreants long to work out something was not right anyway.
As the Malwaretech blog entry here:
points out, it was quite possibly not an intentional kill switch.
Some malware probes for the existence of a selection of randomly generated domains. Some sandbox VMs respond to all DNS lookups by providing back the IP address of the sandbox VM instance. If the malware sees a positive response to the DNS lookups (which should fail), then the logic is that it is probably running in a sandbox VM, which may well be being used to analyse/investigate the malware, so the malware stops running.
The single lookup of the unusual domain name was possibly a poor implementation of this technique.
Alternatively, it is an intentional kill switch, used during development, with a local DNS server on the malware developer's LAN, the function of which was to prevent infection of other devices on the same LAN. If anyone keeps records of DNS lookups, it might be interesting to see where the first lookups came from.
@Norman Nescio : "...The single lookup of the unusual domain name was possibly a poor implementation of this [sandbox detection] technique."
I read the Malwaretech log (excellent description of why you'd look for a nonexistent domain to determine if you're sandboxed) and thought:
OK, so the virus writer should check a randomly generated domain, instead of a fixed one. That way, they can't all be registered, your virus can't be kill-switched the way this one was, and your virus can still tell if it's being run in a sandbox.
Except the folks creating sandboxes might take the precaution of checking the domain. Instead of returning a valid result for any garbage domain, check to see if it's been registered first. Suddenly, the virus can no longer tell that it's running in a sandbox.
Except then, the virus author checks four or five valid domains; if they all return identical results, you know you're running in a sandbox. (Reading further, I see that this method is actually used in some cases.)
Except that _then_, the sandbox authors do some revisions so that seemingly accurate results are returned that are actually remapped by the sandbox code.
This is all outside my area of expertise. Still, I could see a nearly endless cycle of fix/counter-fix going on here.
I've spend the whole morning fire fighting a executive management that are in abject panic over this. Despite the facts that we
1) Have no windows XP left
2)Patched MS17-010 over a month ago
3)Have tweaked the security appliances to catch this stuff
4) Issues alerts on Friday and primed the helldesk
and ultimately, we've had no fucking incident!
It's almost like they're upset nothing has happened. FFs we had more bother with the emotet version the week before. This didn't even register it was a non-event.
And I must say how much I'm enjoying every department in the company trying to climb on the infosec bandwagon all of a sudden. It's almost like they can smell resources and influence or something. Strangely they're nowhere to be seen when it's risk assessment or PIA time.
Well done for preventing an incident and doing your job properly.
I assume PIA time is performance review and hence pay review related. All those that prevented their organisation from suffering should remind everyone that is why you deserve more. How many will get pay rises because they "saved" the firm when really they failed to prevent the incident?
I'm sorry for you. Now management will think you won't need whatever you will ask in the future for security, nor you don't deserve a raise/promotion because the systems were already secure.
A true BOFH would have set up a stage to tell how the whole IT department heroically fought the almost invincible ramsomware during all the weekend, and how close was the company to lose everything (including the porn stored on executive machines), until the kill switch was activated. So you need $$$$$$ in the future to increase security, and a promotion for the big overtime effort.
That's, at least, what salesdroid/marketdroid/executive would have done....
It would seem that missing from your action list was a consideration of possible outcomes, thus you missed an opportunity for management to throw some money at you to do something about security: attend a few courses, gain a certificate or two, implement that new disruptive security policy etc.
I recommend adding such considerations to your management panic mitigation checklist.
<Black Helicopter Icon>
Ransomware usually works on a relatively widespread basis but usually SMB, and domestic users. Big organisations and governments, generally are defended (although clearly some well publicised exceptions)
The beneficiaries are usually relatively safe as law enforcement cannot usually be bothered to investigate and the cash rolls in for the most desperate victims.
In this case, knowing there are a number of nation state backed cyber defence teams looking into this... they either a) have balls big enough to need a wheelbarrow and believe that they wont get caught no matter what and cyber defence is really too hard to deliver effectively, regardless of backers. or b) that they are insanely stupid and greedy and are not following the news...
Or is this already a state backed exercise from somewhere and is simply a global experiment at our expense? The fact the original flaw was used by the NSA is not really relevant, it simply got it publicity but was clearly available for a long time.
Given that the only safe/undetected way of laundering the bitcoins will be to buy drugs or guns or other such illegal goods on the darkweb and then turn that into cash by selling it on then the perps are as you say both greedy and insanely (criminally) stupid. No doubt they'll have their comeuppance shortly - without being "caught" by any nation state backed cyber defence team - probably up some dark alley being stiffed by gangbangers.
Probably just some kid :-(
I'm well aware of the old saw about the cobblers children having no shoes, so I spent a few hours auditing my systems over the weekend. Making sure all machines were up-to-date on windows updates, turning off SMB1 everywhere, checking all anti malware, and making sure on and offline backups working. Most was fine anyway, but I'm glad I did as malwarebytes blocked an attempt to access port 445 while I was checking. Nasty little sods out there...
Even better, users really need training. Stop opening stupid attachments/clicking links etc in email and then clicking OK!
Any business user ought to have their OWN on site email server/Gateway (even if it's only using POP3 & SMTP to an ISP pretending to be a client). Then:
1) Internal email isn't on the Internet and works if you lose internet.
2) Links & attachments can be sanitised, deleted, quarantined).
3) Disable all <a href="http://www.wattystuff.net/2014/03/dont-panic/>Server related services on Workstations</a>. Yes, that's XP but basically relevant to Win7, Win8 & Win10. There are some extra services to disable now and some are renamed. REMOVE file & Print sharing from every network interface on every workstation. Use a NAS, cheap Linux box, print server or whatever to share printers / files if you can't afford a Windows Server.
I was setting up stuff like that with cheap SW on a Windows server 20 years ago, then even better quality on Linux 12 years ago with free software.
In light of this threat I just got around to patching a somewhat neglected Windows 7 PC. And now it's got a message from Microsoft (falsely) saying it's not genuine. It may not be registered but it's certainly a legitimately purchased copy. So far it's just a tiny message in the corner of the screen but who knows what else it'll do. I don't have time for this. Guess I'll roll back the update and take my chances.
This bullshit is what I blame more than anything, even the NSA, for outbreaks like this. If Microsoft had an update channel for security patches only, not unwanted features and M$'s own brand of malware, people would but alot more inclined to stay up to date.
Yeah, saw this coming about one second after reading the original El Reg description of the killswitch.
Perhaps if the bright young thing that found it had not been so hungry for fame we might have caught some breathing space.
Next up: Why the government can be trusted with your encryption keys and why they should have a proper back door into your computer that only they can ever use.
The scum are obviously in hiding - either on a luxury yacht on the Black Sea or in a basement somewhere. I'd hazard a guess it is the latter. There must be other scum in the same racket who know who the are. I wonder if they have earned any street creds for what they did?
- chaos (not really)
- financial bonanza (nope)
- media attention (big win)
- shit disturbing (yep - mostly stirred the NSA and Microsoft)
- rattle some chains (mostly IT departments)
- peer envy (I doubt it)
Their reward beyond the $30K they collected will be prison (blackmail and extortion are felonies).
This is a fairly typical ratio of realized proceeds of crime to cost of crime and prevention measures. The economic case for crime reduction is overwhelming. But it's easier said than done. People are creative, even (especially?) criminals.
"The only evil ones I'm seeing is MS for not supporting this OS and NSA for doing such a shitty job of securing their shit. "Er... MS has supported XP and issued a patch for the vuln as recently as March 2017. A bit harsh to blame MS when it's lusers opening attachments with a payload that cause the problem.
Its a sign of the times that no government is actually interested in Universal security, for the greater good of human kind. We're at a point where everything is now based online, and everyone in the world is connected.
The internet has removed the idea of 'borders' in the traditional sense!! I don't have to get on a plane to Italy, to see Italy. I can log onto remote cameras and a host of other online services, which mean I can be in the country without having to physically be in the country!
The NSA wasn't even bothered about protecting their own country... They didn't release this data, to allow the problem to be solved. If I were American I would be Pissed that my own government has been complicit in this entire debacle by keeping this quiet, and didn't release the information to the wider security community when they found the holes!!
If your doctor found you had terminal cancer, but they had a product that would guaranteed slowing of the cancer or entire removal of the disease then you would expect them to tell you wouldn't you?! But when the shady NSA finds a potentially life threatening exploit, they keep it to themselves?!... the middle letter of NSA stands for SECURITY for effs sake!!
There is no such thing as trust anymore between so called 'allies' as the NSA has just proved. It has also proved that life is worthless to them. This is clearly due to their inability to see the bigger picture of what they have A. Created, and B. Allowed to be released into the wild!!
Yes someone in their bedroom could have found the exploit, but that's a bedroom hacker/cracker. But you put pretty much unlimited resources and man power behind a department, then they are clearly going to come up with the exploit a billion times faster than a sole agent. Or even a collective of agents separated over the globe.
So all this stupidity that the NSA shouldn't be held accountable should be rethought. Because they CLEARLY are at fault here, for NOT DISCLOSING THE INFORMATION LAST YEAR!!!
"If your doctor found you had terminal cancer, but they had a product that would guaranteed slowing of the cancer or entire removal of the disease then you would expect them to tell you wouldn't you?! But when the shady NSA finds a potentially life threatening exploit, they keep it to themselves?!... the middle letter of NSA stands for SECURITY for effs sake!!"
Unless, of course, there are SIDE EFFECTS. What if said doctor forgot to mention the treatment in question only has a 50% survival rate, for example? NOW is it worth blurting out?
Biting the hand that feeds IT © 1998–2019