
Next NSA Exploit Payload Could be Much Worse Than WannaCry


CrAKeN


No one should be letting their guard down now that the WannaCry ransomware attacks have been relatively contained. Experts intimately involved with analyzing the malware and worldwide attacks urge quite the opposite, warning today that there’s nothing stopping attackers from using the available NSA exploits to drop more destructive malware.

 

The key is to patch vulnerable Windows machines while there is a downtime, ensure offline backups are secure and available, and that antimalware protection is running and current.

 

Kaspersky Lab researcher Juan Andres Guerrero-Saade and Comae Technologies’ Matt Suiche said today during a webinar, below, that the EternalBlue exploit targeting an SMBv1 flaw could be fitted with payloads ranging from banking Trojans to wiper malware that destroys a computer’s hard disk.

 

“Absolutely,” Guerrero-Saade said when asked if this could have been a wiper attack rather than ransomware. “We’re talking ring0 access (via the DoublePulsar rootkit installed by the EternalBlue exploit). It would have just come down to a matter of implementation at that point.”

 

Accelerating the researchers’ anxiety about what could be next was yesterday’s ShadowBrokers announcement that it would begin in June a monthly dump of new exploits—including Windows 10 attacks—and stolen data. The ShadowBrokers’ leak in April of EternalBlue and other Windows attacks handed attackers not only the exploits but also documentation that lowered any barrier to entry for using these attacks.

 

“This is really worrying because we’ve seen the impact of what those files out in the wild can do,” Suiche said.

 

The attacks also exposed the shortcomings associated with patching, despite experts for more than a decade stressing the importance of keeping operating systems, browsers and third-party software up to date. MS17-010, the patch that addressed the SMB vulnerabilities leaked by the ShadowBrokers in April, has been available since March. Microsoft rated the security bulletin as critical and experts cautioned that this patch was to be prioritized, and that SMB port 445 on Windows machines should not be exposed to the internet. Yet, Rapid7 today said its scans have found more than 1 million internet-connected devices exposing SMB over 445 with more than 800,000 of those devices running Windows. Rapid7 said it’s likely that a large percentage of that number includes vulnerable versions of Windows with SMBv1 enabled.

 

“Beyond the prevalence of what these exploits might be, but it really has been a test on the industry and defenders as well,” Guerrero-Saade said. “What we saw here was not the super secret zero-day situation you can’t save yourself from. It was a test of how well we’re implementing the solutions and recommendations that have been out there a very long time that everybody touts every single day. We were asked to put our money where our mouth is with this WannaCry infection.”

 

The biggest mitigating factor in slowing down the WannaCry outbreak was the discovery of a so-called killswitch that was likely an evasion technique by the malware to check whether it was running in a sandbox. The malware called out to a hard-coded URL, and if it responded, the malware would not execute. The speculation is that getting a response back from the killswitch domain indicated the malware might be executing instead in a sandbox.

 

Researcher Marcus Hutchins of the MalwareTech blog registered the domain coded into last Friday’s version of WannaCry while Suiche registered a second and third killswitch domain found in subsequent variants, shutting down most infections in the wild.

Guerrero-Saade said his concern is that the next version likely won’t have a killswitch, and could contain a more dangerous and costly payload.

 

“We have essentially bought time with the killswitches. That’s something where we got incredibly lucky that was even involved in the development of the malware,” Guerrero-Saade said.

 

They also touched on the shared code between an early WannaCry version found in February and a sample from the Lazarus APT from February 2015. Lazarus is the North Korean group alleged to be behind the Sony hack, which featured wiper malware and damaging data leaks, as well as the SWIFT attacks against banks in Bangladesh, Poland and Mexico. The attacks against financial organizations, experts said during the Kaspersky Lab Security Analyst Summit, were performed by an internal Lazarus splinter group called Bluenoroff in an attempt to help fund the APT’s other activities.

 

Google’s Neel Mehta found the same code in both samples, which was confirmed by Kaspersky Lab and Suiche later. Guerrero-Saade, who worked on the Lazarus research and on separate research on APTs and their use of false flags, said today that this was not an attribution claim that Lazarus was behind WannaCry, but instead a clustering claim.

 

“What we’re talking about is what cluster of activity this fits into, what threat actor fits the bill for this,” he said. The linkage between the SWIFT attacks and Lazarus, made by BAE Systems researchers, was based off similar code re-use of a wiper function in a Lazarus attack and the Bangladeshi attack. “The amount of proof grew over times and we laid to rest the concerns about whether the SWIFT attackers are actually part of the Lazarus group.

 

“Having only had WannaCry for five days, I think it’s important to understand that this is only a lead, and not a simple lead,” Guerrero-Saade said. “It’s not necessarily easy to just replicate a very specific function of code from a very obscure piece of malware from two years ago that you only put into version 1.0 and then removed. That’s not a false flag, that’s too subtle. No one would have noticed it if not for Neel Mehta doing fantastic work.

 

“I understand that while it’s important to have some healthy skepticism, in this particular case, I think we’re just catching a bit of code re-use. The claims aren’t necessarily bigger than they are, but they aren’t quite as hard to stomach when you look at the code itself.”

 


The best thing people who own a business can do is do all their updates, regardless of whether they can protect you or not; you can't be held liable for not doing them if you do them. Because people who run their mouth about not doing updates can be sued for having poor cyber security. I read over on Kaspersky's blog yesterday that they said there is no reason to be using Windows XP anymore and they don't even recommend using Windows 7; they recommend you use Windows 8.1 or Windows 10. I'm not on Windows all the time, but I've been using Windows 8.1 since 2013 and still have 1 PC with Windows 10. :)

 

Quote

 

I’m running Windows XP – how can I protect myself?

First of all, stop running Windows XP. It is a 16-year-old operating system which is no longer officially supported by Microsoft. We recommend you upgrade to Windows 8.1 or 10. If you absolutely need to run Windows XP, you can download the emergency patch from Microsoft here:

 

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

However, prepare for a rough ride ahead, as other vulnerabilities will most likely remain open and leave you vulnerable in the future to other attacks.

 

https://securelist.com/blog/research/78411/wannacry-faq-what-you-need-to-know-today/

 



4 hours ago, steven36 said:

However, prepare for a rough ride ahead, as other vulnerabilities will most likely remain open and leave you vulnerable in the future to other attacks.

 

Not really, because you can enable POSReady 2009 in XP and continue receiving security updates until 2019 at least.



9 hours ago, CrAKeN said:

there’s nothing stopping attackers from using the available NSA exploits to drop more destructive malware.

Of course... would you expect a different way? :think:



The POSReady is for Windows XP Embedded, not regular Windows XP. I recommend you don't use the POS registry tweak to get security updates for Windows XP; you could cause your Windows XP to crash. There is a disclaimer on the website that says:

ATTENTION: Use it at your own risk! These updates are not tested on a regular XP system and could damage your system

They're not tested because they're not intended for regular Windows XP.



6 hours ago, pc71520 said:

Of course... would you expect a different way? :think:

^_^

And no matter what someone says: the future is unpredictable. ;)



straycat19
15 hours ago, steven36 said:

Because people who run their mouth about not doing updates can be sued for having poor cyber security

 

Really? And what part of your ass did you pull that comment from? I don't do updates, I run old versions of Windows, and I have 0 infections on over 26,000 systems under my control. In the last 3 years I have had one system that logged onto our network that was infected with malware, and that happened because she took the laptop home, violated policy and was subsequently fired.



The Ass:

 

In a field where the dew lay cold and deep
I met an ass, new-roused from sleep.

 

I stroked his nose and I tickled his ears,
And spoke soft words to quiet his fears.

[...]

But the ass had far too wise a head

To answer one of the things I said,

 

So he twitched his fair ears up and down
And turned to nuzzle his shoulder brown.  

~ C. S. Lewis

 

:love:

 



1 hour ago, straycat19 said:

 

Really? And what part of your ass did you pull that comment from? I don't do updates, I run old versions of Windows, and I have 0 infections on over 26,000 systems under my control. In the last 3 years I have had one system that logged onto our network that was infected with malware, and that happened because she took the laptop home, violated policy and was subsequently fired.

My ass? I didn't say it, legal experts did. Unlike you, I don't make stuff up from the top of my head. If you were an IT at my work I'd fire you; if you didn't patch the systems, what good are you? Some of my family do their work on the computer all the time: IT called their work and told them they had patched their systems and not to be answering any emails unless they were expecting them. The Department of Homeland Security issued a warning...

 

Quote

 

"Using outdated versions of Windows that are no longer supported raises a lot of questions," said Christopher Dore, a lawyer specializing in digital privacy law at Edelson PC. "It would arguably be knowingly negligent to let those systems stay in place.”

 

Vernick said businesses that failed to update their software could face scrutiny from the U.S. Federal Trade Commission, which has previously sued companies for misrepresenting their data privacy measures.

 

http://www.reuters.com/article/us-cyber-attack-liability-idUSKCN18B2SE

If you didn't do updates on someone's PC, they've just been lucky, is all. One day they're going to get infected and take you to court; it just means your client did not meet some of the conditions to catch it and was lucky, is all. You were lucky, is all; something didn't happen and you are not being held liable, is all. Just like most people in the USA were lucky, but other countries were not as lucky. Having good cyber security and sheer luck are 2 different things!

 

Regardless of whether updates can protect you or not, if you don't do them and you're a business you can be held liable, and if you're a business that trades with the USA you can still be held liable; they could cancel their contracts with you. The government uses old PCs, but they pay out millions of dollars to Microsoft each year for updates, a luxury most can't afford.

 

But Microsoft is not liable, because you agree they're not when you install their software. You are responsible for your own cyber security.



1 hour ago, straycat19 said:

 

Really? And what part of your ass did you pull that comment from? I don't do updates, I run old versions of Windows, and I have 0 infections on over 26,000 systems under my control. In the last 3 years I have had one system that logged onto our network that was infected with malware, and that happened because she took the laptop home, violated policy and was subsequently fired.

 

One of the targets of the new tech and IT is to let employees work in places other than the office, like at home, on the way, etc.; that's why different kinds of devices other than stationed computers were made and are integrated to close the gap and give more flexibility. If the security of your work place can be in danger by simply taking a laptop home and back, then you are in deep trouble.



People in the USA are sue-happy anyway. When I was younger I used to have a friend that I used to go out and drink with; this was before I stopped drinking. If he got in a car with you and you were drinking and wrecked, he played like he was hurt and he would sue you and get a lot of money. He's made so much money from doing this he's set for life.

 

Same as if you caused some business to lose control and there was an update to prevent it. Not only would you lose your job, you may get heavily fined, and if you worked in some place where it's life or death and someone died, you could be facing jail time. If your own beliefs get in the way of your job, you're not qualified to do the job to begin with. Every job I ever worked, if you had a boss they made the rules, not you. And I've been right up under an owner of a business before, where I was the boss of everyone but him, and I still had to do what he said or I would lose my job.

 

If you worked in nukes and half the world died because of you not doing an update, you most likely would get the firing squad. It could be a really serious matter; it just depends on what field you're in.

 

Hackers being able to access and take over networks because of an IT's negligence is no joke. You better leave that "I hate Microsoft and don't do updates" BS at home, where no one cares if your system goes down.



4 hours ago, Holmes said:

The POSReady is for Windows XP Embedded, not regular Windows XP. I recommend you don't use the POS registry tweak to get security updates for Windows XP; you could cause your Windows XP to crash. There is a disclaimer on the website that says:

ATTENTION: Use it at your own risk! These updates are not tested on a regular XP system and could damage your system

They're not tested because they're not intended for regular Windows XP.

 

Nah, those risks of a crash are mostly for XP x64 only, because XP x64 is based on Windows Server 2003, which is a different kernel, but in XP x86 the kernel is the same as the POSReady 2009 version, so there is no risk. I've been using this since late 2014 on several older XP machines and everything is still working fine.



16 hours ago, SPECTRUM said:

 

Not really, because you can enable POSReady 2009 in XP and continue receiving security updates until 2019 at least.

Any business caught doing that, if audited, would get charged with warez. Breaking copyright is illegal in many countries; even the U.S. Air Force got caught for warez. But I don't see what this has to do with anything; if they were using the POSReady reg hack to begin with, this WannaCry would never have been a problem. It was patched back in March, and one of the members here said he patched in a post back in March.

 

But the reason 1000s got infected was because they didn't do updates; even some who were on Windows versions that still got updates, but had them turned off, got infected. You can lead a horse to water, and that doesn't mean he will drink. And you can tell people to break the law, but just because you do it doesn't mean they will.

 

Any business, if they make a profit, should be able to buy used or new PCs that still get updates. I read over at BleepingComputer where one guy's server got infected because he stopped doing updates; he didn't say how long, but it had to be 3 Patch Tuesdays ago, and he was trying to get rid of WannaCry. After the smoke cleared there were still many left infected; there is no decryption key unless you paid, and I'm not sure if paying even worked in this case. It seems they did it just to mess the world up. All it took was one PC to get infected; say if you had 500 PCs and one got infected, it was a worm, it spread to all of them.

 

Some smart people who had backups just reformatted; if you were smart about it and did backups, you could have fixed it and kept your mouth shut about it. Just because they were infected doesn't mean they would report it to the Feds. Most likely there were many that never reported it. :P



 

Quote

 

Attack vector

Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB “EternalBlue” vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

WannaCrypt’s spreading mechanism is borrowed from well-known public SMB exploits, which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available.

The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.

We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios that we believe are highly possible explanations for the spread of this ransomware:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer is addressable from other infected machines

Dropper

The threat arrives as a dropper Trojan that has the following two components:

  1. A component that attempts to exploit the SMB CVE-2017-0145 vulnerability in other computers
  2. The ransomware known as WannaCrypt

The dropper tries to connect the following domains using the API InternetOpenUrlA():

  • www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If connection to the domains is successful, the dropper does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the threat proceeds to drop the ransomware and creates a service on the system.

In other words, unlike in most malware infections, IT Administrators should NOT block these domains. Note that the malware is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.

The threat creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”

WannaCrypt ransomware

The ransomware component is a dropper that contains a password-protected .zip archive in its resource section. The document encryption routine and the files in the .zip archive contain support tools, a decryption tool, and the ransom message. In the samples we analyzed, the password for the .zip archive is “WNcry@2ol7”.

When run, WannaCrypt creates the following registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\<random string> = “<malware working directory>\tasksche.exe”
  • HKLM\SOFTWARE\WanaCrypt0r\\wd = “<malware working directory>”

It changes the wallpaper to a ransom message by modifying the following registry key:

  • HKCU\Control Panel\Desktop\Wallpaper: “<malware working directory>\@[email protected]

It creates the following files in the malware’s working directory:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res
  • 274901494632976.bat
  • @[email protected]
  • @[email protected]
  • @[email protected]
  • b.wnry
  • c.wnry
  • f.wnry
  • m.vbs
  • msg\m_bulgarian.wnry
  • msg\m_chinese (simplified).wnry
  • msg\m_chinese (traditional).wnry
  • msg\m_croatian.wnry
  • msg\m_czech.wnry
  • msg\m_danish.wnry
  • msg\m_dutch.wnry
  • msg\m_english.wnry
  • msg\m_filipino.wnry
  • msg\m_finnish.wnry
  • msg\m_french.wnry
  • msg\m_german.wnry
  • msg\m_greek.wnry
  • msg\m_indonesian.wnry
  • msg\m_italian.wnry
  • msg\m_japanese.wnry
  • msg\m_korean.wnry
  • msg\m_latvian.wnry
  • msg\m_norwegian.wnry
  • msg\m_polish.wnry
  • msg\m_portuguese.wnry
  • msg\m_romanian.wnry
  • msg\m_russian.wnry
  • msg\m_slovak.wnry
  • msg\m_spanish.wnry
  • msg\m_swedish.wnry
  • msg\m_turkish.wnry
  • msg\m_vietnamese.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • TaskData\Tor\libeay32.dll
  • TaskData\Tor\libevent-2-0-5.dll
  • TaskData\Tor\libevent_core-2-0-5.dll
  • TaskData\Tor\libevent_extra-2-0-5.dll
  • TaskData\Tor\libgcc_s_sjlj-1.dll
  • TaskData\Tor\libssp-0.dll
  • TaskData\Tor\ssleay32.dll
  • TaskData\Tor\taskhsvc.exe
  • TaskData\Tor\tor.exe
  • TaskData\Tor\zlib1.dll
  • taskdl.exe
  • taskse.exe
  • u.wnry

WannaCrypt may also create the following files:

  • %SystemRoot%\tasksche.exe
  • %SystemDrive%\intel\<random directory name>\tasksche.exe
  • %ProgramData%\<random directory name>\tasksche.exe

It may create a randomly named service that has the following associated ImagePath: “cmd.exe /c “<malware working directory>\tasksche.exe””.

It then searches the whole computer for any file with any of the following file name extensions: .123, .jpeg, .rb, .602, .jpg, .rtf, .doc, .js, .sch, .3dm, .jsp, .sh, .3ds, .key, .sldm, .3g2, .lay, .sldm, .3gp, .lay6, .sldx, .7z, .ldf, .slk, .accdb, .m3u, .sln, .aes, .m4u, .snt, .ai, .max, .sql, .ARC, .mdb, .sqlite3, .asc, .mdf, .sqlitedb, .asf, .mid, .stc, .asm, .mkv, .std, .asp, .mml, .sti, .avi, .mov, .stw, .backup, .mp3, .suo, .bak, .mp4, .svg, .bat, .mpeg, .swf, .bmp, .mpg, .sxc, .brd, .msg, .sxd, .bz2, .myd, .sxi, .c, .myi, .sxm, .cgm, .nef, .sxw, .class, .odb, .tar, .cmd, .odg, .tbk, .cpp, .odp, .tgz, .crt, .ods, .tif, .cs, .odt, .tiff, .csr, .onetoc2, .txt, .csv, .ost, .uop, .db, .otg, .uot, .dbf, .otp, .vb, .dch, .ots, .vbs, .der, .ott, .vcd, .dif, .p12, .vdi, .dip, .PAQ, .vmdk, .djvu, .pas, .vmx, .docb, .pdf, .vob, .docm, .pem, .vsd, .docx, .pfx, .vsdx, .dot, .php, .wav, .dotm, .pl, .wb2, .dotx, .png, .wk1, .dwg, .pot, .wks, .edb, .potm, .wma, .eml, .potx, .wmv, .fla, .ppam, .xlc, .flv, .pps, .xlm, .frm, .ppsm, .xls, .gif, .ppsx, .xlsb, .gpg, .ppt, .xlsm, .gz, .pptm, .xlsx, .h, .pptx, .xlt, .hwp, .ps1, .xltm, .ibd, .psd, .xltx, .iso, .pst, .xlw, .jar, .rar, .zip, .java, .raw.

WannaCrypt encrypts all files it finds and renames them by appending .WNCRY to the file name. For example, if a file is named picture.jpg, the ransomware encrypts and renames the file to picture.jpg.WNCRY.

This ransomware also creates the file @[email protected] in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).

After completing the encryption process, the malware deletes the volume shadow copies by running the following command:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

It then replaces the desktop background image with the following message:

It also runs an executable showing a ransom note which indicates a $300 ransom in Bitcoins as well as a timer:

The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.

The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

Spreading capability

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel, as shown below.

The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.

Protection against the WannaCrypt attack

To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.

We recommend customers that have not yet installed the security update MS17-010 do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:

Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.

Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.

Monitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.

Resources

Download English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64

MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Customer guidance for WannaCrypt attacks: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Indicators of compromise

SHA1 of samples analyzed:

  • 51e4307093f8ca8854359c0ac882ddca427a813c
  • e889544aff85ffaf8b0d0da705105dee7c97fe26

Files created:

  • %SystemRoot%\mssecsvc.exe
  • %SystemRoot%\tasksche.exe
  • %SystemRoot%\qeriuwjhrf
  • b.wnry
  • c.wnry
  • f.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @[email protected]
  • @[email protected]
  • m.vbs
  • @[email protected]
  • @[email protected]
  • 274901494632976.bat
  • taskdl.exe
  • Taskse.exe
  • Files with “.wnry” extension
  • Files with “.WNCRY” extension

Registry keys created:

  • HKLM\SOFTWARE\WanaCrypt0r\wd

 

 

https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
Quote

 

The National Health Service (NHS) said 16 organizations had been affected by the cyber attack but said it had not been specifically targeted.

“Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows”.

Security researchers say in this case the infection seems to be deployed via a worm-a program that spreads by itself a network of computers rather than relying on humans to click on a spam mail or infected attachment.

Two security firms – Kaspersky Lab and Avast – said they had identified the malware behind the attack in upward of 70 countries, although both said the attack has hit Russian Federation hardest.

The hacking tool was originally posted online by a cybercrime group called Shadow Brokers, which dumps stolen NSA files.

 

 

http://pppfocus.com/2017/05/13/major-cyber-attack-hits-companies-hospitals-schools-worldwide/

 

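The Microsoft write-up quoted in the post above lists concrete host-side indicators: the two killswitch domains, the mssecsvc2.0 service, the dropped executables, the shadow-copy deletion chain and the .WNCRY suffix. The following Python turns them into a small detector run over endpoint telemetry; it is an added example, not code from the Microsoft post or from anyone in this thread. The key=value log format, the sample lines and the three-rename threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators taken from the Microsoft write-up quoted in this thread.
KILLSWITCH_DOMAINS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}
WORM_SERVICE = "mssecsvc2.0"
DROPPED_EXECUTABLES = {"mssecsvc.exe", "tasksche.exe", "taskdl.exe", "taskse.exe"}
ENCRYPTED_SUFFIX = ".wncry"
# Fragments of the post-encryption command that destroys shadow copies and recovery.
RECOVERY_SABOTAGE = (
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "bcdedit /set {default} recoveryenabled no",
    "wbadmin delete catalog",
)

# Constructed log format: space-separated key=value pairs, values optionally in "quotes".
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one constructed key=value log line into a dict with lower-cased keys."""
    return {
        m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def classify(event):
    """Return the indicator names an event matches (empty list when nothing matches)."""
    hits = []
    kind = event.get("event")
    if kind == "dns":
        # A lookup of the killswitch domain means the dropper ran on this host,
        # whether or not it then stopped; the domain itself must stay resolvable.
        if event.get("query", "").lower().rstrip(".") in KILLSWITCH_DOMAINS:
            hits.append("killswitch-probe")
    elif kind == "service":
        if event.get("name", "").lower() == WORM_SERVICE:
            hits.append("worm-service")
    elif kind == "process":
        if PureWindowsPath(event.get("image", "")).name.lower() in DROPPED_EXECUTABLES:
            hits.append("dropped-executable")
        cmd = event.get("cmdline", "").lower()
        # Require two fragments so a lone vssadmin call by an admin is not enough.
        if sum(frag in cmd for frag in RECOVERY_SABOTAGE) >= 2:
            hits.append("recovery-sabotage")
    elif kind == "file":
        if event.get("path", "").lower().endswith(ENCRYPTED_SUFFIX):
            hits.append("encrypted-file")
    return hits


def scan(lines, encrypted_threshold=3):
    """Aggregate hits per host; a host is flagged for encryption only after
    encrypted_threshold .WNCRY writes (the threshold is an assumed tuning value)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        event = parse_line(line)
        for hit in classify(event):
            counts[event.get("host", "?")][hit] += 1
    alerts = {}
    for host, hits in counts.items():
        names = sorted(
            h for h, n in hits.items() if h != "encrypted-file" or n >= encrypted_threshold
        )
        if names:
            alerts[host] = names
    return alerts


# Constructed sample telemetry: ws01 shows the full chain, ws02 only benign admin activity.
SAMPLE_LOG = """\
event=dns host=ws01 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
event=service host=ws01 name=mssecsvc2.0 params="-m security"
event=process host=ws01 image="C:\\Windows\\tasksche.exe" cmdline="tasksche.exe"
event=process host=ws01 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"
event=file host=ws01 action=rename path="C:\\Users\\alice\\Documents\\report.docx.WNCRY"
event=file host=ws01 action=rename path="C:\\Users\\alice\\Pictures\\picture.jpg.WNCRY"
event=file host=ws01 action=rename path="C:\\Users\\alice\\Desktop\\budget.xlsx.WNCRY"
event=process host=ws02 image="C:\\Windows\\System32\\cmd.exe" cmdline="cmd.exe /c vssadmin list shadows"
event=file host=ws02 action=rename path="C:\\Users\\bob\\notes.txt.bak"
"""

if __name__ == "__main__":
    for host, names in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {', '.join(names)}")
```

The killswitch alert is deliberately informational: as the write-up says, the domains must not be blocked, so the lookup is a sign the dropper executed rather than something to sinkhole away.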


3 hours ago, saeed_dc said:

One of the targets of the new tech and IT is to let employees work in places other than the office, like at home, on the way, etc.; that's why different kinds of devices other than stationed computers were made and are integrated to close the gap and give more flexibility. If the security of your work place can be in danger by simply taking a laptop home and back, then you are in deep trouble.

"if the security of [our] work place can be in danger by simply taking a laptop home and back then [we] are in a deep trouble."

 

Well said!  ^_^

 

Those who give up their freedom for a bit of security become prisoners of their own minds bound with chains of insecurity.   ;)

 



3 hours ago, steven36 said:

Any business caught doing that, if audited, would get charged with warez. Breaking copyright is illegal in many countries; even the U.S. Air Force got caught for warez. But I don't see what this has to do with anything; if they were using the POSReady reg hack to begin with, this WannaCry would never have been a problem. It was patched back in March, and one of the members here said he patched in a post back in March.

 

Well, if you are not doing a modification to system files or something related, then it's not illegal; also, adding a new registry key is not illegal either, because the OS allows it, so it's just an option.



2 hours ago, SPECTRUM said:

 

Well, if you are not modifying system files or something related, then it is not illegal. Adding a new registry key is not illegal either, because the OS allows it, so it is just an option.

Yes, it is illegal, because there are companies who still pay millions of dollars for updates on enterprise XP. Many companies who buy volume licenses from Microsoft get audited by Microsoft themselves.

 

I remember a patch for XP where you could just push the patch and it would activate it; I guess you will tell me that's legal too? Fact is, those updates are for those who bought a POSReady license, so if you use XP Home or XP Pro you're updating without a valid license that others pay millions of dollars a year to get. There have been no more legal updates for XP since 2014, except for the one Microsoft gave users for WannaCry the other day, period, so stop thinking like a pirate lol.

 

 

That hack makes Windows illegal (it violates the license agreement). People were making illegal WGA cracks to get updates for 14 years while Windows XP still got updates. You have always been able to hack Windows XP updates, but that doesn't make it legal!

 

The point is, no one cared whether they did any updates or not, and they got hacked. You hardly hear anything about that reg hack since 2014; just here and there some pirate on a forum will bring it up. They don't even post ISOs with the latest POSReady updates on warez forums anymore. :P

 

 

Quote

What is the difference between Windows Embedded POSReady 2009 and a standard Windows XP Pro OS?

IronMew wrote:

 

Trivial, mostly to do with licensing - of little worry to those who use POSReady for home systems, given that no consumer license for POSReady exists which in turn implies such installs are invariably pirated.

 

In fact, a simple registry hack will effectively turn Windows XP into Embedded POSReady 2009 so it will download security updates.

 

https://www.reddit.com/r/NoStupidQuestions/comments/5ehkda/what_is_the_difference_between_windows_embedded/

So really, you're no longer running XP; you're running a pirated version of Embedded POSReady 2009.

 

WSUS does not use this trick, nor do they support it!

 

Quote

 

 

The problem is that it is not allowed to use this trick.
As discussed in viewtopic.php?f=5&t=4287, wsusou will not support this trick as it violates Microsoft's EULA.
 

 

Quote

There is no need for WSUSOU to support the registry hack. Do support WinXP (POSReady 2009) in WSUSOU until April 9th 2019, that's all we need

 

Quote

Correct. POSReady is not a Windows version a normal user will ever be able to get legally. Likewise, XP doesn't take the updates without the (equally illegal) registry hack.

You need to walk that path alone I'm afraid.

http://forums.wsusoffline.net/viewtopic.php?f=6&t=4289

So WTF does your comment have to do with the thousands of PCs that got hacked, which were mostly businesses that had their server plugged into the modem without a Wi-Fi and hadn't done updates in at least 4 months? Sorry to go off topic with this POSReady BS, but if you're a pirate it can help you. :)

 

Maybe I'll test on my old XP box that hasn't been online since the dial-up days, besides the time I had Linux on it and it was too slow, to see whether it still works, since it would only be for experimental testing at home. Still, 2019 is not very far off, so it would not be worth the bother, since I have all kinds of PCs with Windows and Linux that still get updates the legal way. :P



2 hours ago, steven36 said:

Yes, it is illegal, because there are companies who still pay millions of dollars for updates on enterprise XP. Many companies who buy volume licenses from Microsoft get audited by Microsoft themselves.

 

I remember a patch for XP where you could just push the patch and it would activate it; I guess you will tell me that's legal too? Fact is, those updates are for those who bought a POSReady license, so if you use XP Home or XP Pro you're updating without a valid license that others pay millions of dollars a year to get. There have been no more legal updates for XP since 2014, except for the one Microsoft gave users for WannaCry the other day, period, so stop thinking like a pirate lol.

 

 

That hack makes Windows illegal (it violates the license agreement). People were making illegal WGA cracks to get updates for 14 years while Windows XP still got updates. You have always been able to hack Windows XP updates, but that doesn't make it legal!

 

The point is, no one cared whether they did any updates or not, and they got hacked. You hardly hear anything about that reg hack since 2014; just here and there some pirate on a forum will bring it up. They don't even post ISOs with the latest POSReady updates on warez forums anymore. :P

 

 


https://www.reddit.com/r/NoStupidQuestions/comments/5ehkda/what_is_the_difference_between_windows_embedded/

So really, you're no longer running XP; you're running a pirated version of Embedded POSReady 2009.

 

WSUS does not use this trick, nor do they support it!

 

 


http://forums.wsusoffline.net/viewtopic.php?f=6&t=4289

So WTF does your comment have to do with the thousands of PCs that got hacked, which were mostly businesses that had their server plugged into the modem without a Wi-Fi and hadn't done updates in at least 4 months? Sorry to go off topic with this POSReady BS, but if you're a pirate it can help you. :)

 

Maybe I'll test on my old XP box that hasn't been online since the dial-up days, besides the time I had Linux on it and it was too slow, to see whether it still works, since it would only be for experimental testing at home. Still, 2019 is not very far off, so it would not be worth the bother, since I have all kinds of PCs with Windows and Linux that still get updates the legal way. :P

 

Using a crack or a patch that modifies system files is of course illegal.

 

But adding a registry key which is allowed by the OS itself and that does not require any modification of system files is not illegal. Of course this method is not officially supported by Microsoft, but that does not mean you are doing something illegal; even if you read the contract, it does not say anything about enabling hidden features of the OS or something like that.



1 hour ago, SPECTRUM said:

 

Using a crack or a patch that modifies system files is of course illegal.

 

But adding a registry key which is allowed by the OS itself and that does not require any modification of system files is not illegal. Of course this method is not officially supported by Microsoft, but that does not mean you are doing something illegal; even if you read the contract, it does not say anything about enabling hidden features of the OS or something like that.

It's the same thing as injecting a serial into the registry: it doesn't modify any software files either, but it still activates the program. It's just like when I use a trial reset for some programs; after the trial period is used up it's no longer legal. When you put that in the registry you're activating POSReady updates. Microsoft is closed source; you don't own those updates, they do, so you're stealing them without permission. Updates have expired for you; your key is no longer valid to get updates. Once you've updated, it did change the files too: it modifies Explorer on every update. They can just look at explorer.exe and other files and see you're running POSReady, even if you removed it from the registry after every update.

 

Email Microsoft and ask them if it's OK and see what they tell you. They already warned people not to use them in 2014, meaning if you got hacked you would be liable, just as if you had never done updates. There is no warranty for hacked updates. It's just like activating with an illegal volume license key: it doesn't change any files until you do updates, but it doesn't make it legal Windows.

 

Even on open source you can install codecs which will let you watch protected DVDs, which is legal in some countries but illegal in others. If you live in a place where it's not legal, they want you to buy a paid player to watch protected DVDs; the people who make the paid player paid a royalty fee, so it's legal everywhere. That's why on most distros you have to install them yourself.

 

Not all software you install is legal to use either, if it breaks your country's laws, like these apps that let you listen to YouTube without a video, against Google's copyright.

 

This one is legal though, because they just make the video really small so you can minimize it to the tray.

 

https://i.imgur.com/u0SsMb7.png

 

 

 



1 hour ago, steven36 said:

It's the same thing as injecting a serial into the registry: it doesn't modify any software files either, but it still activates the program. It's just like when I use a trial reset for some programs; after the trial period is used up it's no longer legal. When you put that in the registry you're activating POSReady updates. Microsoft is closed source; you don't own those updates, they do, so you're stealing them without permission. Updates have expired for you; your key is no longer valid to get updates. Once you've updated, it did change the files too: it modifies Explorer on every update. They can just look at explorer.exe and other files and see you're running POSReady, even if you removed it from the registry after every update.

 

Email Microsoft and ask them if it's OK and see what they tell you. They already warned people not to use them in 2014, meaning if you got hacked you would be liable, just as if you had never done updates. There is no warranty for hacked updates. It's just like activating with an illegal volume license key: it doesn't change any files until you do updates, but it doesn't make it legal Windows.

 

Even on open source you can install codecs which will let you watch protected DVDs, which is legal in some countries but illegal in others. If you live in a place where it's not legal, they want you to buy a paid player to watch protected DVDs; the people who make the paid player paid a royalty fee, so it's legal everywhere. That's why on most distros you have to install them yourself.

 

POSReady updates are public, not closed/private; anyone can download them from the Microsoft Update Catalog website for free. Also, the updates do not care about your serial number; the updates only check whether the registry value exists or not, and that's all.



19 minutes ago, SPECTRUM said:

 

POSReady updates are public, not closed/private; anyone can download them from the Microsoft Update Catalog website for free. Also, the updates do not care about your serial number; the updates only check whether the registry value exists or not, and that's all.

That still doesn't make it legal to install them. I can activate any Windows I want for free and download and install them. It's not illegal to download ISOs of Windows either, or of any other closed-source software, but it's not legal to modify it unless you have written permission. It's OK to use stuff and install it on Windows as long as they have permission and the proper license, and you have permission from the vendor, as long as it's legal in your country.

 



Windows XP x86 users can use the Windows XP Embedded registry tweak without hurting their systems. Yes, steven36 is right: it is illegal to do so because of licensing restrictions. There are two versions of 64-bit Windows XP, one for Itanium systems only and the one based on the Windows Server 2003 codebase. You are technically breaking the licensing restrictions by applying the registry tweak to your Windows XP 32-bit systems, SPECTRUM. It's not only unsupported by Microsoft; it's unsupported by Microsoft because of their EULA. I just read an article that talks about the registry tweak:

 

http://www.zdnet.com/article/registry-hack-enables-continued-updates-for-windows-xp/

 

Microsoft response to the registry tweak:

 



We recently became aware of a hack that purportedly aims to provide security updates to Windows XP customers. The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP. The best way for Windows XP customers to protect their systems is to upgrade to a more modern operating system, like Windows 7 or Windows 8.1.

 

I was just thinking about installing them on my mom's Windows XP x86 computer and changed my mind because of Microsoft's response to the registry tweak.



It does not break the EULA; it is just not officially supported by Microsoft, nothing else.



 

Quote

 

Bruce Schneier: The next ransomware attack will be worse than WannaCry

 

Ransomware isn’t new, but it’s increasingly popular and profitable.

 

The concept is simple: Your computer gets infected with a virus that encrypts your files until you pay a ransom. It’s extortion taken to its networked extreme. The criminals provide step-by-step instructions on how to pay, sometimes even offering a help line for victims unsure how to buy bitcoin. The price is designed to be cheap enough for people to pay instead of giving up: a few hundred dollars in many cases. Those who design these systems know their market, and it’s a profitable one.

 

The ransomware that has affected systems in more than 150 countries recently, WannaCry, made headlines last week, but it doesn’t seem to be more virulent or more expensive than other ransomware. This one has a particularly interesting pedigree: It’s based on a vulnerability developed by the National Security Agency that can be used against many versions of the Windows operating system. The NSA’s code was, in turn, stolen by an unknown hacker group called Shadow Brokers — widely believed by the security community to be the Russians — in 2014 and released to the public in April.

Microsoft patched the vulnerability a month earlier, presumably after being alerted by the NSA that the leak was imminent. But the vulnerability affected older versions of Windows that Microsoft no longer supports, and there are still many people and organizations that don’t regularly patch their systems. This allowed whoever wrote WannaCry — it could be anyone from a lone individual to an organized crime syndicate — to use it to infect computers and extort users.

 

The lessons for users are obvious: Keep your system patches up to date and back up your data regularly. This isn’t just good advice to defend against ransomware, but good advice in general. But it’s becoming obsolete.

 

Everything is becoming a computer. Your microwave is a computer that makes things hot. Your refrigerator is a computer that keeps things cold. Your car and television, the traffic lights and signals in your city and our national power grid are all computers. This is the much-hyped internet of things. It’s coming, and faster than you might think. And as these devices connect to the internet, they become vulnerable to ransomware and other computer threats.

 

It’s only a matter of time before people get messages on their car screens saying that the engine has been disabled and it will cost $200 in bitcoin to turn it back on. Or a similar message on their phones about their Internet-enabled door lock: Pay $100 if you want to get into your house tonight. Or pay far more if they want their embedded heart defibrillator to keep working.

This isn’t just theoretical. Researchers have already demonstrated a ransomware attack against smart thermostats, which may sound like a nuisance at first but can cause serious property damage if it’s cold enough outside. If the device under attack has no screen, you’ll get the message on the smartphone app you control it from.

 

Hackers don’t even have to come up with these ideas on their own; the government agencies whose code was stolen were already doing it. One of the leaked CIA attack tools targets internet-enabled Samsung smart televisions.

 

Even worse, the usual solutions won’t work with these embedded systems. You have no way to back up your refrigerator’s software, and it’s unclear whether that solution would even work if an attack targets the functionality of the device rather than its stored data.

 

These devices will be around for a long time. Unlike our phones and computers, which we replace every few years, cars are expected to last at least a decade. We want our appliances to run for 20 years or more, our thermostats even longer.

 

 

What happens when the company that made our smart washing machine — or just the computer part — goes out of business, or otherwise decides that they can no longer support older models? WannaCry affected Windows versions as far back as XP, a version that Microsoft no longer supports. The company broke with policy and released a patch for those older systems, but it has both the engineering talent and the money to do so.

 

 

That won’t happen with low-cost internet-of-things devices.

Those devices are built on the cheap, and the companies that make them don’t have the dedicated teams of security engineers ready to craft and distribute security patches. The economics doesn’t allow for it. Even worse, many of these devices aren’t patchable. Remember last fall when the Mirai botnet infected hundreds of thousands of Internet-enabled digital video recorders, webcams and other devices and launched a massive denial-of-service attack that resulted in a host of popular websites dropping off the internet? Most of those devices couldn’t be fixed with new software once they were attacked. The way you update your DVR is to throw it away and buy a new one.

 

Solutions aren’t easy and they’re not pretty. The market is not going to fix this unaided. Security is a hard-to-evaluate feature against a possible future threat, and consumers have long rewarded companies that provide easy-to-compare features and a quick time-to-market at its expense. We need to assign liabilities to companies that write insecure software that harms people, and possibly even issue and enforce regulations that require companies to maintain software systems throughout their life cycle. We may need minimum security standards for critical internet-of-things devices. And it would help if the NSA got more involved in securing our information infrastructure and less in keeping it vulnerable so the government can eavesdrop.

 

I know this all sounds politically impossible right now, but we simply cannot live in a future where everything — from the things we own to our nation’s infrastructure — can be held for ransom by criminals again and again.

 

Bruce Schneier is a security technologist and a lecturer at the Kennedy School of Government at Harvard University. His latest book is “Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World.”

 

http://www.tulsaworld.com/washingtonpost/commentary/bruce-schneier-the-next-ransomware-attack-will-be-worse-than/article_d6aa9884-be18-5768-b81b-2eb5a9a5b9d0.html

 



UnknownOne

I've said it a thousand times: disable all your ports, especially port 135, as RPC is likely the next big thing... (that is ridiculously vulnerable..)

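The practical advice running through this thread comes down to two checks: is MS17-010 actually applied, and are SMB (TCP 445) and the RPC endpoint mapper (TCP 135) exposed with SMBv1 still switched on. The PowerShell triage script below is an added example, not code from any post in this thread or from Microsoft; it checks those points on a single Windows host and, with the script's own `-Fix` switch, disables SMBv1 and adds Public-profile block rules. The KB numbers listed are the original March 2017 MS17-010 packages as I recall them, and later cumulative updates supersede them, so "not found" is not proof that a host is vulnerable; the rule names and the `-Fix` switch are this example's assumptions.

```powershell
# Added example (not from the forum thread): MS17-010 / SMB exposure triage for one Windows host.
# Assumptions: elevated PowerShell 3+ on Windows 7 or later. The KB list holds the original
# March 2017 MS17-010 packages; later cumulative updates supersede them, so absence here is a
# prompt to check the file version of srv.sys, not proof of vulnerability.
# -Fix is a switch defined by this script, not a parameter of any cmdlet used below.
param([switch]$Fix)

$os = Get-CimInstance Win32_OperatingSystem
"OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Was one of the original MS17-010 packages installed?
$ms17010 = @('KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
             'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) { "MS17-010 package present: $($installed.HotFixID -join ', ')" }
else { "No original MS17-010 package found (a later cumulative update may still cover it)" }

# 2. Is the SMBv1 server still enabled? EternalBlue only works against SMBv1.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol   # Windows 8 / Server 2012 and later
} else {
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $p = Get-ItemProperty $lanman -ErrorAction SilentlyContinue
    $smb1 = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)          # Windows 7: no SMB1 value means enabled
}
"SMBv1 server enabled: $smb1"

# 3. Which local addresses are listening on 445 (SMB) and 135 (RPC endpoint mapper)?
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -State Listen -LocalPort 445,135 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    netstat -ano | Select-String 'LISTENING' | Select-String ':445 |:135 '
}

# 4. Optional hardening. Blocking 445 on Domain/Private profiles breaks file sharing,
#    so only the Public profile gets block rules; SMBv1 is disabled server-side everywhere.
if ($Fix) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force             # Microsoft's documented Win7 method
    }
    foreach ($port in 445,135) {
        $name = "Block inbound TCP $port (Public)"             # rule name chosen by this example
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Public -ErrorAction SilentlyContinue | Out-Null
        } else {
            netsh advfirewall firewall add rule name="$name" dir=in action=block `
                protocol=TCP localport=$port profile=public | Out-Null
        }
    }
    "SMBv1 disabled and Public-profile block rules added; Windows 7 needs a reboot for the SMBv1 change."
}
```

Run it once read-only to see the state, then with `-Fix` on hosts where SMBv1 and inbound 445/135 are not needed. The authoritative answer to "is this host patched" is the version of `%SystemRoot%\System32\drivers\srv.sys` against the MS17-010 bulletin for that OS; the KB lookup above is only the quick first pass, and a fleet-wide check belongs in WSUS or SCCM compliance reporting rather than a per-host script.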


Archived

This topic is now archived and is closed to further replies.
