I Hope Everyone has Patched their Windows Machines!

[Foxbat]

https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/
It's been ten years since I've seen the Internet Storm Center at anything other than "Green", but they went to Yellow in regards to the massive Ransomware outbreak made worse by the malware not only encrypting files on the victim's machine, but also searching the local LAN for unpatched nodes and nodes vulnerable to one of the leaked NSA tools and spreading via Remote Code Execution.
http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/

If you're still running Windows XP I feel sorry for you. Back up your system now now since I heard the ransom jumped up to over $600 in Bitcoin.

Edit: Hmmm, Cisco's Talos Intelligence group may have put the brakes on the infection. Hopefully the Malware authors don't compile and relaunch a different version using different domain.
http://blog.talosintelligence.com/2017/05/wannacry.html

 

[harshness]

The ransom is over $3,100 USD (1.79 bitcoin) for the JAFF ransomware that is also out there in addition to WannaCry.

The aforementioned Microsoft patch only fixes the back door Windows Networking. It doesn't prevent entry through the front door (idiot clicking on a malware bearing attachment). There may be other Windows defenses since March that have been installed. Microsoft Office is a very dangerous piece of software and that's how both of these ransomwares gain access to your network.

Anyone that is using XP (versus Linux or FreeBSD) as a file server deserves what they get.

 

[Juan]

Set up separate admin and user accounts on your pc..then limit user privileges

Sent from my SM-G950U using the SatelliteGuys app!

 

[stardust3]

Hmm we have an xp machine setup as a network printer. It doesn't get used for anything else except that. I guess I need to get into the router and disable the wan for that machine if possible.

 

[Foxbat]

The aforementioned Microsoft patch only fixes the back door Windows Networking. It doesn't prevent entry through the front door (idiot clicking on a malware bearing attachment).

Boy, I'd love to see Microsoft try and patch their Users!

My big fear with a Worm like this is that a lot of the Industrial PA systems are still running on Windows 2000/2003/XP because:

a) This system works / why spend money to "fix" something that works?
b) it costs too much to upgrade my systems;
c) my Vendor tells me I can't patch my systems or they are no longer liable for the system working;
d) the system's so old the Vendor went out of business / got bought and the new owner dropped support;
e) some variation on a, b, c, & d;
f) All of the Above.​

Also, Windows Vista/7 changed the rules on what processes were allowed to do, locking down a lot of exploitable code, but it broke many PA vendors who counted on "bending the rules" to be able to interface to the hardware.

 

[EarDemon]

If you have Windows XP machines connected to the internet, I would do the Embedded reg hack so they keep getting updates. May not patch everything, but it's better than nothing.

https://www.ghacks.net/2014/05/24/get-security-updates-windows-xp-april-2019/

I've been running XP in a VM with the reg hack since May 2014 and have had no issues. This week was patch Tuesday. Got 9 High Priority Updates to install

At work, I have the MAC addresses of the 4 or so XP machines we have blocked from inbound and outbound external access. They are for specific purposes, not assigned to users, but need internal network access. After two infections of cryptolocker on my watch, I have instituted Exchange Server moderation rules. All incoming emails with doc, xls, ppt and zip attachments come to my inbox for inspection where I can reject garbage and take it out of the users hands.

 

[Foxbat]

I heard the reason the NHS was hit so bad was they had been paying Microsoft for extended support of XP up until last year but stopped to cut budget costs. I guess they didn't know about the Piece of Sh... er, PoS trick. But it's equally scary that so many Sales Terminals are running software that's over a dozen years old. Also, many companies run internal WSUS infrastructures that may not include PoS versions of Windows XP.

I hope one of the XP PoS updates took care of the SMB v1 Exploit MS17-010. I can't find any conformation that your XP boxes are safe.

 

[harshness]

Set up separate admin and user accounts on your pc..then limit user privileges

Unfortunately, there's so much software that requires administrative rights at one time or another, we've become quite blind to having to elevate or end up giving up and running everything as an administrator (that doesn't stop the elevations, it just reduces them a tiny bit).

Security and Windows should never be mentioned in the same paragraph and nothing practical can be done to fix that. The fact that trojans can more or less silently bypass what security there is using an Excel or Word macro is a crime against computerdom.

 

[harshness]

Also, many companies run internal WSUS infrastructures that may not include PoS versions of Windows XP.

The current WSUS Offline version is the last that will support Vista. XP support was dropped three years ago.

For many of these kinds of headless applications, Linux makes more sense. It is lighter and typically much more secure because security isn't an afterthought as it is with Microsoft. To be sure, there are bugs, but there aren't built-in security workarounds.

 

[EarDemon]

Microsoft has come out with patches for variants of XP, Server 2003 and 8. The links to download are near the bottom of the this ZDNet article

http://www.zdnet.com/article/wannac...s-patch-for-windows-xp-and-other-old-systems/

Here's the direct download links

http://www.catalog.update.microsoft.com/search.aspx?q=4012598

it looks like XP Embedded got the update back in March along with the other supported operating systems. So if you're running XP and have it tricked into thinking it's Embedded, you should be good.

 

[navychop]

"PA vendor"?

 

[harshness]

"PA vendor"?

My money is on "Public Address" and audio paging systems.

 

[Foxbat]

Worse. Process Automation. Sorry to spew jargon there.

I say worse because Process Automation is resistant to security.


Sent from my iPhone using SatelliteGuys