What follows are additional details from the SophosLabs investigation.

The investigation revealed a three-stage attack, starting with remote code execution and the malware gaining advanced user privileges. From there, the payload was unpacked and executed. Once computers were hijacked, it encrypted documents and displayed ransom notes.

Analysis seems to confirm that Friday’s attack was launched using suspected NSA code leaked by a group of hackers known as the Shadow Brokers. It used a variant of the Shadow Brokers’ APT EternalBlue Exploit (CC-1353) and used strong encryption on files such as documents, images, and videos. It also went after servers, trying to encrypt SQL server databases and Microsoft Exchange data files.

There were three key factors that caused this attack to spread so quickly:

- The inclusion of code that caused the threat to spread quickly across networks as a worm, without needing further user action after the initial infection had taken place.
- It exploited a vulnerability that many organizations had not patched against. Patching operating systems is the first line of a security strategy, yet many still struggle to achieve regular updates across their environments.
- Organizations are still running Windows XP. Microsoft had discontinued support for Windows XP and had not issued a patch for this system, but subsequently issued a patch for Windows XP in light of this attack. Microsoft does support legacy versions of Windows, but at extra cost.

As we’ve noted previously, the attack exploited a Windows vulnerability Microsoft had released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

The worm generated random IP addresses, as the following code snippet shows.

[Figure: code snippet from the worm that generates random IP addresses]

Once the IP addresses were defined, the worm sent malicious SMB packets to the remote host, spreading itself.

From there, files on the hijacked computers were encrypted and ransom notes like this appeared on victims’ screens:

[Figure: WannaCry ransom note as shown on a victim’s screen]

SophosLabs’ investigation indicates the first infections Friday appeared in India, Hong Kong and the Philippines. The findings of south-east Asian origin are in sync with those of other research organizations, such as Nominum. Yuriy Yuzifovich, head of data science and security research, and Yohai Einav, principal security researcher, wrote on their website:

> Our first evidence for WannaCry was found at 7:44am UTC, when a client from an ISP in south-east Asia hit WannaCry’s kill-switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com). In the following hours we identified thousands of additional WannaCry-infected clients, from a wide variety of countries and ISPs, trying to communicate with the domain.

Over the weekend, accounts set up to collect ransom payments had received smaller amounts than expected for an attack of this size. But by Monday morning, the balances were on the rise, suggesting that more people were responding to the ransom message Monday. On Saturday, three ransomware-associated wallets had received 92 bitcoin payments totaling $26,407.85 USD. By Sunday, the total across the three wallets was up to $30,706.61 USD. The three bitcoin wallets had received 253 payments totaling 41.78807332 BTC ($71,647.06 USD) by Tuesday evening.

With the return of old-school worm outbreaks like this one, it’s worth reviewing steps users can take to avoid infection. Admins can block services or ports at firewall level, but not often indefinitely. Suspending email is another tactic that works until everyone complains. Unfortunately, some of those steps have proven unpopular, as Naked Security’s John Dunn wrote yesterday. The best advice remains the same as it did when the outbreak began.

To guard against malware exploiting Microsoft vulnerabilities:

- Stay on top of all patch releases and apply them quickly.
- If at all possible, replace older Windows systems with the latest versions.

And since the worm payload was ransomware, a reminder on defenses for that is in order:
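The Nominum observation quoted above came from watching DNS clients query the kill-switch domain, and the same signal is available to any defender who keeps resolver query logs. The script below is an added example, not code from the original article, from SophosLabs or from Nominum: it parses a handful of constructed BIND-style query-log lines (sample data, not real logs; the client addresses, ports and timestamps are made up) and reports which clients looked up the kill-switch domain, how often, and when the first hit occurred. The log layout and the `queries: info: client ... query:` field order are assumptions about the resolver in use; adapt the regular expression to your own log format.

```python
import re
from datetime import datetime, timezone

# Kill-switch domain named in the article. WannaCry exits if this name resolves,
# so a lookup for it from an internal client is a strong indicator that the worm
# has already executed on that host.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample lines in a BIND-style query-log layout (not real data).
# One client queries the domain twice, a second queries it once with mixed
# case and a trailing dot, and two unrelated lookups are present as noise.
SAMPLE_LOG = """\
12-May-2017 07:44:02.113 queries: info: client 203.0.113.17#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (192.0.2.1)
12-May-2017 07:44:05.440 queries: info: client 203.0.113.17#51240: query: www.example.com IN A + (192.0.2.1)
12-May-2017 08:02:19.001 queries: info: client 198.51.100.8#40001: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (192.0.2.1)
12-May-2017 08:15:44.777 queries: info: client 203.0.113.17#51301: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (192.0.2.1)
12-May-2017 09:30:00.000 queries: info: client 198.51.100.22#53000: query: update.example.net IN AAAA + (192.0.2.1)
"""

# Assumed field order: timestamp, severity, client address#port, query name, class, type.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return (timestamp, client, normalised query name) or None for lines that
    do not match the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S").replace(tzinfo=timezone.utc)
    # DNS names are case-insensitive and logs may carry a trailing root dot.
    qname = m["qname"].rstrip(".").lower()
    return ts, m["client"], qname


def is_kill_switch_query(qname):
    """True for the kill-switch domain itself or any label beneath it."""
    return qname == KILL_SWITCH_DOMAIN or qname.endswith("." + KILL_SWITCH_DOMAIN)


def find_kill_switch_hits(log_text):
    """Map each client that queried the kill-switch domain to its first-seen
    time and hit count."""
    hits = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if not is_kill_switch_query(qname):
            continue
        entry = hits.setdefault(client, {"first_seen": ts, "count": 0})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["count"] += 1
    return hits


def summarize(hits):
    """Overall picture: how many distinct clients hit the domain, and the
    earliest hit (the 'first evidence' figure Nominum reported)."""
    if not hits:
        return {"clients": 0, "first_seen": None}
    return {
        "clients": len(hits),
        "first_seen": min(h["first_seen"] for h in hits.values()),
    }


if __name__ == "__main__":
    hits = find_kill_switch_hits(SAMPLE_LOG)
    for client, info in sorted(hits.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{client}: {info['count']} hit(s), first seen {info['first_seen'].isoformat()}")
    print(summarize(hits))
```

Every client this reports should be treated as a host on which the worm ran: a resolving kill-switch domain stops the encryption payload but does not remove the infection, so the host still needs isolation, the MS17-010 patch and a clean-up. Running the same check over historical resolver logs also gives an outbreak timeline for an environment, which is exactly how the 7:44am UTC figure in the article was obtained.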