- This topic has 9 replies, 3 voices, and was last updated 3 years, 1 month ago by Joe (G.W.N.S.).
May 16, 2017 at 6:05 pm #97754
Anyone else stuck on duty and glued to a chair defending/patching/reporting for 4 straight days like me?
May 16, 2017 at 6:45 pm #97755
…for 4 straight days like me?
Thought you might be busy regarding that, let us know your take when you have time.
Depending on the source things have ranged from it’s the end of the world fearmongering hype, to attempts at calming fears that are just as full of crap trying to make people feel better.
May 16, 2017 at 10:50 pm #97756 CommsPrepper (Participant)
I have been too busy watching the Fake News.
May 17, 2017 at 9:49 am #97757
Windows 10 users not vulnerable
THIS IS THE PATCH for others
4 observed real variants in the wild
each has a ‘killswitch’ domain that, if it ANSWERS, kills the malware. If you rig up a sinkhole, the malware will not get an answer and will execute. You need to let it get an HTTP response to kill it. The “Internet” is fake answering for these now, and has been for a couple days to halt propagation.
This is an anti-analysis technique. I can elaborate later if anyone asks. It was also easily defeated once identified, so a rookie mistake or a draft version launched initially. There is a sample of a variant without a killswitch, but it is broken because it was edited from the original and not compiled from scratch.
Possible 5th killswitch domain variant, not confirmed
propagation is via network; it is a worm with a ransomware piggyback
email (phishing) is not a confirmed vector—yet, but none seen in the wild in phishing campaigns
if you have Windoz XP and it connects to the internet you can get a custom patch they released for this nastyware
same for server2003
If you DO still have those, work on your plan to guarantee their isolation and/or replace that unsupported stuff
Propagation continues to be via the vulnerability that the Supposed NSA tools ETERNALBLUE and DOUBLEPULSAR exploit that were leaked by ShadowBrokers
A significant volume of affected hosts around the world are pirated copies that Microsoft doesn’t recognize and patch. Low volume in the USA generally.
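The killswitch behaviour described in the post above (an HTTP answer stops the malware, a DNS-only sinkhole does not) is also a detection opportunity: any host that requests the killswitch URL has already executed the dropper. The following is an added example, not code from the thread; it triages constructed proxy log lines, and the domain is a placeholder, not the real indicator.

```python
"""
Added example: triage web-proxy log lines for kill-switch requests.
Verdicts: 'halted' = an HTTP response was seen (malware should have exited),
'detonated' = only unanswered requests (worm most likely kept running).
Either way the client ran the dropper and needs isolation and patch checks.
"""
import re
from collections import defaultdict

# Placeholder domain for illustration; the real indicator is not reproduced here.
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample proxy log: timestamp client method url status ("-" = no response)
SAMPLE_LOG = """\
2017-05-12T14:02:11Z 10.1.4.22 GET http://killswitch-placeholder.example/ 200
2017-05-12T14:02:13Z 10.1.4.37 GET http://killswitch-placeholder.example/ -
2017-05-12T14:02:15Z 10.1.4.40 GET http://intranet.example/index.html 200
2017-05-12T14:03:02Z 10.1.4.37 GET http://killswitch-placeholder.example/ -
2017-05-12T14:05:44Z 10.1.4.51 GET http://killswitch-placeholder.example/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def triage(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: verdict} for every client that touched the kill-switch domain."""
    got_answer = defaultdict(bool)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, client, _method, url, status = m.groups()
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host != domain:
            continue
        # Per the post, what matters is an HTTP response, not DNS resolution;
        # any numeric status (including 4xx/5xx) is treated as an answer here.
        answered = status.isdigit()
        got_answer[client] = got_answer[client] or answered
    return {c: ("halted" if a else "detonated") for c, a in got_answer.items()}


if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client}: {verdict}")
```

Hosts tagged 'detonated' are the priority for isolation, but 'halted' hosts still reached the malware's execution path and should be checked for the SMB patch and lateral-movement artifacts.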
May 17, 2017 at 4:36 pm #97758
Thanks for the update, good to know and I’ll pass it along to people I know are vulnerable.
Glad to not be a Windows user.
May 18, 2017 at 4:07 pm #97759
not much new on this other than there was another killswitch variant observed but no morphing into different behavior or delivery method.
May 20, 2017 at 9:41 am #97760
Thankfully this op tempo finally wound down for me. Lots of lessons learned for us but for the most part our response was successful. This was an interesting event because prevention was reasonably easy and the vulnerability was patched in March. The BIG problem people had was not being patched. Going 50 days without deploying critical patches NO MATTER WHAT THE SYSTEM IS DERELICTION.
Also there seems to be a wannacry decryption tool floating around now. The chances it will work for any one individual are slim as it depends on pulling an encryption key that is generated out of the RAM (memory), but this only works in some systems and only if the RAM is not changed by other applications on the system. There also might be an artifact written to disk when the operating system swaps out blocks of data from RAM to disk. Good luck with that tho, it takes skill and tools to get that data.
Detailed knowledge of attack surface and method was one of my significant contributions to this effort as well as the ability to adequately run Incident command and proper messaging up the chain to White House and dealing with our cyber intel partners and the US-CERT. An event like this takes a good team and the rockstars really shine and those that are not performing as well stand out pretty far too. The AAR on this we do is going to be interesting and hopefully prove that some resource reallocation is necessary.
There was some pretty robust finger pointing early on but that shit got whacked hard and I did see one very senior level deferral of authority (read as responsibility) attempted. Not sure how that went since that was at cabinet staff level and thankfully I am just a cyber nerd that does not have SES as a grade.
May 20, 2017 at 10:49 am #97761
The BIG problem people had was not being patched. Going 50 days without deploying critical patches NO MATTER WHAT THE SYSTEM IS DERELICTION.
Thankfully this op tempo finally wound down for me.
Hope things stay that way for awhile.
May 20, 2017 at 12:03 pm #97762
Yes Joe, I can use a break…
The new threat flying around is called .jaff which is a variant of locky
.jaff is distributed by email so once again, don’t get fooled by the lures and don’t click to enable anything some pop message says when you try to open the attachment THAT YOU SHOULDN’T BE OPENING ANYWAY. Yelling was on purpose…
The British National Health Service ( among many others) should be embarrassed big time for running critical infrastructure on systems unsupported by the mfg. They still run a ton of Windows XP/Server 2003 in a networked environment. Bad juju.
May 20, 2017 at 12:05 pm #97763
don’t get fooled by the lures and don’t click to enable anything some pop message says when you try to open the attachment THAT YOU SHOULDN’T BE OPENING ANYWAY. Yelling was on purpose…