Britain's health network hit by major hacking attack



ganesh
05-12-2017, 10:31 AM
British NHS network is under cyber attack.
http://bgr.com/2017/05/12/nhs-hack-ransomware-cyberattack/

The_Penguin
05-12-2017, 11:00 AM
Scary shit. Reports are it came in as a typical Word macro ransomware, and is spreading via unpatched MS17-10.

Swank
05-12-2017, 02:53 PM
We just got an email at work that there is a very active and aggressive ransomware attack being spread world wide. I hate this BS, it's freaky stuff.

ganesh
05-12-2017, 02:59 PM
It is still active. It is not just the UK; it is more widespread than the UK.

Xtrema
05-12-2017, 03:00 PM
Originally posted by The_Penguin
Scary shit. Reports are it came in as a typical Word macro ransomware, and is spreading via unpatched MS17-10.

It's May; if they didn't patch MS17-10 by this point, their IT head needs to be fired.

tonytiger55
05-12-2017, 04:15 PM
The idiots thought the NHS has money...? LOLZ. :rofl:
Kinda reminds me of this scene.

https://www.youtube.com/watch?v=N9_tl_b-bFs

That's like going to your local out-of-work bro dog and asking for some cash..

dirtsniffer
05-12-2017, 04:37 PM
Originally posted by The_Penguin
Scary shit. Reports are it came in as a typical Word macro ransomware, and is spreading via unpatched MS17-10.

Had a local EPC engineer send me a request to review some files. Sounds like there are some things floating around locally as well.

ZenOps
05-13-2017, 06:17 AM
Damn US hackers. You can tell it's a US hacker for sure by the damage done to Britain and the Russians.

That, and it's always about money.

Add: Bitcoin only payment. Very colonial. I mean, when you take over a tropical island by economic force, the first thing you do is require that they pay in something like US dollars over which they have no control, where they may have been using shells or lumps of metal for centuries.

http://uk.reuters.com/article/uk-britain-security-hospitals-ransomware-idUKKBN1882NV

Stolen from NSA server. Seems to be a legitimate backdoor given to the USA.

Xtrema
05-13-2017, 06:39 AM
Originally posted by ZenOps
Damn US hackers. You can tell it's a US hacker for sure by the damage done to Britain and the Russians.

Time zone effect, the working day started over there first.

EDIT: Actually, I was wrong; this one started around 11am EST.

https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html?_r=0

I guess Europe and Russia don't like to patch their Windows.

ZenOps
05-13-2017, 06:49 AM
Still, whose fault is it?

US builds a nuke, and then guards it with a pet poodle and a rusty padlock. Teenager from the US gets bored of going to the mall and steals said nuke, then demands that everyone pay him money or more people will start dying in hospitals.

speedog
05-13-2017, 06:59 AM
Let it go, Z. Why are you so insistent that it might be the USA's fault in some way?

I am amused though that it appears that this could've easily been avoided.

Xtrema
05-13-2017, 07:12 AM
Originally posted by speedog
Let it go, Z. Why are you so insistent that it might be the USA's fault in some way?

I am amused though that it appears that this could've easily been avoided.

It is USA's fault because NSA did not disclose this bug to keep the backdoor open. Then hired a contractor who was not careful with the tools.

This could be avoided if everyone sticks reasonably close to MS's patching schedule, which has been around for more than a decade now. When this surfaced, MS actually postponed the patching cycle in Feb to get MS17-10 in quick. This is serious enough that MS actually skipped a patching release, the first time ever since the program started.

So to not have MS17-10 patched by May, especially on user workstations, is pretty weak from an IT security perspective.

ZenOps
05-13-2017, 08:55 AM
It's bad enough when one country gets a backdoor; it's even worse when they lose it to a rogue hacker.

Imagine if China got a backdoor into Microsoft Windows for legitimate, above-board use at any time. And then they *accidentally* lost the code to North Korea.

North Koreans then encrypt all medical files of all US hospitals, and banking information, for a ransom of 20 bitcoins each. The beauty of encryption is that the data is not blatantly destroyed or altered, it's just encrypted. Have a million dollars in a bank? Prove it.

It's foolish to trust the NSA any more than the former KGB, or North Korea.

adam c
05-13-2017, 08:59 AM
There are many reasons companies don't update when patches are released, and that's the same reason many companies are still using old operating systems. Some applications are legacy and don't support newer versions of Windows, or some developers need time to ensure that patches won't break their applications, as was the case with the recent Creators Update.

Zhariak
05-13-2017, 09:25 AM
Originally posted by adam c
There are many reasons companies don't update when patches are released, and that's the same reason many companies are still using old operating systems. Some applications are legacy and don't support newer versions of Windows, or some developers need time to ensure that patches won't break their applications, as was the case with the recent Creators Update.

While this is true, it doesn't necessarily hold true for security updates...

.NET updates may be held off (but not .NET security updates, those are usually always applied). Feature packs, added functionality, etc... can and usually are held off for testing (won't affect security). Security updates are usually always separate, and should always be done ASAP.

It's definitely work to balance, but it's do-able (part of everyday I.T.).

Generic windows security updates should always be applied (usually don't break things).

If the company is large enough, they should have dedicated people testing deployment with applications before approving updates for deployment.


Problem is, companies are cheap AF when it comes to IT... I can't tell you how many times I've gone on a sales call to a decent sized business that stores customer personal data, only to find out they haven't patched in 3 years, and have active infections on their server. Management doesn't usually care as the systems are still working (I get told, well if it's not broke, don't fix it).

You tell them how serious it is, with violations of the privacy act by not taking care of it. They lie and say they found someone cheaper to do it (always find out later they ended up doing nothing), lol.

Xtrema
05-13-2017, 09:45 AM
Originally posted by Zhariak
Problem is, companies are cheap AF when it comes to IT... I can't tell you how many times I've gone on a sales call to a decent sized business that stores customer personal data, only to find out they haven't patched in 3 years, and have active infections on their server. Management doesn't usually care as the systems are still working (I get told, well if it's not broke, don't fix it).

You tell them how serious it is, with violations of the privacy act by not taking care of it. They lie and say they found someone cheaper to do it (always find out later they ended up doing nothing), lol.

Bingo. That's why nobody learns until the people who make these dumb decisions are removed.


Originally posted by adam c
There are many reasons companies don't update when patches are released, and that's the same reason many companies are still using old operating systems. Some applications are legacy and don't support newer versions of Windows, or some developers need time to ensure that patches won't break their applications, as was the case with the recent Creators Update.

That's not an excuse any more in 2017. If it's business critical and you can't update it, one should start looking at restricting access and firewall it off.

But going back to Zhariak's observation about business being cheap AF when it comes to security, that's why this shit spreads.

I'm glad WannaCry happened. It's been almost a decade since the last major outbreak and CIOs and IT Managers are getting lax on paying attention.

adam c
05-13-2017, 09:53 AM
I'm not saying it's an excuse; it's just how it is. I'm pretty sure you work in IT, as do I. We have clients who refuse to deploy updates because someone might leave work open on their computer and they don't want to risk losing it, but if this were to hit them it would be the fault of IT regardless of who said not to deploy updates.

One client in particular... we asked them what would happen in the event of a power outage, they would lose their work.. their response was to buy desktop UPS devices for their workstations and still refuse regular patching.

Xtrema
05-13-2017, 10:08 AM
Originally posted by adam c
One client in particular... we asked them what would happen in the event of a power outage, they would lose their work.. their response was to buy desktop ups devices for their workstation and still refused regaular patching

For clients like that, I have all the emails/decisions saved. The minute shit like WannaCry hits, I'll send it back to them or their bosses along with a quote for the clean-up bill. :D

revelations
05-13-2017, 10:15 AM
One client I know has been hit with ransomware on 2 separate occasions in the past 4 years; both times I was able to save their business from backups, yet they refuse to have me check the backups (and their file server) on a regular basis, e.g. a 1 hour remote check every 2-3 months. It's not even a real Windows Server, just a desktop OS/box with Enterprise drives inside.

It was sheer luck that their systems were running when the latest attack occurred as I happened to be on a service call and noticed their file server needed some work, about a month prior (their backup drive stopped working).

Pure cheap-assery - yet at the same time I know arrogant IT guys who love to make work, talk down to clients and thus create jaded customers who despise IT.

revelations
05-13-2017, 10:34 AM
Oh btw, here is a prevention tool I'm sure many of you have heard of ..... but just in case you haven't:

https://ransomfree.cybereason.com/

Essentially it monitors for massive file and folder attribute changes system-wide. Windows 10 came out with something similar, but this would be of benefit to older systems.
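A toy version of the heuristic described above, added here as an example (it is not RansomFree's code and does not claim to match how that tool works): flag a burst of file renames that change the file extension within a short window, which is the signature of an encryptor walking a user's documents. The sample events, paths, and the `.locked` extension are constructed; the `Find-RenameBursts` function and its thresholds are assumptions for illustration. It runs offline; to go live you would feed it `Renamed` events from a `System.IO.FileSystemWatcher` instead.

```powershell
# Added example, not from the thread or from any vendor: detect a burst of
# extension-changing renames (the crude signal an anti-ransomware monitor keys on).

function Find-RenameBursts {
    param(
        # Objects with Time (DateTime), Path (old name) and NewPath (new name).
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds = 5,   # sliding window length (assumption)
        [int] $Threshold     = 20   # extension changes per window that trigger an alert (assumption)
    )
    $sorted = $Events | Sort-Object Time
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $start = $sorted[$i].Time
        $end   = $start.AddSeconds($WindowSeconds)
        # Only renames that changed the extension count; moving a file within a
        # folder keeps its extension and is normal user activity.
        $extChanges = @($sorted | Where-Object {
            $_.Time -ge $start -and $_.Time -lt $end -and
            [IO.Path]::GetExtension($_.Path) -ne [IO.Path]::GetExtension($_.NewPath)
        })
        if ($extChanges.Count -ge $Threshold) {
            return [pscustomobject]@{
                WindowStart = $start
                Count       = $extChanges.Count
                NewExts     = ($extChanges | ForEach-Object { [IO.Path]::GetExtension($_.NewPath) } | Sort-Object -Unique) -join ','
                Example     = $extChanges[0].NewPath
            }
        }
    }
    return $null   # no burst found
}

# Constructed sample: 25 documents renamed to a new extension within two seconds,
# plus one ordinary rename that should not count.
$t0 = Get-Date '2017-05-12 11:00:00'
$sample = @(1..25 | ForEach-Object {
    [pscustomobject]@{
        Time    = $t0.AddMilliseconds($_ * 80)
        Path    = "C:\Users\alice\Documents\report$_.docx"
        NewPath = "C:\Users\alice\Documents\report$_.docx.locked"
    }
})
$sample += [pscustomobject]@{
    Time    = $t0.AddSeconds(1)
    Path    = "C:\Users\alice\Documents\draft.docx"
    NewPath = "C:\Users\alice\Documents\final.docx"   # extension unchanged: ignored
}

$alert = Find-RenameBursts -Events $sample
if ($alert) { "ALERT: $($alert.Count) extension changes from $($alert.WindowStart) (-> $($alert.NewExts)), e.g. $($alert.Example)" }
else        { "No rename burst detected" }
```

The window-and-threshold design is what makes this a heuristic rather than a signature: it does not know the malware family, only that no human renames 20 documents to a new extension in five seconds. Expect to tune `Threshold` per host (build servers and backup jobs rename in bulk legitimately) and to exclude those paths before treating an alert as actionable.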

ipeefreely
05-13-2017, 08:00 PM
I'm kinda surprised Microsoft is releasing a patch for its unsupported products...

You'd think it would be a good wake up call to upgrade... :dunno:


Microsoft solution available to protect additional products (https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)


In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.

For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.

This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).

We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).

Customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March. If customers have automatic updates enabled or have installed the update, they are protected. For other customers, we encourage them to install the update as soon as possible.

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.

I went ahead and blocked SMB1 on all my systems except one VM with my PLEX Server because it still needs it.
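For anyone doing what ipeefreely describes on more than one box, here is an added example (not Microsoft's guidance and not code from anyone in the thread) that audits a Windows host for the two controls the quoted guidance names: an MS17-010 update present, and SMBv1 turned off; it then disables SMBv1 and, as a fallback for a host that cannot be patched, blocks inbound TCP 445 (Xtrema's "firewall it off"). Assumptions: Windows 10 or Server 2016 with the `SmbShare`, `Dism` and `NetSecurity` cmdlets, run from an elevated prompt; the KB list is from memory of the MS17-010 bulletin and should be verified against the bulletin for each build you run, and the rule name is made up.

```powershell
# Added example, not from Microsoft or the thread: audit and remediate one host
# for MS17-010 and SMBv1. Run as administrator on Windows 10 / Server 2016.

# KB numbers that shipped MS17-010 (assumption: recalled from the bulletin; verify).
$Ms17010Kbs = @(
    'KB4012598',                           # XP / Vista / Server 2003 / Windows 8 (out-of-band release)
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Test-Ms17010Installed {
    # True if any hotfix ID from the list is present. Later cumulative updates
    # supersede these, so False on Windows 10 means "check the build's patch level",
    # not necessarily "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1Status {
    # Server-side protocol switch plus whether the optional component is installed at all.
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1Feature       = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
    }
}

function Disable-Smb1 {
    # Two layers: turn the protocol off in the SMB server, then remove the component.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # Fallback for a host that cannot take the patch: refuse inbound SMB on every
    # profile. Narrow -Profile if the host must still serve files on the domain.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (MS17-010 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

# Audit first, then remediate only what is missing.
$patched = Test-Ms17010Installed
$smb     = Get-Smb1Status
"MS17-010 hotfix present : $patched"
"SMBv1 server enabled    : $($smb.Smb1ServerEnabled) (feature state: $($smb.Smb1Feature))"
if ($smb.Smb1ServerEnabled -or $smb.Smb1Feature -eq 'Enabled') { Disable-Smb1 }
if (-not $patched) { Block-InboundSmb }
```

Disabling the optional feature needs a reboot to take full effect, which is why the script keeps `-NoRestart` and leaves the reboot to you; on Windows Server the SMB1 component is a role feature (`Get-WindowsFeature FS-SMB1`) rather than an optional feature, so swap that call accordingly.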

speedog
05-13-2017, 08:18 PM
Originally posted by ipeefreely
I'm kinda surprised Microsoft is releasing a patch for its unsupported products...

You'd think it would be a good wake up call to upgrade... :dunno:

Microsoft solution available to protect additional products (https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)

I went ahead and blocked SMB1 on all my systems except one VM with my PLEX Server because it still needs it.

What about my Windows 95 machine? Not worthy? Doesn't matter, it's just a door stop that I just can't seem to throw out, kind of like an XP box I have as well. But that XP box did happen to prove useful lately, because it had an old out-of-date Dropbox folder on it that made answering a 4 year old CRA EI question much easier.

Xtrema
05-14-2017, 09:39 AM
Originally posted by speedog
What about my Windows 95 machine? Not worthy?

Basically there are still businesses which can't get rid of XP and Windows 2003 who are still paying MS (depends on size, I have heard into the millions) to keep some support. It's not hard for MS to write that patch and release it to the public since businesses already paid for it.

speedog
05-14-2017, 10:10 AM
Probably lots of people getting called out this weekend to deal with this issue.

revelations
05-14-2017, 11:10 AM
I don't think it's affecting Canada and Australia nearly as much in comparison ....

https://www.nytimes.com/interactive/2017/05/12/world/europe/wannacry-ransomware-map.html?_r=0

eblend
05-14-2017, 12:59 PM
We got a few XP machines and 2003 servers at work and they haven't been patched in forever, or have any antivirus stuff on them. I am doing lots of file migrations right now to 2016 servers and we constantly get hits on the new servers that data we are copying over is a virus, or some ransomware.

Kind of hope this type of shit pushes us over the edge and something actually gets done with this old shit. It's all legacy apps, but it isn't so much active software...it's just stuff they don't want to get rid of.....sigh....oh well. We will see how tomorrow plays out.

adam c
05-14-2017, 02:49 PM
Reports coming out that a new variant has been released that doesn't have a 'kill code'

revelations
05-14-2017, 06:10 PM
This week could turn interesting, but I don't see the cheapasses doing anything about it either because "nothing broke".

Xtrema
05-14-2017, 07:54 PM
Originally posted by adam c
Reports coming out that a new variant has been released that doesn't have a 'kill code'

Yup. If you didn't patch Friday and still didn't patch over the weekend, you are screwed. These outbreaks usually mean get everyone in and patch everything in shifts until it's done.

I was surprised all this ransomware didn't come out sooner, as this exploit had been in the wild since Feb. I was so worried that we would get pwned during Feb.