WannaCrypt ransomware snatches NSA exploit, fscks over Telefónica, other orgs in Spain

Workers at Telefónica's Madrid headquarters were left staring at their screens on Friday following a ransomware outbreak. Telefónica was one of several victims of a widespread file-encrypting ransomware outbreak, El Pais reports. Telefónica has confirmed the epidemic on its intranet while downplaying its seriousness, saying …


  1. Alister

    Nobody thinks this and the NHS are related?

    Telefónica does provide VoIP and Network facilities to the NHS as far as I know.

    1. Anonymous Coward

      BBC are reporting the following:

      "A massive ransomware campaign appears to have attacked a number of organisations around the world.

      Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by parties claiming to be affected.

      There have been reports of infections in the UK, USA, China, Russia, Spain, Italy, Vietnam, Taiwan and others."

      Difficult to definitely link them as there are probably ransomware hits around the world every day anyway and therefore this is just normal, however it could be a significant outbreak.

      1. TheVogon

        Received the downloader for this yesterday - and it wasn't detected by much - so I immediately submitted it to Kaspersky, Microsoft and Sophos so hopefully I saved a few thousand victims...

      2. Dodgy Geezer Silver badge

        ...BBC are reporting the following:

        "A massive ransomware campaign appears to have attacked a number of organisations around the world....

        From which we can infer that the BBC have been hit themselves...

    2. faibistes

      I'm pretty sure it's not related in that way. It only affects Windows PCs (AFAIK Windows 7, maybe other versions too); none of those services are Windows systems. It's not impacting operations per se... but if an operator needs access to those systems and he needs to do it from his Windows seat, he's screwed.

    3. Anonymous Coward

      I suspect it also might be related to Windows preferring to execute emailed malware rather than scan it. It nicely removes the user actually having to do anything.

      This is a very good reminder why Windows is such a security cesspit, and unless you need to run Windows stuff, you are far more secure running a Chromebook with its signed read-only runtime.... It's pretty much unhackable

    4. Anonymous Coward

      Stop Being Theresa May

      While I understand that we have to declare war on Eurasia soon, our dear idiot Geography teacher and Führer wannabe is rushing it a bit here.

      The common denominator between Telefonica R&D and NHS is that they are underfunded, badly maintained Windows shops. I have had dealings with both; there are plenty of unpatched machines running "this special application" which prevents them from updates and upgrades, they are networked in a flat, non-segmented network, and it is a perfect environment for a network worm.

      There is no attack. There is just a mass infection of populations which are vulnerable by design and were going to be infected sooner rather than later.

      There will be more of that, but the root causes in both, flat networking, lack of zoning and chronic underfunding, will not be fixed.

    5. sanmigueelbeer

      No, this is not related. Seriously, NHS? AGAIN?

      I'd like to classify NHS as a soft and OPEN target. How many times have various NHS sites been hit with ransomware in the last 2 years?

      The people who manage their IT need to be taken out the back and ...

  2. Your alien overlord - fear me

    Spanish people working in the afternoon? Will no one think of the siesta?

    1. faibistes

      It happened around 12. Siesta is happening sooner today.

    2. Dan 55 Silver badge

      I expect more than one PFY will be unhappy about this, big companies tend to work until 2pm on Fridays in Spain.

      Some people maintain it makes up for working till 7pm or later in the week.

  3. Anonymous Coward

    Smug mode - Linux user.

    1. Anonymous Coward

      It's about the only thing you have to be smug about.

    2. adnim

      Smug mode

      Experienced enough to never open an email attachment or follow a link from an email address I don't know.

      Experienced enough to recognise an email attachment from an email address I do know and a link in an email from an address I do know could be dangerous. The body of the message usually gives enough clues as to the legitimacy of the email.

      Linux and Windoze user... whose last virus infection was the Saddam virus on my Amiga 500. Getting old sucks, but the wisdom it brings has benefits.

      1. JLV
        Black Helicopters

        Re: Smug mode

        >The body of the message usually gives enough clues as to the legitimacy of the email

        Actually, if you can be bothered, get into the habit of adding some personalized content when you share links. Something that is recognizably yours.

        "Dude, this reminds me of that time we had that really bad beer", rather than just "check this out!".

        It's not uncommon for infections to spread via email contacts. Make it clear it's actually you and get your friends to understand you appreciate the favor returned.

        1. adnim

          Re: JLV - Smug mode

          I get a lot of emails from addresses I know with attachments or links to somewhere. I can always tell if they are legit. It is obvious that it is a spoofed sender or hacked account email. In fact it is painfully obvious. I don't think I am particularly smart... to be honest I can be pretty stupid. I just know my clients even though I have many of them.

          I sign all my emails with PGP and send all in plain text. I also explain this to my clients and send my public key attached. If they click on a link or open an attachment from an email that looks like it is from me that is not signed... fsck 'em. I can't look after every slow thinker on the planet.

          I also see my received emails in plain text. Who needs HTML email? Ain't that what websites are for?

      2. Rob D.

        Re: Smug mode

        Wisdom is definitely a handy by-product of the grey hair but for the SMB vulnerability being referenced as a possible vector for this to spread, you also need wisdom from everyone else on your network or an IT shop that provides its employees with properly patched/protected systems.

        The diagnostics and analysis on how this thing actually arrived and spread may prove quite entertaining.

        Reserving a little smugness in the belief that the vulnerability is Windows only, but not too much as the NSA et al may yet have the kit to do similar to Linux.

      3. Anonymous Coward

        Re: Smug mode

        Wouldn't agree.

        I had a CFO and CEO, both of whom are sharper than me, persistently arguing with me that the quote for business that they had received from a trading partner with an Outlook-applied signature must be released.

        They expected a lookalike, and didn't let up until I had the make and model of the virus to display to them, and would have attempted forwarding to phones and switching off wifi. Murphy's law.

        The business fashion of being abrupt and minimalist in communication is easy to spoof.

        (And is anyone else horrified by the Microsoft common clipboard proposed between devices in Windows 10 Creator Fall edition?)

      4. Planty Bronze badge

        Re: Smug mode

        Windows defender executes code as part of its scanning. Don't be too smug, you don't need to click anything, you just need to receive it via email.

        Windows is a real life security cesspit.

  4. ShortLegs

    Related?

    It's a huge coincidence that the day the NHS suffers a ransomware attack, so do many other large organisations around the globe.

    I'm willing to punt a pint they are all related attacks. Too much of a coincidence that several unrelated attacks would all be launched on the same day.

  5. JimmyPage Silver badge
    WTF?

    WTF ..., WT actual F ?????

    "As the patch for this vulnerability is recent (March 14th), many enterprises have not applied it and therefore they are at risk," he added.

    March 14th !!!! nearly 8 weeks ago ?!?!?!

    1. Anonymous Coward

      Re: WTF ..., WT actual F ?????

      You've clearly never worked in a company with more employees than would fit in your car.

      1. Richard 12 Silver badge

        Re: WTF ..., WT actual F ?????

        We usually roll them out within a fortnight - the ones we can roll out.

        MS have made it a lot harder of late by putting too much in each basket. I would not be surprised if several of these places could not apply this patch because one of the other things in the same blob broke something important.

        1. TheVogon

          Re: WTF ..., WT actual F ?????

          "I would not be surprised if several of these places could not apply this patch because one of the other things in the same blob broke something important."

          Much more likely it's because the OS version they are using went out of support a decade ago...

          1. John Brown (no body) Silver badge

            Re: WTF ..., WT actual F ?????

            "Much more likely it's because the OS version they are using went out of support a decade ago..."

            Except, of course, in the case of the NHS, that support is still on-going (at a price) as per stories on this very site.

      2. tom dial Silver badge

        Re: WTF ..., WT actual F ?????

        US DoD, for years, has allowed ten days to deploy patches to Category I vulnerabilities, which the vulnerability in question surely is given that it involves remote code execution. It now is 58 days since the patch was made available and 47 days since The Register reported the leak of the EternalBlue tool. We were allowed 60 days, if I remember correctly, for significantly less severe Category II vulnerabilities. Requirements were not always met, but failure carried a requirement for detailed and frequent requirements and the implied threat of suspension of an Authority to Operate for the affected devices.

        1. Charles 9

          Re: WTF ..., WT actual F ?????

          So what happens when a patch for a Cat I vulnerability broke something critical in the process, creating a dilemma because the critical machine was inoperable either way?

          1. Anonymous Coward

            Re: WTF ..., WT actual F ?????

            So you don't patch *every* machine because one has an issue?

            There will be no place soon for the lazy sysadmin...

            1. Danny 14

              Re: WTF ..., WT actual F ?????

              WSUS, then set critical and security to auto-approve. That's about it really.

              1. Anonymous Coward

                Re: WTF ..., WT actual F ?????

                I was caught a few times with WSUS auto-approval on my learning curve with AD servers. Can I suggest having your preparation notes on AD rollback and Microsoft's Lingering Objects Liquidator tool done in advance?

                And when it gets to serious stuff...

                https://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm085281.htm

                the manufacturing devices and systems have to undergo at least system verification before patches go into production.

                So they get their own private offline WSUS / RHN equivalent and VLANs.

                Set the Quality dept vs the Accounts dept and let them yell at each other.

          2. P. Lee

            Re: WTF ..., WT actual F ?????

            >So what happens when a patch for a Cat I vulnerability broke something critical in the process, creating a dilemma because the critical machine was inoperable either way?

            You reduce the attack surface by making sure critical systems are segregated and get extra protection. For example, you don't run web browsers or email clients on critical servers. Maybe you don't map drives to large swathes of critical files, make sure write access is only granted to those who really need it; maybe provide terminal server access for things which are important, so you can control the environment more easily.

            Standard security precautions really. How much have you saved by not hiring a security team? Are you sure you've saved money?

        2. Chairman of the Bored

          Re: WTF ..., WT actual F ?????

          Quite right... 10 days for Cat I. But boy oh boy is the actual implementation completely random! God help you if you are a poor bastard at an ashore installation and get caught with your, er, patches down.

          But then I go shipboard and find unpatched, unsecured, bog-standard Win XP running radars (Northrop Sperry... looking at you) that are actually networked with the ships' nets. So I ask the obvious questions. What it all comes down to is that the more powerful program offices and septic think tanks can get waivers due to a combination of stupidity and raw political clout. Gotta love it!

  6. Tony W

    Antivirus?

    I assume most or all of the infected PCs were running some form of anti-malware, at least MS Security Essentials. Do these things do anything useful?

    1. Anonymous Coward
      Windows

      Re: Antivirus?

      "These things" pay for Microsoft employees and shareholders' mortgages, is that something useful? :)

    2. TRT Silver badge

      Re: Antivirus?

      MS Security Essentials would auto-run certain viral payloads for you, with elevated privileges to boot!

      1. Danny 14

        Re: Antivirus?

        Our Sophos Intercept X hasn't tripped yet.

    3. TheVogon

      Re: Antivirus?

      Did Microsoft security essentials even run on XP?! If it did then updates likely ended a decade ago...

      1. tfewster
        Facepalm

        Re: Antivirus?

        Yes, it ran very nicely on XP - at one time it was the most effective AND least intrusive scanner available.

        From memory, package updates ended about 3 years ago, and virus signature updates about a year* ago.

        * Length of a year may vary, depending on which planet you live on.

    4. Doctor Syntax Silver badge

      Re: Antivirus?

      "Do these things do anything useful?"

      The updates you get today should protect you against stuff that's been known for x* days. That means that some people will be infected in the period between release and the discovery and distribution of the AV update. In the normal state of affairs this will be a small proportion of vulnerable systems. When the virus spreads as rapidly as this, today's updates are already too late.

      *where x is however long it takes for the vendor to confirm reports and put together their update.

  7. clocKwize
    Facepalm

    So, erm, I'm going to say it first... This is why government organisations shouldn't hoard vulnerabilities. They will get leaked and they will get used by others who are less trustworthy (grey area...). If you find a vulnerability and don't want to be a part of breaking the internets, please submit it in private to the vendor.

    1. Charles 9

      But what if they WANT to be part of breaking the Internet...or simply don't care?

    2. GrapeBunch
      Pint

      NSA didn't "hoard" vulnerabilities, it stockpiled, it weaponised, it planned to use them for its own attacks. MS probably knew about the vulns all along, but when news spread about their being imminently released, MS pointedly patched SOME OF its operating systems. So your appeal is definitely aimed at somebody else's choir.

      Here's an IPA for the El Reg reader(s) who pointed out a way to shut down SMB (which I obviously didn't need) a couple of weeks ago, on my two XP systems, as a vaccine for the Doublepulsar vuln. Downvote me for mentioning XP or for mentioning India, or for implicitly criticizing MS; nobody but you will know precisely which.

    3. Alumoi Silver badge

      Less trustworthy? Less???

      Even the Albanian mob is more trustworthy than any government.

  8. mark l 2 Silver badge

    It wouldn't surprise me if some other UK gov organizations also got hit by this. But if it's MOD, GCHQ or Police etc. they won't go public with it.

    1. Christian Berger

      Seriously if they were...

      ... it only goes to show that they are not up to the task of running computers in a security critical environment.

      This worm spreads over SMB, a service you only need on file servers. A service which is known to be one of the most complex file sharing protocols, which is therefore likely to have a significant amount of security critical bugs. This particular bug was found before and apparently even patched already.

      So any organisation can be blamed for 3 main things:

      1. Running Windows

      2. Running Windows with the SMB server enabled on non servers

      3. Not updating Windows quickly after security critical bugs get public

      If they avoided any of those things, they wouldn't have had any problem with this.
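      A defender-side check for points 2 and 3 above, written as an added example for this thread rather than code from the commenter or from any vendor: a PowerShell host audit that reports whether the SMB1 server protocol is enabled, whether the Server service (LanmanServer) is running on a workstation, and whether any hotfix has been installed since the 14 March 2017 patch release date quoted earlier in the thread. It assumes Windows 8 / Server 2012 or later (for the SmbShare cmdlets) and an elevated shell; the hotfix-date check is only a proxy for patch currency, not proof that the specific SMB fix is installed.

```powershell
# Added example (not from the page or any vendor): audit one Windows host for the
# SMB exposure discussed in the thread. Assumes Windows 8 / Server 2012+ and an
# elevated prompt. Reference date is the patch release date quoted in the thread.
$PatchReleaseDate = Get-Date '2017-03-14'

function Get-SmbExposureReport {
    $os = Get-CimInstance Win32_OperatingSystem
    # ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isWorkstation = ($os.ProductType -eq 1)

    $smbConf = Get-SmbServerConfiguration
    $srvSvc  = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
    # Most recently installed hotfix with a usable date (some entries have none)
    $lastFix = Get-HotFix | Where-Object InstalledOn |
               Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSince = if ($lastFix) { (New-TimeSpan -Start $lastFix.InstalledOn -End (Get-Date)).Days } else { $null }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        IsWorkstation       = $isWorkstation
        Smb1ServerEnabled   = $smbConf.EnableSMB1Protocol
        ServerServiceState  = if ($srvSvc) { $srvSvc.Status.ToString() } else { 'NotInstalled' }
        LastHotFixId        = if ($lastFix) { $lastFix.HotFixID } else { 'None' }
        LastHotFixDate      = if ($lastFix) { $lastFix.InstalledOn } else { $null }
        DaysSinceLastHotFix = $daysSince
        # Proxy only: a hotfix after the release date does not prove the SMB fix itself is present
        PatchedSinceMarch14 = [bool]($lastFix -and $lastFix.InstalledOn -ge $PatchReleaseDate)
    }
}

function Test-SmbExposure {
    param([Parameter(Mandatory)] $Report)
    $findings = @()
    if ($Report.Smb1ServerEnabled) {
        $findings += 'SMB1 server protocol enabled: disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
    }
    if ($Report.IsWorkstation -and $Report.ServerServiceState -eq 'Running') {
        $findings += 'Server service running on a workstation: stop/disable it, or block inbound TCP 445 with New-NetFirewallRule'
    }
    if (-not $Report.PatchedSinceMarch14) {
        $findings += 'No hotfix installed since the 14 March 2017 release: check Windows Update / WSUS status on this host'
    }
    return $findings
}

$report   = Get-SmbExposureReport
$findings = @(Test-SmbExposure -Report $report)
$report | Format-List
if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```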

      1. John Brown (no body) Silver badge

        Re: Seriously if they were...

        "This particular bug was found before and apparently even patched already."

        And considering it came to light in the NSA toolkit leak, it's been around for a long time and US officialdom, at least in the NSA, was aware of the potential but did nothing about it. I wonder if any affected US orgs will try suing the agency whose role includes protecting the US for knowingly failing to do their job? Likewise, allies of the US are not likely to be happy that they didn't share this info sooner.

  9. Dodgy Geezer Silver badge

    People who have been in the Malicious Software field for as long as I have will remember the Aids Information Floppy disk (5 1/4"!) of 1989. That was an early ransomware hit, and the fact that it was presented as a quasi-medical service ensured a wide copy across the UK medical services.

    People in technical specialisms are often very unthinking about security when communicating with their colleagues...

  10. Anonymous Coward

    Cost (not just of cleanup)?

    Which stovepipe's budget is going to be picking up the cost of cancelled appointments, wasted time, etc?

    Will it be the IT directors, IT departments and their suppliers?

    If not, why not? Who else is responsible?

    Surely there's an SLA in this picture? Nothing can go wrong if there's an SLA, can it?

    Where there's a claim there's a blame...

    1. Anonymous Coward

      Re: Cost (not just of cleanup)?

      When you leave school/college/uni you'll find in business, finances are finite. So the Head of IT/Director has to go cap in hand to some idiot bean counter [FD/CFO] who sees IT as a cost and not as an integral part of the business - to simplify it for you, accountants see IT like plumbing, not a shiny store front.

      Add to that it's the NHS, where, you know, things are a little 'tight'... And we'll cancel your Granny's hip replacement and a few dozen heart transplants because something 'might' happen?

      Getting the picture yet?

      Yes, there's probably some bad network designs out there, and less than perfectly configured PCs/servers, often for some long forgotten historical reason, i.e. PoS software/hardware. But your post shows an infantile understanding of both business and the complexity and scale of NHS IT.

      /rant

      1. Anonymous Coward

        Re: Cost (not just of cleanup)?

        If budgets are that tight then they are not running shiny new Windows and apps, so then what does old Windows offer that you couldn't get more securely from a Linux distro and those available apps? In fact, if money is that tight then Linux and those apps should be used. Certainly changes would be required, but TCO would be significantly lower over time. Maybe the NHS could throw a few million per annum at Debian or other to help ensure updates and new dev continue. Honest to F&%# it's not that difficult. Although the cash packets and jobs would stop flowing to the purchasers/decision makers, so won't ever happen.
