# WannaCry Didn’t Start with Phishing Attacks, Says Malwarebytes

Discussion in 'malware problems & news' started by itman, May 22, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    https://www.infosecurity-magazine.com/news/wannacry-didnt-start-with-phishing/
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Then I have learned an important lesson. To not believe at all the reports, analysis and investigations during the first 15 or 30 days when an important and massive malware campaign is discovered.
     
  3. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    I take all the investigation/reports from AV and other security tool vendors with a pinch of salt. Kaspersky weighing in with figures on what flavours of Windows were hit etc. Think I'll wait for a bona fide report/overview from sources without a sales interest.
     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    If those networks really have public facing SMB ports open, then WannaCry is not their biggest problem.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I believe the Malwarebytes assumption that WannaCry was spread via open public facing SMB ports a "bit of a stretch" as I posted in another thread.

    I find it a bit hard to accept that commercial concerns would have had those ports open to Internet access. Even the Win firewall, if used on client devices, blocks edge traversal on those ports. I am also of the belief that the entry point for the malware was at the server level and that it exploited some unknown and yet to be determined vulnerability there to gain access to the network and deploy the NSA exploits.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Think I might be on to something.

    Below is a screen shot of the Win firewall inbound port 445 rule for the domain profile:

    SMB-In-Domain.png

    Below is the same rule for the private profile:

    SMB-In-Private.png

    The Win firewall rule for the domain profile is in stark contrast to third party AV firewalls that specifically restrict inbound port 445 traffic to the local trusted subnet if file and printer sharing is enabled regardless of whether a domain is involved or not.

    So it appears to me that the Win firewall as far as inbound port 445 traffic goes for the domain profile relies entirely on the network perimeter firewall device to block inbound port 445 traffic.
     
    Last edited: May 22, 2017
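The profile-dependent scope of the inbound port 445 rule described above can be checked from PowerShell rather than by reading the firewall GUI. The script below is an added example, not something posted in this thread or shipped by any vendor; it assumes an elevated session with the NetSecurity module (Windows 8 / Server 2012 or later) and the stock display name "File and Printer Sharing (SMB-In)" that Windows gives its built-in SMB rules. It reports, for each matching rule, which profiles it applies to and which remote addresses it accepts, and only when run with -Remediate does it narrow an "Any"-scoped allow rule to the local subnet.

```powershell
# Added example (not from the thread): audit the built-in inbound SMB rules per
# firewall profile and, optionally, scope them to the local subnet.
# Assumes an elevated PowerShell session with the NetSecurity module and the
# stock rule display name Windows ships. Rules pushed by Group Policy will show
# the same scope but must be changed in the GPO, not on the host.

[CmdletBinding()]
param(
    [switch]$Remediate   # only change rules when explicitly asked
)

$rules = Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction Stop

foreach ($rule in $rules) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter

    # Summarise the rule: profile(s), state, port and remote-address scope.
    [PSCustomObject]@{
        Name          = $rule.Name
        Profile       = $rule.Profile
        Enabled       = $rule.Enabled
        Action        = $rule.Action
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    } | Format-List

    # An enabled Allow rule for TCP 445 whose remote scope is "Any" relies
    # entirely on the perimeter device to keep Internet hosts off port 445.
    $wideOpen = ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Allow') -and
                ($port.LocalPort -contains '445') -and ($addr.RemoteAddress -eq 'Any')

    if ($wideOpen) {
        Write-Warning "$($rule.Name) [$($rule.Profile)] allows TCP 445 from any remote address."
        if ($Remediate) {
            # Restrict to the local subnet, the behaviour the thread attributes
            # to third-party firewalls regardless of profile.
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress LocalSubnet
            Write-Output "Restricted $($rule.Name) to LocalSubnet."
        }
    }
}
```

Run it without arguments first to see the per-profile scope; the Domain-profile rule is the one most likely to report "Any". On a domain-joined machine whose firewall is managed by Group Policy, -Remediate will not stick, and the same LocalSubnet scope has to be set in the policy that delivers the rule.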
  7. mWave

    mWave Guest

  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also if anyone hasn't read this thread: https://www.scmagazine.com/forgotte...-infect-systems-with-wannacry/article/663435/ , please do. Notably the following excerpt. It explains how WannaCry could enter the server undetected:
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also from the Trend Micro analysis is this:
    As far as MS08-067 goes:
    Connecting the dots, this explains how Win XP devices ended up with WannaCry's ransomware malware without being susceptible to the SMBv1 EternalBlue NSA exploit. Appears the 1500 out of 6500 Win XP boxes used by the NHS had not had the MS08-067 patch deployed. Additionally, it appears the patch had not been applied to its Windows Server 2003 and/or Windows Server 2008 boxes.
     