Many firms hit by global cyber-attacks

There is only one actor that has the means and the motive. Anyone who cant figure this out has a below average IQ.

 

You restore my faith in people. Anyone who thinks that this attack was done by some criminal gang to harvest a couple of bucks is sadly mistaken; although it must be nice to be so innocent.

 

I took the red pill.

 

Appears no one yet has figured this one out.

All that was needed was one unpatched device on the network. This would be more common than thought since large corps. have thousands of PCs and it is entirely likely that one in some remote unused location or the like was overlooked.

The patch protects against the EternalBlue backdoor from being installed preventing any other subsequent malicious activities. The patch does not prevent an internal worm from spreading within the network. Now if the infected corps. had removed SMBv1 from every network device that would have stopped the worm from spreading. This is no small feat on a large corp. network since SMBv1 has to be manually disabled on pre-Win 8 endpoints and Win 2012 R2 servers.

The worm also could have been stopped if all endpoints had Eset, Kaspersky, etc. installed which have IDS network protection and would have blocked the worm via CVE detection or disabling SMB access to admin shares.

 

Some additional details on this attack:

https://threatpost.com/complex-petya-like-ransomware-outbreak-worse-than-wannacry/126561/

Also this attack was mutli-vectored. In addition to the way deployed in the Ukraine are:

http://www.darkreading.com/attacks-...ustrial-sector-thousands-more/d/d-id/1329231?

 

BBC is reporting that this attack is nothing to do with unpatched networks and all to do with a compromised update of a Ukrainian software program. So much for automatic updates!

http://www.bbc.com/news/technology-40428967

 

"...Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process..."

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?cn=cmV0d2VldA==

Maybe they will gather more evidence but as of now it can not be accurately stated that the updater was the sole initial means of attack.

 

"...What security experts aren't yet able to explain is how organizations outside of Ukraine, such as major U.S. pharmaceutical Merck and law firm DLA Piper, became infected, given the unlikelihood they used MeDoc or came into close contact with those who did. The malware does contain some powerful techniques to spread between PCs running on the same network (including the same leaked NSA tool, EternalBlue, used by WannaCry), but it's unclear why western European, U.S. or Russian organizations would be close enough to Ukrainian systems to become infected..."


https://www.forbes.com/sites/thomas...-blamed-for-ransomware-outbreak/#49044b1b73c8


Edit:

NB: The multinational Merck does have an office in The Ukraine.

http://www.msd.com/contact/contacts.html

oOps: DLA Piper also has an office in the Ukraine.

https://www.dlapiper.com/en/us/

hawki concedes

Job Listings: Forbes

Senior Research Analyst

Must be proficient in using Google;
able to type one word/minute on a blank line in the Google Search Engine
Spelling accuracy not required

 

And so how this this attack effect power grids if it was aimed at health software?

 

EDit: hawki? you beat me to the post. Are you reading my mind?

 

Is not be the sam e MeDoc. There is an Israeli Company (Medoc) that makes electical pain reducing devices.

http://medoc-web.com/

The Ukranian MeDoc does Tax Software Systems.

 

So why were two
hospitals in the US hit?

 

"'How to Switch a Country Off': Wired's New Cyberattack Cover Is Scary-Perfectly Timed..."

http://adage.com/article/media/wired-magazine-cyberattack-cover-story-is-perfectly-timed/309609/

 

"Hackers have made just 3.7 bitcoin - or less than $10,000..."

http://video.cnbc.com/gallery/?video=3000631564

Yeah I know that Posteco shut the mailbox (for notifications from victims that they had directed bitcoins to their designated wallet), but if they were sophisticated enough to pull off this attack and cared about the money, surely they would not have set up such a vulnerable payment/notification scheme.

A similar point can be made about the vaccine. The hackers must have known that their attack could be shut down so simply, indicating again that this attack was merely a test or message, or was directed at The Ukraine and was intended that it would be shut down before it spread much further than there. Further indication of the latter is that the attack was timed to coincide with the onset of the Ukranian Constitution Day Holiday. For max impact the culprits would not have timed it for the actual day of the Holiday, which is today - 6/28. The day before gives maximum effect.

 

Hum .......... Did you read my reply #80 posting?

My current take is the corps. affected not only overlooked some long forgotten basement resident server, but did the following. Many ran around "like chickens with the heads cut off" patching any Internet facing server. They assumed that this would "buy them time" to patch the rest of their internal facing only devices. Or, God forbid, they naively assumed that their internal facing devices were not vulnerable to the worm malware portion of the WannaCry attack. In either case, a very bad assumption.

As far as the way the current attack is being deployed, it is by any method malware can be deployed. Obviously hijacking legit software as done in the Ukraine is the ideal deployment but only one of many, many ways.

 

Those machines are toast aren't they unless they either have good ready backup images or some other return duplicates?

And it's for sure they dare not go back online unpatched again but many likely will.

 

https://blogs.technet.microsoft.com...-old-techniques-petya-adds-worm-capabilities/

According to MS it doesn't need the SMB/Eternal blue/Eternal romance vulnerabilty. It has several ways of spreading through networks SMB is just one of them.
Just as a side note I thought this was interesting, from the article,

That is very detailed telemetry which version of Windows was providing them with that?

 

Kaspersky also used it's telemetry to notice 2000 infected machines.
Post #53

 

Thanks for the reference. Clear cut and dried explanation.

The lsadump part particularly so concerning network credentials.

 

Keep ALL important data offline in the form of paper records. And make sure your Windows is fully patched and up to date.

 

If malware gains admin privilege, it can do anything to a compromised system and spread itself. AV and AM is of no use countering malware running with admin privilege. Its a big loophole.

 

"New Peyta Distribution Vectors Bubbling to Surface

While Microsoft and others continue to shore up links between yesterday’s global ransomware outbreak and the update mechanism for Ukrainian financial software provider MEDoc, others are finding even more distribution vectors used by the malware..."

https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/