• EternalRocks SMB Worm Uses Seven NSA Hacking Tools


    #116686

    From https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/:

    “Researchers have detected a new worm that is spreading via SMB, but unlike the worm component of the WannaCry ransomware, this one is using seven NSA tools instead of two.

    The worm’s existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws.”

    • #116695

      Stealth Backdoor Abused NSA Exploit Before WannaCrypt

      By Ionut Arghire | May 19, 2017

      In the aftermath the WannaCry ransomware outbreak, security researchers discovered numerous attacks that have been abusing the same EternalBlue exploit for malware delivery over the past several weeks.

      Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

      The fast spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families have been using it for infection long before the ransomware started using it. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

      Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

      Read the full article on securityweek.com

      • #117010

        From the bleepingcomputer post @MrBrian quoted in the top post:

        As a worm, EternalRocks is far less dangerous than WannaCry’s worm component, as it currently does not deliver any malicious content. This, however, does not mean that EternalRocks is less complex.

    • #116723

      As the exploit “is spreading via SMB”, does that imply that disabling the Windows SMB1 feature as recommended by Microsoft provides adequate protection?

      “Arvy”

      • #117017

        There are two more versions of SMB: SMB2 and SMB3. The known SMB vulnerabilities have been fixed already but disabling SMB1 provides protection against currently unknown or future SMB1 vulnerabilities before Microsoft fixes them.

    • #116959

      Is my understanding correct that we’re also protected from this nasty if we’ve installed the March patch that protects us from WannaCry? Thanks.

      Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

      • #117006

        Information is still a little hazy on this, but at this stage it seems the SMB issue and Port 445 are important to address, as well as patching.

        This post about NCSC guidance might help.

      • #117007

        The answer is NO, but it is better to be patched than not. The Shadow Brokers and their many customers have mixed motives.

        Security researchers have identified multiple different campaigns exploiting Windows SMB vulnerability. Some were in play before WannaCry was discovered. Security labs (and Microsoft) have analysed some of them but the problem is that there is a lot more coming and sometimes these malicious activities go unnoticed for weeks.

        The scumbags who released two of the earlier versions before WannaCry was discovered, used different attack vectors and set it up to inject a stealthy thread inside legitimate applications. In other words, a backdoor. These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch.

        We are definitely in Code Red – RIGHT NOW. The advice I would give to a Windows Home user: stay vigilant.

        • #117085

          I agree. The March update alone is not enough. The May update must also be installed since it addresses additional SMB vulnerabilities.

      • #117014

        I believe so, if you had updated soon enough – see Protecting customers and evaluating risk.

        The May 2017 Microsoft updates also fixed various SMB vulnerabilities, including 4 remote code execution vulnerabilities that Microsoft rates as “Exploitation Less Likely.” See http://blog.talosintelligence.com/2017/05/ms-tuesday.html for more details.

    • #116974

      I said this a few days ago, repeating it here.

      I highly recommend you install the May 2017 SMB patch as soon as possible, or, if your organization can deal with the repercussions to certain commercial productivity software — disable SMB 1.x immediately.

      CVE-2017-0279 | Windows SMB Remote Code Execution Vulnerability
      Security Vulnerability
      Published: 05/09/2017 | Last Updated: May 11, 2017

      A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.

      To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

      The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.


      Good luck!  My team is prepared, I think – but we are bracing for a major storm the rest of May.

      ~ Group "Weekend" ~

      • #117008

        Is there any evidence of exploits for the SMB vulnerabilities that were fixed in May 2017?

      • #117042

        As a home user if you are not using a home server and such things, would disabling all SMB protocols be prudent?

        • #117236

          I’m curious to know that too

          • #117247

            I will disable the other Server Message Block protocol versions on other machines without waiting anymore time for an answer.

            • #117372

              Just remember that you’ve done so when you expect your Windows system to network with other systems in your local area network.

              -Noel

            • #117504

              There are 2 traditional components to Windows Networking:

              – Client for Microsoft Networks – this is the Workstation service or LanmanWorkstation – you do not tamper with this one
              – File and Printer Sharing for Microsoft Networks – this is the Server service or LanmanServer – this implements SMB and in general the server functionality.

              The Server service is not mandatory for regular client PCs, but I don’t know if uninstalling this service causes any problems with the current operating systems. This is the type of tweak done by people like Noel who is locking down his system to the extreme. I am not doing it.
              This service implements SMB1, and if available SMB2 and SMB3.

              Accessing a File Server or a Print Server does not require the Server service (it requires the Workstation service, which is the client), but having a File Server or Print Server does require the Server service for obvious reasons.

            • #117527

              This is the type of tweak done by people like Noel who is locking down his system to the extreme. I am not doing it.

              To be clear, I have removed SMB1 support, but I still run Server on all my systems. I need to be able to move files around freely between systems.

              I rely on my router to prevent incoming connections from the wild internet to Windows Networking, and my firewall configuration to prevent both incoming and outgoing ones that haven’t been pre-approved (e.g., from beyond my LAN).

              Frankly, if you’re NOT using Windows Networking to access files between computers, you should be able to go into the Network and Sharing Center > Advanced sharing settings and just disable file and printer sharing. I don’t think I’ve ever run a Windows system that way, since I always use a LAN, so I can’t speak from personal experience but the settings are there.

              [Screenshot: ScreenGrab_NoelC4_2017_05_22_053310]

              -Noel

            • #117797

              About two months ago you had posted a screenshot of your turning off the SMB 1.0/CIFS component; another Anonymous AskWoody poster revealed the PowerShell command for turning off access to the SMB 1.0 protocol. Thank you both for those tips, I have acted on the advisement to do so for all machines.

              Microsoft made a change for the worse by aggregating some settings under ‘All Networks’ instead of leaving them be per network type.

              I asked whether turning off all SMB versions was a good idea because I’ve read some conflicting information, and the unknown future.

            • #117821

              It was only an example, I had no idea what your implementation was in this case. 🙂
              I disabled SMB1 when all this started but not the Server service.

            • #117806

              Thank you for elaborating which services are dedicated for the tasks, I’m also not going to turn those off or try to uninstall them myself unless there was a cause for such action. I’ll just undo the SMB 2.0/3.x PowerShell tweak. Maybe Microsoft could separate the toggling of SMB 2.0/3.x but it might be a serious pain…
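
Added example (not posted by anyone in this thread): a PowerShell audit-and-disable script that does what the posts above describe, turning off SMBv1 only while leaving SMBv2/v3 and the Server (LanmanServer) and Workstation (LanmanWorkstation) services alone. It assumes an elevated PowerShell on Windows 8.1/10 or Server 2012 R2 and later, where the SmbShare and DISM cmdlets exist; Windows 7 uses the registry method from KB2696547 instead.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: report SMB state, then disable SMBv1 only.

function Get-SmbState {
    # Server-side protocol switches (one switch covers SMBv2 and SMBv3 together)
    $cfg = Get-SmbServerConfiguration
    # The optional component behind the "SMB 1.0/CIFS File Sharing Support" checkbox
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SMB1ServerEnabled  = $cfg.EnableSMB1Protocol
        SMB2And3Enabled    = $cfg.EnableSMB2Protocol
        SMB1FeatureState   = if ($feature) { $feature.State } else { 'n/a' }
        ServerService      = (Get-Service LanmanServer).Status       # File and Printer Sharing
        WorkstationService = (Get-Service LanmanWorkstation).Status  # Client for Microsoft Networks
    }
}

function Disable-Smb1Only {
    # Turn SMBv1 off, and make sure SMBv2/v3 stay on so LAN file sharing keeps working
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Set-SmbServerConfiguration -EnableSMB2Protocol $true  -Force
    # Remove the SMBv1 component itself (needs a reboot to take full effect)
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

'Before:'; Get-SmbState | Format-List
Disable-Smb1Only
'After:';  Get-SmbState | Format-List
```

After a reboot, SMB1ServerEnabled should read False and SMB2And3Enabled True, with both services still Running, which is the end state the posts above recommend.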

            • #117494

              From what I have read you shouldn’t disable SMB2 or SMB3, only SMB1, which also appears to be what is used by ransomware. Re-enabling 2 and 3 would be my suggestion. (Unable to install the patch anyway, disabled SMB1, seems to be all ok). Keep AV and anti-malware up to date. Symptomatic of WU and will be the problem now for Group A. Remove all important files to an external hard drive, disconnect when browsing. Pointless panicking, do what you can.

            • #117798

              Okay, thank you Anonymous.

        • #117859
          • #117891

            Thank you MrBrian & Kirsty, I have the url saved in case it is needed for other reasons. 🙂

    • #117090

      Is there any evidence of exploits for the SMB vulnerabilities that were fixed in May 2017?

      My guess is that we will all know in less than 10 days since I think that cyber-criminals will act swiftly to take advantage of these other NSA exploits.

    • #117195

      Due to the fact that,
      1.) New exploits are now in the wild as noted above
      2.) My employer pushed the May “Group B” updates to my computer at work at least a week ago
      3.) I’m already in what I call “Group A#” (A-sharp, i.e. telemetry disabled) at home

      I went ahead and installed the following updates:

      KB4019112 – Security and Quality Rollup for the .NET Framework for Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1: May 9, 2017 – https://support.microsoft.com/en-us/help/4019112/
      KB4019264 – 2017-05 Monthly Rollup – https://support.microsoft.com/en-us/help/4019264/

      No issues detected so far.

    • #117557
      • #117565

        Looks good for folks connected to an update server….

      • #117808

        Microsoft have updated KB2696547:

        How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
        Article ID: 2696547 – Last Review: May 23, 2017 – Revision: 35
