New cyber attack is a ransomware worm


    #122299

    Details are still sketchy as to the nature of today’s cyber attack, but it is a ransomware worm from details currently available. However, what its actu[See the full post at: New cyber attack is a ransomware worm]

    Link to Code Red topic: Variant of Petya ransomware is spreading fast

    4 users thanked author for this post.
    #122314

      Been following this all morning.  One of the better ongoing discovery discussions is at https://community.spiceworks.com/topic/2010736-petya-ransomware-discussion-thread

      We “think” that an initial attack vector is via a link in a phishing email that lands your browser on a malware drop page.  There may be malware attachments involved. Like WannaCry — no one seems to be able to really confirm.

      We know that once a machine on a LAN gets infected, there appear to be multiple paths to spreading with the goal being your org's servers.  Vectors include the EternalBlue vuln, plus (maybe) another SMBv1 bug that was patched in May, plus the use of WMIC and/or PSEXEC with admin credential hashes mined from a workstation's stored hash table.

      More info about these vectors:

      https://notawfulsecurity.blogspot.ca/2017/06/petya-good-practices-final-exam.html


      ~ Group "Weekend" ~

      5 users thanked author for this post.
    #122329

      Someone found a killswitch at the local machine level.  Found several other sources on Twitter that confirmed it blocks the WMIC vector (but not other vectors – and this thing can travel by one of a few roads.)

      *********** KILLSWITCH // PARTIAL? GOT PROOF – EMAIL!
      Local kill switch – create file “C:\Windows\perfc” (no file extension)
      It kills WMI vector. Still need to patch MS17-010 for full protection.

      https://mobile.twitter.com/hackerfantastic/status/879806667197644800

      The name of the extension-less file may need to be altered if you find a variant.

      If you get hit, DO NOT ALLOW A REBOOT.  Power down the machine and attempt file recovery on the hard drive from a PE disk or dock the hard drive on another machine in passive mode.  (make sure autoplay is turned off on the other machine!)

      ~ Group "Weekend" ~

      1 user thanked author for this post.
      #122330

        Disabling execution of “perfc.dat” was in the Kaspersky tweet (in the blogpost).

        Further to @netdef saying not to reboot if hit, pulling out the ethernet cable/disabling wifi connection might also help to prevent the infection spreading to other machines on your network – if done soon enough (due to the worm aspect).

        2 users thanked author for this post.
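      The local kill switch described in the two posts above (an extension-less `perfc` file in the Windows directory, with `perfc.dat` also named in the Kaspersky tweet), written up as an added PowerShell example; this is not code from the thread or from any of the linked sources. It assumes an elevated prompt, that both file names from the posts are worth creating (the posts note the name may differ for other variants), and it finishes with a check of SMBv1 state using the built-in `Get-SmbServerConfiguration` cmdlet, because the posts stress that the kill switch does nothing for the MS17-010 vector.

```powershell
# Added example, not from the thread: create the kill-switch files the posts describe,
# mark them read-only, and report whether SMBv1 is still enabled on this host.
# Run from an elevated PowerShell prompt.

# File names quoted in the thread; assumption: creating both is harmless and covers
# the two names mentioned. The posts warn the name may change for other variants.
$names  = @('perfc', 'perfc.dat')
$windir = $env:SystemRoot

foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # Empty file, no extension on the first one, exactly as the post describes
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    # Read-only so an unprivileged process cannot trivially overwrite or delete it
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    $ro = (Get-Item -LiteralPath $path).IsReadOnly
    Write-Host "Kill-switch file present: $path (ReadOnly=$ro)"
}

# The kill switch only blocks the WMI/WMIC path; the SMB (MS17-010) path still needs
# the patch. Report SMBv1 state so the admin knows whether that exposure remains.
try {
    $smb = Get-SmbServerConfiguration -ErrorAction Stop
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 is enabled on this host. Confirm MS17-010 is installed and consider disabling SMBv1."
    } else {
        Write-Host "SMBv1 server protocol is disabled on this host."
    }
} catch {
    # Get-SmbServerConfiguration is absent on older Windows versions
    Write-Warning "Get-SmbServerConfiguration not available on this OS; verify MS17-010 status manually."
}
```

      Treat the file creation as a stop-gap for the WMIC path only, as the posts say; the SMBv1 report at the end is there so the script does not give a false sense of coverage on the EternalBlue path.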
    #122369

      What is the lesser of the two alternatives?  Don’t download MS Updates (MS-DEFCOM1) or run the risk of Ransomware????
