Ransomware has reached a new dimension. With NSA backdoors pre-installed in a lot of software and hardware (see the Intel AMT/ME disaster) and the NSA's own exploits now leaked, attackers are actively looking for and exploiting these holes to make a profit. Millions of € and $ are earned with ransomware, probably the most profitable way to use an exploit. That money is, of course, reinvested into finding further security holes, making it a true cat-and-mouse game between attackers and the people who have to protect data.

Even Cisco (!!!) routers contain NSA backdoors that can just as well be used by ordinary attackers.

MS17-010: Security Update for Microsoft Windows SMB Server (March 2017)

From the bulletin: „could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.“

Win XP patched to avert new outbreaks spawned by NSA-leaking Shadow Brokers

Download the patch for Windows XP:

EN:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=3205

DE:

https://www.microsoft.com/de-de/download/confirmation.aspx?id=3205

Company warns of “destructive cyberattacks” as it tries to prevent another WCry.

https://arstechnica.com/security/2017/06/win-xp-patched-to-avert-new-outbreaks-spawned-by-nsa-leaking-shadow-brokers/

https://arstechnica.com/security/2017/05/wcry-is-so-mean-microsoft-issues-patch-for-3-unsupported-windows-versions/

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/


sophos podcast:

What it means for the IT crowd:

updates updates updates! 😀

This means a lot of work for administrators…

snapshot – update – test…

http://www.chip.de/downloads/CHIP-Windows-7-Update-Pack-32-Bit_69083747.html

Security Security Security

Administrators will have to ramp up security massively and constantly. Unfortunately a lot of companies prefer to learn from their own mistakes before investing more money in cyber security.

Have anti-virus software installed on every client.

Also: separate internet usage (www, mail) from your business networks as much as possible. Allow LAN clients, by firewall, to contact only the specific servers needed for online updates, and nothing else. Inbound SMB (TCP 445), the service MS17-010 patches, has no business crossing a network border at all.

What you can and should do:

Short answer: Unix-like operating systems such as macOS, FreeBSD and others are not vulnerable to the flaw. However, take care if you run Samba on a Linux or Unix-like system: the Samba server itself is not exploited by EternalBlue, but files on any share that an infected Windows client can write to can still be encrypted, and there is no reason to keep offering the legacy protocol. Make sure you disable SMB version 1 on Windows clients.

Fig.01: Disable SMB v1.0 on MS-Windows

Long answer: WannaCrypt/WannaCry targets the Microsoft Windows operating system. The attack was reported to arrive via phishing e-mails, but it spreads on its own using the EternalBlue exploit and the DoublePulsar backdoor developed by the U.S. National Security Agency (NSA). If you are running older, unsupported operating systems such as Windows XP and Windows Server 2003 without the out-of-band patch, you will get infected: all of your files are encrypted, and to get them back you are asked to pay a ransom in the cryptocurrency Bitcoin. Microsoft has released software updates for Windows XP and Windows Server 2003. Apply those patches ASAP. In short, Linux users are not affected by this attack.
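The screenshot above shows the GUI way of switching SMBv1 off. The following script is an added example (not code from the original post or from Microsoft) that does the same from an elevated PowerShell on a Windows client or server, covers both the server and the client side of SMB1, and checks whether one of the MS17-010 packages is installed. The KB list is an assumption: it contains only the packages I know for Windows 7/2008 R2 (KB4012212 security-only, KB4012215 monthly rollup) and the out-of-band update for XP/2003/Vista/2008/8 (KB4012598); complete it from the bulletin for the editions you run.

```powershell
# Added example, not from the original post or from Microsoft.
# Run as Administrator. A reboot is required for the SMB1 changes to take effect.

# MS17-010 package IDs for a few editions (assumption: complete from the bulletin for your OS).
$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012598')

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates; any MS17-010 package in the list counts.
    $hits = Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$hits
}

function Get-Smb1Status {
    # Server side: the SMB1 server switch (Win8/2012+ cmdlet, registry on Win7/2008 R2).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $serverOn = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $reg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        # Missing value means the default, i.e. SMB1 enabled.
        $serverOn = ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
    }
    # Client side: the SMB1 mini-redirector service (mrxsmb10).
    $clientSvc = Get-Service mrxsmb10 -ErrorAction SilentlyContinue
    $clientOn  = ($null -ne $clientSvc) -and ($clientSvc.StartType -ne 'Disabled')

    [pscustomobject]@{
        Smb1ServerEnabled = $serverOn
        Smb1ClientEnabled = $clientOn
        Ms17010Installed  = Test-Ms17010Installed
    }
}

function Disable-Smb1 {
    # Server side.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2: registry switch documented in KB2696547.
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0 -Force
    }

    # Client side (all versions): remove mrxsmb10 from the workstation service's
    # dependencies and disable it, so this host no longer speaks SMB1 to others.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Windows 8.1 / 10: remove the optional feature entirely (silently skipped where absent).
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
                                       -ErrorAction SilentlyContinue | Out-Null
    }
}

# Usage: look before and after, then reboot.
Get-Smb1Status
Disable-Smb1
Get-Smb1Status
```

If `Ms17010Installed` comes back `False` on a supported system, patch first and disable SMB1 second; an unpatched host with SMB1 still listening is exactly what the worm scans for. Disabling SMB1 breaks access to very old devices (Windows XP file shares, some printers and NAS boxes), so test on one client before rolling it out. On a Samba server the equivalent is `server min protocol = SMB2` (older releases: `min protocol`) in the `[global]` section of smb.conf, checked with `testparm`.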

How to protect yourself from ransomware attacks

I recommend that everyone do the following, regardless of operating system:

  1. Back up all your files and data regularly. Ideally keep three copies on two different media, with one copy offline at all times (the 3-2-1 rule).
  2. Patch your system, including BIOS and device drivers.
  3. Turn on automatic updates.
  4. Do not use outdated and unsupported software.
  5. Turn on the firewall on both your router and your computer.
  6. Turn on anti-virus software on Windows.
  7. All Windows XP users should upgrade to the latest version of Microsoft Windows, such as Windows 10. All Windows Server 2003 users should upgrade to the latest version of Windows Server.
  8. Avoid using pirated software.
  9. See the Decent Security website; it has a guide that non-techies can reasonably understand and follow.

https://www.cyberciti.biz/security/is-my-linux-server-or-desktop-affected-by-wannacrypt-ransomware/#comments

In addition:

  1. Internet clients should NOT be physically connected to the LAN, but to a WiFi AP in a demilitarized zone (between the internet DSL router and your firewall, with all access to your LAN blocked). Use NoScript!
  2. LAN clients should not work with Administrator accounts (which would allow them to install software; unfortunately/luckily portable Firefox runs without Administrator rights!).
  3. LAN clients should NOT use www or mail and should only have access to certain servers (Microsoft Update and other update servers).
  4. LAN clients should NOT be able to bring USB sticks from home and plug them in at work (disable USB).
  5. Use OpenDNS as the DNS servers on all your DHCP servers (a Fritzbox can do it).
  6. NoJS: I think it is highly critical if internet and JavaScript usage is allowed inside a company LAN.
    1. Hence business websites that COMPLETELY rely on JavaScript are a NO-GO.
    2. If you are a firewall vendor, a JavaScript-only website puts at risk the very customers you are supposed to protect.
  7. Always a good idea if possible: separate programs (C:) from data (D:) and have regular backups of at least the data (not every program can be separated). Actually ONLY the data is supposed to change during normal operation.
  8. IMHO also a good idea, but it increases the time and cost of updates: lock C: against changes 😀. This can be done in software with http://www.dr-kaiser.de/ (which can also block access to the internet, USB and DVD/CD).
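Point 3 above and the firewall advice earlier on this page (LAN clients may only reach update servers, nothing else) can be enforced on the client itself with the built-in Windows Firewall, so the rule still holds if someone moves the machine to another switch port. The script below is an added example, not code from the original post; the WSUS and DNS addresses and the WSUS ports are placeholders for your own environment (assumptions), and the DNS rule assumes an internal forwarder that in turn uses OpenDNS, as in point 5.

```powershell
# Added example, not from the original post. Run as Administrator on a test client first:
# a default-deny outbound policy with a wrong address list cuts the machine off completely.

$WsusServer  = '10.0.0.10'   # assumed: internal WSUS server
$WsusPorts   = @(8530, 8531) # assumed: WSUS HTTP/HTTPS ports
$InternalDns = '10.0.0.53'   # assumed: internal DNS forwarder (pointing at OpenDNS)
$RulePrefix  = 'LAN lockdown: '

function Set-LanClientLockdown {
    # 1. No inbound SMB at all: TCP 445/139 is what the SMBv1 exploit needs to reach.
    New-NetFirewallRule -DisplayName "${RulePrefix}block inbound SMB" -Direction Inbound `
        -Protocol TCP -LocalPort 445,139 -Action Block -Profile Any | Out-Null

    # 2. Outbound allow-list: only the update server and the internal DNS forwarder.
    New-NetFirewallRule -DisplayName "${RulePrefix}allow WSUS" -Direction Outbound `
        -Protocol TCP -RemoteAddress $WsusServer -RemotePort $WsusPorts -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "${RulePrefix}allow DNS" -Direction Outbound `
        -Protocol UDP -RemoteAddress $InternalDns -RemotePort 53 -Action Allow | Out-Null

    # 3. Everything else outbound is dropped: no www, no mail, and no call-home
    #    from a client that got infected anyway.
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Block
}

function Remove-LanClientLockdown {
    # Roll back: drop our rules and restore the default outbound-allow behaviour.
    Get-NetFirewallRule | Where-Object { $_.DisplayName -like "${RulePrefix}*" } | Remove-NetFirewallRule
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
}

function Test-LanClientLockdown {
    # Verify the result: the update server must be reachable, an arbitrary web server must not.
    [pscustomobject]@{
        Profiles   = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
        WsusOk     = (Test-NetConnection -ComputerName $WsusServer -Port $WsusPorts[0] -WarningAction SilentlyContinue).TcpTestSucceeded
        WebBlocked = -not (Test-NetConnection -ComputerName 'example.com' -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    }
}

# Usage:
Set-LanClientLockdown
Test-LanClientLockdown
```

`WsusOk` should be `True` and `WebBlocked` `True`; anything else means the address list is incomplete. Domain-joined clients additionally need rules for their domain controllers (Kerberos, LDAP, SMB to SYSVOL), and those are exactly the addresses you should be adding one by one rather than re-opening the whole profile. The `-Profile Any` inbound SMB block is deliberate: the worm does not care which network profile the client believes it is on.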

Backups Backups Backups

A clean and robust backup strategy needs to be put in place…

Automatic backups are nice… but a backup target that stays reachable from the client (a mapped drive, an always-mounted NAS share) can be encrypted by the same ransomware that encrypts the client.

Critical data should be written to robust M-DISCs once a year. (untested)

Kept offline, they are secured against electromagnetic problems but also against hackers 😉

„Wanna Decrypter 2.0 ransomware that started its assault against hospitals across the UK before spilling across the globe.

The attack appears to have exploited a Windows vulnerability Microsoft released a patch for in March. That flaw was in the Windows Server Message Block (SMB) service, which Windows computers use to share files and printers across local networks. Microsoft addressed the issue in its MS17-010 bulletin.

SophosLabs said the ransomware – also known as WannaCry, WCry, WanaCrypt and WanaCrypt0r – encrypted victims’ files and changed the extensions to .wnry, .wcry, .wncry and .wncrypt.

Sophos is protecting customers from the threat, which it now detects as Troj/Ransom-EMG, Mal/Wanna-A, Troj/Wanna-C, and Troj/Wanna-D. Sophos Customers using Intercept X will see this ransomware blocked by CryptoGuard. It has also published a Knowledge Base Article (KBA) for customers.“

Wanna Decrypter 2.0 ransomware attack – what you need to know

WannaCry: ransomware attack paralyses tens of thousands of computers worldwide
England: crypto-trojan paralyses numerous hospitals
Across England a crypto-trojan shut down numerous hospitals on Friday. And that is apparently only the tip of the iceberg of a global wave of infections with Wana Decrypt0r 2.0, or simply WannaCry.
Goldeneye uses information from the employment agency for extremely targeted attacks
Everything indicates that the attackers behind the rapidly spreading Goldeneye ransomware are misusing data that originates from the Bundesagentur für Arbeit (Federal Employment Agency). The cover letters are so realistic that they pose a real danger.

Firewalls:

http://www.phoenixcontact-cybersecurity.com/en/

https://secure2.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition/software.aspx

http://dwaves.de/2017/01/31/how-to-create-your-own-pfsense-firewall-proxy/

Links:

http://www.pcwelt.de/a/wana-crypt0r-2-0-erpresser-virus-verbreitet-sich-rasant-so-schuetzen-sie-sich,3446749

https://www.heise.de/thema/Ransomware

https://krebsonsecurity.com/

http://dwaves.de/2014/04/29/cryptodefense-evil-competition-of-cryptolocker-cryptorbit-encrypting-ransomware-houston-our-files-got-hijacked/

Update: ransomware has earned its operators more than $25 million (Google research): https://www.theverge.com/2017/7/25/16023920/ransomware-statistics-locky-cerber-google-research

admin