International Cyber Attack Underway May 12, 2017


Xentrk

A large-scale cyberattack affected nearly one hundred countries and held tens of thousands of computers ransom throughout the day on Friday.

Friday's attacks are being blamed on a piece of malware called WCry, WannaCry, or Wana Decryptor, that's now been tracked in large-scale attacks across Europe and Asia — particularly Russia and China — as well as attacks in the U.S. and South America, according to a map on the Malware Tech site.

Make sure your systems are patched. Do not open email attachments, especially zip files.

https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported

https://www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html?_r=0

http://www.mirror.co.uk/news/world-news/74-countries-hit-45000-wannacry-10411971

http://www.npr.org/sections/thetwo-...englands-nhs-hospital-system-ransoms-demanded
 
Coincidentally I saw more unsolicited visitors dropped by my router's firewall in the past two days:

Code:
May  8 19:12:01 erx logger: ruleset     packets     bytes       action  description
May  8 19:12:02 erx logger: WAN_IN      109         5324        DROP    Block Bad IP (src)
May  8 19:12:02 erx logger: WAN_LOCAL   7541        488748      DROP    Block Bad IP (src)
May  8 19:12:02 erx logger: WAN_LOCAL   12005       841377      DROP    DEFAULT ACTION

May  9 19:12:01 erx logger: ruleset     packets     bytes       action  description
May  9 19:12:01 erx logger: WAN_IN      120         5796        DROP    Block Bad IP (src)
May  9 19:12:02 erx logger: WAN_LOCAL   8422        547619      DROP    Block Bad IP (src)
May  9 19:12:02 erx logger: WAN_LOCAL   13570       941751      DROP    DEFAULT ACTION

May 10 19:12:01 erx logger: ruleset     packets     bytes       action  description
May 10 19:12:01 erx logger: WAN_IN      216         11715       DROP    Block Bad IP (src)
May 10 19:12:01 erx logger: WAN_LOCAL   9182        597421      DROP    Block Bad IP (src)
May 10 19:12:01 erx logger: WAN_LOCAL   14765       1001662     DROP    DEFAULT ACTION

May 11 19:12:01 erx logger: ruleset     packets     bytes       action  description
May 11 19:12:01 erx logger: WAN_IN      280         15550       DROP    Block Bad IP (src)
May 11 19:12:02 erx logger: WAN_LOCAL   10150       674652      DROP    Block Bad IP (src)
May 11 19:12:02 erx logger: WAN_LOCAL   17834       1313569     DROP    DEFAULT ACTION

May 12 19:12:01 erx logger: ruleset     packets     bytes       action  description
May 12 19:12:02 erx logger: WAN_IN      1581        98061       DROP    Block Bad IP (src)
May 12 19:12:02 erx logger: WAN_LOCAL   11048       726608      DROP    Block Bad IP (src)
May 12 19:12:02 erx logger: WAN_LOCAL   19602       1395340     DROP    DEFAULT ACTION

total "malicious" visitors:
May 9: 2457
May 10: 2051
May 11: 4101
May 12: 3967

The surge in "WAN_IN" (from 280 to 1581) on May 12 is interesting. Seems like some of the attacker IPs may have already been picked up by one or more online bad ip lists in the past 24 to 48 hours.
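The per-day "malicious visitor" totals quoted in this thread are not the raw packet columns: the router logs cumulative counters once a day, so the figure for a given day is today's counter minus yesterday's, summed over the three rules. The script below is an added example (not from the post or from EdgeRouter firmware) that parses the logger lines exactly as printed above, computes the daily deltas, and splits them into drops caught by the "Block Bad IP" list versus the firewall's default action. The log lines are the ones quoted in the post; the `SNAPSHOTS` string, the function names and the counter-reset handling are my own additions.

```python
import re
from collections import defaultdict

# Daily snapshots of the cumulative firewall counters, copied from the post above.
# Header rows ("ruleset packets bytes action description") are included on purpose
# to show that the parser skips them.
SNAPSHOTS = """\
May  8 19:12:01 erx logger: ruleset     packets     bytes       action  description
May  8 19:12:02 erx logger: WAN_IN      109         5324        DROP    Block Bad IP (src)
May  8 19:12:02 erx logger: WAN_LOCAL   7541        488748      DROP    Block Bad IP (src)
May  8 19:12:02 erx logger: WAN_LOCAL   12005       841377      DROP    DEFAULT ACTION
May  9 19:12:01 erx logger: ruleset     packets     bytes       action  description
May  9 19:12:01 erx logger: WAN_IN      120         5796        DROP    Block Bad IP (src)
May  9 19:12:02 erx logger: WAN_LOCAL   8422        547619      DROP    Block Bad IP (src)
May  9 19:12:02 erx logger: WAN_LOCAL   13570       941751      DROP    DEFAULT ACTION
May 10 19:12:01 erx logger: WAN_IN      216         11715       DROP    Block Bad IP (src)
May 10 19:12:01 erx logger: WAN_LOCAL   9182        597421      DROP    Block Bad IP (src)
May 10 19:12:01 erx logger: WAN_LOCAL   14765       1001662     DROP    DEFAULT ACTION
May 11 19:12:01 erx logger: WAN_IN      280         15550       DROP    Block Bad IP (src)
May 11 19:12:02 erx logger: WAN_LOCAL   10150       674652      DROP    Block Bad IP (src)
May 11 19:12:02 erx logger: WAN_LOCAL   17834       1313569     DROP    DEFAULT ACTION
May 12 19:12:02 erx logger: WAN_IN      1581        98061       DROP    Block Bad IP (src)
May 12 19:12:02 erx logger: WAN_LOCAL   11048       726608      DROP    Block Bad IP (src)
May 12 19:12:02 erx logger: WAN_LOCAL   19602       1395340     DROP    DEFAULT ACTION
"""

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# One data row: syslog timestamp, host, "logger:", then the five counter columns.
# Header rows fail to match because "packets"/"bytes" are not digits.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+[\d:]+\s+\S+\s+logger:\s+"
    r"(?P<ruleset>\S+)\s+(?P<packets>\d+)\s+(?P<bytes>\d+)\s+"
    r"(?P<action>\S+)\s+(?P<desc>.+?)\s*$"
)


def parse_snapshots(text):
    """Return {(mon, day): {(ruleset, description): cumulative_packets}}."""
    snaps = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        snaps[(m["mon"], int(m["day"]))][(m["ruleset"], m["desc"])] = int(m["packets"])
    return dict(snaps)


def daily_deltas(snaps):
    """Counters are cumulative, so a day's new drops = today's value - yesterday's.
    If a counter went down (router reboot reset it), count today's value as-is."""
    days = sorted(snaps, key=lambda k: (MONTHS.index(k[0]), k[1]))
    deltas = {}
    for prev, cur in zip(days, days[1:]):
        per_rule = {}
        for rule, pk in snaps[cur].items():
            prev_pk = snaps[prev].get(rule, 0)
            per_rule[rule] = pk - prev_pk if pk >= prev_pk else pk
        deltas[cur] = per_rule
    return deltas


def summarize(deltas):
    """Per day: total new drops, plus how many the 'bad IP' list rules caught."""
    summary = {}
    for day, rules in deltas.items():
        total = sum(rules.values())
        bad_ip = sum(v for (_, desc), v in rules.items() if "Bad IP" in desc)
        summary[day] = {"total": total, "bad_ip": bad_ip, "default": total - bad_ip}
    return summary


def bad_ip_share(summary):
    """Fraction of all dropped packets that the bad-IP lists caught, over all days."""
    total = sum(v["total"] for v in summary.values())
    return sum(v["bad_ip"] for v in summary.values()) / total if total else 0.0


if __name__ == "__main__":
    deltas = daily_deltas(parse_snapshots(SNAPSHOTS))
    summary = summarize(deltas)
    wan_in = ("WAN_IN", "Block Bad IP (src)")
    for day, s in summary.items():
        print(f"{day[0]} {day[1]:>2}: total {s['total']:>5}  bad-ip {s['bad_ip']:>5}  "
              f"default {s['default']:>5}  WAN_IN bad-ip {deltas[day][wan_in]:>5}")
    print(f"bad-IP lists caught {bad_ip_share(summary):.0%} of dropped packets overall")
```

Running it reproduces the May 9 to May 12 totals in the post (2457, 2051, 4101, 3967) and shows the WAN_IN jump from 64 new drops on May 11 to 1301 on May 12. Splitting the totals also makes the later claim in the thread checkable from the same data: over these four days the list rules account for under half of the dropped packets, the rest being caught by the default drop.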
 
Not as many as my router which reports 23k ip addresses blacklisted

total "malicious" visitors:
May 9: 2457
May 10: 2051
May 11: 4101
May 12: 3967
May 13: 4705

But I believe the additional surge was partially contributed by BitTorrent. A guest visited me yesterday and ran two sessions of Transmission. I have my router allowing DHT traffic automatically when Transmission is actually doing work.

(Why could DHT traffic attract "malicious" visitors? Interested readers can check out my previous blog post here).
 
I haven't seen a huge uptick in 'bad' traffic over the past couple of days... but there are other botnets that are running the noise level up pretty high...

But common sense generally prevails - keep patched up, watch out for attachments/links in email, watch what ports are exposed, and one should be ok...
 
I haven't seen a huge uptick in 'bad' traffic over the past couple of days... but there are other botnets that are running the noise level up pretty high...

But common sense generally prevails - keep patched up, watch out for attachments/links in email, watch what ports are exposed, and one should be ok...
The windows server I support at a school had been turned off since school let out in mid-March. School resumes tomorrow. So I went over today and made sure it was all patched up, along with some other work stations that had been sitting idle. I reminded staff not to click on email attachments.
 
I haven't seen a huge uptick in 'bad' traffic over the past couple of days... but there are other botnets that are running the noise level up pretty high...

total "malicious" visitors:
May 9: 2457
May 10: 2051
May 11: 4101
May 12: 3967
May 13: 4705
May 14: 6229
May 15: 2618

Upon further check, the two Transmission sessions actually ran past the data snapping time for more than 4 to 5 hours (I don't have my Transmission set up to only allow being killed after a certain ratio is reached, as a courtesy). That might explain the further surge on May 14.

The above numbers are the aggregate sum of default drops and drops by "bad ip". I didn't bother to count separately. All numbers are low by any measure. Roughly, the "bad ip" lists caught less than 50% of all dropped packets.

Recently people here are in vogue to add many upset block lists. In fact, if you don't have those blocks, your router's FW will drop them by default. So the lists provide little additional security, especially for a home environment. Sorry, for breaking another news. LOL

Anyway, things seem back to normal on May 15. The city where I am has only reported 17 confirmed cases of WanaCry so far. All Windows 7 machines... quite anti-dramatic. Both the private sector and government aren't doing that bad on security.
 
Since WannaCry spreads through SMB, and many ISPs will block these ports, we might not all see any change in malicious traffic.

I had two customers still with one WinXP machine each. Installed MS's hotfix (after a long swearing bout at Microsoft - they posted the WRONG file for the WinXP SP3 French patch, it was linked to the WinXP Embedded edition... Sigh.)
 
Recently people here are in vogue to add many upset block lists. In fact, if you don't have those blocks, your router's FW will drop them by default. So the lists provide little additional security, especially for a home environment. Sorry, for breaking another news. LOL

Well - as long as folks don't expose ports... the bots can hammer on the WAN as much as they want...

I don't use blacklists - I use whitelists... much easier that way.
 
Since WannaCry spreads through SMB, and many ISPs will block these ports, we might not all see any change in malicious traffic.

Direct Attached PC's are more at risk perhaps - behind a router/gw/firewall, it's less of a problem.

For WinXP - it's more of a risk for bootleg/unregistered copies, as this is the big vector at the moment...

Win10 was patched 2 months ago, and Samba never was a risk there...
 
For WinXP - it's more of a risk for bootleg/unregistered copies, as this is the big vector at the moment...
Most Thais I have encountered who have asked me for help with their PC or laptop here in Thailand have bootleg copies of MS Windows installed. In fact, all but one, now that I think about it! I tell them I don't support it and try to educate them on the risks. With the bootleg copies, they can't get Windows updates. Cheap is not always better.
 
total "malicious" visitors:
May 9: 2457
May 10: 2051
May 11: 4101
May 12: 3967
May 13: 4705
May 14: 6229

May 15: 2618

Upon further check, the two Transmission sessions actually ran past the data snapping time for more than 4 to 5 hours (I don't have my Transmission set up to only allow being killed after a certain ratio is reached, as a courtesy). That might explain the further surge on May 14.

The above numbers are the aggregate sum of default drops and drops by "bad ip". I didn't bother to count separately. All numbers are low by any measure. Roughly, the "bad ip" lists caught less than 50% of all dropped packets.

Recently people here are in vogue to add many upset block lists. In fact, if you don't have those blocks, your router's FW will drop them by default. So the lists provide little additional security, especially for a home environment. Sorry, for breaking another news. LOL

Anyway, things seem back to normal on May 15. The city where I am has only reported 17 confirmed cases of WanaCry so far. All Windows 7 machines... quite anti-dramatic. Both the private sector and government aren't doing that bad on security.

Just as a teaser,
nothing more nothing less
the lists can be
like a needle in a haystack
but sometimes they are effective too

[attachment: thisweek.jpeg]
 
For WinXP - it's more of a risk for bootleg/unregistered copies, as this is the big vector at the moment...

More like public institutions that failed to upgrade. UK NHS is one example, they were paying 200$/month per desktop to be on Microsoft's extended support plan for the first year, and were planning to migrate during that year. Migration never got completed, and they didn't pay the 400$/desktop that the second year would have cost. So, they got hit hard.

(BTW, if those 200$/desktop/1st year, 400$/desktop/2nd year, 600$/desktop/3rd year numbers are accurate... Ouch?)

Some US military segments too are waking up, and scrambling to complete the move to Windows 10 by the end of the year... or so they say.
 
I have one interesting question here: who's to blame?

- The NSA for finding the exploit, and sitting on it rather than reporting it to Microsoft?
- Whoever leaked it to Wikileaks?
- Wikileaks for publishing it (tho Wikileaks did a good thing in contacting various vendors first before publishing exploits, giving them a chance to patch - like your usual responsible public disclosure)
- Microsoft, for having created the WinXP patch as far back as last FEBRUARY, but not publishing it until the house was on fire?
- People for still running an EOL OS that's been dead since April 2014?
- IT departments who weren't keeping systems up-to-date (Win7/Win8 that were unpatched)?
- Whoever wrote the ransomware, and spread it?


My personal vote is: all of the above, aside from maybe the leaker (because it would eventually have been found by someone else anyway, so it was just a matter of time), and Wikileaks (assuming that in this particular case, they did contact MS ahead of publication).
 
Just as a teaser,
nothing more nothing less
the lists can be
like a needle in a haystack
but sometimes they are effective too

[attachment 9348]

This is a good idea. I think I saw @Martineau did something similar. Reporting and statistics like this provides a reason to run such a blocker (rather than for perceived additional security IMO).

On my router I have a tiny whitelist and a blacklist (of a few hundred entries)... similar to @sfx2000. It's not a coincidence... I think we discussed the same topic more than a year ago in another thread. lol

I expanded the blacklist by pulling in online data, mainly for checking outgoing traffic.
 
I have one interesting question here: who's to blame?

The attackers are losers financially as very few victims actually pay so far. The IT industry profits indirectly. I feel sorry for innocent ppl like affected patients in the case of NHS. The world has become a place where few ppl's hefty gain is largely at the expense of many others. Cruel but real.
 
On my router I have a tiny whitelist and a blacklist (of a few hundred entries)... similar to @sfx2000. It's not a coincidence... I think we discussed the same topic more than a year ago in another thread. lol

Indeed...
 
I have one interesting question here: who's to blame?

- The NSA for finding the exploit, and sitting on it rather than reporting it to Microsoft?
- Whoever leaked it to Wikileaks?
- Wikileaks for publishing it (tho Wikileaks did a good thing in contacting various vendors first before publishing exploits, giving them a chance to patch - like your usual responsible public disclosure)
- Microsoft, for having created the WinXP patch as far back as last FEBRUARY, but not publishing it until the house was on fire?
- People for still running an EOL OS that's been dead since April 2014?
- IT departments who weren't keeping systems up-to-date (Win7/Win8 that were unpatched)?
- Whoever wrote the ransomware, and spread it?

Ultimately - it's MSFT's bug, and they fixed it...

Whatever gov't agency that was saving it - that's a strategic thing they kept - and that's ok - there will be a time where things like this are needed...

Wikileaks - well - that is what it is...

Someone's house on fire - I think we'll all stand on the street and watch perhaps...

Knowing that we've done the best we can do keep our houses from catching on fire...
 