Unit 4: Exploits and Exploiting
4.1 Exploits and Exploiting: WannaCry and NotPetya

>> The WannaCry ransomware outbreak on Friday, May 12th, 2017,
proved that even after a vulnerability is identified, announced, and even patched,
companies and individuals at home, in a lot of cases, do nothing.
WannaCry propagated with the EternalBlue exploit
of the Microsoft Windows SMB, Server Message Block protocol.
The vulnerability that this exploit exploits was discovered by the United States
of America NSA, National Security Agency.
Instead of telling Microsoft about it, though, they kept it to themselves
and used it to offensively attack.
Eventually Microsoft found the vulnerability themselves, and on March 14th, 2017,
issued MS17-10, which explained the vulnerability and made patches available
for all Windows versions supported at the time.
EternalBlue was released by the Shadow Brokers, a hacker group, on April 8th, 2017,
with other tools apparently leaked from Equation Group, widely believed to be part of the NSA.
The problem, of course, is that many individuals and companies ignored the Microsoft patches
in March and on May 12th, 2017, found their systems locked with a ransom demand;
200,000 computers were infected in 150 countries.
The biggest impacts were felt in Russia, Ukraine, India, and Taiwan.
Major telecommunication companies in Spain were affected.
Lots of NHS, National Health Service hospitals in England
and Scotland were telling non-critical accident and emergency patients to stay away
as over 70,000 devices, including computers, MRI scanners,
and blood storage refrigerators were locked up.
Critical patients had to be moved to other facilities.
Companies all over told their employees to shut down and unplug their machines.
The ransomware locked the machines, encrypted files,
and demanded nearly $600 in bitcoin for a decryption key.
Nearly 90% of care facilities in the UK's NHS are still using Windows XP,
a 16-year-old operating system.
Overall, Windows XP market share was around 7% in May 2017,
and that's a really huge number considering
that Microsoft stopped supporting Windows XP in April 2014.
Hackers like to go for the low-hanging fruit first.
Why make it that easy for them?
Within 24 hours of the WannaCry outbreak, Microsoft did something really strange
and unprecedented by issuing emergency patches
for unsupported operating systems, including Windows XP, Windows Server 2003,
and Windows 8, to foil the ransomware.
Then in June 2017, Microsoft issued more patches for the unsupported OSs to clean
up vulnerabilities that could be attacked with the Shadow Brokers exploits, as well
as older issues, a few going back as far as nine years, that could still be exploited.
Microsoft announced "our decision today to release these security updates for platforms not
in extended support should not be viewed as a departure from our standard servicing policies.
Based on an assessment of the current threat landscape by our security engineers,
we made the decision to make updates available more broadly.
As always, we recommend customers upgrade to the latest platforms.
The best protection is to be on a modern,
up-to-date system that incorporates the latest defense-in-depth innovations.
Older systems, even if fully up to date, lack the latest security features and advancements."
Not too long after the WannaCry outbreak began, a 22-year-old web security researcher
from England, who goes by the handle MalwareTech, found the kill switch in the ransomware,
which was activated by registering a domain name found in the code.
MalwareTech reverse engineered WannaCry and saw that it checked to see
if a gibberish URL led to an active webpage.
Curiously, he registered that domain himself for $10.69,
and once the malware found the URL to be live, it shut down.
This pretty much halted the initial outbreak,
but new versions without the kill switches have since been detected.
Researchers have also discovered ways to recover data
from infected machines under certain circumstances.
In a shocking twist, antivirus provider Kaspersky Lab concluded that 98%
of the victims were actually running Windows 7, and the number
of infected Windows XP machines was insignificant.
However, upgrading and patching are still the lessons to be learned.

NotPetya

>> On June 27th, 2017, another major global ransomware cyber attack began in France,
Germany, Italy, Poland, the United Kingdom, and the United States of America,
with the majority of infected systems in Russia and Ukraine.
The malware appeared to be a variant
of a previously discovered encrypting ransomware family called Petya.
Kaspersky Lab named this specimen NotPetya, as it actually differed greatly
in operation from previous variants.
It is believed that NotPetya was designed to spread quickly,
specifically targeting energy companies, the power grid, bus stations,
gas stations, the airport, and banks.
What caused this outbreak?
Apparently the software update mechanism of M.E.Doc,
a popular Ukrainian tax preparation program, was compromised to spread the malware.
A back door was present in the update system for at least six weeks prior to the attack.
M.E.Doc denied that they were entirely responsible.
On July 4th, 2017, Ukraine's cybercrime unit seized M.E.Doc's servers when new activity
that could result in uncontrolled proliferation of malware was detected.
Ukraine police warned M.E.Doc users to stop using the software immediately.
The back door was still there.
When the servers were seized, the forensic analysis revealed
that software updates had not been applied since 2013.
There was evidence of Russian presence
and an employee's account on the servers was compromised.
It looks like criminal charges are inevitable for the company due to its negligence.
It also appears that NotPetya was just masquerading as ransomware
for media attention following WannaCry.
NotPetya overwrote parts of a disk needed to run, making it a wiper instead of ransomware.
A single bitcoin wallet was used for collection, not an efficient way of collecting money.
Victims were required to email a long string of characters that had to be manually typed,
and the email address was subsequently shut down by its provider.

Reposted from: https://www.cnblogs.com/sec875/articles/10028488.html