Help me understand the WannaCry threat

Soldato | Joined 30 Sep 2005 | Posts 16,736
Hi All,

https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/

I'm struggling to understand the attack vectors regarding WannaCry. Most sites simply say it's an SMB exploit found in WinXP, 7, 2003, 2008 but not much else.

Could someone please help me understand how the virus would enter a network and do damage please.

If a network has a firewall blocking all major ports apart from, say, 80/443 and has no NAT rules, how can the network become infected, even if it's full of XP machines? Via a website? What about if there's a web proxy with a whitelist?

Thanks!!
 
OK, so it seems it started from someone clicking on an email. It doesn't say how it spread from company to company. Unless there are millions of idiots clicking on random emails?

https://www.ft.com/content/82b01aca-38b7-11e7-821a-6027b8a20f23?mhq5j=e2


"EternalBlue exploits a security loophole in Windows operating systems that allows a malicious code to spread through structures set up to share files — such as dropboxes and shared drives for documents or databases — without permission from users. “The widespread use of filesharing between organisations is to some extent a dream come true for a cyber criminal,” says Darren Thomson, chief technology officer of Symantec, the anti-virus and web security company. “If you can exploit a filesharing vulnerability, then you can get to tens or even hundreds of thousands of users.”"

I can't believe out of all the companies that got hit, they all used shared drives between each other (domain trusts) or launched iffy emails. Now the article states "the structure set up to share files" which I assume means SMB. Still doesn't say how it spreads between companies.

Question: When the virus encrypts a document, does that document itself contain a self replicating virus?

edit: Well it does seem the spread between companies was through email

As evident from its worldwide attacks, WannaCrypt first gains access to the computer system via an email attachment and thereafter can spread rapidly through the LAN. The ransomware can encrypt your system's hard disk and attempts to exploit the SMB vulnerability to spread to random computers on the Internet via TCP port and between computers on the same network.
 
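The quoted description of the spread (one host landing via email, then hammering SMB on its LAN neighbours and on random Internet addresses) has a recognisable shape in firewall or flow logs, and that is what a defender would look for. The script below is an added example, not code from the post or from any of the linked articles. It assumes a simple space-separated log format and an internal range of 10.0.0.0/8 (both constructed here), and it relies on the known fact that SMB runs on TCP/445. It flags two things: a source that opens TCP/445 to many distinct destinations in a short window (worm-like fan-out, which a perimeter firewall never sees for LAN-to-LAN traffic, so the log is assumed to include internal flow records), and any internal host trying TCP/445 towards the Internet, which should always be denied at the edge.

```python
"""Spot WannaCry-style SMB propagation in firewall/flow logs.

Added example (not from the forum post). Assumptions: log lines are
"<ISO time> <src> <dst> <proto> <dport> <action>", the internal range is
10.0.0.0/8, and SMB is TCP/445.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal range
SMB_PORT = 445                         # SMB over TCP
WINDOW = timedelta(seconds=60)         # sliding window for fan-out detection
FANOUT_THRESHOLD = 10                  # distinct SMB targets per window that looks like a worm


def build_sample_log():
    """Constructed sample: 10.1.2.3 bursts SMB to 12 LAN neighbours and 2
    Internet hosts inside 30 s; 10.1.2.50 only talks to one file server
    plus one ordinary HTTPS connection."""
    lines = []
    t0 = datetime(2017, 5, 12, 10, 0, 0)
    for i in range(12):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.1.2.3 10.1.2.{100 + i} tcp 445 allow")
    lines.append(f"{(t0 + timedelta(seconds=25)).isoformat()} 10.1.2.3 203.0.113.7 tcp 445 deny")
    lines.append(f"{(t0 + timedelta(seconds=26)).isoformat()} 10.1.2.3 198.51.100.9 tcp 445 deny")
    for i in range(5):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 10.1.2.50 10.1.2.10 tcp 445 allow")
    lines.append(f"{(t0 + timedelta(seconds=30)).isoformat()} 10.1.2.50 93.184.216.34 tcp 443 allow")
    return lines


def parse_line(line):
    """Parse one constructed-format log line into a dict."""
    ts, src, dst, proto, dport, action = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": ip_address(src),
        "dst": ip_address(dst),
        "proto": proto,
        "dport": int(dport),
        "action": action,
    }


def _smb_records(lines):
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            if rec["proto"] == "tcp" and rec["dport"] == SMB_PORT:
                yield rec


def find_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak number of distinct TCP/445 destinations seen within
    any `window`} for sources whose peak reaches `threshold`."""
    per_src = defaultdict(list)
    for rec in _smb_records(lines):
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> hits inside the current window
        start, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged


def find_egress_smb(lines):
    """Internal hosts attempting TCP/445 to non-internal addresses: the
    'random computers on the Internet' phase. Any 'allow' here is a
    perimeter policy gap; 'deny' entries are still worth alerting on."""
    return [
        (str(rec["src"]), str(rec["dst"]), rec["action"])
        for rec in _smb_records(lines)
        if rec["src"] in INTERNAL and rec["dst"] not in INTERNAL
    ]


if __name__ == "__main__":
    sample = build_sample_log()
    print("SMB fan-out sources:", find_smb_fanout(sample))
    print("Internal -> Internet SMB attempts:", find_egress_smb(sample))
```

On the constructed sample, 10.1.2.3 is reported with 14 distinct SMB targets inside the window and two blocked attempts towards the Internet, while the host that repeatedly talks to a single file server is not flagged. The threshold and window are deliberately parameters: a backup server or a vulnerability scanner legitimately fans out on 445 and needs an allow-list rather than a lower bar.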