NHS computer systems hacked!?

Is it the worm embedded into a Doc X file that opens regardless of macro settings?

We have application control as well so highly unlikely to get attacked.
 
Patched or not - you forget that you still have to be stupid enough to open the attachment on these emails.
You're thinking of the older spam emails containing ransomware attachments like "notavirus.pdf.exe"; this attack is regarding a worm that can install itself via Windows security flaws leaked by the NSA. The patches being discussed fix the flaw.
 
You're thinking of the older spam emails containing ransomware attachments like "notavirus.pdf.exe"; this attack is regarding a worm that can install itself via Windows security flaws leaked by the NSA. The patches being discussed fix the flaw.

I bet it came in via email; once in, it can then spread via the network / exploit.
 
Patched or not - you forget that you still have to be stupid enough to open the attachment on these emails. In a home you have the small % of users opening the attachment and infecting their machine, limited to probably 1 device. In a corporate environment you have a lot of users and it only takes one fool to open it to infect their machine, and the malware will then try to infect other machines on the network or shared drives, which is a much easier propagation of the malware.

This particular program infects machines using port 139 or port 445 and exploits a vulnerability within Windows. It doesn't work the same as the other CryptoLocker variants that have been out there recently. Because of the Windows vulnerability, unless you're specifically patched to protect you against it, you'll get it and all other PCs within the network will as well if not patched. It isn't necessarily down to a single person opening up an email.
 
Because of the Windows vulnerability, unless you're specifically patched to protect you against it, you'll get it and all other PCs within the network will as well if not patched.
And as with other ransomware it has the headache that an unpatched computer can wreak havoc on a patched computer/server if it has network access to a shared drive/folder.
 
This particular program infects machines using port 139 or port 445 and exploits a vulnerability within Windows. It doesn't work the same as the other CryptoLocker variants that have been out there recently. Because of the Windows vulnerability, unless you're specifically patched to protect you against it, you'll get it and all other PCs within the network will as well if not patched. It isn't necessarily down to a single person opening up an email.

I agree once the worm is running on a network machine it opens up 137/445 connections to other hosts and, if vulnerable, will infect. To activate the code someone or something needed to have run the attachment - once that's done it's a free for all on a network. A simple firewall would block 137/445 inbound connections from the Internet by default, so it needed to be transported inside an organisation (via email) and executed from within to be able to spread.
 
You can close ports 139 / 445 on your router / firewall instead of closing them in Windows.
The whole point that a lot of people seem to be missing is that once you are past the firewall/router, you can pretty much do what you want if the OS is not secure.
 
I agree once the worm is running on a network machine it opens up 137/445 connections to other hosts and, if vulnerable, will infect. To activate the code someone or something needed to have run the attachment - once that's done it's a free for all on a network. A simple firewall would block 137/445 inbound connections from the Internet by default, so it needed to be transported inside an organisation (via email) and executed from within to be able to spread.

Nobody knows that for sure right now. There's been talk of multiple ways that this has got into these networks. Some have said it was a direct attack on specific targeted IP ranges and routers vulnerable on ports 139 and 445 have let it through. There has been mention that it spread via email. There have been other things discussed at the moment. We don't know a whole lot about how it's actually out there entering systems right now, only that it specifically exploits a vulnerability within Windows.

For me personally, I'm inclined to go with the IP targeted attack, specifically using port 139 or 445 within the routers to get into a network to spread the infection. Someone earlier mentioned that over 500 000 routers tested with a port scan have these open, so that's a very viable way of starting this off. It wouldn't surprise me if most networks haven't been secured against this.
 
You can close ports 139 / 445 on your router / firewall instead of closing them in Windows.

This won't stop PCs from responding on those port numbers from internal requests though, because the router won't be responsible for handling these requests. The router will only block these requests from the outside. So if one of your internal PCs is already compromised, and your other PCs aren't patched against the exploit, they'll be infected as well. Your only protection in this case would be to have the patch on from MS to prevent infection.
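One way to spot the internal spread this post describes, as an added example that is not from the thread: a small Python check over firewall log lines flags a host that opens SMB connections (139/445) to many internal peers in a short space of time. The log format, addresses and threshold are constructed assumptions for the example.

```python
# Added example (not from the thread): flag an internal host that starts
# fanning out SMB connections (TCP 139/445) to many peers, the behaviour the
# posts above describe for a worm that has already got past the router.
# Log format and the addresses below are constructed for this example.
from collections import defaultdict
from ipaddress import ip_address

SMB_PORTS = {139, 445}

def parse_line(line):
    """Parse 'key=value' fields from one constructed firewall log line."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])

def smb_fanout(lines, threshold=5):
    """Return {src: sorted peers} for hosts that reached at least `threshold`
    distinct internal peers on an SMB port. Each line: '<ts> src=.. dst=.. dport=..'."""
    peers = defaultdict(set)
    for line in lines:
        src, dst, dport = parse_line(line)
        # Only internal-to-internal SMB matters here; the router already
        # blocks 139/445 from the outside, so external sources are skipped.
        if dport in SMB_PORTS and ip_address(src).is_private and ip_address(dst).is_private:
            peers[src].add(dst)
    return {src: sorted(p) for src, p in peers.items() if len(p) >= threshold}

# Constructed sample: 10.0.0.23 plays the infected workstation; 10.0.0.9 is a
# normal client talking to a single file server (10.0.0.5).
SAMPLE_LOG = [
    "2017-05-12T10:00:01 src=10.0.0.9 dst=10.0.0.5 dport=445 proto=tcp",
    "2017-05-12T10:00:02 src=10.0.0.9 dst=10.0.0.5 dport=445 proto=tcp",
    "2017-05-12T10:00:03 src=10.0.0.23 dst=10.0.0.5 dport=445 proto=tcp",
    "2017-05-12T10:00:03 src=10.0.0.23 dst=10.0.0.6 dport=445 proto=tcp",
    "2017-05-12T10:00:03 src=10.0.0.23 dst=10.0.0.7 dport=139 proto=tcp",
    "2017-05-12T10:00:04 src=10.0.0.23 dst=10.0.0.8 dport=445 proto=tcp",
    "2017-05-12T10:00:04 src=10.0.0.23 dst=10.0.0.10 dport=445 proto=tcp",
    "2017-05-12T10:00:05 src=10.0.0.23 dst=10.0.0.11 dport=445 proto=tcp",
    "2017-05-12T10:00:05 src=203.0.113.7 dst=10.0.0.12 dport=445 proto=tcp",
    "2017-05-12T10:00:06 src=10.0.0.23 dst=10.0.0.5 dport=80 proto=tcp",
]

if __name__ == "__main__":
    for src, targets in smb_fanout(SAMPLE_LOG).items():
        print(f"{src} reached {len(targets)} SMB peers: {', '.join(targets)}")
```

The external source on 445 is ignored on purpose: the router is assumed to handle that side, and the point of the check is the host-to-host traffic the router never sees.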
 
I have received an email into my Gmail account with a ZIP attachment, be careful people! Have warned people on Facebook etc.

Email sender was a307192503 (at) 163.com, which is confirmed on Google as a known ransomware email sender/domain.

The email was:

"Dear Darren
Statement: EZXXXXXXXXXXX" where XX Random numbers
My home address was listed

a 4 digit passcode


Sincerely
Arcelia Barnault"

and obviously the ZIP file attached


Went straight in the bin
 
This won't stop PCs from responding on those port numbers from internal requests though, because the router won't be responsible for handling these requests. The router will only block these requests from the outside. So if one of your internal PCs is already compromised, and your other PCs aren't patched against the exploit, they'll be infected as well. Your only protection in this case would be to have the patch on from MS to prevent infection.

If you have a proper firewall it will stop it sending out :)
 
If you have a proper firewall it will stop it sending out :)

By Ethernet port or VLANs, sure, but most people don't have switches and firewalls that are capable of this sort of configuration. I'm focusing more toward the masses of home users or small businesses. Most that I deal with don't have any managed devices unfortunately. It would be so much easier if they did though!
 
This won't stop PCs from responding on those port numbers from internal requests though, because the router won't be responsible for handling these requests. The router will only block these requests from the outside. So if one of your internal PCs is already compromised, and your other PCs aren't patched against the exploit, they'll be infected as well. Your only protection in this case would be to have the patch on from MS to prevent infection.

You can still be infected if some numpty opens the email even if it's patched. Granted it won't spread, but you'll still be done.
 
I have received an email into my Gmail account with a ZIP attachment, be careful people! Have warned people on Facebook etc.

Is there anyone left to warn?

If people still open strange e-mails with attachments after the amount of press coverage over the weekend, they are just too plain stupid to be allowed a PC.
 
Is there anyone left to warn?

If people still open strange e-mails with attachments after the amount of press coverage over the weekend, they are just too plain stupid to be allowed a PC.

Probably not, but you never know; there are some people out there who will do stupid things :p
 