OddObserver
Apr 3, 2009

orange sky posted:

Ahah, tomorrow everyone is gonna be hosed when they turn on their PCs. Apparently it's not using SMB1 to spread anymore? WMIC and PsExec, apparently.

Sounds like both smb1 and those other things.
(Also seems like initial Ukrainian targets might have been attacked via... auto update of some accounting software?)


Furism
Feb 21, 2006

Live long and headbang
THN has a comprehensive report http://thehackernews.com/2017/06/petya-ransomware-attack.html

taqueso
Mar 8, 2004



Well this helped me find out my OS apparently thinks every scheduled task is corrupted.

Thanks Ants
May 21, 2004

#essereFerrari


Can't have a reboot task shutdown your machine if all your tasks are hosed :eng101:

eames
May 9, 2009

:stare:

https://twitter.com/GroupIB_GIB/status/879772068300165120

orange sky
May 7, 2007


It's doing this automatically? So it only needs a session where the Administrator account is logged on and then uses PtH or something?

Thanks Ants
May 21, 2004

#essereFerrari


Is it time to give up on computers yet?

eames
May 9, 2009

orange sky posted:

It's doing this automatically? So it only needs a session where the Administrator account is logged on and then uses PtH or something?

Yeah, that's my understanding, although it'll also move laterally to patched machines that, e.g., share a local administrator password.

Kaspersky reports it is using several different attack vectors. :tif:

https://twitter.com/kaspersky/status/879749175570817024

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
Yeah, a local admin has to be tricked into opening a malicious file. But once that happens, say goodbye to your domain. This is why you don't give out admin privileges like candy.

Also, you can show the command line in Task Manager by adding the "Command line" column to the Details pane. This shows you what DLL and function is being run through rundll32, so you can tell if it's malicious or not. Don't just go around killing every instance of rundll32 you see.
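The same check from a console, as an added example that is not part of the post above: this PowerShell (assumed to be run in an elevated prompt on Windows 8 / Server 2012 or later, where the CIM and ScheduledTasks cmdlets exist) lists every rundll32.exe with its parent and full command line, marks DLL paths that sit outside the usual system directories or don't end in .dll, and also lists scheduled tasks whose action runs shutdown.exe, since a reboot task is what the thread is joking about. The "unusual location" heuristic is mine, not a rule stated on the page.

```powershell
# Added example: triage rundll32 instances and shutdown tasks on a Windows host.
# Run elevated. Assumes Windows 8 / Server 2012 or later.

# Directories rundll32 normally loads DLLs from; anything else is worth a look.
# (Heuristic chosen for this example, not a rule from the thread.)
$trustedDllRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-Rundll32Report {
    # Win32_Process carries CommandLine; Get-Process does not on older PowerShell.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[$p.ProcessId] = $p }

    $all | Where-Object { $_.Name -ieq 'rundll32.exe' } | ForEach-Object {
        $cmd = $_.CommandLine
        # The DLL is the first argument after rundll32.exe, up to the comma that
        # separates it from the export, e.g.  rundll32.exe C:\x\y.dll,#1 arg
        $dll = $null
        if ($cmd -match 'rundll32(\.exe)?"?\s+"?([^",]+)') { $dll = $Matches[2].Trim() }

        $inTrusted = $false
        if ($dll) {
            if (-not [System.IO.Path]::IsPathRooted($dll)) {
                # Bare name (shell32.dll etc.) resolves via the search path; accept it
                # only if it actually exists in System32.
                $inTrusted = Test-Path (Join-Path "$env:SystemRoot\System32" $dll)
            } else {
                foreach ($root in $trustedDllRoots) {
                    if ($dll -like "$root\*") { $inTrusted = $true; break }
                }
            }
        }
        $parent = $byPid[$_.ParentProcessId]
        [pscustomobject]@{
            PID         = $_.ProcessId
            Parent      = if ($parent) { $parent.Name } else { '<exited>' }
            DLL         = $dll
            # Unparseable command line, untrusted path, or a non-.dll extension all flag.
            Suspicious  = (-not $inTrusted) -or ($dll -and $dll -notmatch '\.dll$')
            CommandLine = $cmd
        }
    }
}

function Get-ShutdownTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match 'shutdown') {
                [pscustomobject]@{
                    Task      = $task.TaskPath + $task.TaskName
                    State     = $task.State
                    Execute   = $a.Execute
                    Arguments = $a.Arguments
                }
            }
        }
    }
}

"== rundll32 instances =="
Get-Rundll32Report | Format-Table -AutoSize -Wrap
"== scheduled tasks that run shutdown =="
Get-ShutdownTasks | Format-Table -AutoSize -Wrap
```

A Suspicious = True row is a prompt to look at the DLL on disk and at the parent, not a verdict; legitimate installers and Control Panel applets also go through rundll32, which is exactly why the post says not to kill every instance you see.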

RFC2324
Jun 7, 2012

http 418

Double Punctuation posted:

Don't just go around killing every instance of rundll32 you see.

Pussy

Internet Explorer
Jun 1, 2005





I reserve that level of belligerence for svchost.

Furism
Feb 21, 2006

Live long and headbang
Ran a quick search on Shodan, it shows more than 1.8M Internet-facing IPs with SMBv1 enabled: https://www.shodan.io/search?query=%22SMB+version%3A+1%22+port%3A%22445%22

I would be surprised if even 10% of those were protected by some form of IPS or AV. Wonder how many are patched, too.

some kinda jackal
Feb 25, 2003

 
 
The most annoying thing about Petya isn't Petya itself, it's the hundred AV vendors who suddenly have my email address out of the blue barraging me with "information" about how their product will protect my org.

And then the cold calls.

I'm going to start getting fake email/phone business cards printed up for trade shows.

The Electronaut
May 10, 2009

Martytoof posted:

The most annoying thing about Petya isn't Petya itself, it's the hundred AV vendors who suddenly have my email address out of the blue barraging me with "information" about how their product will protect my org.

And then the cold calls.

I'm going to start getting fake email/phone business cards printed up for trade shows.

I was at SANS the other month (thanks, work...), and in the vendor area I convinced my coworker to let them scan his badge for the swag I wanted, saying I'd left mine in the room. He's been getting barraged since then.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Never let vendors scan your badge.

some kinda jackal
Feb 25, 2003

 
 

Lain Iwakura posted:

Never let vendors scan your badge.

Where else am I supposed to get a pen or fidget spinner?

mewse
May 2, 2006

Lain Iwakura posted:

Never let vendors scan your badge.

A conference I went to recently seemed to give my contact info to every event sponsor without me taking any swag from the booths.

hobbesmaster
Jan 28, 2008

mewse posted:

A conference I went to recently seemed to give my contact info to every event sponsor without me taking any swag from the booths.

the cheaper the conference the more likely this is

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Martytoof posted:

Where else am I supposed to get a pen or fidget spinner?

One vendor was giving away lockpicks. It was the only time I would have done it but still resisted.

mewse
May 2, 2006

One of them is really determined. Emails below + one or two phone calls that I ignored

May 23rd posted:

Good Morning mewse,

Hope you had a nice weekend. Following up from the [conference] last week - glad you were able to attend and hope you enjoyed it!

May 25th posted:

Good Morning mewse,

Hope you’re having a good week. Following up from my email below – would you be available for a 1:1 demonstration

May 30th posted:

Hi mewse,

Per my email below, [vendor] provides the full security life cycle from visibility, to detection, prevention, and remediation.

June 20th posted:

Hi mewse,

Reaching out to share news about

June 27th posted:

Hi mewse,

Per my below email - Streaming prevention and complete, 24/7 visibility into your endpoints is why security professionals find value in [product]. If you are open to learning how the technology might fit with your organization, my engineer has some openings left

:ughh:

Lain Iwakura posted:

One vendor was giving away lockpicks. It was the only time I would have done it but still resisted.

I did get Kevin Mitnick's business card from this conference and it is a set of lockpicks!

Guy Axlerod
Dec 29, 2008
Those emails are automated. Don't use a normal email or phone number for your registration. Opsec.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA
I use my gvoice number and an aliased email address that dumps directly to a spam folder in my main profile, works pretty well.

The Fool
Oct 16, 2003


mewse posted:

One of them is really determined. Emails below + one or two phone calls that I ignored

:ughh:

I did get Kevin Mitnick's business card from this conference and it is a set of lockpicks!

CLAM DOWN
Feb 13, 2007




:lol:

https://www.technologyreview.com/s/601643/companies-are-stockpiling-bitcoin-to-pay-off-cybercriminals/

Forgall
Oct 16, 2012

by Azathoth
Back...


...ups?...

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Martytoof posted:

I'm going to start getting fake email/phone business cards printed up for trade shows.

At one company I used to have two email addresses, and cards with each. At another I stole some from a colleague with the same first name.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010

BangersInMyKnickers posted:

UAC introduces a split token scheme for local execution so by default even if you are in the local administrators group the programs you execute run with the permissions of a standard user, unless you force it through an elevation prompt. The problem is only the locally executed programs are aware of this UAC restriction, so LocalAccountTokenFilterPolicy also filters outbound remote management requests to drop the built-in administrators group token as well so if there are other systems exposed to you that you also have admin rights on you can elevate/compromise that system and then jump back or to other systems. Disabling the filtering makes that attack model possible. There are other ways to work around UAC and elevate, but having to modify that setting generally means you are doing something fundamentally wrong.

Hate to break it to you, but Microsoft recommends changing that registry value so you can administer non-domain-joined servers and the Hyper-V role. One of their certification steps calls for you to roll out that reg entry via PowerShell.

quote:

Managing non-domain joined servers through Server Manager is, however, more complicated and requires a level of expertise that is more suitable for the exam. Typically, workgroup environments are not covered in MCSE exams, but “manage non-domain joined servers” has officially been added as a new task in the updated objectives for Windows Server 2012 R2

yada yada DSC yada yada scripted locked down server core yada yada firewalls
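As an added example (not code from either post above), the following PowerShell reads the value the quoted post is describing and reports what it means on this host. It assumes Windows 10 / Server 2016 or later for Get-LocalUser; the remediation at the end only runs if you pass -Remediate, because, as the reply notes, workgroup Server Manager and Hyper-V management are legitimate reasons to have it set.

```powershell
# Added example: audit remote UAC token filtering (LocalAccountTokenFilterPolicy).
# Run elevated. Assumes Windows 10 / Server 2016 or later.
param([switch]$Remediate)

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterState {
    $item  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$name } else { $null }
    # Absent (default) and 0 both mean: a member of local Administrators who
    # authenticates over the network (SMB, WMI, WinRM) gets a filtered, non-admin
    # token, so a reused local-admin password or PtH does not hand out admin remotely.
    # 1 means the filter is off, which is the setting the quoted post is about.
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Value     = $value
        Filtering = if ($null -eq $value -or $value -eq 0) { 'ON' } else { 'OFF' }
    }
}

function Get-BuiltinAdminState {
    # The built-in Administrator (RID 500) is exempt from this filter by default, so
    # if it is enabled with a password shared across machines the key does not help.
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } |
        Select-Object Name, Enabled, PasswordLastSet
}

$state = Get-TokenFilterState
$state | Format-List
Get-BuiltinAdminState | Format-List

if ($state.Filtering -eq 'OFF') {
    Write-Warning "Remote local-admin logons get a full admin token on $($state.Host)."
    if ($Remediate) {
        # Deleting the value restores the default (filtering on). If the box needs it
        # off for workgroup Server Manager / Hyper-V management, leave it and treat
        # the host accordingly (unique local admin passwords, e.g. via LAPS).
        Remove-ItemProperty -Path $key -Name $name
        "Removed $name; filtering is back on for new network logons."
    }
}
```

Run it across a fleet (Invoke-Command with the script file) and the hosts reporting Filtering = OFF plus an enabled RID 500 account with a shared password are the ones where the "one tricked local admin, goodbye domain" path described earlier in the thread needs no exploit at all.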

Ganson
Jul 13, 2007
I know where the electrical tape is!

Martytoof posted:

The most annoying thing about Petya isn't Petya itself, it's the hundred AV vendors who suddenly have my email address out of the blue barraging me with "information" about how their product will protect my org.

And then the cold calls.

I'm going to start getting fake email/phone business cards printed up for trade shows.

Get a fake domain and a Google Voice number. Then use that fake domain to get a SendGrid free account (10k emails a month). Have the domain forward all addresses through SendGrid to your regular email address. You'll probably need to rewrite the sender to something like "realaddress@realdomain.com" <remailer@fakebusinesscarddomain.com> to avoid pissing off things like DMARC.

You can of course do it without SendGrid, though if you're forwarding to a Gmail account it makes acceptance a lot easier. I also use it for some other malarkey.

Business cards are cheap.

Ganson fucked around with this message at 20:06 on Jun 28, 2017

Ganson
Jul 13, 2007
I know where the electrical tape is!
I also thank my lucky stars every day that our entire dev department is on Macs (with like one or two exceptions), production is all Linux, and it's not my job to give a crap about user endpoints anymore.

I have a bunch of keywords set to filter mail to a 'reply helpdesk number' folder and go through it like once a week.

some kinda jackal
Feb 25, 2003

 
 

Ganson posted:

Get a fake domain and a Google Voice number. Then use that fake domain to get a SendGrid free account (10k emails a month). Have the domain forward all addresses through SendGrid to your regular email address. You'll probably need to rewrite the sender to something like "realaddress@realdomain.com" <remailer@fakebusinesscarddomain.com> to avoid pissing off things like DMARC.

You can of course do it without SendGrid, though if you're forwarding to a Gmail account it makes acceptance a lot easier. I also use it for some other malarkey.

Business cards are cheap.

That's pretty intricate; I have a mycorp.ca and a mycorp.org email so I'll probably just put the .org on my spammy business card and then just filter that in outlook.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Ganson posted:

I also thank my lucky stars every day that our entire dev department is on Macs (with like one or two exceptions), production is all Linux, and it's not my job to give a crap about user endpoints anymore.

I have a bunch of keywords set to filter mail to a 'reply helpdesk number' folder and go through it like once a week.

Ah yes. The secure macOS and Linux systems that cause no problems at all.

Ganson
Jul 13, 2007
I know where the electrical tape is!
I never said that, we still have our fair share of phishing attacks, legacy misconfigurations, new misconfigurations, people trolling for Struts vulnerabilities, a million kernel and critical tool vulns in the last 3 months (sudo!), etc.

At least there I can cut the attack surface down to almost nothing and don't have to deal with the samba-vulnerability-of-the-week. Vulnerabilities that do come out tend to have a good write-up with mitigation steps if needed from Red Hat within a week.

Makes a massive difference coming from a heterogeneous environment where I was dealing with Linux, Windows, VMware, Cisco, and Fortigate infrastructure along with a variety of end-user configurations in various states of repair... with a 3-man team where one person was glorified helpdesk and the other doesn't want to sully themselves by doing any actual work.

Ganson fucked around with this message at 20:38 on Jun 28, 2017

CLAM DOWN
Feb 13, 2007




Ganson posted:

I never said that, we still have our fair share of phishing attacks, legacy misconfigurations, new misconfigurations, people trolling for Struts vulnerabilities, a million kernel and critical tool vulns in the last 3 months (sudo!), etc.

At least there I can cut the attack surface down to almost nothing and don't have to deal with the samba-vulnerability-of-the-week. Vulnerabilities that do come out tend to have a good write-up with mitigation steps if needed from Red Hat within a week.

Makes a massive difference coming from a heterogeneous environment where I was dealing with Linux, Windows, VMware, Cisco, and Fortigate infrastructure along with a variety of end-user configurations in various states of repair... with a 3-man team where one person was glorified helpdesk and the other doesn't want to sully themselves by doing any actual work.

Do you think there are no regular dangerous exploits for Linux or Samba or something :psyduck: Look at 2016 for example: https://www.cvedetails.com/top-50-products.php?year=2016

You're not any safer and you're being dangerously misleading and ignorant.

Ganson
Jul 13, 2007
I know where the electrical tape is!

CLAM DOWN posted:

Do you think there are no regular dangerous exploits for Linux or Samba or something :psyduck: Look at 2016 for example: https://www.cvedetails.com/top-50-products.php?year=2016

You're not any safer and you're being dangerously misleading and ignorant.

...I'm not trying to pick a fight with you, where's the anger coming from? I realize there are regular dangerous vulnerabilities in Linux (we don't use Samba). We have an aggressive patching program and various other layers of defense in depth I'd rather not announce on an open forum.

But Microsoft is the market leader (especially on the end-user side) and as such is the biggest target for bad actors and their ilk. Microsoft's not-always-great transparency and sometimes questionable choices of defaults are something I'm happy to avoid. Distros have the same issue at times too (and Linus regularly getting into pissing contests with people doesn't help), but since they're all competing with basically the same code bases, if one distro misses something another may pick it up (or a researcher with access to the source code may find it). I'd rather deal with that than smb-worm-of-the-week.

CLAM DOWN
Feb 13, 2007




Ganson posted:

...I'm not trying to pick a fight with you, where's the anger coming from? I realize there are regular dangerous vulnerabilities in Linux (we don't use Samba). We have an aggressive patching program and various other layers of defense in depth I'd rather not announce on an open forum.

But Microsoft is the market leader (especially on the end-user side) and as such is the biggest target for bad actors and their ilk. Microsoft's not-always-great transparency and sometimes questionable choices of defaults are something I'm happy to avoid. Distros have the same issue at times too (and Linus regularly getting into pissing contests with people doesn't help), but since they're all competing with basically the same code bases, if one distro misses something another may pick it up (or a researcher with access to the source code may find it). I'd rather deal with that than smb-worm-of-the-week.

What, I'm not angry, I'm pointing out how ignorant and misleading you're being.

Furism
Feb 21, 2006

Live long and headbang
I think the point is that Macs and Linux can give users a false sense of security and that's very, very dangerous.

And honestly if you follow best practices Windows is pretty good. Their problem is more the concessions they have to make for the sake of backward compatibility (why the gently caress is SMBv1 still available for example).

Internet Explorer
Jun 1, 2005





Furism posted:

I think the point is that Macs and Linux can give users a false sense of security and that's very, very dangerous.

And honestly if you follow best practices Windows is pretty good. Their problem is more the concessions they have to make for the sake of backward compatibility (why the gently caress is SMBv1 still available for example).

Because some software still "only supports SMBv1." loving shoot me.

Thanks Ants
May 21, 2004

#essereFerrari


Buying Macs generally happens in companies that finance their IT better, so it's likely that they are also staffed better, enrolled in a management platform to ensure software is kept up-to-date etc. That might skew the results somewhat.

I've seen small businesses that buy some Macs and get the person 'good at computers' to look after them, and they are just as much of a mess as a Windows machine would be after a few months of running as local admin.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

So let the admin install and enable an optional component. Could even prompt if something tries to touch SMBv1 functionality.


Internet Explorer
Jun 1, 2005





Subjunctive posted:

So let the admin install and enable an optional component. Could even prompt if something tries to touch SMBv1 functionality.

If this is directed at me, the software requires SMBv1 for pretty much everything. Not sure what you mean by "let the admin install and enable," unless you mean that Windows Server should install with SMBv1 disabled by default, in which case I would agree.
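To go with the Shodan count earlier in the thread and the "software that only supports SMBv1" exchange here, an added example (not code from any post) that audits and, with -Remediate, disables SMBv1 on one Windows host. It assumes Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets; the component cmdlets differ between client and server SKUs, so both are tried. It also lists which current SMB sessions actually negotiated a 1.x dialect, which is the list of things that break when you turn it off.

```powershell
# Added example: report whether this host still offers or uses SMBv1, and turn it off.
# Run elevated. Assumes Windows 8.1 / Server 2012 R2 or later.
param([switch]$Remediate)

function Test-Smb1Dialect($dialect) {
    # Get-SmbSession / Get-SmbConnection report the negotiated dialect as "1.5", "2.1", "3.1.1"...
    $dialect -and ([version]$dialect -lt [version]'2.0')
}

function Get-Smb1Status {
    $srv = Get-SmbServerConfiguration

    # Is the SMB1 component installed? Client SKUs expose it as an optional feature,
    # server SKUs as a role feature; either cmdlet may be missing, hence the try/catch.
    $featureState = 'unknown'
    try {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $featureState = "$($f.State)"
    } catch {
        try {
            $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction Stop
            $featureState = if ($f.Installed) { 'Enabled' } else { 'Disabled' }
        } catch { }
    }

    # Sessions other machines opened to us, and shares we opened on others, that are
    # on a 1.x dialect right now. These are the things that break when SMB1 goes away.
    $inbound  = @(Get-SmbSession    -ErrorAction SilentlyContinue | Where-Object { Test-Smb1Dialect $_.Dialect })
    $outbound = @(Get-SmbConnection -ErrorAction SilentlyContinue | Where-Object { Test-Smb1Dialect $_.Dialect })

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        Smb1ServerEnabled   = $srv.EnableSMB1Protocol
        Smb1Component       = $featureState
        Smb1InboundClients  = @($inbound  | Select-Object -ExpandProperty ClientComputerName -Unique)
        Smb1OutboundServers = @($outbound | Select-Object -ExpandProperty ServerName -Unique)
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($Remediate) {
    if ($status.Smb1InboundClients.Count -gt 0) {
        Write-Warning "Clients still on SMB1: $($status.Smb1InboundClients -join ', '). They lose access when this completes."
    }
    # Stop offering SMB1 on 445 immediately (server side, no reboot needed) ...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ... and remove the component so this host can neither serve nor speak SMB1
    # after the next reboot, and so it cannot be quietly re-enabled.
    try {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction Stop | Out-Null
    } catch {
        try { Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction Stop | Out-Null } catch { }
    }
    Get-Smb1Status | Format-List
}
```

The session lists are a snapshot, so a scanner or NAS that only connects overnight will not appear; on Windows 10 / Server 2016 and later, `Set-SmbServerConfiguration -AuditSmb1Access $true` logs every SMB1 connection to the SMBServer/Audit event log, which gives you the real list after a few days. Disabling SMB1 removes the protocol the worm's network exploit rides on, but it is no substitute for the patch on machines that must keep it, and, as the earlier posts note, the credential-based lateral movement does not need SMB1 at all.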
