A massive attack with a cryptor Wana decrypt0r 2.0
At the moment, we can observe a massive attack with a Trojan-decryptor "Wana decrypt0r 2.0"
The attack is observed in different networks completely unrelated between themselves.
A ransomware spreading in the lab at the university ( from here )
Some companies advise their users to turn off their computers and wait for further instructions.
Contacting former colleagues, I was surprised by similar stories.
As for me, today I prepared several new Windows images for our cloud system, among them was Windows Server 2008 R2.
What is most interesting is that when I just installed Windows and set up a static IP address on it, it was immediately infected for several minutes.
All Windows images were obtained from MSDN, the hashes are the same, so the possibility of image infection is excluded.
And this is despite the fact that the firewall configuration for a single network interface looking outward has been configured as a “Public Network”.
Nmap does not find open ports . The nmap output shows that even in this case, some ports are open outside by default:
Host is up (0.017s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
135/tcp open msrpc
445/tcp open microsoft-ds
49154/tcp open unknown— Virtio-, Windows CD.
ISO- — Fedora, .
Windows .
, .
:
, :
UPD: , SMBv1.
:
- Microsoft Security Bulletin MS17-010
- , (Windows XP, Winows Server 2003R2)
- , SMBv1. ( Windows 8.1 ):
dism /online /norestart /disable-feature /featurename:SMB1ProtocolUPD2: . :
- , Windows 7 Windows Server 2008 R2,
40122124012215 cmd.exe( )- :
wmic qfe list | findstr 4012212 - Enter
- - , :
http://support.microsoft.com/?kbid=4012212 P2 Security Update KB4012212 NT AUTHORITY\ 3/18/2017 - ,
- , UPD9
100% .
, , Windows .
, . FuzzBunch, Shadow Brokers Equation Group, . .
Microsoft MS 17-010, .
https://github.com/fuzzbunch/fuzzbunch .
DoublePulsar.
, 445 MS 17-010, DoublePulsar
, .
UPD4: :
UPD5: :
UPD6: :
- WannaCrypt , iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
, @MalwareTechBlog, , - , .
, , , ; , . , .
- 12 . 300 . 99 , , «», . , , . .
, , Windows, .
UPD7: Microsoft (Windows XP Windows Server 2003R2)
Shadow brokers
C/Python
Linux
?Linux
IP
445
SMB , ,
.
UPD9: :
Windows XP: download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-rus_84397f9eeea668b975c0c2cf9aaf0e2312f50077.exe
Windows XP x64: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
Windows Vista x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Vista x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows 7 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu
Windows 7 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
Windows 8 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x86_5e7e78f67d65838d198aa881a87a31345952d78e.msu
Windows 8 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
Windows 8.1 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x86_e118939b397bc983971c88d9c9ecc8cbec471b05.msu
Windows 8.1 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
Windows 10 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x86_8c19e23de2ff92919d3fac069619e4a8e8d3492e.msu
Windows 10 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu
Windows 10 (1511) x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x86_f997cfd9b59310d274329250f14502c3b97329d5.msu
Windows 10 (1511) x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x64_7b16621bdc40cb512b7a3a51dd0d30592ab02f08.msu
Windows 10 (1607) x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x86_8b376e3d0bff862d803404902c4191587afbf065.msu
Windows 10 (1607) x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu
Windows Server 2003 x86: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-rus_62e38676306f9df089edaeec8924a6fdb68ec294.exe
Windows Server 2003 x64: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-rus_6efd5e111cbfe2f9e10651354c0118517cee4c5e.exe
Windows Server 2008 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Server 2008 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows Server 2008 R2: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
Windows Server 2012: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
Windows Server 2012 R2: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
Windows Server 2016: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu
UPD10: killswitch UPD6.
xsash, Inflame, Pulse, nxrighthere, waisberg, forajump, Akr0n, LESHIY_ODESSA, Pentestit, alguryanow .
')
Source: https://habr.com/ru/post/403837/
All Articles