New global ransomware attack hits East Europe and spreading


  1. Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       #81

    bro67 said:
    AndreTen, I think that we can at least now state to enable Firewall protection full time on any system, whether it is running Linux, Mac OS or Windows. When troubleshooting problems, we are all going to have to remember to address the issue of whether a person has a firewall enabled and make sure that everyone asks what security software they are running also. The fact is that if someone blocks or disables NetBIOS and/or SMB ports, it will break the system.
    I have extremely strict firewall rules that disable NetBIOS and SMB completely; I absolutely agree. I don't use those protocols and they're not necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.


    AndreTen said:
    Guys, don't worry so much about SMBv1 for home networks (OK, it's not something you really need), unless you have some irresponsible admin user in your network. This is not the first line of attack. Any router will block this.

    Main danger for home users is still phishing with attachments and browsing on internet.
    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, OR SMB v1 enabled and/or NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution and infection of the system (the target user needs administrative privileges). The Windows Management Instrumentation command-line (WMIC) is also a method it uses to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, inbound and outbound, on the local network; outbound connections must be blocked or restricted by application demand.

    Then you have nothing to worry about, regardless of having a router with basic set up.

    Shares will be accessed, so it is a pertinent threat to home users once infected.


  2. Posts : 29,078
    Windows 10 21H1 Build 19043.1023
       #82

    f14tomcat said:
    Thanks, I have uninstalled that feature. The only reason I asked was this was a clean install about a month ago, and it was enabled by default. I did not proactively enable the feature. Not running XP. And don't have an old printer. That is odd to me.
    I've seen quotes here and there that SMB1 was no longer enabled since March, but when I went in to check, it was enabled in my machine and I had to manually disable it. So, someone must have gotten the wrong information . . .

    Whoops! Gotta check out both of the Laptops and the other partition on this desktop. I'm pretty sure they'll have SMB1 enabled too.


  3. Posts : 29,078
    Windows 10 21H1 Build 19043.1023
       #83

    Hydrate said:
    I'll challenge myself here to translate into layman's terms. The blue flags indicate where Microsoft's protection against the ransomware is available and mitigated the threat and eliminated it.

    1. A malicious software update containing the petya.dll (dynamic link library) provided by the threat actor (the entity responsible for this madness) was executed upon patient zero's machine, knowing it had been vulnerable, supposedly a client of a Ukrainian accounting company who has run into similar security issues. AppLocker would have restricted access to executable files, therefore stopping Petya.
    2. This allows the malware to propagate and hijack the master boot record with full privileges from SeDebug.


    I just got too lazy to continue, but essentially the SMB exploits spread across the networks from the other machines running SMB v1, steal network credentials, find a list of all other machines, and spread again using commands from WMIC and PSEXEC for remote execution across a network, allowing petya.dll to spread and hijack more MBRs.
    Thanks, Hydrate! Alls I can say is that it's a good thing I don't have to do anything; otherwise I'd prolly be a goner!


  4. Posts : 29,078
    Windows 10 21H1 Build 19043.1023
       #84

    Hydrate said:
    I have extremely strict firewall rules that disable NetBIOS and SMB completely; I absolutely agree. I don't use those protocols and they're not necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.

    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, OR SMB v1 enabled and/or NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution and infection of the system (the target user needs administrative privileges). The Windows Management Instrumentation command-line (WMIC) is also a method it uses to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, inbound and outbound, on the local network; outbound connections must be blocked or restricted by application demand.

    Then you have nothing to worry about, regardless of having a router with basic set up.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .

    [attached screenshot: New global ransomware attack hits East Europe and spreading-security.png]


  5. Posts : 5,833
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro
       #85

    Wynona said:
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .
    I have mine set on and "PCs on my local network, and PCs on the Internet" on my Insider builds only, for I have no personal files there. I set it to off on my CU partition. I'll wait a bit longer for that to update to the next OEM Fall release. Although, they state that it's safe, I don't trust hackers so far as my CU is concerned.

    Can Delivery Optimization access my personal files?

    Delivery Optimization doesn’t access your personal files or folders or change any files on your PC.
    Windows Update Delivery Optimization: FAQ


  6. Posts : 7,871
    Windows 11 Pro 64 bit
       #86

    Hydrate said:
    I have extremely strict firewall rules that disable NetBIOS and SMB completely; I absolutely agree. I don't use those protocols and they're not necessary.

    f14tomcat, I legitimately thought you were trying to be a smarty pants and prove me wrong, and I mistook it for not being a genuine advice-based question.

    You dismiss Petya's attack vector too simply.

    If there is an admin with admin$ shares enabled, connected to other clients or hosts, OR SMB v1 enabled and/or NetBIOS enabled, Petya will have a feast on the network and scan for lateral infection. Anyone with a share is a possible target for PSEXEC remote file execution and infection of the system (the target user needs administrative privileges). The Windows Management Instrumentation command-line (WMIC) is also a method it uses to propagate itself on the local network if PSEXEC fails.

    Petya utilizes ports 137, 138, 139 and 445, inbound and outbound, on the local network; outbound connections must be blocked or restricted by application demand.

    Then you have nothing to worry about, regardless of having a router with basic set up.

    Shares will be accessed, so it is a pertinent threat to home users once infected.
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?


  7. Posts : 7,871
    Windows 11 Pro 64 bit
       #87

    f14tomcat said:
    Wasn't worried about anything. Just curious why it was enabled by default. Haven't had any problems, and don't intend to.

    And the only admin user on this box is me........
    SMB 1.0 was on by default on all three W10 PCs I have.


  8. Posts : 5,833
    Dual boot Windows 10 FCU Pro x 64 & current Insider 10 Pro
       #88

    essenbe said:
    No, I have no evidence or have heard none that the Russians did it, but they are big state sponsors of cyberattacks. Most of the sources state it did start with an Accounting Software Company in Russia though. That puts it a lot closer to Russia than anyone else. But yes, still speculation.
    You mean to say it was an Accounting Software Company in Ukraine, yes? At least that was in the articles linked in the OP. Have you found otherwise?

    As for the accusation that the Russians are "big state sponsors of cyberattacks": not doubting that, but how about our own government, with possible attacks and proven hacking to spy on us citizens? Or any country, for that matter. Isn't that an attack on our privacy? That's the whole motive for using EternalBlue and other spyware. Thank our government for their insecure systems, which ultimately gave these idiots the tools they needed.

    Anywho, here’s a report from MS:

    On June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.
    New ransomware, old techniques: Petya adds worm capabilities Windows Security


  9. Posts : 124
    Windows 10.0.15063 (Version 1703) Pro 64-bit
       #89

    Wynona said:
    Thanks, Hydrate! Alls I can say is that it's a good thing I don't have to do anything; otherwise I'd prolly be a goner!
    Of course! My specialty is InfoSec and IT security. So, I've really invested my time into this new wiper.

    Steve C said:
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?
    To reduce the attack surface, minimize the probability of the malware spreading and prevent future attacks, yes. I recommend blocking these ports unless you use NetBIOS. I agree with Symantec; as they explain, if you do not use SMB or Windows Network File Sharing capabilities, turn off NetBIOS and SMB, and add the port configurations for extra protection.

    Wynona said:
    I don't know if anyone has thought about this one, or if it could present a problem, so I'll just throw it out here to see what y'all think about it . . .

    [attached screenshot: New global ransomware attack hits East Europe and spreading-security.png]
    Not necessarily a problem unless you have other P2P clients and services running on your IP address (assuming a poorly configured firewall and router; best to assume the worst to be secure), which can be used by attackers for a remote execution exploit or to run some arbitrary code if that software is not updated and remains vulnerable.

    I turn it off because I have high speed internet and all the time in the world to download updates (automatically).

    Steve C said:
    Should home users be blocking those ports and NetBios and if so, what's the best way of doing this?
    If you do not use NetBIOS, I suggest you turn it off in Services to reduce the attack surface; it's a great way for hackers to get in on a Windows box.

    I found all the rules required to block the current strain of Petya we know of (thanks Symantec <3):
    • Add the following Inbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 137, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 138, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: 139, Remote IP: Any, Remote Port: Any
      • Action: Deny, Protocol: TCP, Local Port: 445, Remote IP: Any, Remote Port: Any

    • Add the following Outbound network rules:
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 137
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 138
      • Action: Deny, Protocol: Both TCP and UDP, Local Port: Any, Remote IP: Any, Remote Port: 139
      • Action: Deny, Protocol: TCP, Local Port: Any, Remote IP: Any, Remote Port: 445

    For the ports listed, you access your Firewall (assuming Windows 10) from:

    Create new firewall rules according to the rules I have described above.

    If you would like, I will create a powershell script to append the same rules to your current firewall configurations!
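The rule set above, written out as an added example for this thread (not the script Hydrate offered, and not Symantec's own code), using the built-in NetFirewall cmdlets available on Windows 8 and later. It first reports the state of the SMBv1 optional feature, which post #82 found enabled by default on a fresh install, then creates one Block rule per port, protocol and direction exactly as listed (137-139 on TCP and UDP, 445 on TCP only), and finally lists what it created. The rule-name prefix `Petya-Block` is an assumption chosen here; the commands must be run from an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example for the thread; not Hydrate's promised script. Implements the Symantec
# rule set quoted in post #89 with New-NetFirewallRule. Prefix is an assumption.
$Prefix = 'Petya-Block'

# 1. Report whether the SMBv1 optional feature is still enabled on this machine.
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
"SMB1Protocol feature state: $($smb1.State)"
# To remove it (reboot required), uncomment the next line:
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 2. Build the port/protocol list: 137, 138, 139 on both TCP and UDP; 445 on TCP only.
#    New-NetFirewallRule takes a single -Protocol, so "Both TCP and UDP" becomes two rules.
$rules = @()
foreach ($port in 137, 138, 139) {
    foreach ($proto in 'TCP', 'UDP') {
        $rules += [pscustomobject]@{ Port = $port; Protocol = $proto }
    }
}
$rules += [pscustomobject]@{ Port = 445; Protocol = 'TCP' }

foreach ($r in $rules) {
    # Inbound rule: Local Port = <port>, Remote IP = Any, Remote Port = Any
    $name = "$Prefix-In-$($r.Protocol)-$($r.Port)"
    if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $name -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $r.Protocol -LocalPort $r.Port -RemotePort Any -RemoteAddress Any `
            -Profile Any | Out-Null
    }

    # Outbound rule: Local Port = Any, Remote IP = Any, Remote Port = <port>
    $name = "$Prefix-Out-$($r.Protocol)-$($r.Port)"
    if (-not (Get-NetFirewallRule -Name $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -Name $name -DisplayName $name -Direction Outbound -Action Block `
            -Protocol $r.Protocol -LocalPort Any -RemotePort $r.Port -RemoteAddress Any `
            -Profile Any | Out-Null
    }
}

# 3. Show the resulting rules (expect 14: 7 inbound, 7 outbound).
Get-NetFirewallRule -Name "$Prefix-*" |
    Sort-Object Direction, DisplayName |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize

# Rollback, if local file sharing or some other application stops working after this:
# Get-NetFirewallRule -Name "$Prefix-*" | Remove-NetFirewallRule
```

Because `-Profile Any` applies the rules on Domain, Private and Public networks alike, this blocks Windows file and printer sharing on the local network as well as on the Internet, which is the behaviour bro67 warns about earlier in the thread. The rollback line at the end removes only the rules this script created, so it is safe to try the block and back it out if something breaks.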


  10. Posts : 7,871
    Windows 11 Pro 64 bit
       #90

    Great post 89 by Hydrate! I disabled NetBios as suggested. I also see you can disable NetBIOS via the TCP settings from the network adapter. Which is the best approach?

    I use Kaspersky Total Security and tried disabling the ports in KTS. However, video streaming from BBC iPlayer stops as soon as I disable port 137. It seems disabling these ports is not a good idea for me. It would be useful to know what these ports are used for so people can decide whether to disable them.
    Last edited by Steve C; 02 Jul 2017 at 01:36.

