Wana decrypt0r 2.0 cryptor mass attack sedang berlangsung

Saat ini, seseorang dapat mengamati serangan skala besar oleh Wana decrypt0r 2.0 trojan-decryptor
Serangan itu diamati di jaringan yang berbeda sepenuhnya tidak terkait satu sama lain.

Ransomware menyebar di lab di universitas ( dari sini )

Beberapa perusahaan menyarankan pengguna mereka untuk mematikan komputer mereka dan menunggu instruksi lebih lanjut.

Menghubungi mantan rekan kerja, saya terkejut dengan cerita serupa.

Bagi saya, hari ini saya sedang mempersiapkan beberapa gambar Windows baru untuk sistem cloud kami, di antaranya adalah Windows Server 2008 R2.

Yang paling menarik, segera setelah saya menginstal Windows dan mengatur alamat IP statis di atasnya, ia langsung terinfeksi selama beberapa menit.

Semua gambar Windows diperoleh dari MSDN, hash cocok, sehingga kemungkinan infeksi gambar dikecualikan.

Dan ini terlepas dari kenyataan bahwa konfigurasi firewall untuk satu-satunya antarmuka jaringan yang melihat ke luar dikonfigurasikan sebagai "Jaringan publik".

~~Nmap tidak menemukan port terbuka~~ . Output nmap menunjukkan bahwa bahkan dalam kasus ini, beberapa port terbuka secara default:

Host is up (0.017s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
49154/tcp open  unknown

— Virtio-, Windows CD.
ISO- — Fedora, .

~~Windows~~ .

, .

:

, :

UPD: , SMBv1.

:

Microsoft Security Bulletin MS17-010
, (Windows XP, Winows Server 2003R2)

- , SMBv1. ( Windows 8.1 ):

dism /online /norestart /disable-feature /featurename:SMB1Protocol

UPD2: . :

, Windows 7 Windows Server 2008 R2, 4012212 4012215
cmd.exe ( )
:
```
wmic qfe list | findstr 4012212
```
Enter

- , :

http://support.microsoft.com/?kbid=4012212 P2 Security Update KB4012212 NT AUTHORITY\ 3/18/2017

,
, UPD9

100% .
, , Windows .

UPD3: :

, . FuzzBunch, Shadow Brokers Equation Group, . .
Microsoft MS 17-010, .
https://github.com/fuzzbunch/fuzzbunch .
DoublePulsar.
, 445 MS 17-010, DoublePulsar
, .

UPD4: :

UPD5: :

Here is a video showing ETERNALBLUE being used to compromise a Windows 2008 R2 SP1 x64 host in under 120 seconds with FUZZBUNCH #0day ;-) pic.twitter.com/I9aUF530fU
— Hacker Fantastic (@hackerfantastic) April 14, 2017

UPD6: :

- WannaCrypt , iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
, @MalwareTechBlog, , - , .

, , , ; , . , .

- 12 . 300 . 99 , , «», . , , . .
, , Windows, .

UPD7: Microsoft (Windows XP Windows Server 2003R2)

UPD8: 2ch.hk

Shadow brokers
C/Python
Linux

?
Linux
IP
445
SMB , ,
.

UPD9: :

MS17-010

Windows XP: download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-rus_84397f9eeea668b975c0c2cf9aaf0e2312f50077.exe
Windows XP x64: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
Windows Vista x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Vista x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows 7 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu
Windows 7 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
Windows 8 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x86_5e7e78f67d65838d198aa881a87a31345952d78e.msu
Windows 8 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
Windows 8.1 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x86_e118939b397bc983971c88d9c9ecc8cbec471b05.msu
Windows 8.1 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
Windows 10 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x86_8c19e23de2ff92919d3fac069619e4a8e8d3492e.msu
Windows 10 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu
Windows 10 (1511) x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x86_f997cfd9b59310d274329250f14502c3b97329d5.msu
Windows 10 (1511) x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x64_7b16621bdc40cb512b7a3a51dd0d30592ab02f08.msu
Windows 10 (1607) x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x86_8b376e3d0bff862d803404902c4191587afbf065.msu
Windows 10 (1607) x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu

Windows Server 2003 x86: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-rus_62e38676306f9df089edaeec8924a6fdb68ec294.exe
Windows Server 2003 x64: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-rus_6efd5e111cbfe2f9e10651354c0118517cee4c5e.exe
Windows Server 2008 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Server 2008 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows Server 2008 R2: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
Windows Server 2012: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
Windows Server 2012 R2: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
Windows Server 2016: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu

UPD10: killswitch UPD6.

xsash, Inflame, Pulse, nxrighthere, waisberg, forajump, Akr0n, LESHIY_ODESSA, Pentestit, alguryanow .

Source: https://habr.com/ru/post/id403837/

All Articles