Wana decrypt0r 2.0 ataque em massa de criptografia está em andamento

No momento, pode-se observar um ataque em larga escala pelo Wana decrypt0r 2.0 trojan-decryptor
O ataque é observado em redes diferentes, completamente sem relação entre si.

Um ransomware que se espalha no laboratório da universidade ( daqui )

Algumas empresas aconselham seus usuários a desligar seus computadores e aguardar mais instruções.

Entrando em contato com ex-colegas, fiquei surpreso com histórias semelhantes.

Quanto a mim, hoje eu estava preparando várias novas imagens do Windows para o nosso sistema em nuvem, entre elas o Windows Server 2008 R2.

O mais interessante é que, assim que instalei o Windows e configurei um endereço IP estático, ele foi imediatamente infectado por vários minutos.

Todas as imagens do Windows foram obtidas no MSDN, os hashes correspondem e, portanto, a possibilidade de infecção da imagem é excluída.

E isso apesar do fato de que a configuração do firewall para a única interface de rede externa foi configurada como uma "rede pública".

~~O Nmap não encontra portas abertas~~ . A saída nmap mostra que, mesmo nesse caso, algumas portas são abertas externamente por padrão:

Host is up (0.017s latency).
Not shown: 997 filtered ports
PORT      STATE SERVICE
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
49154/tcp open  unknown

— Virtio-, Windows CD.
ISO- — Fedora, .

~~Windows~~ .

, .

:

, :

UPD: , SMBv1.

:

Microsoft Security Bulletin MS17-010
, (Windows XP, Winows Server 2003R2)

- , SMBv1. ( Windows 8.1 ):

dism /online /norestart /disable-feature /featurename:SMB1Protocol

UPD2: . :

, Windows 7 Windows Server 2008 R2, 4012212 4012215
cmd.exe ( )
:
```
wmic qfe list | findstr 4012212
```
Enter

- , :

http://support.microsoft.com/?kbid=4012212 P2 Security Update KB4012212 NT AUTHORITY\ 3/18/2017

,
, UPD9

100% .
, , Windows .

UPD3: :

, . FuzzBunch, Shadow Brokers Equation Group, . .
Microsoft MS 17-010, .
https://github.com/fuzzbunch/fuzzbunch .
DoublePulsar.
, 445 MS 17-010, DoublePulsar
, .

UPD4: :

UPD5: :

Here is a video showing ETERNALBLUE being used to compromise a Windows 2008 R2 SP1 x64 host in under 120 seconds with FUZZBUNCH #0day ;-) pic.twitter.com/I9aUF530fU
— Hacker Fantastic (@hackerfantastic) April 14, 2017

UPD6: :

- WannaCrypt , iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
, @MalwareTechBlog, , - , .

, , , ; , . , .

- 12 . 300 . 99 , , «», . , , . .
, , Windows, .

UPD7: Microsoft (Windows XP Windows Server 2003R2)

UPD8: 2ch.hk

Shadow brokers
C/Python
Linux

?
Linux
IP
445
SMB , ,
.

UPD9: :

MS17-010

Windows XP: download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-rus_84397f9eeea668b975c0c2cf9aaf0e2312f50077.exe
Windows XP x64: http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe
Windows Vista x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Vista x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows 7 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu
Windows 7 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
Windows 8 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x86_5e7e78f67d65838d198aa881a87a31345952d78e.msu
Windows 8 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
Windows 8.1 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x86_e118939b397bc983971c88d9c9ecc8cbec471b05.msu
Windows 8.1 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
Windows 10 x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x86_8c19e23de2ff92919d3fac069619e4a8e8d3492e.msu
Windows 10 x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu
Windows 10 (1511) x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x86_f997cfd9b59310d274329250f14502c3b97329d5.msu
Windows 10 (1511) x64: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013198-x64_7b16621bdc40cb512b7a3a51dd0d30592ab02f08.msu
Windows 10 (1607) x86: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x86_8b376e3d0bff862d803404902c4191587afbf065.msu
Windows 10 (1607) x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu

Windows Server 2003 x86: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x86-custom-rus_62e38676306f9df089edaeec8924a6fdb68ec294.exe
Windows Server 2003 x64: http://download.windowsupdate.com/c/csa/csa/secu/2017/02/windowsserver2003-kb4012598-x64-custom-rus_6efd5e111cbfe2f9e10651354c0118517cee4c5e.exe
Windows Server 2008 x86: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu
Windows Server 2008 x64: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu
Windows Server 2008 R2: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x64_2decefaa02e2058dcd965702509a992d8c4e92b3.msu
Windows Server 2012: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8-rt-kb4012214-x64_b14951d29cb4fd880948f5204d54721e64c9942b.msu
Windows Server 2012 R2: http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/02/windows8.1-kb4012213-x64_5b24b9ca5a123a844ed793e0f2be974148520349.msu
Windows Server 2016: http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/03/windows10.0-kb4013429-x64_ddc8596f88577ab739cade1d365956a74598e710.msu

UPD10: killswitch UPD6.

xsash, Inflame, Pulse, nxrighthere, waisberg, forajump, Akr0n, LESHIY_ODESSA, Pentestit, alguryanow .

Source: https://habr.com/ru/post/pt403837/

All Articles