Submitted via IRC for SoyCow1
Despite early reports that there was no use of National Security Agency-developed exploits in this week's crypto-ransomware outbreak, research released by Cisco Talos suggests that the ransomware worm known as "Bad Rabbit" did in fact use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims' networks. The attackers used EternalRomance, an exploit that bypasses security over Server Message Block (SMB) file-sharing connections, enabling remote execution of instructions on Windows clients and servers. The code closely follows an open source Python implementation of a Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadowbrokers code release. NotPetya also leveraged this exploit.
(Score: 4, Interesting) by Zinho on Wednesday November 01 2017, @09:47PM
I've been seeing a related attack at work for the last three days; I came into the office on Monday, and was greeted by an unending stream of alerts from my antivirus:
* OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
* Audit: Unimplemented Trans2 Subcommand
* Attack: SMB Double Pulsar Ping
This repeated every 10 minutes or so all day Monday and Tuesday. Only 2 sets today, though, so I guess corporate IT has found the troublemakers and fixed them (traceroute tells me most of the attacks were coming from inside the firewall).
Moral of the story, I guess, is keep your OS patched and antivirus up to date. According to TFA, Microsoft patched this in March, so it is only a threat to unpatched systems.
"Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin