posted by Fnord666 on Wednesday November 01 2017, @09:19PM
from the the-gift-that-keeps-on-giving dept.

Submitted via IRC for SoyCow1

Despite early reports that there was no use of National Security Agency-developed exploits in this week's crypto-ransomware outbreak, research released by Cisco Talos suggests that the ransomware worm known as "Bad Rabbit" did in fact use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims' networks. The attackers used EternalRomance, an exploit that bypasses security over Server Message Block (SMB) file-sharing connections, enabling remote execution of instructions on Windows clients and servers. The code closely follows an open source Python implementation of a Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadowbrokers code release. NotPetya also leveraged this exploit.

Source: https://arstechnica.com/information-technology/2017/10/bad-rabbit-used-nsa-eternalromance-exploit-to-spread-researchers-say/

  • (Score: 4, Interesting) by Zinho on Wednesday November 01 2017, @09:47PM

    by Zinho (759) on Wednesday November 01 2017, @09:47PM (#590780)

    I've been seeing a related attack at work for the last three days; I came into the office on Monday, and was greeted by an unending stream of alerts from my antivirus:
    * OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
    * Audit: Unimplemented Trans2 Subcommand
    * Attack: SMB Double Pulsar Ping

    This repeated every 10 minutes or so all day Monday and Tuesday. Only 2 sets today, though, so I guess corporate IT has found the troublemakers and fixed them (traceroute tells me most of the attacks were coming from inside the firewall).

    Moral of the story, I guess, is keep your OS patched and antivirus up to date. According to TFA, Microsoft patched this in March, so it is only a threat to unpatched systems.

    --
    "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin
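An added triage example (not Zinho's code or any product's) that runs over constructed alert lines in a hypothetical host-AV log format, grouping the three signatures named above by source, flagging RFC 1918 sources as inside-the-firewall hosts and measuring how often each one repeats:

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample alert lines in a hypothetical host-AV log format (not any real product).
SAMPLE_ALERTS = """\
2017-10-30 08:02:11 src=10.20.4.17 sig="OS Attack: Microsoft SMB MS17-010 Disclosure Attempt"
2017-10-30 08:02:13 src=10.20.4.17 sig="Attack: SMB Double Pulsar Ping"
2017-10-30 08:12:40 src=10.20.4.17 sig="OS Attack: Microsoft SMB MS17-010 Disclosure Attempt"
2017-10-30 08:12:41 src=10.20.4.17 sig="Attack: SMB Double Pulsar Ping"
2017-10-30 09:31:05 src=203.0.113.9 sig="OS Attack: Microsoft SMB MS17-010 Disclosure Attempt"
2017-10-30 08:22:59 src=10.20.7.3 sig="Audit: Unimplemented Trans2 Subcommand"
"""

LINE_RE = re.compile(r'^(\S+ \S+) src=(\S+) sig="([^"]+)"$')
MS17_010_SIGS = {
    "OS Attack: Microsoft SMB MS17-010 Disclosure Attempt",
    "Audit: Unimplemented Trans2 Subcommand",
    "Attack: SMB Double Pulsar Ping",
}
# Explicit RFC 1918 check: ipaddress.is_private also matches documentation ranges like 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_alerts(text):
    """Yield (timestamp, source_ip, signature); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, ipaddress.ip_address(m.group(2)), m.group(3)

def triage(text):
    """Per source: hit count, internal (RFC 1918) or not, longest gap between hits in minutes."""
    per_src = defaultdict(list)
    for ts, src, sig in parse_alerts(text):
        if sig in MS17_010_SIGS:
            per_src[src].append(ts)
    report = {}
    for src, stamps in per_src.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[str(src)] = {
            "internal": any(src in net for net in RFC1918),
            "count": len(stamps),
            "max_gap_min": max(gaps, default=0.0) / 60,
        }
    return report

def internal_sources(report):
    return sorted(ip for ip, r in report.items() if r["internal"])  # isolate and patch these first
```

An internal source with a steady roughly ten-minute repeat interval is the infected neighbour scanning the LAN, not background noise from the Internet.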
  • (Score: 2) by Snotnose on Wednesday November 01 2017, @11:29PM (1 child)

    by Snotnose (1623) Subscriber Badge on Wednesday November 01 2017, @11:29PM (#590805)

    But while I love Python, it isn't exactly a low level programming language like C/C++. If Python can break your security, your security is seriously broken.

    --
    Recent research has shown that 1 out of 3 Trump supporters is as stupid as the other 2.
    • (Score: 5, Interesting) by Virindi on Wednesday November 01 2017, @11:55PM

      by Virindi (3484) on Wednesday November 01 2017, @11:55PM (#590807)

      Huh? Even high level languages tend to be capable of assembling buffers of arbitrary bytes (aka packets). We're not talking about complex manipulation of memory and opcodes here, this is a REMOTE exploit. As in, if you send the right packet (or packet sequence) to the target, it has an unintended effect.

      If the effect generated on the target is a stack overflow, the ROP/shellcode payload will not start by executing in Python. But you could still send it from a Python script on the attacking PC.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday November 02 2017, @02:15AM

    by Anonymous Coward on Thursday November 02 2017, @02:15AM (#590839)

    Glad I always disable SMB and block the ports on my windows boxes!

  • (Score: 3, Funny) by aristarchus on Thursday November 02 2017, @03:04AM

    by aristarchus (2645) on Thursday November 02 2017, @03:04AM (#590855) Journal

    I have a bad feeling about this. Malware, that breeds like rabbits? At least it is not Tribbles, yet.

  • (Score: 0) by Anonymous Coward on Thursday November 02 2017, @01:50PM (2 children)

    by Anonymous Coward on Thursday November 02 2017, @01:50PM (#591010)

    soooo .. excuse me, WHAT is the secret to sending files over the network then?

    FTP is not encrypted, has "troubles" without extra firewall modules (babysitting).
    SMB is flawed because it was born and raised in m$ house.
    NFS works perfect, if you got a computer engineering degree from some uni that guarantees a house, car and wife.
    what the F...k. can normal people use to innocently send files from one computer to the other then?

    this is crazy. the most basic problem is ... made difficult, for what?
    it looks like a conspiracy :}

    • (Score: 2) by Freeman on Thursday November 02 2017, @04:23PM

      by Freeman (732) on Thursday November 02 2017, @04:23PM (#591122) Journal

      I use Dropbox. Though, good old fashioned Sneaker Net is very reliable and not likely to be intercepted between the two computers.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
    • (Score: 0) by Anonymous Coward on Thursday November 02 2017, @07:34PM

      by Anonymous Coward on Thursday November 02 2017, @07:34PM (#591276)

      What? NFS is pretty damn easy to set up, the only drawback is it only works with nixes. I've got no degree, no car, no house, no wife, a couple F's, and I can figure it out...
