Hey sysadmins wake up, NotPetya is just a start

We’ve ain’t seen nothing yet. For most of us, the impact of cyberattacks is still small, but the arms race is on. Visible incidents are still rare. I for example never thought, that Namics could never be touched by simple phishing mail. And I was proven wrong.

And here comes WannaCry exploiting a known weakness referenced as Eternal Blue in Microsofts SMB protocol. Reading about the attack in May, I was shocked about the negligence of the maintenance level of systems. And shocked about the possible damage that could have occurred. I never understood why there was such a simple kill switch programmed into the attack. It felt to me like someone playing with sysadmins.

The reaction to WannaCry’s wakeup call is so obvious: Patch your systems and switch off SMBv1. And now, two month later? NotPetya. The same attack vector: Eternal Blue. And (obviously) a spiced up code to do more harm. Good idea of the attackers to distribute via admin shared and decrypting local passwords was always fun. And why not add some efficiency by only encrypting NFS‘ master file records ;<). If you are before infection, there is a „local file“ kill switch (again: why?). And did anybody say that daily users should have admin rights? Just too simple for the bad guys. And we’ve ain’t seen nothing yet!

So my dear sysadmins: Wake up! You could be responsible of your employer being able to pay any salaries in the future.

Update: Detailed analysis by US-Cert was published referenced as TA17-818A.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.



You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>