Free Republic

Crippling cyberattack continues to spread around the world
L A Times ^ | 05/13/2017 6:45 pm Pacific

Posted on 05/13/2017 10:11:46 PM PDT by BenLurkin



To: BenLurkin
Saw this online this morning...if you can't patch, disable SMBv1.0


21 posted on 05/15/2017 6:37:25 AM PDT by mac_truck (aide toi et dieu t'aidera)

To: rarestia
Phishing and spear-phishing represent the majority of malicious exploit distributions around the world today. Despite being "shouted down" by other FReepers calling me a Microsoft fanboi, which I freely admit I am, Microsoft isn't the problem here. This is a user education issue.

No, that's not correct. The attacking software probes for SNMP v1 on listening computers and exploits the bug. There is no user involvement at all.

22 posted on 05/15/2017 6:50:38 AM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: rarestia

Sorry, that should say SMB v.1 not SNMP.


23 posted on 05/15/2017 6:53:29 AM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: Cen-Tejas
Thought I had the best anti virus!

Anti-virus can't stop the attack. The attacking software connects directly to the vulnerable service and all that anti-virus does is stop execution of downloaded malware, clicking on attachments, etc. The only way to stop the attack is to stop incoming connections with a firewall. Windows firewall will do it, either stopping all incoming connections or just port 139 which has the vulnerability. You can also turn off SMB v1 compatibility which stops it. Or apply the patch. I never patch so I have to do one of the other things to stop it.

24 posted on 05/15/2017 6:57:22 AM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: mac_truck

Yep, that’s right. I did that (disabled SMB v.1). But I also stopped incoming connections, then realized I needed one. So I stopped incoming to port 139 instead using Windows firewall.


25 posted on 05/15/2017 6:58:50 AM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: palmer

It was also mentioned to close down port 445.


26 posted on 05/15/2017 7:02:15 AM PDT by bar sin·is·ter

To: palmer

SMB (over TCP 445) is not something most businesses have wide open to the Internet. There’s no evidence that the infection is spread through direct injection via SMB exposed to the Internet. The infection has to be introduced into an environment and can spread from there. If SMBv1 is available (and MS17-010 is not distributed), it makes lateral movement all that much easier.

There are 2 compromises here: SMBv1, addressed by MS17-010, and WannaCry(pt). WannaCry(pt) is your typical run-of-the-mill ransomware with logic built into it to look for SMBv1 to compromise. That’s new. Otherwise, the infection has to start by someone stupid enough to let it loose in an environment, and I stand by my original post.


27 posted on 05/15/2017 7:23:36 AM PDT by rarestia (Repeal the 17th Amendment and ratify Article the First to give the power back to the people!)
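
The mitigations discussed in the posts above (turning off SMBv1, blocking inbound ports 139 and 445 with Windows Firewall), shown as an added PowerShell example that is not part of any post. It assumes Windows 8 / Server 2012 or later and an elevated session; the function names and the rule name are made up for illustration, and it does not check for the MS17-010 patch.

```powershell
#Requires -RunAsAdministrator
# Added example: audit one Windows host for SMBv1 exposure, then optionally harden it.
# Assumes the SmbShare and NetSecurity modules (Windows 8 / Server 2012 and later).

$RuleName = 'Block inbound SMB and NetBIOS (example)'   # hypothetical rule name

function Get-SmbExposure {
    # Report the SMB server protocol settings, listeners on 139/445,
    # and whether the block rule from this example is already in place.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol
        Smb2ServerEnabled = [bool]$cfg.EnableSMB2Protocol
        ListeningPorts    = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                                Where-Object { $_.LocalPort -in 139, 445 } |
                                Select-Object -ExpandProperty LocalPort -Unique)
        BlockRulePresent  = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1Server {
    # Turns off only the SMBv1 server protocol; SMBv2/v3 shares keep working.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Add-SmbBlockRule {
    # Blocks inbound TCP 139 and 445 on every firewall profile. This also stops
    # legitimate file sharing to this host, so it suits machines that serve no files.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
    }
}

function Invoke-SmbHardening {
    param([switch]$Apply)          # without -Apply the function only reports
    $before = Get-SmbExposure
    if (-not $Apply) { return $before }
    if ($before.Smb1ServerEnabled)    { Disable-Smb1Server }
    if (-not $before.BlockRulePresent) { Add-SmbBlockRule }
    Get-SmbExposure                # state after the changes
}

Invoke-SmbHardening                # audit only; add -Apply to make the changes
```

Running it without `-Apply` first shows whether the host still answers SMBv1 and which of the two ports are listening before anything is changed.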

To: V1Rotate

My thoughts exactly.

I have multiple backups of every file.


28 posted on 05/15/2017 7:26:47 AM PDT by Skooz (Gabba Gabba we accept you we accept you one of us Gabba Gabba we accept you we accept you one of us)

To: palmer

..........just saw this this Sunday morning!

What my tech guy told me to do is just “turn it off” and it will go away. In my case, this threat was precisely known to him and all IT guys/gals. Namely, the culprits put a window saying EMERGENCY...........call Microsoft. Well, I bit and called the number. They sounded totally legit and even with background noise etc etc. But they were not Microsoft. They were crooks.


29 posted on 05/21/2017 7:23:30 AM PDT by Cen-Tejas (it's the debt bomb stupid)

To: Cen-Tejas
The EMERGENCY: CALL MS window is completely fake, put up by a rogue website usually using Flash. That venerable scam has zero relation to the port 139 attack, although they may claim otherwise. Usually they want you to call so they can "fix" your computer remotely. If you turn on remote desktop for them, you are pretty much cooked. If you do not, and do not do anything else they recommend, then you are safe.

They will claim otherwise and give you "proof" that you have been hacked which is all lies. I have salvaged computers that they were let into via someone turning on remote desktop. But it's not easy or pretty (I often end up with broken drivers as I try to remove various infections).

30 posted on 05/21/2017 10:43:53 AM PDT by palmer (turn into nonpaper w no identifying heading and send nonsecure)

To: palmer

...........very good info to know. I’m a self-taught guy and can use them well as long as they work and no outsider rocks the boat. I did suspect BS when this happened and though I did call the number (it looked so authentic), and I did talk to someone (she sounded REAL), I did not give them CC info or let them take over my computer.

All I did was turn it off and unplug it until I could talk to my techie!


31 posted on 05/21/2017 6:33:15 PM PDT by Cen-Tejas (it's the debt bomb stupid)

