Canada Kicks Ass
Petya ransomware attacks the world - thank you, NSA!




Tricks @ Thu Jun 29, 2017 6:36 am

DrCaleb:
Tricks:
I'm arguably at that point in that I don't open an email from someone I don't know. If I do know them and I open it and it isn't something I recognize ever talking to them about, or doesn't follow their typical email style, I ignore it unless they ask me about it :lol:


I use Thunderbird in text mode for email. No HTML, no scripting. And I don't open attachments.

I've been tossing around the idea of hosting a mail server on my NAS, but I'm far too lazy to figure out how to do it. Then I can control everything myself.

   



DrCaleb @ Thu Jun 29, 2017 6:42 am

The only problem you'll run into is your ISP will control the DNS record for that IP address, so you may not be able to host your own domain email without their changing DNS records.

For a true email host, you have to use a hosting company or find someone willing to change the DNS record for that IP to allow your email server to be authoritative.

   



Tricks @ Thu Jun 29, 2017 6:45 am

DrCaleb:
The only problem you'll run into is your ISP will control the DNS record for that IP address, so you may not be able to host your own domain email without their changing DNS records.

For a true email host, you have to use a hosting company or find someone willing to change the DNS record for that IP to allow your email server to be authoritative.

Yeah I had looked at using a hosting company but wasn't a fan.

   



DrCaleb @ Thu Jun 29, 2017 6:53 am

Tricks:
DrCaleb:
The only problem you'll run into is your ISP will control the DNS record for that IP address, so you may not be able to host your own domain email without their changing DNS records.

For a true email host, you have to use a hosting company or find someone willing to change the DNS record for that IP to allow your email server to be authoritative.

Yeah I had looked at using a hosting company but wasn't a fan.


At a company I worked for, I got a fiber trunk pulled into the building. ($$$!) It came with a bunch of public IP addresses, so I got to setting up an authoritative server for our domain. But the IPs were part of a block owned by Telus, and getting them to change DNS records was like pulling hen's teeth. And we were paying $10k a month for bandwidth!

I can't imagine what kind of customer service Joe Home User would get, or how you'd explain it to the person at the Indian call center because it isn't going to be in their script of possible problems.

Edit: That's just an FYI on rolling your own email server. A hosting company might be expensive, but they will change DNS entries so you can host your own domain email on their servers. An ISP usually wants you to use their servers and register your domain for you.

   



BartSimpson @ Thu Jun 29, 2017 11:08 am

This just in from Microsoft:

From: Dan Osier
Sent: Thursday, June 29, 2017 6:05:55 PM (UTC) Coordinated Universal Time
To: Dan Osier
Subject: Alert - Additional Guidance Concerning "Petya Ransomware"
What is the purpose of this alert?

This alert is to provide you with additional guidance concerning the ransomware issue being discussed broadly starting on Tuesday, June 27, 2017. This ransomware is being described by the press and security researchers as “Petya Ransomware.”

Background

Microsoft’s antivirus software detects and protects against this ransomware. Our initial analysis found that the ransomware uses multiple techniques to spread, including ones which were addressed by a security update (MS17-010) previously provided for all platforms from Windows XP to Windows 10. We are continuing to investigate, and our support teams are fully mobilized and engaged globally to help any impacted customers.

Windows Defender, System Center Endpoint Protection, and Forefront Endpoint Protection detect this threat family as Ransom:Win32/Petya. Ensure you have a definition version equal to or later than:
• Threat definition version: 1.247.197.0
• Version created on: 12:04:25 PM : Tuesday, June 27 2017 (Pacific Time)
• Last Update: 12:04:25 PM : Tuesday, June 27 2017 (Pacific Time)

In addition, the free Microsoft Safety Scanner http://www.microsoft.com/security/scanner/ is designed to detect this threat as well as many others. If you use a solution from an antivirus provider other than Microsoft, please check with that company.

New guidance from the MMPC Blog

On Tuesday June 27, 2017, the Microsoft Malware Protection Center (MMPC) released a detailed analysis of the Petya Ransomware attack in a new blog post:

Microsoft Malware Protection Center Blog:
New ransomware, old techniques: Petya adds worm capabilities

This MMPC blog provides the most cogent and detailed analysis available on how the malware works and guidance for network administrators and security professionals concerning how to mitigate against specific attack methods.

New guidance from the MSRC Blog

On Wednesday June 28, 2017, the Microsoft Security Response Center (MSRC) released a new blog post to provide additional insights and guidance customers can use to improve protections in the enterprise:

Microsoft Security Response Center Blog:
Update on Petya Malware Attacks

Recommendations from the MSRC blog include:
• If for some reason you cannot apply the update, a possible workaround to reduce the attack surface is to disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547.
• Consider implementing techniques like network segmentation and least privileged accounts that will further limit the impact of these types of malware attacks.
• For those using Windows 10, leverage capabilities like Device Guard to lock down devices and allow only trusted applications, effectively preventing malware from running.
• Finally, consider leveraging Windows Defender Advanced Threat Protection, which automatically detects behaviors used by this new ransomware.

New guidance from the Azure Security Center Blog

On Wednesday June 28, 2017, the Microsoft Azure Security Center released a new blog discussing measures that Azure customers can take to prevent and detect Petya malware through Azure Security Center:

Azure Security Center Blog:
Petya ransomware prevention & detection in Azure Security Center

Recommendations

In addition to the recommendations we included in our previous alert on Tuesday, we strongly recommend reviewing the information provided in these blogs for specific steps you can take to mitigate against Petya Ransomware.

Additional Resources

• Microsoft Security Bulletin: MS17-010 - Security Update for Microsoft Windows SMB Server (4013389)
• KB2696547 - How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server
• Whitepaper: Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, v1 and v2
• Windows Defender Advanced Threat Protection
• Windows IT Center: Device Guard Deployment Guide for Windows 10 and Windows Server 2016
• The Microsoft Security Tech Center: https://technet.microsoft.com/en-us/security/default
• The Microsoft Security Update Guide: http://aka.ms/securityupdateguide

Regarding Information Consistency

We strive to provide you with accurate information in static (this mail) and dynamic (web-based) content. Microsoft’s security content posted to the web is occasionally updated to reflect late-breaking information. If this results in an inconsistency between the information here and the information in Microsoft’s web-based security content, the information in Microsoft’s web-based security content is authoritative.

   
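An added audit script (my own example, not code from Microsoft's alert or from anyone in the thread) that checks the two concrete items the alert gives: whether SMBv1 server support is still enabled (the KB2696547 workaround) and whether the Defender definition version is at least 1.247.197.0. It assumes Windows 8.1/Server 2012 R2 or later with the SmbShare and Defender PowerShell modules; the -Remediate switch is my own addition.

```powershell
# Hypothetical audit script (not from the Microsoft alert or the thread).
# Checks the two items the alert calls out:
#   1. is SMBv1 still enabled on the server side (KB2696547 workaround)?
#   2. is the Defender definition version at least 1.247.197.0?
# Run from an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later;
# Get-SmbServerConfiguration and Get-MpComputerStatus do not exist on Windows 7.
param(
    [switch]$Remediate   # when set, actually disable SMBv1 server support
)

# Minimum definition version quoted in the Microsoft alert above.
$MinDefinitionVersion = [version]'1.247.197.0'

function Test-Smb1Server {
    # $true when the SMB server still accepts SMBv1 sessions.
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-DefenderDefinitions {
    # $true when real-time AV is on and the installed signatures meet the minimum.
    $status = Get-MpComputerStatus -ErrorAction Stop
    $installed = [version]$status.AntivirusSignatureVersion
    Write-Host ("Defender signature version: {0} (minimum {1})" -f $installed, $MinDefinitionVersion)
    return ($status.AntivirusEnabled -and $installed -ge $MinDefinitionVersion)
}

$findings = @()

if (Test-Smb1Server) {
    $findings += 'SMBv1 server protocol is ENABLED'
    if ($Remediate) {
        # The PowerShell method documented in KB2696547; applies to new sessions.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMBv1 server protocol disabled.'
    }
} else {
    Write-Host 'SMBv1 server protocol is disabled.'
}

if (-not (Test-DefenderDefinitions)) {
    $findings += 'Defender AV disabled or definitions older than 1.247.197.0; run Update-MpSignature'
}

if ($findings.Count -eq 0) {
    Write-Host 'No findings: SMBv1 workaround and Defender definitions look in order.'
    exit 0
}
$findings | ForEach-Object { Write-Warning $_ }
exit 1
```

Disabling SMBv1 is only the workaround the alert offers for hosts that cannot take the MS17-010 update; the update itself still needs to be verified per OS, since its KB number differs between Windows versions.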



herbie @ Thu Jun 29, 2017 12:06 pm

DrCaleb:
At company I worked for, I got a fiber trunk pulled into the building. ($$$!) It came with a bunch of public IP addresses, so I got to setting up an authoritative server for our domain. But the IPs were part of a block owned by Telus, and getting them to change DNS records was like pulling hen's teeth. And we were paying $10k a month for bandwidth!

Same damn thing I went through; the lower part of the IP block was formerly a dialup bank. Had to get Telus to contact all the spam services. Didn't use them for hosting or registration and ran my own DNS servers; Telus propagation was actually pretty quick.
Happy not to do that shit anymore. Run your own mail server if you want to piss around with security shit every bloody day.

   



gordsgold @ Wed Sep 06, 2017 8:21 am

Hmm, ransomware is huge, but I'd also keep an eye out for malvertising. It's apparently becoming the next big threat as "there was a 132% increase in malvertising in 2016 compared to the previous year. Out of two billion advertisements, it’s safe to say that an average of one in every 250 is infected"

As if advertising on the internet wasn't bad enough already :/ I guess as long as banner and display advertising continues to increase, there will always be vulnerabilities in plugins and opportunities for malware in ads :(

   


