Friday, May 19, 2017

Shadow Brokers/NSA Malware Update - Haven't Patched? Do It Now.

The Shadow Brokers data dump is the gift that keeps on giving.

It wasn't just the victims and good guys who took notice of the unbridled spread of the WannaCry ransomware worm. The bad guys paid attention, too. And now more SMBv1-based attacks have been unleashed or are in active development.

If you have an older Windows machine and think you're out of luck there's good news. Microsoft recently released updates for their outdated/unsupported operating systems going back to Windows XP. The updates are unusual because Microsoft makes it a practice to never update end-of-life operating systems and software. They prefer to spend development cycles on new products and those under their support contracts. This is a special case, though, as many of the devices infected by WannaCry and being targeted by the new malware include embedded operating systems (things like ATMs and point-of-sale systems) that *can't* be easily updated.

It's also worth noting that, according to, Windows 10 is lagging behind its older predecessors in terms of adoption. Windows 7 makes up nearly half (48.5%) of the current operating systems in use today while XP, Vista, 8 and 8.1 combine to make up over 16%. That's a whole lot of unpatched exposure.

For those with XP, Vista, 8, 8.1, Server 2003 or Server 2008, you can find standalone updates to protect against the SMBv1 exploits here:

For some reason Microsoft made the Windows 7 and Server 2008 R2 standalone updates separate from the above batch. You can find them here:

What are you still doing here? Go patch now!

Saturday, May 13, 2017

Basic Hygiene aka Security 101

What the heck happened on May 12? Super-evil technical genius releases ransomware worm that invaded systems around the world and he made a gazillion dollars?

A ransomware worm was, in fact, released in the wild. It did, in fact, cause mass chaos. This depicts the last 24 hours of infections worldwide (see MalwareTech for real-time stats):

The "evil genius" created this attack by using information released by Shadow Brokers a few weeks ago. As of this writing the miscreant has made a whopping $26K in Bitcoin. Meanwhile, the good guys are continuing to eradicate this mess through various truly genius means.

The real culprit in the exponential spread of this attack? You.

The worm (self-propagating code) leveraged a weakness in an outdated version of a Microsoft Windows feature known as Server Message Block, or SMB, to plant the ransomware and spread itself to the next machine. To grossly oversimplify, SMB is how Microsoft systems "talk" to each other. Microsoft released a patch for this vulnerability on its current products back in March.

The two important points in that last sentence: "current products" and "patched in March."

Microsoft is well known for its upgrade path. Some people like it, some people hate it. Microsoft wants their customers to update to their latest operating systems to make money, sure. But it's also to keep their customers safer. Their engineers and threat researchers constantly work to improve the security of their products. This is why they release monthly security updates. This is also why they offered a free upgrade to Windows 10 for so long.

One of the key factors in the rampant spread of this ransomworm (as some of my peers have dubbed it) is versions of Windows that are so old (XP, for instance), they stopped being supported by Microsoft years ago. This means no security updates have been released for these systems. And that means they are vulnerable to multiple attacks, including this one.

Which brings me to the second point. As stated above, the vulnerabilities that made this worm possible were patched in March. For those who do have current systems, and left Windows Update enabled (the default), you probably just read about the hoopla and went on with your life. According to latest statistics, at least 90,000 people didn't get the memo and have spent the last 24 hours really wishing they had.

This entire event highlights failures in basic computer hygiene. I thought it an opportune time to remind folks of the simple steps to reduce the likelihood of becoming a victim to this and other types of online attacks. This applies to ALL computer and mobile systems, not just Microsoft, by the way:
  • Keep your operating system and installed software current
  • Turn on automatic updates for your operating system (at a minimum) and software popular with bad guys (Adobe, Java, iTunes, etc.)
  • Back up regularly
  • Install antimalware and keep it updated
The last point may or may not have helped with the ransomworm but it's still a good practice. And yes, Mac users, this means you, too. Last week also saw OS X take a direct hit by the Proton malware.
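The SMBv1 exposure described above and the "keep updates on" advice can both be checked from an elevated PowerShell prompt. This is an added example, not code from the original post; it assumes Windows 7 / Server 2008 R2 or later, falls back to the LanmanServer registry value where the SMB cmdlets do not exist, and uses a placeholder for the KB number since the post does not list one.

```powershell
# Added example (not from the original post): audit SMBv1 and automatic-update
# state on a Windows host, and optionally turn SMBv1 off on the server side.
# Run in an elevated PowerShell session.

function Get-Smb1ServerEnabled {
    # Windows 8 / Server 2012 and later expose the SMB cmdlets directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older builds: the LanmanServer 'SMB1' value; absent means enabled (default).
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $p -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $v) { return $true }
    return ($v -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $p -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Takes effect after the Server service (or the host) restarts.
}

function Get-AutoUpdateLevel {
    # Windows Update Agent COM API. NotificationLevel: 1 = disabled,
    # 2 = notify before download, 3 = notify before install, 4 = fully automatic.
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return $au.Settings.NotificationLevel
}

function Test-SmbPatchInstalled {
    # Placeholder: substitute the KB number from Microsoft's March 2017 SMB
    # bulletin for this OS; the post does not list one.
    param([string]$Kb = 'KB<number-from-bulletin>')
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$smb1 = Get-Smb1ServerEnabled
$au   = Get-AutoUpdateLevel
Write-Host "SMBv1 server enabled : $smb1"
Write-Host "Auto-update level    : $au (4 = fully automatic)"
Write-Host "SMB patch installed  : $(Test-SmbPatchInstalled)"
if ($smb1)    { Write-Warning 'SMBv1 is on; run Disable-Smb1Server and reboot.' }
if ($au -lt 4) { Write-Warning 'Automatic updates are not fully enabled.' }
```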

Prevention is so much easier than recovering lost time and, worse, lost data.