New Ytest
Sign out
Bimmerpost
Login
BMW E39 5-Series Forum | 5Post.com
BMW Garage BMW Meets Register Search Today's Posts Mark Forums Read  
Go Back   BMW E39 5-Series Forum | 5Post.com > BIMMERPOST Universal Forums > Off-Topic Discussions Board

Post Reply
 
Thread Tools Search this Thread
      06-27-2017, 04:10 PM   #1
Matticus91
Brigadier General
Matticus91's Avatar
United_States
3520
Rep
3,722
Posts

 
Drives: 2013 135i
Join Date: Aug 2015
Location: Washington DC

iTrader: (6)

Exclamation Petya & NotPetya Ransomware %$&#!!

Anyone else an IT professional? If you're looking for info on this here's some that might help...

There’s another ransomware virus going around – started in Holland and Ukraine this morning and has jumped to the US since, already reports in local businesses including a large hospital in PA. It’s primarily spreading by sending emails with either a Word doc or a .scr executable file using notepad and then trying to auto-run macros online. These are some precautions that can be taken to help prevent the attack:


Block ADMIN$ via GPO to stop lateral movement on WMI and PSEXEC

There are a few killswitches being tested but non confirmed 100%: Create files with no extension in %windir% named perfc and perfdec

That MAY halt the virus, but remains unconfirmed.


MS Patch that resolves the attack vector (as listed CVE-2017-0199): https://support.microsoft.com/en-us/...-april-11-2017

More details on CVE-2017-0199: https://www.fireeye.com/blog/threat-...a-handler.html

Other measures:
• Adjust spam filter to block the following extensions
o Scr
o Js
o Vbs
o Exe
• Block .zip if possible
• Ensure AV is up-to-date and running

Github link with lots of good info: https://gist.github.com/vulnersCom/6...4c176baba45759

Godspeed to anyone not on top of this.

Edit:

Cisco you bunch of cheeky fuckers you (see attached lol)
Attached Images
 
__________________
"Tobias" 2013 135i ///M-Sport 6MT • Pure Stage 1 • XDI 35 HPFP • 404whp/440wtq

Last edited by Matticus91; 06-27-2017 at 04:15 PM..
Appreciate 2
      06-27-2017, 04:11 PM   #2
Matticus91
Brigadier General
Matticus91's Avatar
United_States
3520
Rep
3,722
Posts

 
Drives: 2013 135i
Join Date: Aug 2015
Location: Washington DC

iTrader: (6)

Also https://ransomfree.cybereason.com/ may or may not help here, no confirmations yet but can't hurt
__________________
"Tobias" 2013 135i ///M-Sport 6MT • Pure Stage 1 • XDI 35 HPFP • 404whp/440wtq
Appreciate 0
      06-27-2017, 04:44 PM   #3
UncleWede
Long Time Admirer, First Time Owner
UncleWede's Avatar
United_States
18404
Rep
9,420
Posts

 
Drives: G01 X3 M40i Dark Graphite
Join Date: Jun 2005
Location: Oxnard, CA

iTrader: (0)

I made an appt for PA to review my firewall with me, but not until next week. Backups are running well at this point. AV is up to date on all devices. Printing out that list of machines that have more than 10 updates left from WSUS and making personal visits.
Appreciate 1
Matticus913519.50
      06-27-2017, 06:48 PM   #4
c1pher
Primo Generalissimo
c1pher's Avatar
United_States
4980
Rep
4,175
Posts

 
Drives: All of them
Join Date: Jun 2009
Location: DC area

iTrader: (0)

Garage List
The vulnerability associated with this has already been patched. Just keep your $h1t updated an you'll be fine. Report after report including my own internal stats illustrate that 90-95% of these hacks can be prevented with already existing tools. Good passwords, AV and updated software take care of almost everything. It can be more complicated than that in an enterprise, but at home, not so much.
Appreciate 1
Matticus913519.50
      06-27-2017, 07:40 PM   #5
zx10guy
Brigadier General
5506
Rep
3,310
Posts

 
Drives: 2013 135i
Join Date: Feb 2014
Location: DC

iTrader: (0)

If you're dealing with enterprise level systems, getting a heuristic based security solution is key here. Using signature based security solutions will not provide the necessary protections. For end point/client protection, I've been recommending Cylance. Here's a blog they put out about Petya:

https://www.cylance.com/en_us/blog/c...ampaign=buffer
__________________
Quote:
Originally Posted by Lups View Post
We might not be in an agreement on Trump, but I'll be the first penis chaser here to say I'll rather take it up in the ass than to argue with you on this.
Appreciate 1
Matticus913519.50
      06-28-2017, 08:59 AM   #6
Matticus91
Brigadier General
Matticus91's Avatar
United_States
3520
Rep
3,722
Posts

 
Drives: 2013 135i
Join Date: Aug 2015
Location: Washington DC

iTrader: (6)

Quote:
Originally Posted by MGM135is View Post
The vulnerability associated with this has already been patched. Just keep your $h1t updated an you'll be fine. Report after report including my own internal stats illustrate that 90-95% of these hacks can be prevented with already existing tools. Good passwords, AV and updated software take care of almost everything. It can be more complicated than that in an enterprise, but at home, not so much.
100% true, and yes I'm dealing with this in an enterprise situation with global deployments that rarely hit HQ for updates
__________________
"Tobias" 2013 135i ///M-Sport 6MT • Pure Stage 1 • XDI 35 HPFP • 404whp/440wtq
Appreciate 0
      06-28-2017, 09:29 AM   #7
UncleWede
Long Time Admirer, First Time Owner
UncleWede's Avatar
United_States
18404
Rep
9,420
Posts

 
Drives: G01 X3 M40i Dark Graphite
Join Date: Jun 2005
Location: Oxnard, CA

iTrader: (0)

I'm still waiting on a quote for TRAPS, to leverage my WildFire from PA. I'm still a bit worried about putting all my eggs into one basket though.

End users are so difficult to persuade to do their updates. <whining> "But, it takes time" </whining>

Not half as long as if you infect your computer, the network, and I have to rebuild both.
Appreciate 0
      06-28-2017, 09:55 AM   #8
Blacross
Second Lieutenant
97
Rep
201
Posts

 
Drives: Tundra
Join Date: Jul 2012
Location: Ny

iTrader: (0)

best investment we ever made was using mimecast for sandboxing email attachments. happy sys admin here
Appreciate 0
      06-28-2017, 10:34 AM   #9
Wolf 335
Brigadier General
Wolf 335's Avatar
Canada
2561
Rep
3,659
Posts

 
Drives: 2007 E92 335i
Join Date: Aug 2012
Location: Toronto

iTrader: (0)

Once infected is there absolutely no way of gaining access to your files without paying?
Appreciate 0
      06-28-2017, 10:40 AM   #10
Matticus91
Brigadier General
Matticus91's Avatar
United_States
3520
Rep
3,722
Posts

 
Drives: 2013 135i
Join Date: Aug 2015
Location: Washington DC

iTrader: (6)

Quote:
Originally Posted by Blacross View Post
best investment we ever made was using mimecast for sandboxing email attachments. happy sys admin here
'

We switched from MXlogic to MC this year when MX was ending, great system.

Quote:
Originally Posted by Wolf 335 View Post
Once infected is there absolutely no way of gaining access to your files without paying?
There's pretty much no way even if you do pay, the chances of actually getting your shit back is essentially zilch.

Your best bet if you DO get infected is to turn your shit off, pull out your hard drive, try to recover your files using a machine you don't care about, scrub that shit, and hope for the best.

Otherwise, just make a backup ahead of time and wipe/restore.
__________________
"Tobias" 2013 135i ///M-Sport 6MT • Pure Stage 1 • XDI 35 HPFP • 404whp/440wtq
Appreciate 0
      06-28-2017, 10:42 AM   #11
NoGuru
Major
NoGuru's Avatar
779
Rep
1,434
Posts

 
Drives: 335is
Join Date: Apr 2017
Location: MI

iTrader: (0)

Garage List
2021 Chevy Silverad ...  [0.00]
2014 CTS  [0.00]
2011 335is  [0.00]
We are getting updates about this and Wannacry daily. We have about 110K employees so patching is critical.
No one in North America has got this at the Co yet.
__________________
2011 335is DCT BQ Tuning / BMS CAI / VRSF kittyless DP's / Synapse BOV and charge pipe / 7" VRSF Race FMIC / Walbro 535 and 450 on BMP4 / E90 tune / Diff Brace / PR Coils / Relocation Inlets / DAW Stage3+ Turbos / MMP port injection / xHP Stage 3 / FPR and -6 fuel lines
Appreciate 0
      06-28-2017, 10:44 AM   #12
Matticus91
Brigadier General
Matticus91's Avatar
United_States
3520
Rep
3,722
Posts

 
Drives: 2013 135i
Join Date: Aug 2015
Location: Washington DC

iTrader: (6)

Quote:
Originally Posted by NoGuru View Post
We are getting updates about this and Wannacry daily. We have about 110K employees so patching is critical.
No one in North America has got this at the Co yet.
Fingers crossed for you mate, 110k employees is a scary number haha. If everyone is patched up and you've done your proper prep work you should be ok. At the very least doing some GPO blocking with admin$ would prevent any lateral movement and keep things isolated.
__________________
"Tobias" 2013 135i ///M-Sport 6MT • Pure Stage 1 • XDI 35 HPFP • 404whp/440wtq
Appreciate 0
      06-28-2017, 10:55 AM   #13
335e92tx
ahat
335e92tx's Avatar
1064
Rep
2,592
Posts

 
Drives: Was '07-335e92 - Now '13-335IS
Join Date: Mar 2008
Location: Texas

iTrader: (6)

Good effort -

Quote:
Originally Posted by Matticus91 View Post
Anyone else an IT professional?
Not anymore - retired after 33yrs..

G/L

It wont get any better...

Quote:
Originally Posted by NoGuru View Post
We have about 110K employees so patching is critical.
No one in North America has got this at the Co yet.
G/L to u 2.

I used to be an ISO for 6K users that were both geographically dispersed and had no central policy mgmt..
See above about retired ;-)
__________________

'13 335IS N54 (1 of 373 LeMans Blue out of 3597 total production e92)- Grey interior (1 of 24 in LMB with any trans- 1 of 14 with DCT)-MODS -MFactory LSD/MHD-BQ custom Tune/ATM-IC/AFE Momentum GT Intake/Konis/Mfront&HeimJoint Rear rods&arms/Brembos.
https://photos.app.goo.gl/Lo6aHZRo7XqtPkhL8
Appreciate 0
      06-28-2017, 10:56 AM   #14
NoGuru
Major
NoGuru's Avatar
779
Rep
1,434
Posts

 
Drives: 335is
Join Date: Apr 2017
Location: MI

iTrader: (0)

Garage List
2021 Chevy Silverad ...  [0.00]
2014 CTS  [0.00]
2011 335is  [0.00]
Quote:
Originally Posted by Matticus91 View Post
Fingers crossed for you mate, 110k employees is a scary number haha. If everyone is patched up and you've done your proper prep work you should be ok. At the very least doing some GPO blocking with admin$ would prevent any lateral movement and keep things isolated.
Unfortunately I cannot manage GPO's, I can only deploy software and patch's.
We have done a lot to prevent this but you never know what is going to get through.
I like the Cisco add when searching for Petya,
__________________
2011 335is DCT BQ Tuning / BMS CAI / VRSF kittyless DP's / Synapse BOV and charge pipe / 7" VRSF Race FMIC / Walbro 535 and 450 on BMP4 / E90 tune / Diff Brace / PR Coils / Relocation Inlets / DAW Stage3+ Turbos / MMP port injection / xHP Stage 3 / FPR and -6 fuel lines
Appreciate 0
      06-28-2017, 11:38 AM   #15
UncleWede
Long Time Admirer, First Time Owner
UncleWede's Avatar
United_States
18404
Rep
9,420
Posts

 
Drives: G01 X3 M40i Dark Graphite
Join Date: Jun 2005
Location: Oxnard, CA

iTrader: (0)

So, the last major infection that ran thru the network shares; 1 GUESS who thought his computer sandboxing would make it safe to open that attachment he KNEW was viral, just out of PROFESSIONAL curiosity.

I was supposed to cruise down the coast to Neptune's Net for a retirement party for an old friend. Didn't make it . . .
Appreciate 0
      06-28-2017, 12:02 PM   #16
davis449
Captain
United_States
426
Rep
887
Posts

 
Drives: 2014 Audi SQ5
Join Date: Apr 2014
Location: San Antonio, TX

iTrader: (0)

Quote:
Originally Posted by Matticus91 View Post
100% true, and yes I'm dealing with this in an enterprise situation with global deployments that rarely hit HQ for updates
Enterprise level here as well, same situation...
Appreciate 0
      06-28-2017, 01:01 PM   #17
Blacross
Second Lieutenant
97
Rep
201
Posts

 
Drives: Tundra
Join Date: Jul 2012
Location: Ny

iTrader: (0)

since there's a bunch of IT people in this thread I'll throw it out there that I'm looking to move somewhere warmer all year (Texas, NC, Florida, etc)

I have 20 years experience and I'm looking for something at a senior level systems admin or IT management. I have the usual cisco certs, security certs and I'm a certified penetration tester.

So if anyone is hiring I'd love the lead.
Appreciate 0
      06-28-2017, 01:26 PM   #18
zx10guy
Brigadier General
5506
Rep
3,310
Posts

 
Drives: 2013 135i
Join Date: Feb 2014
Location: DC

iTrader: (0)

Quote:
Originally Posted by Blacross View Post
since there's a bunch of IT people in this thread I'll throw it out there that I'm looking to move somewhere warmer all year (Texas, NC, Florida, etc)

I have 20 years experience and I'm looking for something at a senior level systems admin or IT management. I have the usual cisco certs, security certs and I'm a certified penetration tester.

So if anyone is hiring I'd love the lead.
If you don't mind working for the Federalis, US CERT has a location in Florida. US CERT is under DHS/NPPD. You might want to look on USA Jobs to see if there are any openings there.
__________________
Quote:
Originally Posted by Lups View Post
We might not be in an agreement on Trump, but I'll be the first penis chaser here to say I'll rather take it up in the ass than to argue with you on this.
Appreciate 0
      06-28-2017, 01:47 PM   #19
Sidewinderpb
Banned
327
Rep
1,739
Posts

 
Drives: 2017 340i xDrive 6mt
Join Date: Nov 2013
Location: CT

iTrader: (7)

Quote:
Originally Posted by Wolf 335 View Post
Once infected is there absolutely no way of gaining access to your files without paying?
Once encrypted, yeah. But the guys behind it were supposedly reviewing each payment confirmation manually, and the email account that victims were supposed to send payment confirmation to has been shut down...so you're probably screwed even if you pay.

One of our clients is headquartered in the Ukraine, and all of their computers have been encrypted. I'm no IT expert, but I think this still boils down to stupid people clicking on stupid things.
Appreciate 0
      06-28-2017, 01:56 PM   #20
UncleWede
Long Time Admirer, First Time Owner
UncleWede's Avatar
United_States
18404
Rep
9,420
Posts

 
Drives: G01 X3 M40i Dark Graphite
Join Date: Jun 2005
Location: Oxnard, CA

iTrader: (0)

Quote:
Originally Posted by Sidewinderpb View Post
I'm no IT expert (but I did stay at a Holiday Inn Express last night), but I think this still boils down to stupid people clicking on stupid things.
FTFY

So, really what you are saying is that if I get an email saying that's Joe's Pest Service has an invoice for $485.77 in my name, I shouldn't click on the link to see the bill that goes to some random website that doesn't even have the word "Joe" in it???
Appreciate 0
      06-28-2017, 02:06 PM   #21
Sidewinderpb
Banned
327
Rep
1,739
Posts

 
Drives: 2017 340i xDrive 6mt
Join Date: Nov 2013
Location: CT

iTrader: (7)

Quote:
Originally Posted by UncleWede View Post
FTFY

So, really what you are saying is that if I get an email saying that's Joe's Pest Service has an invoice for $485.77 in my name, I shouldn't click on the link to see the bill that goes to some random website that doesn't even have the word "Joe" in it???
Well, yeah...it's both a hotel and a motel. No better place for an avid blacklighter such as myself.

Frankly, I just want to know who this "Joe" is.

Appreciate 0
Post Reply

Bookmarks

Tags
notpetya, petya, ransomware, virus

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



All times are GMT -5. The time now is 02:19 AM.




5post
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
1Addicts.com, BIMMERPOST.com, E90Post.com, F30Post.com, M3Post.com, ZPost.com, 5Post.com, 6Post.com, 7Post.com, XBimmers.com logo and trademark are properties of BIMMERPOST