I’m not one to panic. Overall, I keep a steady head in the face of the onslaught of IT demons out there.
Over the weekend the details of the latest world-wide ransomware attack came to light. Temporarily, a lucky workaround was found to prevent propagation of the malicious application. The awful thing is – with all the news about that workaround being released – the creator(s) of said ransomware updated the files. With the workaround no longer relevant, *any* computer running Windows XP through Windows 10, and any server from Server 2003 through Server 2016, is vulnerable. Once infected, the ransomware immediately spreads itself to any computer on your local network (home, work, coffee shop…). I spent time on the weekend patching any back-end machines of your organization that are accessible to me over VPN etc.
(NB: I’m writing this message once for all clients, so some of this email may not be relevant to your configuration. If you have questions, it is best to give me a quick call/email tomorrow to see if I have any quick instructions for you.)
The Coles Notes version of this hack is as follows:
- The NSA had a bunch of information they kept to themselves about a known Windows flaw in the SMB protocol (file sharing)
- The NSA had this and many other known vulnerabilities hacked and uploaded online by a team of people dedicated to leaking this type of information to help secure the world’s computers and reveal that the NSA isn’t such a great organization
- With the public knowledge of this information, the evil of the IT world made worms, ransomware etc. to take advantage of this flaw
- Microsoft had posted an update to all currently supported operating systems a few weeks ago
- The ransomware in question (mostly known and referred to as variants of ‘wannacry’) spread like wildfire
- Someone found a workaround for stopping the spread of the ransomware by registering a specific domain that it looked online to find
- The ransomware was updated by its creator and released again into the wild to continue infecting the planet’s computers
- Microsoft released critical patches for all operating systems (even ones that have been dropped from support – XP, Server 2003, Vista…)
- I’ve placed reference material at the foot of this message.
This is where I have some instructions for you Windows users. You can manually install the update for your operating system via links at the bottom of this message. It is recommended that you immediately and completely update any Windows system you use. Most of you are already familiar with running updates manually. Many of you get updates pushed out to your computer automatically by servers I have on site. Even in that situation, you still need to check for updates in case your computer wasn’t online recently, or if it needs to be rebooted manually. I believe that in all the companies I manage you are running Windows 7 and higher.
Windows 7 – Click the Start button. Go to Control Panel. Hit Windows Update. Run all the updates and reboot until you are completely patched and no more updates are available. In some cases you should click on the blue text that states ‘check for updates online’, just in case you don’t get the latest ones from a server that may be on site at your organization.
Windows 10 – Click the Start button. Click the gear. Hit the Update & Security button. Click ‘Check for updates’ and install/reboot until you are completely patched and no more updates are available.
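For anyone who would rather confirm the state of a machine than trust the update dialog, here is an added read-only check written for this message (it is not part of the original instructions). Run it in an elevated PowerShell window. It reports whether the listed KB update(s) are installed, whether SMBv1 (the file-sharing protocol the worm abuses) is still enabled, and whether a reboot is pending. The `$RequiredKbs` value is an assumption: replace the placeholder with the KB number for your operating system from the update links at the bottom of this message.

```powershell
# Added example, not from the original message. Read-only: it changes nothing.
# $RequiredKbs is an assumption; fill in the KB number(s) from the links below.
$RequiredKbs = @('KB<number from the links below>')

function Get-PatchStatus {
    param([string[]]$KbIds)
    # Get-HotFix lists installed Windows updates by their KB identifier.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        [pscustomobject]@{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-Smb1Status {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    # On Windows 7 / Server 2008 R2 the same setting lives in the registry.
    $cmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cmd) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # A missing value means SMB1 is enabled by default on those older versions.
    return ($null -eq $val -or $val -ne 0)
}

function Test-PendingReboot {
    # Windows Update creates this key when an installed update still needs a restart.
    Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
}

Get-PatchStatus -KbIds $RequiredKbs | Format-Table -AutoSize
if (Get-Smb1Status) {
    Write-Warning 'SMBv1 is enabled on this machine; disable it once the patch is confirmed.'
} else {
    Write-Output 'SMBv1 is disabled.'
}
Write-Output ("Reboot required to finish updates: {0}" -f (Test-PendingReboot))
```

If the patch shows as installed but a reboot is pending, the machine is not yet protected; reboot it before considering it done.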
While this version of ransomware is specific to Windows flaws, that doesn’t mean Mac users have no need to keep their machines patched. Please take this time to patch your machines as well. In most cases, you can click the Apple icon -> About This Mac. In the window that appears a link should exist that says ‘Update’, ‘Check for software updates’ etc. depending on your OS version. You should head over to the App Store app on your device as well and update all the apps you have installed from there. Macs get viruses too – just as often as Windows PCs do. Updates aren’t meant to hinder your computers on purpose or cause you grief. Most of the time they will improve the experience and stability – and more importantly the security of the platform.
The importance of backups:
I’ll take this time again to point out the importance of backing up your data. Ransomware specifically targets the files on your machine and encrypts them to prevent any access to them indefinitely. If you don’t have a backup, your files are gone forever. The only workaround to most ransomware is to wipe the disk (or destroy it), reinstall your OS and software (update it!), and recover files from backups.
Safe browsing and email:
I’ve had many security rants before. Let’s cover in a few short notes the basics to safe browsing online:
- Use a modern browser like Chrome/Firefox
- Use uBlock Origin or similar adblock extension for your browser
- Don’t click external links to sites from social media (Twitter, facebook) – instead SEARCH THE TITLE OR THE CONTENTS OF THE ARTICLE ON GOOGLE AND CLICK THE LINK THERE
- NEVER open unexpected emails from Paypal, your bank etc. IF you didn’t initiate the process for the email, it’s probably spam.
- NEVER open attachments to emails unless you have verified the sender is legitimate, AND YOU WERE EXPECTING THE MESSAGE. I wrote a message on this recently, please refer to it for other email recommendations in catching spam.
Stay safe out there – and remember the wise words from The Hitchhiker’s Guide to the Galaxy.
If you want to simply install the critical patch, you can use the below links to save some time. You will need to know a little bit about your computer to use these links (but don’t worry if you pick the wrong one – it will just tell you that it doesn’t support your platform):
Windows XP SP3
Windows Vista x86 (32 bit)
Windows Vista x64 (64 bit)
Windows 7 x64 (64 bit)
Windows 7 x86 (32 bit)
Windows 2003 x86
Windows 2003 x64 (64 bit)
Alternatively, you can review the different platform versions available from the Microsoft Update Catalog, in case I made a mistake above:
There are some recent updates to Server 2012 and R2 that have been causing lots of people issues in deploying Windows 10 to client computers as an upgrade. The most common symptoms are client computers losing connectivity to the local WSUS deployment and the WSUS admin interface no longer working. Microsoft, in their great wisdom, has outlined the steps to resolve this, but didn’t make it particularly obvious prior to install. You can find the steps at the following link.
Pretty simple overall – you launch an elevated command prompt and run this line:
"C:\Program Files\Update Services\Tools\wsusutil.exe" postinstall /servicing
Following that, launch the local Server Manager dashboard and hit ‘Add roles and features’. Under the ‘Add features’ portion, open up the .NET Framework section and add ‘HTTP Activation’ to your server. This won’t require a reboot, so follow through by hitting Next and so on until it starts the task. Once completed, you can restart the server or simply restart the WSUS service. Like magic, you should be back in business. If you have SSL enabled on your WSUS server, you should review the above link for further details.
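The same repair, scripted so it can be repeated on several servers, as an added example that is not from the original post or from Microsoft. It runs the `wsusutil.exe postinstall /servicing` step quoted above, then installs the ‘HTTP Activation’ feature through `Install-WindowsFeature` instead of the Server Manager wizard, and restarts the WSUS service. The feature name `NET-WCF-HTTP-Activation45` is the one that corresponds to the .NET Framework 4.x WCF ‘HTTP Activation’ entry on Server 2012 / 2012 R2; confirm it on your server with `Get-WindowsFeature *http*` before relying on it. Run in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Assumes Server 2012 / 2012 R2 with
# WSUS installed in the default location quoted in the post.
$WsusUtil = 'C:\Program Files\Update Services\Tools\wsusutil.exe'
# Assumed feature name; verify with: Get-WindowsFeature *http*
$Feature  = 'NET-WCF-HTTP-Activation45'

function Invoke-WsusServicingPostInstall {
    if (-not (Test-Path $WsusUtil)) { throw "wsusutil.exe not found at $WsusUtil" }
    # The call operator handles the space in 'Program Files' without extra quoting.
    & $WsusUtil postinstall /servicing
    if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }
}

function Enable-WsusHttpActivation {
    $state = Get-WindowsFeature -Name $Feature
    if ($null -eq $state) { throw "Feature $Feature not found; check Get-WindowsFeature *http*" }
    if ($state.Installed) {
        Write-Output "$Feature is already installed"
        return $state
    }
    $result = Install-WindowsFeature -Name $Feature
    if (-not $result.Success) { throw "Installing $Feature failed" }
    # The post says no reboot is needed; warn if Windows disagrees on this server.
    if ($result.RestartNeeded -ne 'No') { Write-Warning 'Windows reported that a restart is needed' }
    return $result
}

Invoke-WsusServicingPostInstall
Enable-WsusHttpActivation
# Restart only the WSUS service rather than the whole server.
Restart-Service -Name WsusService
Get-Service -Name WsusService | Select-Object Name, Status
```

If the final line does not show the service as `Running`, check the WSUS logs before moving on to the SSL-specific steps from the linked article.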
Trend Micro has announced two critical security vulnerabilities in Apple’s QuickTime for Windows. At this time it would be wise to remove any version of QuickTime from computers in a Windows operating system environment until a patch is available. There appear to be rumours that Apple has advised that support for QuickTime on the Windows platform has been dropped; but for now Apple has yet to comment on the matter.
If you would rather be safe than sorry, you can find the QuickTime uninstaller in the Programs and Features menu on current Windows platforms. Highlight the application and look for the ‘Uninstall’ button near the top of the window.
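For those of you with more than a couple of machines to check, here is an added read-only inventory check (not from the original post) that lists any QuickTime entries registered in the Windows uninstall keys, both the 64-bit and the 32-bit (`WOW6432Node`) views. It does not uninstall anything; it tells you which machines still need the Programs and Features step above.

```powershell
# Added example, not from the original post. Read-only inventory check.
function Get-InstalledQuickTime {
    # Programs and Features is built from these two registry hives; 32-bit
    # software on a 64-bit Windows is registered under WOW6432Node.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'QuickTime*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

$found = @(Get-InstalledQuickTime)
if ($found.Count -eq 0) {
    Write-Output 'No QuickTime installation found on this machine.'
} else {
    Write-Warning ("QuickTime is installed ({0} entry/entries); remove it until a patch ships." -f $found.Count)
    $found | Format-Table -AutoSize
}
```

The `UninstallString` column shows the command Programs and Features would run, which is handy for confirming you are looking at Apple’s installer and not a similarly named product.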
Another awful variant of ransomware has been discovered in the wild by a group of researchers. To their credit, they already have a working decryption tool, and a method of testing to see if the messages you are receiving are from the same variant. You can get the removal tool by clicking here for the Jigsaw ransomware decryption tool.
The scare tactic with Jigsaw is the threat of file deletion after every hour of non-payment in bitcoin to the attackers. This malware also warns of deleting another 1000 random files on each PC reboot. As this ransomware has already been beaten by the researchers, your best method to fight back is to download the tool from BleepingComputer linked above before trying anything else. You can get the tool to identify what type of ransomware you may be infected with, courtesy of Mr. Gillespie, here. Thanks to everyone at @MalwareHunterTeam for taking this garbage out quickly.
Stay safe out there, and the most important thing to remember:
It’s not always easy to spot a phishing message in your inbox. In the internet age today, phishing messages can be so well crafted that they pass for real apps and services in their HTML message design. Only someone paying close attention – noticing that they weren’t expecting a link from a friend or from someone unknown, or looking closely at the URL of the links in the message – may notice. Users in Hong Kong were the target of this type of attack via Dropbox recently, which you can catch over at CSO Online.
What can be considered the most interesting yet scary portion of these events is that the attack came from a valid Dropbox account.
It pays in spades to be vigilant with incoming messages – expected or otherwise – to ensure that they were intended for your inbox, and from a legitimate source.
A new variant of malware based on the Chromium project has come to light – and it’s trying to trick users into thinking it is Google Chrome. The troublesome part of this ‘eFast’ product is that it is doing a really good job of it. The purpose of the malware is to inject ads into otherwise harmless pages; further, it could take end-user data and sell it to nefarious advertisers, among others. When downloading free software, always remain vigilant about the source of your download as well as any ‘free’ offers that are bundled with the installer. Simply reading the installer steps and the license agreement that many people like to skip over will reduce the pervasiveness of this kind of malware.
This won’t be news to anyone in the technology industry – but Adobe Flash has a vulnerability that has been exploited in the wild again. At this time there is no patch available from Adobe to cover all affected versions, but if you are running it in your browser you should keep an eye out for updates. Firefox and Internet Explorer require updates to be done manually (or via the optional automated updater software from Adobe, installed to your desktop). Google Chrome users will automatically update when a Flash update is released, but may need to restart the Chrome application.
It’s a good time to note that adblockers and NoScript are always good options for the security conscious. Despite a small learning curve for the latter, it’s a great tool to prevent websites from running content without you deliberately clicking on it first.
Check back with Adobe for an update as soon as this latest exploit is patched.