Hacker Attacks

Discussion in 'General Discussion' started by Rabagast, May 14, 2017.

Thread Status:
Not open for further replies.
  1. Rabagast

    Rabagast

    Joined:
    Jan 30, 2013
    Posts:
    78
    Hi!
    I have a question:
    I'm sure people here have heard about these hacker attacks which infected 99 countries.

    Does somebody know how they do it? I mean, can they really attack my computer without any file I need to run to get the virus? Are Mac computers also affected?
    We are just a little bit afraid to get the virus. I'm sure there are many really good programmers in this forum who can answer me. :)
     
  2. DominoM

    DominoM

    Joined:
    Nov 24, 2016
    Posts:
    460
    They exploit bugs like this one. This one is Windows specific but all platforms get security fixes which generally you want to apply as soon as possible.

    Best protection is always an air gapped backup.
     
    angrypenguin likes this.
  3. Whippets

    Whippets

    Joined:
    Feb 28, 2013
    Posts:
    1,775
    From what I've read, the "attack" was a shoddy virus using leaked NSA code to exploit a hole in old Windows O/S; namely XP and Vista that hadn't been patched, and on machines with no up-to-date antivirus software.

    It seems to have gotten in by staff viewing dodgy websites on these computers (probably porn), and then spreading in the local network.
     
  4. HolBol

    HolBol

    Joined:
    Feb 9, 2010
    Posts:
    2,887
    These hacks are possible primarily because users are, in general, dumb.

    What you do, is you find an exploit on a device's OS or software running on that OS that will allow you to gain elevated privileges over that device. From there, you run any code you like, basically- you're running as if you were the system. This is basically how 'rooting' your phone works too.

    Then, to actually use this exploit on the target, you need a way of transmitting it. So you embed your executable into a PDF's slack space or something, and send that to somebody. That person opens the PDF, the exe code is executed in some way, et voila: they're infected. Then, likely, that malicious exe sends an email blast to all the stored emails it can find on that machine (usually those things are available somewhere) and the process repeats.

    This only really works because the person downloaded stuff from someone they didn't know, an address they didn't recognise, and allowed it to happen. But people consistently do make mistakes like these- basically everyone will at some point.
     
  5. HiddenMonk

    HiddenMonk

    Joined:
    Dec 19, 2014
    Posts:
    987
    From what I understand, this recent attack works by first needing some way to get on a computer, such as being downloaded, but then once on a computer, it takes advantage of a Windows SMBv1 vulnerability to spread the virus to all computers on that network. So even if you were smart and safe, if someone on your network wasn't, then you are at risk. Not completely sure though. I disabled SMBv1 for now, as advised, either that or download the patch that was released a month ago.
     
    Tzan and angrypenguin like this.
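
The SMBv1 mitigation mentioned in the post above, as an added example that is not part of the original thread: a PowerShell audit of whether the local machine still accepts or speaks SMBv1, followed by turning the server side off. `Get-Smb1Exposure` is a hypothetical helper name; the cmdlets and registry locations are the standard Windows ones, and the script assumes an elevated prompt.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell prompt.
# Get-Smb1Exposure is a hypothetical helper name.
function Get-Smb1Exposure {
    $result = @{
        Computer        = $env:COMPUTERNAME
        ServerSmb1      = 'unknown'  # does this machine accept inbound SMBv1?
        ClientSmb1      = 'unknown'  # can this machine speak SMBv1 outbound?
        OptionalFeature = 'n/a'      # SMB1Protocol feature state, newer Windows only
    }

    # Server side: Windows 8 / Server 2012 and later expose the setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cfg = Get-SmbServerConfiguration
        $result.ServerSmb1 = if ($cfg.EnableSMB1Protocol) { 'enabled' } else { 'disabled' }
    } else {
        # Older Windows: registry value SMB1; a missing value means enabled.
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $result.ServerSmb1 = if ($val -eq 0) { 'disabled' } else { 'enabled' }
    }

    # Client side: the SMBv1 redirector driver. Start = 4 means the driver is
    # disabled; a missing key means the component has been removed.
    $drvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
    $drv = Get-ItemProperty -Path $drvKey -ErrorAction SilentlyContinue
    $result.ClientSmb1 = if (-not $drv) { 'removed' }
                         elseif ($drv.Start -eq 4) { 'disabled' }
                         else { 'enabled' }

    # Newer Windows also ships SMBv1 as an optional feature that can be removed.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                    -ErrorAction SilentlyContinue
        if ($feat) { $result.OptionalFeature = [string]$feat.State }
    }

    New-Object PSObject -Property $result
}

$state = Get-Smb1Exposure
$state | Format-List Computer, ServerSmb1, ClientSmb1, OptionalFeature

# Disable the server side if it is still on. Without -Force the cmdlet asks for
# confirmation, so nothing changes until the administrator agrees.
if ($state.ServerSmb1 -eq 'enabled' -and
    (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false
}
```

Disabling SMBv1 only closes this one protocol path; the patch referred to in the thread is still needed, and older devices that speak only SMBv1 will lose file sharing with the machine.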
  6. DominoM

    DominoM

    Joined:
    Nov 24, 2016
    Posts:
    460
    The bug I linked to earlier doesn't need any user intervention. For an attack based on that flaw, just receiving the ransomware as an email attachment would be enough to infect the system if the fix hasn't been applied. From the Register article:

    "In other words, while Microsoft's scanner is silently searching your incoming email for malware, it can be tricked into running and installing the very sort of software nasty it's supposed to catch and kill."

    I doubt there was suddenly one day where a lot more users than normal decided to click on something dumb, so I am expecting this flaw to be involved. It might be coincidental that a patch for that was released May 8th and the biggest ever ransomware attack came within days (crackers reverse engineer patches), but if that flaw wasn't the delivery mechanism then things might get worse. Microsoft annoying people with Windows 10 auto installs to the point where they disable updates won't have helped.
     
  7. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,156
    By this specific problem? I don't know. But here is a list of vulnerabilities over time associated with Apple.

    https://www.cvedetails.com/vendor/49/Apple.html

    Just being on an Apple device won't protect you. You need active security measures like antivirus from reputable firms (Symantec/Norton is the opposite of reputable for the record) and regular backups so you can revert back to a state when your system didn't lose files.

    Here is the list of Apple security updates too.

    https://support.apple.com/en-us/HT201222
     
    Last edited: May 14, 2017
    ADNCG likes this.
  8. Rabagast

    Rabagast

    Joined:
    Jan 30, 2013
    Posts:
    78
    Can hackers take control of my computer without installing a file on my computer I need to open?
     
  9. Ryiah

    Ryiah

    Joined:
    Oct 11, 2012
    Posts:
    21,156
    Yes, assuming you have no protection against them and the necessary vulnerabilities are open.
     
    HolBol likes this.
  10. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,021
    Yes, if your computer is vulnerable to the exploit and connected to a network without a firewall or routing to protect it, then your computer can get hacked by this latest problem. The vulnerability is in part of the SMB network protocol, so a computer can be vulnerable to this attack simply by being connected to a network (either wired or wireless). The user does not need to open anything to get attacked.

    There was a patch released in March that fixed the vulnerability for all supported versions of Windows. There was also a patch released Friday for unsupported/outdated versions of Windows (XP, 2003). Make sure you have your computer completely updated.

    A lot of businesses (including hospitals and banks) still have outdated versions of Windows. That is at least part of the problem we are seeing right now in the IT sector with the WannaCry/WannaCrypt exploit. I even know of a hospital still running Windows 2000. As long as people choose to run outdated operating systems, this kind of stuff will keep being a big problem.

    Also, it is very tacky that our own government knew about this vulnerability but chose not to share that information with security contacts at Microsoft, because our government wanted the option to use those security vulnerabilities to hack other people.
     
    Ryiah likes this.
  11. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    The US government doesn't exactly have the best track record on being a responsible citizen with respect to cyber security.

    There is a real (albeit small) possibility that a mistargeted US military virus will kill me one day.
     
  12. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,021
    Yeah. This is something that needs to be discussed here in the US, but probably won't be. The entire WannaCry/WannaCrypt situation could have been prevented if the US government had notified Microsoft about the vulnerability instead of keeping it for themselves to use.

    Admittedly, I have no idea what other bad things the US government successfully prevented by using this vulnerability, so my assessment is one sided.
     
  13. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    True. But I'm betting the US government wasn't the only ones to know about the vulnerability. Isn't there a big thing over there at the moment over Russian hackers getting places they shouldn't do? I'm gonna go out on a limb and say that US security takes more damage from open vulnerabilities than it gains.

    I see computer virus based warfare as similar to biological or chemical warfare. It's just too easy for the agents to get out of control and damage targets that they weren't ever intended to hit. There was a targeted virus built to spread through the Iranian nuclear enrichment facilities and destroy their equipment. Except the nature of viruses is they seldom stay where they were originally put. That same virus has been detected outside of Iran. And there isn't much stopping it getting into an antiquated chemicals factory somewhere else in the world and causing untold damage.
     
  14. goat

    goat

    Joined:
    Aug 24, 2009
    Posts:
    5,182
    I'm not sure the 'leak' of the virus/trojan toolkits wasn't intentional to coerce businesses and governments around the world to up their attentiveness to computer security and in the process knock out a lot of the computers that are already being used as abusive botnets. They tend to listen much more when they are told they'll have to pay money to get control of their important files back.

    As the Comey firing shows the media and government are overflowing with spies and double agents trying to control the world's business and government leaders via 'leaks' to the press and now with computer code. They've created such a tangled web of lies it's hard to try and figure out who is even exercising a modicum of truth telling instead of simply engaging in another crass manipulation of your feelings and emotions via forms of mudslinging and security breach claims.
     
    Last edited: May 15, 2017
  15. 3agle

    3agle

    Joined:
    Jul 9, 2012
    Posts:
    508
    To be fair, there has been a security update available from Microsoft which fixes this exploit for months now. The issue is people not keeping their OS up to date, that's the reason this is so widespread.
     
  16. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    11,750
    Months in this case being exactly two. I have computers that I haven't turned on in two months, it's not unreasonable that people have unpatched systems. I hope this doesn't turn into a Blaster/Sasser situation, where the minute you connect an unpatched machine to the internet it gets infected.
     
  17. 3agle

    3agle

    Joined:
    Jul 9, 2012
    Posts:
    508
    The NHS systems are used daily. Cause of problem: Poor maintenance.
    Yes there are going to be edge cases like yours, but I hardly expect that when you turn those systems on, you would choose to leave them unpatched? And if you haven't used them in months, is there anything actually useful on it? Just wipe the drive and start over if it gets encrypted (should also mention, you have to actively open dodgy emails etc to get infected in this case).

    Point is, it's an easily avoided situation, and also a situation that any capable IT department should be able to recover from quickly.
     
  18. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    11,750
    If it becomes a Blaster/Sasser like situation, it might get infected before I have a chance to patch it.

    Yes. (why shouldn't there be?)

    "Just"... I have done that enough times in my life, even recently. I'm not looking forward to doing it again.

    Is it? You'd think if it was an easily avoided situation it would be spread to fewer organizations: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack#List_of_affected_organizations
     
    neginfinity and Martin_H like this.
  19. 3agle

    3agle

    Joined:
    Jul 9, 2012
    Posts:
    508
    Yes it's easily avoided! Just because many organisations didn't take the precautions doesn't mean it isn't easy to do. Like I said before it's negligence of keeping systems up to date.

    Your special case may be different, but those listed organisations very likely use their systems every day, and also likely have IT departments that should know better. All it takes is to keep the OS up to date...
     
  20. DominoM

    DominoM

    Joined:
    Nov 24, 2016
    Posts:
    460
    It's not that simple. netmarketshare shows over 8% are still browsing on Windows XP in 2017 (no updates for over 2 years). Some very expensive CAD/CAM systems never got updated software for their Windows 98 control PCs; updating one of those can mean replacing a system that costs over half a million. Try running some old games on a modern PC and then consider whether the bespoke applications that, say, the UK's NHS rely on might have similar problems. Keeping an OS up to date isn't always an option without considerable related expenses in hardware and application updates.
     
    EternalAmbiguity likes this.
  21. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,021
    There was a security update available for modern supported Windows versions in March, but the NSA knew about that vulnerability well before that and did not tell Microsoft about the vulnerability because the NSA decided to stockpile that as a cyberweapon.
     
  22. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,021
    Exactly. I wish there was a law requiring proper disclosure of vulnerabilities to vendors, but there isn't. Leaving a vulnerability in the wild is dangerous. No one country can assume their people are the only people that know about a vulnerability. I agree that other major nations probably also knew about the flaw.
     
    Kiwasi likes this.
  23. ShilohGames

    ShilohGames

    Joined:
    Mar 24, 2014
    Posts:
    3,021
    A lot of hospitals, banks, and government offices run dangerously outdated software. This is often done because other custom software only works with a specific outdated version of Windows. In many cases, it is not a trivial task for those institutions to upgrade the OS because it creates a cascading effect of other upgrade requirements. An end user at home has a pretty easy task upgrading, but a large institution has a much more complicated task. It is still no excuse, though. It is just an explanation.

    For example, I was trying to convince some IT staff at a bank to upgrade from Windows XP to Windows 10 earlier this year. They would not do it, because they had an internal system that could only be accessed from Internet Explorer 6. They would not even update their Windows XP systems completely, because that would have forced them to use IE8. They definitely had no path to upgrade to Windows 10, because their custom internal system was preventing using any modern browser or operating system.

    Similarly, I have tried to convince IT staff at hospitals that Windows XP and even Windows 2000 are not secure enough anymore, but hospitals have the same problem. They have custom internal systems that will break if they upgrade the operating system.

    The real core problem is not just the operating system. The main problem is that many institutions develop custom internal applications that make all of the other upgrades difficult. And in many cases, companies made mistakes when trying to modernize some of their internal systems. For example, when companies first started implementing browser based solutions, a lot of the browser based solutions ended up being needlessly browser specific. If those companies would refactor those browser based interfaces to be true browser neutral interfaces, then upgrades would not be so difficult for them.
     
  24. 3agle

    3agle

    Joined:
    Jul 9, 2012
    Posts:
    508
    I understand all the issues surrounding older OS's and custom software etc. However pretty much every screenshot I have seen of infected computers so far (including those at the NHS), have been running OS versions that have the security bulletin update available for them...

    In those circumstances, there is no excuse, the cause of the issue is those maintaining the systems.
    (Said security bulletin, for posterity, is found here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)
    (Additionally, the updates MS have released for outdated systems can be found here: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/)
     
  25. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    I wish it was that easy in my case. Every update brings a new set of instabilities with it. Which brings a new set of risks.

    Then you have the fact that we can't actually shut the system down to apply the update. You can partially get around that by building in redundant hardware and running the system in duplicate.

    Then you have to contend with vendors not updating their software to play nice with the latest updates. There is a risk every time the OS is updated that some key piece of software won't run, and you'll have to roll back anyway.

    Finally you are frequently hardware limited. Upgrading hardware is a massive endeavour, in terms of time, cost, and risk.

    We deal with the risk by religiously air gapping, building in redundancy everywhere, and scanning to death anything that will connect to the network. But defending against cyber attacks from governments isn't really something my little department is resourced to do.
     
  26. 3agle

    3agle

    Joined:
    Jul 9, 2012
    Posts:
    508
    While I very much understand where you are coming from, and do know that I'm coming from the same place, the same issues occur where I currently work. However what I am talking about is the pure technical difficulty of securing a network against this specific threat. It is a technically simple process, regardless of the rest of the software you need to maintain compatibility for.

    Large businesses are typically slow to evolve with technology, and what I'm saying is, this is unacceptable in this era. I see it daily in my job, I know there are issues around updating software, but really, it just requires dedicated resources to monitor. It is not a difficult process to run a machine parallel to the rest of the system and run precursory updates on that 1 machine, testing software required to run for stability, then rolling out to the network (Or whichever method you prefer, there are other ways of doing it). What it does take, is dedicated resources, which is the reason it doesn't happen now (you mention department resources, and indeed, I know that pain). Businesses, or heck, people in general, are loath to change something if it's going to cost them if they cannot see a direct benefit.

    I'm suggesting that this is the mentality that needs changing. The problem currently occurring as a result of these attacks should not be a problem at all! Maybe that's an ideal world view, but there's no harm in attempting to be more secure where clearly vulnerabilities in technology are becoming a bigger and bigger problem.

    I would dare say that a potential benefit to these attacks is maybe businesses start to become a little more aware that investment into cyber security is important (and let's be honest, this isn't about cyber security as much as it is maintenance, a significantly simpler issue).

    Let's take our tinfoil hats off for a moment shall we, that's clearly not what is going on. :p

    Also I'm curious, you work for a large company, but say that network security would fall on your department? Don't you have an IT Support department/contractor etc? That's usually the common situation. Heck, I'm working at a software development company and even we don't do our own IT support.
     
  27. AcidArrow

    AcidArrow

    Joined:
    May 20, 2010
    Posts:
    11,750
    Small businesses don't have IT departments. Updates often break things. The creator update for example broke a bunch of drivers for my laptop, I spent a good 3-4 hours trying different driver versions to get stuff to work properly again.

    Microsoft should spend more resources trying to make updating painless. It isn't right now, it's highly annoying, it breaks things, sometimes it does shady stuff (the whole upgrade to win 10 fiasco). People hate Windows Update and they have multiple valid reasons to.

    I think it's something Microsoft should focus on.

    (As a bonus they could pull resources from the UI department, which seems to be dedicated in making the interface an inconsistent mess.)
     
  28. Kiwasi

    Kiwasi

    Joined:
    Dec 5, 2013
    Posts:
    16,860
    It was a little tin foil hatted of me. I was mostly responding to the allegation that the US government had withheld info on the vulnerability.

    But let's not forget that this kind of stuff does happen.

    https://en.m.wikipedia.org/wiki/Stuxnet

    We have an IT department. There is no way I'm letting some random guy in India who struggles to install a driver on my computer anywhere near the process automation software. The risks of getting the IT department involved are far higher than the risks of catching malware.

    We do use specific process automation contractors. But even those guys are hit and miss. And let's face it, if the thing blows up it's not them that will be in the blast radius.
     
  29. 3agle

    3agle

    Joined:
    Jul 9, 2012
    Posts:
    508
    I can sympathise there, we have external support who are pretty hit and miss. There's a move to switch us onto a bigger scale internal IT support system but the horror stories I've heard from that are making me not keen on seeing that day.

    Unfortunately it's not my decision on how we get our support. Currently though, it feels like every option available is one that is decades behind the curve.

    I do agree. It is one of the reasons I'm still running Win 7, but when support stops for that I hope they will have solved the problem. Fortunately that's not until 2020. That might still be a long shot :D
     
    AcidArrow likes this.
  30. hippocoder

    hippocoder

    Digital Ape

    Joined:
    Apr 11, 2010
    Posts:
    29,723
    I'm not sure how this thread relates to Unity and game dev so it's closed. I didn't make the rules but there they are. I left it open for a bit so users could at least answer the op, but time is up especially as it's drifting toward politics.

     
    Kiwasi likes this.