One Article Review

Source: SANS Institute
Identifier: 364928
Publication date: 2017-05-12 17:13:26 (seen: 2017-05-12 17:13:26)
Title: Massive wave of ransomware ongoing, (Fri, May 12th)
Text:

For a few hours, bad news has been spreading quickly about a massive wave of infections by a new ransomware called WannaCry.

(Image in the original diary; source: MalwareTech)

Big targets have been telecom operators (e.g. Telefonica in Spain) and hospitals in the UK. Once the malware has infected a computer, it spreads across the network looking for new victims using the SMB protocol. The ransomware uses the Microsoft vulnerability MS17-010 [1]. (This vulnerability was used by ETERNALBLUE [2].)

Here are some IOCs that we already collected:

SHA256:
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA1:
45356a9dd616ed7161a3b9192e2f318d0ab5ad10
51e4307093f8ca8854359c0ac882ddca427a813c

MD5:
509c41ec97bb81b0567b059aa2f50fe8
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8

File extension: .wncry

Ransomware notification: (screenshot in the original diary)

Snort/Suricata rule for the ETERNALBLUE echo response (the second content match is the echo data "JlJmIhClBsr\0"):

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|";)

Note that the rule as quoted here is stripped of its sid and other options; take the complete signature from the Emerging Threats ruleset before deploying it.

Until now, the best protection is of course to patch your systems as soon as possible and keep your users aware of the new ransomware campaign to prevent them from opening suspicious emails/files.

[1] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
[2] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/

We will update this diary with more information if available.

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
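The indicators above, turned into working checks as an added example (this is not code from the diary, from SANS or from MalwareTech): a Python triage helper that matches a file's hashes and extension against the listed IOCs, decodes the two byte patterns of the Snort rule into the NetBIOS/SMB1 header fields they encode, and applies the same match to an SMB_COM_ECHO response. The sample packet is constructed for the example; the IOC hashes are the ones listed in the diary; the field names follow the SMB1 header layout.

```python
"""WannaCry IOC triage helpers (added example, not code from the ISC diary).

Two checks derived from the diary's indicators:
  * match a file's MD5/SHA1/SHA256 and extension against the listed IOCs;
  * apply the quoted Snort rule's two content matches to an SMB payload,
    after decoding the NetBIOS/SMB1 header the first pattern encodes.
The sample payload built below is constructed for the example.
"""
import hashlib
import struct

# --- file indicators listed in the diary ------------------------------------
IOC_HASHES = {
    "sha256": {
        "09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa",
        "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
        "2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd",
        "2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d",
        "4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79",
    },
    "sha1": {
        "45356a9dd616ed7161a3b9192e2f318d0ab5ad10",
        "51e4307093f8ca8854359c0ac882ddca427a813c",
    },
    "md5": {
        "509c41ec97bb81b0567b059aa2f50fe8",
        "7bf2b57f2a205768755c07f238fb32cc",
        "7f7ccaa16fb15eb1c7399d422f8363e8",
    },
}
IOC_EXTENSION = ".wncry"


def file_ioc_hits(name: str, data: bytes) -> list:
    """Return which indicators (extension, md5, sha1, sha256) a file matches."""
    hits = []
    if name.lower().endswith(IOC_EXTENSION):
        hits.append("extension")
    for algo, known in IOC_HASHES.items():
        if hashlib.new(algo, data).hexdigest() in known:
            hits.append(algo)
    return hits


# --- network indicator: the rule's two content matches, decoded -------------
# content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|" is:
#   00             NetBIOS session message type
#   00 00 31       NetBIOS length: 0x31 = 49 bytes of SMB follow
#   ff 'S' 'M' 'B' SMB1 protocol id
#   2b             SMB_COM_ECHO
#   00 00 00 00    NT_STATUS_SUCCESS
#   98             Flags (0x80 set = this is a reply)
#   07 c0          Flags2, little-endian 0xC007
# content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|" is the echo data "JlJmIhClBsr\0".
SMB_COM_ECHO = 0x2B
ECHO_DATA = bytes.fromhex("4a6c4a6d4968436c42737200")


def parse_smb1(payload: bytes) -> dict:
    """Decode the NetBIOS session header and the fixed SMB1 header fields.

    Returns {} when the payload is not a NetBIOS-framed SMB1 message.
    """
    if len(payload) < 36 or payload[0] != 0x00 or payload[4:8] != b"\xffSMB":
        return {}
    nb_len = int.from_bytes(payload[1:4], "big")
    command, status, flags, flags2 = struct.unpack_from("<BIBH", payload, 8)
    return {"nb_len": nb_len, "command": command, "status": status,
            "flags": flags, "flags2": flags2, "body": payload[36:]}


def is_eternalblue_echo_response(payload: bytes) -> bool:
    """Equivalent of the rule: header bytes at offset 0, echo string after them.

    A Snort 'content' without depth/offset searches the whole payload; the
    header pattern is anchored here because a NetBIOS-framed SMB response
    always starts with it.
    """
    h = parse_smb1(payload)
    if not h:
        return False
    header_ok = (h["nb_len"] == 0x31 and h["command"] == SMB_COM_ECHO
                 and h["status"] == 0 and h["flags"] == 0x98 and h["flags2"] == 0xC007)
    return header_ok and ECHO_DATA in h["body"]


def build_sample_echo_response() -> bytes:
    """Constructed 53-byte SMB_COM_ECHO response that the rule would flag."""
    smb_header = (b"\xffSMB" + bytes([SMB_COM_ECHO]) + b"\x00\x00\x00\x00"
                  + b"\x98" + b"\x07\xc0"
                  + b"\x00" * 2     # PIDHigh
                  + b"\x00" * 8     # SecurityFeatures
                  + b"\x00" * 2     # Reserved
                  + b"\x00" * 8)    # TID, PIDLow, UID, MID
    # WordCount=1, EchoSequence=1, ByteCount=12, then the echo data
    body = b"\x01" + b"\x01\x00" + b"\x0c\x00" + ECHO_DATA
    smb = smb_header + body
    assert len(smb) == 0x31  # matches the NetBIOS length in the rule
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    sample = build_sample_echo_response()
    print("rule would fire:", is_eternalblue_echo_response(sample))
    print("file hits:", file_ioc_hits("invoice.wncry", b"constructed content"))
```

Running the helper against captured port 445 responses gives the same verdict as the rule's content matches, while the decoded header fields make it clear why a hit is an echo reply rather than, say, a negotiate response.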
Notes
Sent: Yes
Tags
Stories: Wannacry


The article does not seem to have been picked up after its publication.


The article does not seem to repeat an earlier one.