One Article Review

Home - The article:
Source Errata Security
Identifier 551991
Publication date 2018-03-29 22:25:24 (viewed: 2018-03-30 05:02:37)
Title WannaCry after one year
Text In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago.

It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this from watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, has whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry.

Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit).

Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug an unpatched computer into the raw Internet, without the benefit of a firewall, it'll get infected within an hour.

However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened? The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely.

We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet. The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop.

Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed-up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading.

Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of killswitch means the virus will conti
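The killswitch behaviour described above, as an added example that is not part of the Errata Security post: a small model of the worm's DNS-based decision (it halts only when the lookup succeeds, so a resolver with no Internet path leaves it running) and a defensive pass over resolver query logs that points at the hosts asking for that name. The domain `killswitch.example`, the resolver callables and the log lines are all constructed placeholders; the real killswitch domain is not used here.

```python
# Added example (not from the Errata Security post): a model of the WannaCry
# DNS-based killswitch decision, plus a defensive scan of resolver query logs.
# "killswitch.example" is a placeholder, NOT the real killswitch domain.
import re

KILLSWITCH_DOMAIN = "killswitch.example"  # placeholder name, constructed


def killswitch_stops_worm(resolve):
    """Return True if the worm's DNS-based killswitch would halt it.

    `resolve` is a callable taking a hostname and returning an address string,
    or returning None / raising OSError when the name cannot be resolved.
    The worm stops only on a successful lookup; a failed lookup (no route to
    an upstream resolver, NXDOMAIN, SERVFAIL) lets it keep spreading.
    """
    try:
        return resolve(KILLSWITCH_DOMAIN) is not None
    except OSError:
        return False


# Two constructed resolver behaviours: an Internet-connected office network,
# and an isolated manufacturing network whose resolver cannot reach upstream.
def office_resolver(name):
    return "192.0.2.10"  # documentation-range address, constructed


def isolated_resolver(name):
    raise OSError("no route to upstream resolver")


# Constructed BIND-style query log lines; not taken from any real environment.
SAMPLE_QUERY_LOG = """\
29-Mar-2018 08:01:12.004 client 10.20.30.41#51234: query: fileserver.plant.internal IN A + (10.20.30.1)
29-Mar-2018 08:01:13.117 client 10.20.30.77#49812: query: killswitch.example IN A + (10.20.30.1)
29-Mar-2018 08:01:13.903 client 10.20.30.41#51240: query: update.vendor.example IN A + (10.20.30.1)
29-Mar-2018 08:02:45.330 client 10.20.30.77#49820: query: killswitch.example IN A + (10.20.30.1)
29-Mar-2018 08:03:01.002 client 10.20.30.88#40001: query: killswitch.example IN A + (10.20.30.1)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def hosts_querying_killswitch(log_text):
    """Map client IP -> number of queries for the killswitch domain.

    Whether or not the lookup succeeded, the query itself is the indicator:
    only a running copy of the worm has a reason to ask for that name, so the
    resolver log identifies the infected laptop or restored VM directly.
    """
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qname").rstrip(".").lower() == KILLSWITCH_DOMAIN:
            ip = m.group("ip")
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    print("office network, worm stops:", killswitch_stops_worm(office_resolver))
    print("isolated plant, worm stops:", killswitch_stops_worm(isolated_resolver))
    print("hosts to isolate:", hosts_querying_killswitch(SAMPLE_QUERY_LOG))
```

The decision hinges on the lookup succeeding, not on which address comes back, which is why a resolver that cannot reach upstream changes the outcome on an otherwise identical host; the log scan works even on such a network, because the query reaches the local resolver before it fails.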
Sent Yes
Tags Medical
Stories Wannacry APT 38


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.