Category: Microsoft Windows MS17-010 Security Update

City in Florida pays $600,000 to Hackers, after a ransomware attack

River Beach is a small town in Florida, of less than 40,000 people. The City Council in Riviera Beach agreed to pay a $600,000 ransom to hackers who encrypted files on their computers. In hindsight it would have been cost effective to hire a couple of IT guys to go around and apply the Microsoft Security patches to all the computers used by River Beach.

Click on this link to visit The New York Times website to read their post titled: “Hit by Ransomware Attack, Florida City Agrees to Pay Hackers $600,000″.

Ransomware attacks targeting small cities are prevalent and growing. Those cities which do not pay the ransom, may end up spending Millions of Dollars rebuilding their IT Systems. Click on this link to visit the Wired website to read their article titled: “ATLANTA SPENT $2.6M TO RECOVER FROM A $52,000 RANSOMWARE SCARE”.

When the Security Patches were being applied, the IT guys could also discuss Phishing emails as most people are not even aware what a Phishing email is. It is not just small cities that fall for Phishing emails. The accounting departments of huge Tech firms have sent out cheques worth Millions of dollars because of fake Phishing emails.

 

Video courtesy of the RT America YouTube channel

Many of the Ransomware attacks (such as WannaCry) used the Microsoft SMB vulnerability.

There was a prior Cert advisory titled: “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.

In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.

There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware).

A number of attacked city systems had “not” updated “all” their computers with suggested Security Updates. Some of their Operating Systems and Server System software go back to days of Windows 7. The often quoted statement is that they did not have the IT resources to get Security Updates installed on all the computers.

One area which IMHO require more training is Phishing Attacks. That is the use of fake emails sent to emails which are part of a city’s system. The fake email will ask the receiver to click on a link. If the receiver clicks on the link they will link to one of the Hacker’s Command and Control Servers, which will then upload the Ransomware to the receiver’s computer. The Ransomware will be started and spread to the System Servers and to all the other computers. Once running on a computer, the Ransomware will start to Encrypt data files using a secret key. Next messages will pop up on infected computers telling them that their files have been encrypted and that they have so many days to pay a Ransom to get the key to be able to un-encrypt their files.

I recently posted the following article on this site which was titled: “Phishing eMail Scam targeted Facbook and Google for $100 Million Dollars.”.

If the main Servers have Security Updates installed then the Ransomware will not spread. Also, if the System Admins have been doing daily backups, they may be able to recover the Servers using their backup files. They would still have to deal with individual end user computers which were infected.

The “key” is training End Users to not open emails from unfamiliar people. If opened, then the end user should not click on any links and they should immediately contact their IT Support Team. Unfortunately in real life, that is easer said than done.

Click on the CYBERSECURITY box in the menu at the top of this site, to read more Security related posts.

 

Posted by Vincent Banial

 

CERT had issued Vulnerability Note VU#867968 advising about the SMB vulnerability in Microsoft Windows

WannaCry Ransomware seems to have appeared out of the blue. Because of it thousands of people have searched the internet to find out how to disable SMB on their Microsoft Windows based Servers and Workstations and Personal Computers. Thousands had dropped by Uniquely Toronto to read out posts which provided details on ways to disable SMB v1.0.

Now Adylkuzz is running another major attack which is underway and uses the SMB vulnerability in Windows.

There was a prior Cert advisory titled: “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.

In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.

There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware)

“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 (link is external) and 204279 (link is external).”

Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Please install the Microsoft Windows MS17-010 Security Update (see link above). Best Practice is to also always create daily backups