DarkodeCryptor is not a WannaCry derivative; it is a HiddenTear derivative. Those hit by this type of case can contact Michael Gillespie. ( https://twitter.com/demonslay335 )
________________________________
From: Liste <[email protected]> on behalf of Eren Sonmez (CS) <[email protected]>
Sent: Monday, 15 May 2017 17:59
To: [email protected]
Subject: [NetsecTR] TLU-Global Outbreak of Wannacry Ransomware (TLU-2017-C023)

Greetings,

I am passing on the latest news about the malware for your information. Different variants appear to be emerging rapidly.

FYI,

EXECUTIVE SUMMARY:

It has been reported that multiple ransomware developers have been involved in developing their own versions using the Wannacry ransomware. This allows modification of the original malware code/lock screen to generate new customized versions. Some of these include:

· DarkoderCrypt0r:
  o The developer of this version uses the same lock screen with minor modifications such as the bitcoin address, title, etc.
  o This version only encrypts files on the victim's desktop.
  o Encrypted files use .DARKCRY as the extension, and the executable is named @[email protected]
· Aron WanaCrypt0r 2.0 Generator v1.0
  o Currently this version only allows lock screen customization and displays the customized screen.
  o In the future this version might be used to generate and distribute customized executables.
· Wanna Crypt v2.5
  o This version only displays a lock screen and is in the initial stages of development.
· WannaCrypt 4.0
  o This version does not encrypt any files. The only change is support for the Thai language.

https://www.bleepingcomputer.com/news/security/with-the-success-of-wannacry-imitations-are-quickly-in-development/

Typographical Error in Previous TLU:
In our previous TLU update (TLU-2017-C021), there is a typographical error in the kill switch domain. The correct kill switch domain is: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Wannacry Ransomware Timeline:

12th May 2017
· A Spanish mobile operator was among the first large organizations to report infection by Wannacry.
· By 11:00 AM, hospitals and clinics across the UK began reporting problems to the national cyber incident response center.
· In the next few hours, many Germany- and Europe-based high-profile organizations became victims.
· In Russia, the Ministry of the Interior and a mobile phone provider were also infected.
· A US-based logistics organization was one of the highest-profile victims affected.

13th May 2017
· The first kill switch domain was detected and sinkholed. This brought down the spread of Wannacry.

14th May 2017
· Microsoft has released the MS17-010 patch for SMB.
· A security researcher detected the second kill switch and sinkholed it.

15th May 2017
· Multiple ransomware developers started developing their own versions.

Mitigation steps:
· Don't block network communication to any kill switch domains mentioned in the TLU. The malware is not proxy aware, so it may be necessary to add it manually to your proxy or to create a DNS entry to allow this traffic to pass through:
  o www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  o www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
· Install the MS17-010 fix (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) on all applicable Windows OS versions.
· Install the emergency patch (http://www.govinfosecurity.com/wannacry-cyber-attack-microsoft-issues-emergency-xp-patch-a-9913) released for Windows XP, Windows Server 2003 and Windows 8.
· If you are not able to apply the patch, disable SMBv1; ref. guidance from Microsoft (https://support.microsoft.com/en-us/help/2696547).
· You could block UDP 137, 138 and TCP 139, 445 ports on network devices. Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
· If no other option is available, propagation can be prevented by isolating vulnerable systems.
------------------------------------------------- BGA Wiki - Penetration Test Wiki http://wiki.bgasecurity.com/Kategori:Pentest -------------------------------------------------
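A host-level check for the mitigation steps in the forwarded TLU, added here as an example; it is not code from the original message, the NetsecTR list, or the TLU's author. It assumes an elevated Windows PowerShell 5.1 prompt on the host being checked, and the MS17-010 KB identifiers in it are an assumption that must be confirmed against the bulletin for each OS build. It tests the kill switch the way the worm does (DNS plus a direct, unproxied HTTP GET), reports whether an MS17-010 KB is present and whether SMBv1 is enabled, and on an unpatched host with SMBv1 on, disables SMBv1 and blocks the listed inbound ports on the host firewall.

```powershell
# Added example, not part of the original message or the TLU.
# Run elevated in Windows PowerShell 5.1. KB list is an assumption taken
# from the MS17-010 bulletin; confirm the IDs for your OS build first.

$KillSwitchDomains = @(
    'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
)
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                'KB4012214','KB4012217','KB4012598','KB4012606',
                'KB4013198','KB4013429')   # assumed; verify per OS
$Smb1Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-KillSwitchReachable {
    # The worm resolves the domain and issues a direct HTTP GET, ignoring
    # the system proxy. Test both layers with no proxy, so a name that
    # resolves but is blocked at egress shows up as a failure, not a pass.
    # This only matters for samples that check the kill switch at all.
    foreach ($d in $KillSwitchDomains) {
        $resolves = $false
        try { $null = [System.Net.Dns]::GetHostAddresses($d); $resolves = $true } catch { }
        $httpOk = $false
        if ($resolves) {
            $req = [System.Net.HttpWebRequest]::Create("http://$d/")
            $req.Proxy = $null          # direct connection, like the malware
            $req.Timeout = 5000
            try { $req.GetResponse().Close(); $httpOk = $true } catch { }
        }
        [pscustomobject]@{ Domain = $d; Resolves = $resolves; HttpOk = $httpOk }
    }
}

function Get-Smb1Enabled {
    # Windows 8/2012 and later expose the setting via the SMB cmdlets; older
    # systems only have the registry value from KB2696547, where a missing
    # value means SMB1 is enabled (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $Smb1Key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $Smb1Key -Name SMB1 -Type DWord -Value 0 -Force
        Write-Warning 'SMB1 disabled in the registry; a reboot is required.'
    }
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed KBs. A later cumulative update that
    # supersedes these will not be listed, so $false means "check the
    # build", not "proven vulnerable".
    $hits = Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$hits
}

function Block-InboundSmbPorts {
    # Host-firewall fallback for the "block UDP 137/138, TCP 139/445" step
    # on hosts that cannot be patched yet. This breaks inbound file sharing.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound NetBIOS UDP 137-138' `
            -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block | Out-Null
        New-NetFirewallRule -DisplayName 'Block inbound SMB TCP 139,445' `
            -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block | Out-Null
    } else {
        # netsh for Windows 7 / 2008 R2; rule names kept space-free on purpose
        netsh advfirewall firewall add rule name=BlockInboundNetBIOS_UDP_137_138 `
            dir=in action=block protocol=UDP localport=137,138 | Out-Null
        netsh advfirewall firewall add rule name=BlockInboundSMB_TCP_139_445 `
            dir=in action=block protocol=TCP localport=139,445 | Out-Null
    }
}

# Report, then remediate only the clearly exposed case.
Test-KillSwitchReachable | Format-Table -AutoSize
"MS17-010 KB present : $(Test-Ms17010Installed)"
"SMBv1 enabled       : $(Get-Smb1Enabled)"
if (-not (Test-Ms17010Installed) -and (Get-Smb1Enabled)) {
    Write-Warning 'Unpatched host with SMBv1 on: disabling SMBv1 and blocking inbound SMB.'
    Disable-Smb1
    Block-InboundSmbPorts
}
```

The kill switch test deliberately bypasses the proxy because, as the TLU notes, the malware is not proxy aware: a sinkhole entry that only works through the corporate proxy does nothing for the worm. The firewall and SMBv1 changes are the TLU's fallbacks, not substitutes for installing MS17-010, and they will interrupt legitimate file sharing on the host.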
