What's in a name?
Some newspapers (The Independent) say that it's called GoldenEye. Does anyone know where that comes from? Maybe there should be public suggestions and a vote but that would probably give us "Virus McVirusface".
FedEx has suspended trading of its shares on the New York stock exchange after admitting that its subsidiary TNT Express has been hit by "an information system virus." The big package giant said no information had been stolen by the cyber-nasty and only some offices of TNT Express appear to have been disrupted. After yesterday …
In the original Goldeneye, "Petya" is the admin mode MFT encryption bit and "Mischa" is the user mode ransomware; together with mimikatz they make "Goldeneye",
as in the film, where the two satellites "Petya" and "Mischa" make the Goldeneye weapon.
The notPetya uses mostly Petya code (modified) for the admin mode bit and the Goldeneye execution/enumerator bit, tacks on a multi-headed worm spreader (WMI/PSExec/ETERNALBLUE) depending on privilege, and a whole new usermode ransomware.
Hence this needs a new name, and all the others are wrong. Hence notPetya (because it's just not).
Obviously these large multinationals aren't securing their networks properly. Perhaps after they all lose lots of $ from this attack, just PERHAPS, instead of listening to the bean counters and MBA types that tell them not to spend a penny on "unproductive" things like network security, they will listen to somebody who knows what they're talking about.
Well, I can dream, can't I?
Or more likely
an idiot user was using a work PC to do some personal business and a friend e-mailed him the virus
And despite the big sign nailed to the monitor saying "don't open attachments".....
or a USB stick with some music on it... or any one of 1/2 dozen ways the users get round the restrictions put on works computers to stop the bastards buggering everything up
an idiot user was using a work PC to do some personal business and a friend e-mailed him the virus
That is exactly the point of having a secure network. Any number of users can do it and the infection should remain contained to them only (ideal case) or a very small pocket which can be surgically removed and replaced.
"the fixes are a better tax write-off" or some such malarkey.
It's not only the fixes that cost or even the immediate losses of business during the downtime. It's the loss of confidence by customers. It's also the increased insurance premiums. In fact, if this starts causing serious losses to insurance customers businesses all over, irrespective of whether they've been hit, will start to see their insurers stipulating the precautions they're going to have to take before they get cover.
Not to defend bad security practices, but so far the attacks haven't been successful enough to make a difference. What I mean by that is the ransomware outages have been resolved after a few days, and the loss of a day or two's worth of work is not enough to scare the bean counters into investing in security.
No, we need outages that last weeks at a time. Most businesses plan ahead enough to allow themselves to lose a day or two every once in a while, because there are plenty of other external, non-technology factors that could stop a business for a short period, such as natural disasters. But if you stop a business from functioning for several days straight, then it's enough to cause the investors to bail, and that's when the C-levels finally get a clue.
"What I mean by that is the ransomware outages have been resolved after a few days, and the loss of a day or two's worth of work is not enough to scare the bean counters into investing in security."
This depends largely on two factors, the size of your workforce, and their ability to maintain limited functionality during the outage. If you have ~100 staff at a site that is completely off the grid for 48 hours, and those staff are paid an average of $50k a year, that's close to $30k that you've poured down the drain. If you can implement more effective security controls for less than that, you've just shot yourself in the foot.
The trick now is for clever IT people to use the hype around this outbreak to claw back some of their operating budgets from the bean counters.
So today, after hearing all the hubbub about notPetya, our sales drone wanders over to me. "Hey, I sent you an email to look at. $CUSTOMER sent an order, but I can't open the attachment."
No cattle prod handy, so I went to review the email. Well, it claims to be from $CUSTOMER, but the return email address is from a completely different domain. The subject line just says something like "ORDER 12-3453". The "attachment" is a link to a dodgy looking URL. Oh, and this customer deals with internal sales, not external sales... and they're intelligent enough to compose emails with coherent sentence structure and full paragraphs when they do place orders.
AV ran clean on sales dude's PC, so there are no traces of quicklime on my keyboard today. (Single floor building, no open windows or elevator shafts to play with either.)
But they're NOT professional and they did NOT bother to update their OS software.
Microsoft has provided patches for Windows XP on up through Windows 10 that block ALL of the ongoing ransomware assaults. Here's a clue to lazy IT staff, where you can obtain all the required Windows updates you should have already installed:
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598
That wasn't hard to find. You have NO excuse.
"Microsoft has provided patches for Windows XP on up through Windows 10 that block ALL of the ongoing ransomware assaults."
Are you sure? From a previous Reg article:
The malware performs a scan of the network for vulnerable SMB file-sharing services so that it can spread via EternalBlue and EternalRomance. It also scans the computer's RAM to harvest login credentials – preferably any admin or domain admin creds present – so that these too can be used to spread the malware via remote command-line tools PsExec and WMIC. These latter pair appear to be the primary method of propagation.
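The quoted paragraph names three spread paths (SMB scanning, PsExec, WMIC). As an added example, not from the Reg article or any poster, here is detection logic run over constructed Windows event lines: it flags WMIC remote process creation, the PsExec service being installed, and one host fanning out to many 445/tcp peers. The log format and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not from the page), one per line:
#   host|event_id|key=value;key=value...
# 4688 = process creation, 7045 = service installed, 5156 = outbound connection allowed.
SAMPLE_LOGS = """\
HOST-A|4688|NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe;CommandLine=wmic /node:HOST-B process call create "rundll32 C:\\Temp\\suspect.dll"
HOST-B|7045|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
HOST-B|5156|Application=\\windows\\system32\\rundll32.exe;DestPort=445;DestAddress=10.0.0.11
HOST-B|5156|Application=\\windows\\system32\\rundll32.exe;DestPort=445;DestAddress=10.0.0.12
HOST-B|5156|Application=\\windows\\system32\\rundll32.exe;DestPort=445;DestAddress=10.0.0.13
HOST-B|5156|Application=\\windows\\system32\\rundll32.exe;DestPort=445;DestAddress=10.0.0.14
HOST-C|4688|NewProcessName=C:\\Windows\\System32\\notepad.exe;CommandLine=notepad.exe report.txt
HOST-C|5156|Application=\\windows\\explorer.exe;DestPort=445;DestAddress=10.0.0.5
"""

SMB_FANOUT_THRESHOLD = 4  # distinct 445/tcp peers from one host before alerting (assumed)

def parse_event(line):
    """Split 'host|event_id|k=v;k=v' into (host, int event_id, dict of fields)."""
    host, event_id, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";"))
    return host, int(event_id), fields

def detect(log_text):
    """Return a sorted list of (host, rule) alerts for the three spread paths."""
    alerts = set()
    smb_peers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, eid, f = parse_event(line)
        cmd = f.get("CommandLine", "").lower()
        # 1. WMIC used to create a process on another node
        if eid == 4688 and "wmic" in cmd and "/node:" in cmd and "process call create" in cmd:
            alerts.add((host, "wmic-remote-exec"))
        # 2. PsExec's default service (PSEXESVC) installed on the target
        if eid == 7045 and f.get("ServiceName", "").upper() == "PSEXESVC":
            alerts.add((host, "psexec-service-install"))
        # 3. SMB fan-out: one host reaching many 445/tcp peers, as a scanner would
        if eid == 5156 and f.get("DestPort") == "445":
            smb_peers[host].add(f.get("DestAddress"))
    for host, peers in smb_peers.items():
        if len(peers) >= SMB_FANOUT_THRESHOLD:
            alerts.add((host, "smb-fanout"))
    return sorted(alerts)

if __name__ == "__main__":
    for host, rule in detect(SAMPLE_LOGS):
        print(f"{host}: {rule}")
```

HOST-C's single connection to a file server on 445 stays below the threshold, which is the point of counting distinct peers rather than alerting on any SMB traffic.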
"You have NO excuse."
If I had a £ for every post which effectively says "Works for me so if it doesn't work for you it's your fault" I'd be rich. Maybe they're more informative about the breadth of experience of the posters than of anything else.
Admins do not all have the final word in policies. Very likely there'll be some who have been forbidden from patching because "we can't afford the downtime". In my time I've had a couple of similar blocks imposed on Unix migrations (and a very bad migration platform choice imposed on me). The businesses may - arguably - have got what they deserve, the admins not necessarily so.
Endpoint AV/malware prevention tools or web/mail scanning were the only ways of preventing some form of encryption if you were hit within the first 12 hours...
Patching stopped one vector for the spread, but others were still available.
Yep, had a call from our TNT area manager earlier today about this. Luckily we use two TNT systems: the web based MyTNT, which is terrible to use, prints out more paperwork than needed and is basically crap, and then the older, stand alone Despatch Manager, which looks like it was written for Windows 95, but the consignment numbers are pre-loaded onto the system, so we can produce paperwork and labels all day long with no internet connection until the end of day when we have to "dial in" to TNT and upload the numbers used. The driver also picks up paper copies of the manifest as well. Hopefully DPD don't get hit though; they are our other courier and their "app" runs off the DPD servers and they like to hiccup occasionally, but usually just until someone in IT reboots at their end.
All these couriers though, DPD, Interlink Express, Parcel Force, TNT, FedEx, the whole market is consolidating and there are actually only 2 or 3 big players now, DPD and FedEx, everyone else is a subsidiary and customer experience has fallen off a cliff as systems are consolidated and IT departments reduced.
GLS in the UK operates as Parcel Force which, I thought, was owned by someone else, but is actually still Royal Mail, although Royal Mail Group to give it its full name now; don't know much beyond that I'm afraid. The main reason I found out about who owns who was one day I phoned DPD IT (who are themselves owned by Geopost) support and the guy answered reeling off several courier companies before I could say anything.
We also need to get law enforcement involved as well. Somehow make the purveyors of such malware get sent to the gulag, as well as getting all the $$$ refunded. Attach the command and control and lay waste. Maybe they will get the picture.
We could also ask where are such agencies as the NSA, but maybe it is their covert fund raising technique. Don your metal hats for this one.
Somehow make the purveyors of such malware get sent to the gulag
Given that it very much looks like nation-state malware primarily aimed at attacking Ukraine, your end-point destination is appropriate (if unlikely; more likely is a substantial bonus and as much vodka as the authors could drink...).
I used to work at TNT, and my friends that are still there in the depot I worked in have sent me pictures, all the computers have the same display asking for the $300. They said all the computers have been like that since Tuesday afternoon. So when they say slight disruption, they really mean complete panic mode!!