The US Computer Emergency Readiness Team (US-CERT) has issued an alert stating that it has received multiple reports, from around the world, of Petya ransomware infections.
“Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB).”
rmsource Recommendations:
- System Patching: Given the severity of the vulnerabilities and the number of working exploits in circulation, rmsource recommends that the relevant Microsoft security patches be installed at the earliest available maintenance window, and that any company still running unsupported systems continue migrating to supported platforms.
- System Backup: rmsource recommends that System Administrators ensure that all critical data is backed up, and that a recovery plan is in place, well documented, and regularly tested. Backups that are reachable from the infected host over SMB can be encrypted along with it, so keep at least one copy offline or otherwise inaccessible to the workstation population.
- User Education: rmsource recommends that System and Network Administrators provide training for end users to recognize and avoid social engineering and phishing attacks. https://www.us-cert.gov/ncas/tips/ST04-014
Security Bulletins and Updates
- US-CERT Alert: TA16-091A: https://www.us-cert.gov/ncas/alerts/TA16-091A
- Microsoft Security Bulletin MS17-010: https://technet.microsoft.com/library/security/MS17-010
- Microsoft Security Update for Windows SMB Server: https://support.microsoft.com/en-us/help/4013389/title
Intrusion Prevention
rmsource recommends updating all Intrusion Prevention platforms so that they alert on, or preferably block, traffic matching the vendor signatures for the following CVEs (the SMBv1 flaws addressed by MS17-010):
- CVE-2017-0143
- CVE-2017-0144
- CVE-2017-0145
- CVE-2017-0146
- CVE-2017-0148
Microsoft-issued workaround:
Microsoft has provided the following link for disabling SMBv1 as a workaround on systems that cannot be patched immediately.
Please note: System Administrators will need to evaluate individual network environments and requirements prior to disabling any protocols. Legacy clients, printers, and storage appliances that only speak SMBv1 will lose access to Windows file shares once the protocol is turned off.
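The PowerShell script below is an added example for this advisory; it is not part of the original rmsource text and is not Microsoft's own tooling. It covers both the patching recommendation and the SMBv1 workaround: it reports whether one of the MS17-010 packages is installed, whether SMBv1 is still enabled on the server and client side, and which peers are currently connected at an SMB1 dialect (the information an administrator needs for the evaluation the note above calls for), and it disables SMBv1 only when explicitly asked to. The script file name is hypothetical, and the list of KB numbers is an assumption to be checked against the MS17-010 bulletin; later monthly rollups supersede those packages, so a host with none of them installed is not necessarily unpatched.

```powershell
<#
    Added example (not from the original advisory, not Microsoft's tooling).
    Audits a Windows host for the two controls recommended above:
      1. whether an MS17-010 security update package is present, and
      2. whether SMBv1 is still enabled on the server and client side,
    then disables the SMBv1 server protocol only when -DisableSmb1 is given.
    Requires an elevated PowerShell 5.1 session on Windows 8.1 / Server 2012 R2 or later
    (the SmbShare cmdlets used here are not available on Windows 7 / Server 2008 R2).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Audit only by default. The workaround is applied only with this switch.
    [switch]$DisableSmb1,

    # KB numbers of the March 2017 MS17-010 packages per OS. Assumption for illustration:
    # verify against the MS17-010 bulletin, and remember that later monthly rollups
    # supersede these KBs, so "none found" does not prove "unpatched".
    [string[]]$Ms17010Kbs = @(
        'KB4012598',                            # Vista / Server 2008
        'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, rollup)
        'KB4012214', 'KB4012217',               # Server 2012
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
    )
)

function Get-Ms17010PatchStatus {
    param([string[]]$Kbs)
    # Get-HotFix exposes the installed-update list; cumulative updates appear as KB IDs too.
    $found = @(Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)
    [pscustomobject]@{
        Ms17010PackageFound = ($found.Count -gt 0)
        MatchedKbs          = ($found -join ', ')
    }
}

function Get-Smb1Status {
    # Server side: the LanmanServer setting that controls whether SMBv1 is negotiated at all.
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Client side: mrxsmb10 is the SMBv1 redirector driver. StartMode 'Disabled' means the
    # host will not speak SMBv1 outbound either.
    $client = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'"
    $clientStart = if ($client) { $client.StartMode } else { 'NotInstalled' }

    # Sessions negotiated at an SMB1 dialect identify the peers that would break if the
    # protocol were disabled now. Dialect is reported as a version string ("1.5", "3.1.1").
    $smb1Peers = @(Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
        Select-Object -ExpandProperty ClientComputerName -Unique)

    [pscustomobject]@{
        Smb1ServerEnabled = $serverEnabled
        Smb1ClientDriver  = $clientStart
        ActiveSmb1Peers   = ($smb1Peers -join ', ')
    }
}

$patch = Get-Ms17010PatchStatus -Kbs $Ms17010Kbs
$smb1  = Get-Smb1Status

[pscustomobject]@{
    ComputerName        = $env:COMPUTERNAME
    Ms17010PackageFound = $patch.Ms17010PackageFound
    MatchedKbs          = $patch.MatchedKbs
    Smb1ServerEnabled   = $smb1.Smb1ServerEnabled
    Smb1ClientDriver    = $smb1.Smb1ClientDriver
    ActiveSmb1Peers     = $smb1.ActiveSmb1Peers
} | Format-List

if ($DisableSmb1) {
    if ($smb1.ActiveSmb1Peers) {
        Write-Warning "Peers currently on SMB1 dialects: $($smb1.ActiveSmb1Peers). They will lose access."
    }
    # ShouldProcess honours -WhatIf / -Confirm, so the change can be rehearsed first.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server and client')) {
        # Server side: stop offering SMBv1. Applies to new sessions immediately.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # Client side: remove the SMBv1 redirector from the workstation service's
        # dependencies and disable its driver. Takes effect after a reboot.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
        Write-Output 'SMBv1 disabled (server now, client after reboot). Re-run without -DisableSmb1 to verify.'
    }
}
```

Run it once with no arguments to collect the audit output across the estate, then, on hosts where the report shows no active SMB1 peers, run it as `.\Audit-Smb1.ps1 -DisableSmb1 -WhatIf` to see what would change and again without `-WhatIf` to apply it. Disabling SMBv1 reduces the attack surface but is not a substitute for the MS17-010 update, which should still be installed at the earliest window.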