[WARNING] SMB v1 still being exploited

[Metanis]

Interesting how a really old vulnerability continues to be exploited after all these years. And that 'nix machines are not immune!

Powerful Malware Disguised as Crypto Miner Infects 1M+ Windows, Linux PCs

Antivirus provider Kaspersky uncovers a sophisticated piece of 'StripedFly' malware camouflaged as a cryptocurrency miner that's been targeting PCs for more than five years.

www.pcmag.com

 

[britechguy]

Which reminds me that I need to disable SMB v1 for the client where I had to reenable it for WinServer 2003, prior to the move to Teams/OneDrive/SharePoint.

 

[YeOldeStonecat]

While I'm not condoning keeping SMB1around (I don't have any SMB1 networks anywhere), ....the old basic "Keep your systems patched" minimized this. "Microsoft released a patch for EternalBlue back in March 2017"

 

[britechguy]

"Keep your systems patched"

And in this age of almost fully automatic self-care and feeding for these sorts of patches, it generally takes intentional stupidity (turning off automatic updating, at least at that level of patching) to keep these patches from occurring without any effort on your part.

I've watched over the years as most (note: most) IT departments have come to realize that automatic updates and patching solve or prevent far more issues than they cause and have, thus, stopped blocking these and preferring to handle all patching themselves. It's virtually always those that still insist on entirely "manual" patch management that get bitten in the posterior.

 

[YeOldeStonecat]

I've watched over the years as most (note: most) IT departments have come to realize that automatic updates and patching solve or prevent far more issues than they cause

Yup....I can count probably on one hand...the amount of times that a Microsoft update broke things and did actual damage that caused problems and we had to jump in and address/fix things.

I do leave just a couple of days of a window...from "death Tuesday" patch release day....we run our patching on Thu/Fri every week. Gives Microsoft a couple of days to pull a bad release...fix it (patch it...lol)...and re-release it.

 

[britechguy]

I do leave just a couple of days of a window...from "death Tuesday" patch release day....we run our patching on Thu/Fri every week. Gives Microsoft a couple of days to pull a bad release...fix it (patch it...lol)...and re-release it.

Well, I have no objection to taking the, "let's avoid the bleeding edge, but for as short a time as is reasonable," for updating in general. A couple of days for "patch Tuesday" patches is perfectly reasonable (though I cannot remember the last time one was truly catastrophic in outcome).

I find, and not only in this business, that most people are entirely incapable of accurate risk assessment. They will take either worst-case-type scenarios they've experienced, or think that because they've been "blissfully untouched" for years as the starting points for considering courses of action. Neither yields a good result, and either often yields a result that is entirely reality-divorced.

When it comes to updates, for decades after the attitude, "We have to hold off on this for {insert at least months, possibly to years}," for typical updates because they could be "bad updates" should have died, it persisted and I'd say even grew in strength. The introduction of "software as a service" and rolling out updates in cohorts, with telemetry monitoring between said cohorts to "take the pulse of what's actually happening," very rapidly made the "bad update" a thing of myth, particularly for patch Tuesday type updates. There may be one of the very early cohorts that very rarely has a "crash and burn" but that is limited to that cohort and the "pull, and fix by patching," occurs promptly and before it continues to roll out.

Focus on the remotely possible, rather than the very probable, invariably gives bad results. It results in "far too restricted" (if the focus is on highly improbable negative results) or "far too lax" (if the focus is on highly improbable "it's all good" when it isn't likely anywhere close to *all* good) practices. These "tails of the bell curve of risk" focuses end up creating overbearing caution/unnecessary paralysis or smoldering heap/disaster breach, respectively. There is a middle ground.

 

[YeOldeStonecat]

I can think of at least 2x times when a bad Windows update caused us some grief...granted..that's HARDLY a lot. I'm sure there's more, I do recall at least several times I went in and withheld a specific KB from being pushed out.
One time was some update that broke networked printing. We had learned about it..and did "block it" for our managed clients. However, over the next quite a few months...our "unmanaged clients"....we calling us like crazy to fix printing.

There was some other update that did something to bust Outlook.

But yeah, considering...how many updates have been released over the past...oh, let's just take the past 15 years. Every week...how many updates were released on "death Tuesday" over a 15 year period? The small amount of actual "bad updates"...is miniscule.