Starting on May 12, 2017, a worldwide outbreak of the "Eternal Blue" ransomware worm spread by attacking the Windows network file-sharing protocol (SMB). Within five hours it had hit more than 100 countries, including the United States, Russia and all of Europe, as well as domestic university intranets, large enterprise intranets and government private networks; victims were extorted to pay high ransoms to decrypt and recover their files, and important data suffered serious losses.
The main attack mode of the Eternal Blue ransomware worm: the worm automatically scans for hosts with port 445 open and needs no action from the user. As long as a computer is powered on and connected to the network, attackers can implant malicious programs on it or on a server, such as the ransomware payload, remote-control Trojans and cryptocurrency miners.
Eternal Blue ransomware worm: this "Eternal Blue" ransomware worm is the world's first case of NSA network weapons being turned against civilian targets. A month earlier, the Shadow Brokers had published the fourth batch of NSA-related network attack tools and documents, including remote command execution tools targeting several Windows system services (SMB, RDP, IIS), among them the "Eternal Blue" exploit.
In earlier outbreaks of worms that spread over port 445, some operators had already blocked port 445 on the backbone network, but the education network and a large number of enterprise intranets have no such restriction and did not install patches in time. A large number of computers still expose port 445 and remain vulnerable, which allowed the "Eternal Blue" ransomware worm to spread widely.
Senior security experts said: "Isolation does not mean security. The private network isolated by universities and enterprises is a small-scale Internet, which needs to be built as an Internet." In response to this security incident, enterprise security administrators are strongly advised to block access to port 445 on the firewall at the network boundary, upgrade the device's detection rules to the latest version, and enable blocking of the corresponding vulnerability attack until it is confirmed that every computer on the network has installed the Microsoft MS17-010 patch or has the Server service shut down.
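The worm behaviour described earlier, an infected host automatically scanning many neighbours on port 445, is exactly the pattern the boundary device's detection rules are meant to catch. As an added example (editor's code, not from the article), the script below implements that heuristic over connection logs: it flags any source that reaches at least twenty distinct hosts on TCP/445 within a sixty-second sliding window, while leaving alone a normal client that repeatedly talks to one file server. The log line format, all addresses and the sample log are constructed for the demonstration; the threshold and window are assumptions to tune per network, and the `port` parameter generalises the same check to any port.

```python
"""Flag hosts that scan TCP/445 the way an SMB worm does.

Added example (editor's code, not from the article). It assumes a simple
key=value connection-log line format, constructed for the demo, e.g.:
    2017-05-12T10:00:01 src=10.1.2.3 dst=10.1.2.10 dport=445 action=allow
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line layout: ISO timestamp, then src=, dst=, dport=, action=.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_smb_scanners(lines, port=445, window=timedelta(seconds=60), min_targets=20):
    """Return {src: sorted list of distinct dst} for every source that contacted
    at least `min_targets` distinct hosts on `port` inside any `window`.
    Many connections to a single file server never reach the threshold, because
    the count is of distinct destinations, not of connections."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()              # (ts, dst) pairs inside the current window
        in_window = defaultdict(int)  # dst -> number of its events in the window
        for ts, dst in evs:
            recent.append((ts, dst))
            in_window[dst] += 1
            # Evict events older than the window and drop dsts no longer present.
            while recent and ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            if len(in_window) >= min_targets:
                flagged[src] = sorted({d for _, d in evs})
                break
    return flagged


def constructed_sample_log():
    """Synthetic log (constructed): one worm-like scanner, one normal client of
    a single file server, one host with a few SMB peers, plus non-SMB noise."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Worm-like host: 30 distinct neighbours on 445 within 30 seconds.
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.1.2.3 dst=10.1.2.{10 + i} dport=445 action=allow")
    # Normal client: 50 connections to the same file server in 50 seconds.
    for i in range(50):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.1.2.50 dst=10.1.2.10 dport=445 action=allow")
    # Host with three SMB peers spread over minutes: stays below the threshold.
    for i, peer in enumerate(("10.1.2.10", "10.1.2.11", "10.1.2.12")):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} src=10.1.2.60 dst={peer} dport=445 action=allow")
    # Non-SMB traffic and an unparseable line are ignored by the detector.
    lines.append(f"{base.isoformat()} src=10.1.2.70 dst=203.0.113.5 dport=443 action=allow")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, targets in detect_smb_scanners(constructed_sample_log()).items():
        print(f"{src}: {len(targets)} distinct SMB targets, e.g. {targets[:3]}")
```

Run as-is it reports only 10.1.2.3 with 30 distinct targets. The distinct-destination count is what separates a scanning worm from a busy legitimate client; raising `min_targets` or shortening `window` trades sensitivity for fewer false positives on hosts such as backup servers that legitimately reach many SMB shares.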
Through this "Eternal Blue" ransomware worm incident we found that the IT systems of some large domestic enterprise customers currently run a mix of firewall brands, so security policies cannot be distributed centrally to the firewalls when a security incident breaks out, which directly slows the enterprise's emergency response.
Harm caused by the Eternal Blue ransomware worm:
Beijing, May 13 (China News Network): today, CNPC gas stations in many parts of the country could not process online payments and accepted cash only. The person in charge at PetroChina said the company was suspected to have been attacked by the virus, and that the specific situation was still being verified and handled.
According to media reports, at about 0:00 on May 13, CNPC gas stations in many parts of China, including Beijing, Shanghai, Chongqing and Chengdu, suddenly lost network connectivity. Because the network was down, Alipay, WeChat and other Internet payment methods could not be used, and only cash was accepted.
The head of PetroChina said that the refuelling service and cash payment business at the company's gas stations were running normally, but third-party payment could not be used; the company was suspected to have been attacked by the virus, and the specific situation was still being verified and handled.
With the outbreak of the Eternal Blue ransomware worm, domestic colleges and universities have become a major disaster area; the 360 Security Monitoring and Response Center rated the risk of this event as "critical".
Colleges and universities are the disaster area of Eternal Blue. One day you happily turn on your computer and everything feels normal. But while you are using it, it suddenly freezes. Within a few seconds the desktop background changes and a prompt box pops up telling you that your files have been encrypted and that you can pay to get them back. Then you look at your files: they are all encrypted.