Samba puts out new security update to address exploit that fueled WannaCry

Enlarge (credit: kelly sweeney)

On Wednesday, the Samba Team released new security updates to fix a vulnerability in "all versions of Samba from 4.0.0 onward using embedded Heimdal Kerberos," according to an announcement from the United States-Computer Emergency Readiness Team (US-CERT).

The upgrade comes in response to an invasive piece of malware which virally spread ransomware known as "WannaCry," "WCry," or "WannaCrypt." As Ars reported in May 2017, within hours of the attack, computer systems around the world were crippled, prompting hospitals to turn away patients while telecoms, banks, and companies such as FedEx were forced to turn off computers for the weekend.

Because of WannaCry, Microsoft took the rare step of issuing patches for three discontinued versions of Windows that hadn’t been updated in years. In a blog post released at the time, Microsoft believed that the ransomware worked due to a Samba exploit.

Read 1 remaining paragraphs | Comments

Honda shuts down factory after finding NSA-derived Wcry in its networks

Enlarge (credit: S-8500)

The WCry ransomware worm has struck again, this time prompting Honda Company to halt production in one of its Japan-based factories after finding infections in a broad swath of its computer networks, according to media reports.

The automaker shut down its Sayama plant northwest of Tokyo on Monday after finding that WCry had affected networks across Japan, North America, Europe, China, and other regions, Reuters reported Wednesday. Discovery of the infection came on Sunday, more than five weeks after the onset of the NSA-derived ransomware worm, which struck an estimated 727,000 computers in 90 countries. The mass outbreak was quickly contained through a major stroke of good luck. A security researcher largely acting out of curiosity registered a mysterious domain name contained in the WCry code that acted as a global kill switch that immediately halted the self-replicating attack.

Honda officials didn't explain why engineers found WCry in their networks 37 days after the kill switch was activated. One possibility is that engineers had mistakenly blocked access to the kill-switch domain. That would have caused the WCry exploit to proceed as normal, as it did in the 12 or so hours before the domain was registered. Another possibility is that the WCry traces in Honda's networks were old and dormant, and the shutdown of the Sayama plant was only a precautionary measure. In any event, the discovery strongly suggests that as of Monday, computers inside the Honda network had yet to install a highly critical patch that Microsoft released in March.

Read 2 remaining paragraphs | Comments