I don't need sanity, work in IT (thread) every day

[Aranial]

Thought you guys might find this interesting if you're not drowning in trying to sort it out! It's an analysis of what we know so far about Wannacrypt.

https://www.theregister.co.uk/2017/0...nsomware_worm/

[Nordstern]

Thought you guys might find this interesting if you're not drowning in trying to sort it out! It's an analysis of what we know so far about Wannacrypt.

https://www.theregister.co.uk/2017/0...nsomware_worm/

The software nasty has today ransacked the UK's national healthcare service, forcing hospitals to shut down to non-emergency patients; torn through Spanish telco Telefónica; and many other organizations. In what is looking like one of the biggest malware attacks in recent memory, the bulk of the infections are in Russia – including the state's interior ministry; the virus has claimed high-profile targets around the world.

Ha!

We're told 16 NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code "has crippled" Brit hospitals, and that Blighty's surveillance nerve center GCHQ is looking into the outbreak. The NHS is thought to have been particularly hard hit because of the antiquated nature of its IT infrastructure. A large part of the organization's systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.

BOO!

[Bombcrater]

We're told 16 NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code "has crippled" Brit hospitals, and that Blighty's surveillance nerve center GCHQ is looking into the outbreak. The NHS is thought to have been particularly hard hit because of the antiquated nature of its IT infrastructure. A large part of the organization's systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.

BOO!

In this case the cancelled contract for XP support wouldn't have saved them as MS didn't patch the SMB vulnerability out of XP until after the ransomeware attacks.

[Aranial]

We're told 16 NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code "has crippled" Brit hospitals, and that Blighty's surveillance nerve center GCHQ is looking into the outbreak. The NHS is thought to have been particularly hard hit because of the antiquated nature of its IT infrastructure. A large part of the organization's systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.

BOO!

In this case the cancelled contract for XP support wouldn't have saved them as MS didn't patch the SMB vulnerability out of XP until after the ransomeware attacks.

You got any link to prove that? I'm pretty sure they just made it free to all XP users now in response to the attack. I imagine that they would have been given out to the ones that pay for XP support back in March. Lots of supposition from both of us . But it is rather telling that it took them less than a day to release it for XP quite possibly suggesting it had been already tested and used 'in the wild'.

Sent from my SM-N915FY using Tapatalk

[Rakshasa The Cat]

It is almost as if I read articles about this going to happen as XP got EOL'ed.

[Bombcrater]

You got any link to prove that? I'm pretty sure they just made it free to all XP users now in response to the attack. I imagine that they would have been given out to the ones that pay for XP support back in March. Lots of supposition from both of us . But it is rather telling that it took them less than a day to release it for XP quite possibly suggesting it had been already tested and used 'in the wild'.

At work we have a client who pays for XP extended support and they didn't get the patch in advance, their XP machines still had the EternalBlue hole. The vulnerability is in the SMBv1 code, which has barely changed at all in later versions of Windows as it's only present for backward compatibility, so MS knew exactly what to fix and how to do it. They could have done the patch in a few hours, no problem.

[Aranial]

You got any link to prove that? I'm pretty sure they just made it free to all XP users now in response to the attack. I imagine that they would have been given out to the ones that pay for XP support back in March. Lots of supposition from both of us . But it is rather telling that it took them less than a day to release it for XP quite possibly suggesting it had been already tested and used 'in the wild'.

At work we have a client who pays for XP extended support and they didn't get the patch in advance, their XP machines still had the EternalBlue hole. The vulnerability is in the SMBv1 code, which has barely changed at all in later versions of Windows as it's only present for backward compatibility, so MS knew exactly what to fix and how to do it. They could have done the patch in a few hours, no problem.

Ahhhh fair enough . There was a guide on the register a few months back about how to disable smb1 but doesn't seem many people used it :S.

Sent from my SM-N915FY using Tapatalk

[Lana Torrin]

Returned to work after a month off. Nothing has changed. There are still jobs open and not touched from before I left.. The office365 project has finished in the same state of was in when I left (so broken with only about 20% of users migrated). The Windows 10 project progressed to about 50 desktops before they found out a bunch of stuff didn't work..

Didn't really miss any of this. Would be nice to have some working systems..

[Sp4m]

Returned to work after a month off. Nothing has changed. There are still jobs open and not touched from before I left.. The office365 project has finished in the same state of was in when I left (so broken with only about 20% of users migrated). The Windows 10 project progressed to about 50 desktops before they found out a bunch of stuff didn't work..

Didn't really miss any of this. Would be nice to have some working systems..

Holy fuck do you have 0 budget or just no planning there?


Sent from my iPhone using Tapatalk

[Lana Torrin]

Returned to work after a month off. Nothing has changed. There are still jobs open and not touched from before I left.. The office365 project has finished in the same state of was in when I left (so broken with only about 20% of users migrated). The Windows 10 project progressed to about 50 desktops before they found out a bunch of stuff didn't work..

Didn't really miss any of this. Would be nice to have some working systems..

Holy fuck do you have 0 budget or just no planning there?


Sent from my iPhone using Tapatalk

All of this going no where reportedly cost about AU$2M.. So there was budget.

[56k Lagman]

Field tech: "hmm the AD replication and RODC roles on this server aren't working"

*Field tech then proceeds to reformat the DC along with the RDS VM apparently without backing anything up*

Now I'm getting calls from users about literally everything being broke, folder redirection is broke which is probably for the best because if it was working people would realise all of their shit is gone. DNS server is gone, there's a new one but it's on a new IP address which wasn't updated in anything. How are people so fucking bad at this

[Lana Torrin]

Field tech: "hmm the AD replication and RODC roles on this server aren't working"

*Field tech then proceeds to reformat the DC along with the RDS VM apparently without backing anything up*

Now I'm getting calls from users about literally everything being broke, folder redirection is broke which is probably for the best because if it was working people would realise all of their shit is gone. DNS server is gone, there's a new one but it's on a new IP address which wasn't updated in anything. How are people so fucking bad at this

Ok there has to be more to it than that.. You dont just delete an RODC because its stopped working..

[Lana Torrin]

Today in our 'new' office365 hybrid install we have discovered there are a number of people that have their mailbox both on-prem AND in 365.. According to Microsoft this is not supposed to be possible. We literally have the best setup ever. (So glad I didn't do it)

[Shaikar]

Returned to work after a month off. Nothing has changed. There are still jobs open and not touched from before I left.. The office365 project has finished in the same state of was in when I left (so broken with only about 20% of users migrated). The Windows 10 project progressed to about 50 desktops before they found out a bunch of stuff didn't work..

Didn't really miss any of this. Would be nice to have some working systems..

Holy fuck do you have 0 budget or just no planning there?


Sent from my iPhone using Tapatalk

All of this going no where reportedly cost about AU$2M.. So there was budget.

I think you'll find that's the managerial golfing fund.

[56k Lagman]

Field tech: "hmm the AD replication and RODC roles on this server aren't working"

*Field tech then proceeds to reformat the DC along with the RDS VM apparently without backing anything up*

Now I'm getting calls from users about literally everything being broke, folder redirection is broke which is probably for the best because if it was working people would realise all of their shit is gone. DNS server is gone, there's a new one but it's on a new IP address which wasn't updated in anything. How are people so fucking bad at this

Ok there has to be more to it than that.. You dont just delete an RODC because its stopped working..

ikr. Flattened the whole thing and we're still trying to find out why he did it. Let alone why he did it on a Monday evening

[Nordstern]

According to Microsoft this is not supposed to be possible.

Technology, uh, finds a way.

[Lana Torrin]

According to Microsoft this is not supposed to be possible.

Technology, uh, finds a way.

Been doing some research.. Its possible with a hybrid 2010/365 environment because 2010 is dumb/doesnt expect 365 to be a thing. Exchange 2013 and 2016 "cant" do it.. 2010 can if you follow some quite specific timing.

[Liare]

any bets on that surviving a upgrade from 2010 to 2016?

because, assuming you dont fuck with it, i'd wager it does.

[Hel OWeen]

Field tech: "hmm the AD replication and RODC roles on this server aren't working"

*Field tech then proceeds to reformat the DC along with the RDS VM apparently without backing anything up*

Now I'm getting calls from users about literally everything being broke, folder redirection is broke which is probably for the best because if it was working people would realise all of their shit is gone. DNS server is gone, there's a new one but it's on a new IP address which wasn't updated in anything. How are people so fucking bad at this

Ok there has to be more to it than that.. You dont just delete an RODC because its stopped working..

ikr. Flattened the whole thing and we're still trying to find out why he did it. Let alone why he did it on a Monday evening

He surely made an image of the machine before dumping it ...

[56k Lagman]

Field tech: "hmm the AD replication and RODC roles on this server aren't working"

*Field tech then proceeds to reformat the DC along with the RDS VM apparently without backing anything up*

Now I'm getting calls from users about literally everything being broke, folder redirection is broke which is probably for the best because if it was working people would realise all of their shit is gone. DNS server is gone, there's a new one but it's on a new IP address which wasn't updated in anything. How are people so fucking bad at this

Ok there has to be more to it than that.. You dont just delete an RODC because its stopped working..

ikr. Flattened the whole thing and we're still trying to find out why he did it. Let alone why he did it on a Monday evening

He surely made an image of the machine before dumping it ...

I'm going to look into it this morning as part of the clean up operation but I have a bad feeling that not only did they not back up the old server vhd files but actually reinstalled windows server IN the old vhds thus completely scrubbing any chance of recovering data

any bets on that surviving a upgrade from 2010 to 2016?

because, assuming you dont fuck with it, i'd wager it does.

AFAIK MS doesn't really recommend them but I'm yet to hear of one that failed catastrophically