Streamer PC hit by ransomware

awsherrill
Posts: 248
Joined: Fri Nov 16, 2007 10:30 pm
Location: Raleigh NC

Streamer PC hit by ransomware

Post by awsherrill » Mon Jun 12, 2017 2:39 pm

One of our radio station streaming encoder PCs was taken down over the weekend by ransomware. I don't know which variant it was.

We use Triton as our streaming provider. The PC is dual-NIC'd with one NIC going to a DSL for the outbound stream, and the other pointing to the local LAN to pick up artist/title from the play-out software. The machine had updated AV installed and running. Operating system is Win-7 Pro.

The screen shots of the ransomware did not look much like the WannaCry ones I have seen. It could have been a copycat variant. This particular machine's OS had not been updated or patched in a while, so it is possible that the vulnerability that WannaCry exploited had not been fixed on this machine.

We can't rule out the possibility that somebody in the building was tampering with the PC, although it does not seem likely...it is in a highly visible rack area and the only access is through a multi-port KVM. Luckily the crap does not seem to have spread beyond the one machine.

Has anybody else had this issue with a basically unattended online PC?

Deep Thought
Posts: 3159
Joined: Thu Mar 20, 2008 9:23 am
Location: La Grange, IL

Re: Streamer PC hit by ransomware

Post by Deep Thought » Mon Jun 12, 2017 5:07 pm

Is the public-facing port behind a firewall or just connected to DSL? It's damn near impossible to inject something into a computer you can't get at.
Mark Mueller • Mueller Broadcast Design • La Grange, IL • http://www.muellerbroadcastdesign.com

ChuckG
Posts: 899
Joined: Tue Mar 11, 2008 11:12 pm
Location: Moo

Re: Streamer PC hit by ransomware

Post by ChuckG » Mon Jun 12, 2017 10:02 pm

WannaCry and several variants scan the internet for open SMB ports. If those are open in your firewall (or as DT was asking, if you have none), that might well have been the path in.
Crypto Sheriff here might be able to identify what you have:
www.nomoreransom.org

I have a feeling we're going to be seeing those NSA tools more and more often. I like to get something in return for my tax money, but that isn't exactly what I had in mind.... :?
<><><><><><><><><>
Chuck Gennaro
Central Wisconsin

Shane
Posts: 726
Joined: Fri Feb 01, 2008 12:08 am
Location: Omaha

Re: Streamer PC hit by ransomware

Post by Shane » Mon Jun 12, 2017 10:55 pm

Triton likes to use TeamViewer. YMMV but our IT and web development people don't like it, don't want it, and are constantly fighting with Triton over its use. Since TV works from the inside out, as I understand it, I can see where it might pose a security issue.
Mike Shane, CBRE
---Omaha---

awsherrill
Posts: 248
Joined: Fri Nov 16, 2007 10:30 pm
Location: Raleigh NC

Re: Streamer PC hit by ransomware

Post by awsherrill » Tue Jun 13, 2017 10:45 am

As far as I know, the machine was hooked up directly to the DSL with no firewall. And yes it probably had TeamViewer on it.

My staff guy working on it thinks it may have come from the factory pre-loaded with the stuff. Not sure if I'm buying that, but can't rule it out.

The first attempt at recovery of the machine was by using the factory "restore" disc to reload the OS. The ransomware returned. So now it is being taken down to bare metal.

We have a number of radio station streams that have been lashed up using DSL circuits. We have been considering tying them all together on their own dedicated Internet pipe from a local provider, conveniently located in our building. Obviously we're going to have to put firewalls and other hardening on them as part of that process.

Thanks for the comments and advice.

Deep Thought
Posts: 3159
Joined: Thu Mar 20, 2008 9:23 am
Location: La Grange, IL

Re: Streamer PC hit by ransomware

Post by Deep Thought » Tue Jun 13, 2017 11:46 am

If it is (was?) connected directly to DSL and the ISP does not filter things like NetBIOS ports it was probably a sitting duck since all of the LAN protocols would be exposed to the public. This is definitely a no-no.
Mark Mueller • Mueller Broadcast Design • La Grange, IL • http://www.muellerbroadcastdesign.com
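
Added example, not part of any post in this thread: a check for the exposure discussed above, run over `netstat -an` output from a dual-NIC Windows host. It flags SMB and NetBIOS listeners bound to the DSL-facing address or to a wildcard address. The sample output, both IP addresses and the function name are constructed for illustration.

```python
import ipaddress

# Ports named in the thread: SMB and the NetBIOS services.
LAN_PORTS = {137: "NetBIOS name", 138: "NetBIOS datagram",
             139: "NetBIOS session", 445: "SMB"}

# Constructed sample of `netstat -an` output from a dual-NIC Windows host.
# 203.0.113.17 stands in for the DSL-facing NIC, 192.168.1.50 for the LAN NIC.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.50:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.17:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.17:49731     198.51.100.9:8000      ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    192.168.1.50:137       *:*
  UDP    203.0.113.17:137       *:*
"""

def exposed_listeners(netstat_text, public_ip):
    """Return (proto, local_addr, port, service) for LAN-protocol listeners
    reachable on the public NIC: bound to it directly or to a wildcard."""
    public = ipaddress.ip_address(public_ip)
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state; only LISTENING sockets accept inbound connections.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in LAN_PORTS:
            continue
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # unparseable local address, skip the row
        if addr.is_unspecified or addr == public:
            findings.append((proto, host, int(port), LAN_PORTS[int(port)]))
    return findings

if __name__ == "__main__":
    for proto, host, port, svc in exposed_listeners(SAMPLE, "203.0.113.17"):
        print(f"{proto} {host}:{port} ({svc}) is reachable from the DSL side")
```

A finding means the socket is bound where the DSL side can reach it; a host or upstream firewall may still be blocking it.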

ChuckG
Posts: 899
Joined: Tue Mar 11, 2008 11:12 pm
Location: Moo

Re: Streamer PC hit by ransomware

Post by ChuckG » Tue Jun 13, 2017 3:11 pm

awsherrill wrote:
Tue Jun 13, 2017 10:45 am
We have been considering tying them all together on their own dedicated Internet pipe from a local provider, conveniently located in our building.
That is what we finally did, fiber drop into the building and all our streams are served on it. Cisco router with everything in stealth mode except for the single port necessary for the stream.
<><><><><><><><><>
Chuck Gennaro
Central Wisconsin

jeeisenz
Posts: 10
Joined: Fri Dec 13, 2013 7:27 am

Re: Streamer PC hit by ransomware

Post by jeeisenz » Mon Jun 19, 2017 4:21 pm

We used to have that problem as well...our box would get hijacked pretty badly. The ultimate solution? I wiped and installed Ubuntu along with a very restrictive software firewall. Haven't had an issue except for the occasional reboot.

I have multiple sound cards in this thing along with multiple instances of Edcast under WINE - and it doesn't seem to complain - and we get AAC+ out of the deal.

My next goal (hopefully) in the near future is to rebuild it with something stronger where I can insert StereoTool in the middle to do some pre-processing. But I have bigger projects at hand first.
