Remediation script (returning $true means the remediation failed):

$fail = $false
$default = $null

# Every printer connection that still points at the old server
Get-WmiObject -Class Win32_Printer | where { $_.SystemName -like "*OLDSERVER*" } | select Name, Default | foreach {
    $newname = $($_.Name) -replace "OLDSERVER", "NEWSERVER"
    write-host "Replacing $($_.Name) with $newname"

    #ADD NEW PRINTER
    (New-Object -ComObject WScript.Network).AddWindowsPrinterConnection($newname)
    if ($_.Default) {
        write-host "Above is default printer"
        $default = $newname
    }

    #WAIT AND CHECK FOR SUCCESS
    write-host "Waiting 30 seconds to check for success"
    Start-Sleep 30
    if ( $(Get-WmiObject -Class Win32_Printer | where { $_.Name -eq $newname } | Measure-Object | select -ExpandProperty Count) -gt 0 ) {
        write-host "SUCCESS, removing old"
        (New-Object -ComObject WScript.Network).RemovePrinterConnection($_.Name)
        if ($default) {
            write-host "Setting printer as default"
            (New-Object -ComObject WScript.Network).SetDefaultPrinter($default)
            $default = $null
        }
    } else {
        write-host "FAIL, keeping old"
        $fail = $true
        # Forget the pending default; otherwise a later successful printer would
        # try to set a connection that was never created as the default.
        $default = $null
    }
}

write-host "Next line is True if errors, False if no errors:"
return $fail
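The post shows only the remediation half of the baseline. As an added example (not the author's script), here is the kind of discovery script that would sit beside it in the same configuration item. It assumes the same placeholder names OLDSERVER / NEWSERVER, and that the setting's compliance rule is "value returned by the script equals Compliant"; both are assumptions, not something the page states.

```powershell
# Added example: discovery script for the printer-migration configuration item.
# Assumes the placeholder server names OLDSERVER / NEWSERVER used by the
# remediation script, and a compliance rule that expects the string "Compliant".
$oldServer = "OLDSERVER"

# Printer connections are per-user objects, so this script (and the remediation)
# must be evaluated in the user's context ("Run scripts by using the logged on
# user credentials" on the setting), not as SYSTEM.
$stale = Get-WmiObject -Class Win32_Printer |
    Where-Object { $_.Network -and $_.SystemName -like "*$oldServer*" }

if ($stale) {
    # Anything other than "Compliant" triggers the remediation; naming the
    # queues here makes the compliance report useful to the admin.
    "NonCompliant: " + (($stale | ForEach-Object { $_.Name }) -join ", ")
} else {
    "Compliant"
}
```

Once the old print server is gone, this discovery script returns "Compliant" on every client and the baseline can be disabled without further cleanup.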
The scripts were written quickly and are not optimised; that is not needed, as this is only a temporary configuration baseline. After the old print server is decommissioned, this baseline will be disabled.
The hacker collective Anonymous has threatened to launch a full-scale cyber war against the Estonian government and business infrastructure. The war was supposed to start on Friday, 12 October 2012.
A week earlier a similar threat was addressed to the Swedish government and people, and some attacks followed, temporarily taking down several sites.
Here is the video of the Anonymous group declaring cyber war against Estonia:
During the day there were some attempts to DDoS the national police web page, with little success. The server administrators were ready for it and replaced the full web page with a static placeholder that displayed only critical information such as contacts and phone numbers. After a short period under attack, all normal content reappeared and the advanced information queries were available again.
The attack raised a lot of anticipation that something far more serious would happen, and something else did happen. Part of the Estonian Road Administration's website was broken into, specifically a registration page for an event that took place in 2010. The password hashes of around 50 accounts were published on the internet together with the names and e-mail addresses of the account holders, so those users should treat the passwords as compromised and change them wherever they were reused.
Yesterday there were four attacks, directed at the Estonian National Broadcasting company, the government portal Eesti.ee and two of the largest opposition political parties.
Agitators identified
The Estonian Information System Authority was actively monitoring network traffic before and during the incident, and a few attackers have already been identified, most of them underage kids. The knowledge gained in the cyber defence exercises at the CCDCOE probably helps in building countermeasures. If any further attacks occur they will probably be traced back to their source. Not even 7 proxies should help :)
Here is a quote about the readiness for such situations, from the communiqué of NATO's summit in Bucharest:
“Provide a capability to assist allied nations, upon request, to counter a cyber attack”
Which other targets were successfully hacked is still a mystery. According to news portals, nothing serious happened and all the attacks were neutralised.
Overall the day was as usual as any other; businesses ran smoothly. The outcome of the whole situation might actually be positive, because all institutions reviewed and reinforced their IT security.
Friday is not over yet, but most people have gone into town to enjoy themselves and forget the minor incidents of the day.
There is something for all of us to learn: keep your servers up to date at all times and have a fallback plan for a cyber attack, like the stripped-down placeholder page the police switched to. There might not be a warning before the next attacks...
Estonia is a small country in eastern Europe with a population of a little over 1.3 million. It is a member of the European Union and of NATO, the latter of which has established its Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn, the capital of Estonia.
The few isolated attacks seem to have stopped. Some news has also been posted in which Cyber Defence Centre researcher Rain Ottis expresses his opinion: "the majority of Anonymous members don't understand the reasons behind the attack", because the goals of the movement differ a lot from the current event. The harm was done by kids with tools they got from a random Facebook event. It is not a good idea to download all kinds of junk that can easily infect your own computer, so it's best to tell everybody not to follow any invitations to join the rebellion.
Good night and stay safe.