“Are you crying? ARE YOU CRYING? There’s no crying! THERE’S NO CRYING IN BASEBALL!” Those famous words from Jimmy Dugan (portrayed by Tom Hanks) in the 1992 movie A League of Their Own ring true in the world of baseball. Unfortunately, in the cyber security world there has been some crying this week with the outbreak of WannaCry, which is being dubbed the biggest global ransomware attack to date. WannaCry takes advantage of a recently disclosed Microsoft vulnerability (MS17-010, “EternalBlue”) associated with the Shadow Brokers tools release, and news outlets are reporting that as many as 300,000 computers in 150 countries have been infected with the malware.

For customers using TippingPoint solutions, we have identified the following Digital Vaccine® (DV) filters that should help you protect against the exploits listed in the table below:

| CVE #         | Digital Vaccine Filter # | Category         | Comments                                                                                                                              |
|---------------|--------------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------|
| CVE-2017-0143 | 27433                    | Exploit          | SMB: Server MID Type Confusion Vulnerability                                                                                          |
| CVE-2017-0144 | 27928                    | Vulnerabilities  | SMB: Remote Code Execution Vulnerability (EternalBlue)                                                                                |
| CVE-2017-0145 | 27711                    | Exploit          | SMB: Server SMBv1 Buffer Overflow Vulnerability                                                                                       |
| CVE-2017-0146 | 27928, 27929             | Vulnerabilities  | SMB: Remote Code Execution Vulnerabilities (EternalChampion); SMB: Remote Code Execution Vulnerability (EternalBlue)                   |
| CVE-2017-0147 | 27929, 27937             | Vulnerabilities  | SMB: Remote Code Execution Vulnerability (EternalBlue); SMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy) |
|               | 2176                     | Security Policy  | SMB: Null Session SetUp                                                                                                               |
|               | 11403                    | Security Policy  | SMB: Suspicious SMB Fragmentation                                                                                                     |
|               | 27935                    | Exploit          | SMB: DoublePulsar Backdoor                                                                                                            |
|               | 5614                     | Exploit          | SMB: Malicious SMB Probe/Attack                                                                                                       |
|               | 30623                    | Virus (ThreatDV) | TLS: Suspicious SSL Certificate (DGA)                                                                                                 |

In addition to the DV coverage already provided by TippingPoint, customers who subscribe to our ThreatDV service received additional coverage for the WannaCry/WCRY ransomware prior to the usual ThreatDV weekly distribution time. The following filters can be used to block the download of the binary files that are known to infect target machines with the ransomware:

  • 28304: TCP: Ransom_WCRY.I Download Attempt (Specific)
  • 28305: TCP: Ransom_WCRY.I Download Attempt (Generic)

For further information related to Trend Micro’s response to WannaCry and our recommendations as a whole, please visit https://success.trendmicro.com/solution/1117391.

For information on indicators showing interception or blocking of WannaCry, please visit https://success.trendmicro.com/solution/1117402-indicators-showing-interception-blocking-of-wcry-wannacry-ransomware.

While Everyone was Freaking Out with WannaCry…

Apple had a doozy of a month with their release of seven updates addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. 35 percent of the CVEs were submitted to Apple via our Zero Day Initiative (ZDI) bug bounty program, with a number of them initially disclosed during our Pwn2Own contest held earlier this year.
