“Are you crying? ARE YOU CRYING? There’s no crying! THERE’S NO CRYING IN BASEBALL!” Those famous words from Jimmy Dugan (portrayed by Tom Hanks) in the 1992 movie A League of Their Own ring true in the world of baseball. Unfortunately, in the cyber security world, there has been some crying this week with the outbreak of WannaCry, which is being dubbed the biggest global ransomware attack to date. WannaCry is taking advantage of a recently disclosed Microsoft vulnerability (MS17-010 – “EternalBlue”) associated with the Shadow Brokers tools release, and news outlets are reporting that as many as 300,000 computers in 150 countries have been infected with the malware.
For customers using TippingPoint solutions, we have identified the following Digital Vaccine® (DV) filters that should help you protect against the exploits listed in the table below:
| CVE # | Digital Vaccine Filter # | Category | Comments |
|---|---|---|---|
| CVE-2017-0143 | 27433 | Exploit | SMB: Server MID Type Confusion Vulnerability |
| CVE-2017-0144 | 27928 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue) |
| CVE-2017-0145 | 27711 | Exploit | SMB: Server SMBv1 Buffer Overflow Vulnerability |
| CVE-2017-0146 | 27928, 27929 | Vulnerabilities | SMB: Remote Code Execution Vulnerabilities (EternalChampion); SMB: Remote Code Execution Vulnerability (EternalBlue) |
| CVE-2017-0147 | 27929, 27937 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue); SMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy) |
| | 2176 | Security Policy | SMB: Null Session SetUp |
| | 11403 | Security Policy | SMB: Suspicious SMB Fragmentation |
| | 27935 | Exploit | SMB: DoublePulsar Backdoor |
| | 5614 | Exploit | SMB: Malicious SMB Probe/Attack |
| | 30623 | Virus (ThreatDV) | TLS: Suspicious SSL Certificate (DGA) |
In addition to the DV coverage already provided by TippingPoint, customers who subscribe to our ThreatDV service received additional coverage for the WannaCry/WCRY ransomware ahead of the usual ThreatDV weekly distribution time. The following filters can be used to prevent the download of the binary files that are known to infect target machines with the ransomware:
- 28304: TCP: Ransom_WCRY.I Download Attempt (Specific)
- 28305: TCP: Ransom_WCRY.I Download Attempt (Generic)
For further information related to Trend Micro’s response to WannaCry and our recommendations as a whole, please visit https://success.trendmicro.com/solution/1117391.
For information on indicators showing interception or blocking of WannaCry, please visit https://success.trendmicro.com/solution/1117402-indicators-showing-interception-blocking-of-wcry-wannacry-ransomware.
While Everyone was Freaking Out with WannaCry…
Apple had a doozy of a month with their release of seven updates addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. 35 percent of the CVEs were submitted to Apple via our Zero Day Initiative (ZDI) bug bounty program, with a number of them initially disclosed during our Pwn2Own contest held earlier this year.