TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 15, 2017

Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing) | Date: Fri, 19 May 2017 12:00:15 +0000

“Are you crying? ARE YOU CRYING? There’s no crying! THERE’S NO CRYING IN BASEBALL!” Those famous words from Jimmy Dugan (portrayed by Tom Hanks) in the 1992 movie A League of Their Own ring true in the world of baseball. Unfortunately, in the cyber security world there has been some crying this week with the outbreak of WannaCry, which is being dubbed the biggest global ransomware attack to date. WannaCry takes advantage of a recently disclosed Microsoft SMBv1 vulnerability (MS17-010 – “EternalBlue”) associated with the Shadow Brokers tools release, and news outlets are reporting that as many as 300,000 computers in 150 countries have been infected with the malware.

For customers using TippingPoint solutions, we have identified the following Digital Vaccine® (DV) filters that should help you protect against the exploits listed in the table below:

| CVE # | Digital Vaccine Filter # | Category | Comments |
|---|---|---|---|
| CVE-2017-0143 | 27433 | Exploit | SMB: Server MID Type Confusion Vulnerability |
| CVE-2017-0144 | 27928 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue) |
| CVE-2017-0145 | 27711 | Exploit | SMB: Server SMBv1 Buffer Overflow Vulnerability |
| CVE-2017-0146 | 27928, 27929 | Vulnerabilities | SMB: Remote Code Execution Vulnerabilities (EternalChampion); SMB: Remote Code Execution Vulnerability (EternalBlue) |
| CVE-2017-0147 | 27929, 27937 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue); SMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy) |
| | 2176 | Security Policy | SMB: Null Session SetUp |
| | 11403 | Security Policy | SMB: Suspicious SMB Fragmentation |
| | 27935 | Exploit | SMB: DoublePulsar Backdoor |
| | 5614 | Exploit | SMB: Malicious SMB Probe/Attack |
| | 30623 | Virus (ThreatDV) | TLS: Suspicious SSL Certificate (DGA) |

In addition to the DV coverage already provided by TippingPoint, customers who subscribe to our ThreatDV service received additional coverage for the WannaCry/WCRY ransomware vulnerability prior to the usual ThreatDV weekly distribution time. The following filters can be used to prevent the download of the binary files which are known to infect target machines with the ransomware:

  • 28304: TCP: Ransom_WCRY.I Download Attempt (Specific)
  • 28305: TCP: Ransom_WCRY.I Download Attempt (Generic)

For further information related to Trend Micro’s response to WannaCry and our recommendations as a whole, please visit https://success.trendmicro.com/solution/1117391.

For information on indicators showing interception or blocking of WannaCry, please visit https://success.trendmicro.com/solution/1117402-indicators-showing-interception-blocking-of-wcry-wannacry-ransomware.
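The filters above stop the exploit traffic on the wire; the host-side control that closes the same exposure is making sure SMBv1 is not enabled in the first place. As an added example that is not part of the TippingPoint post, the following PowerShell audit reports whether the SMBv1 server protocol targeted by MS17-010 is still enabled and whether the host is listening on TCP/445. It assumes Windows 8.1 / Server 2012 R2 or later (where the SmbShare and NetTCPIP cmdlets exist) and an elevated session; the remediation command at the end is left commented out so the script only reports by default.

```powershell
# Added example (not from the TippingPoint post): audit SMBv1 exposure on a Windows host.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell session.

# 1. Server-side SMBv1 switch. This is the setting MS17-010 exploits rely on.
$smbServer = Get-SmbServerConfiguration
if ($smbServer.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Output "SMBv1 server protocol is disabled on $env:COMPUTERNAME"
}

# 2. Optional-feature state (client and server components ship as the SMB1Protocol feature).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Output "SMB1Protocol optional feature state: $($feature.State)"
}

# 3. Is the host listening on TCP/445 at all? A listener on 0.0.0.0 means any reachable
#    network can talk SMB to this machine, so the DV filters in front of it matter.
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 4. Remediation (uncomment to apply). Disables the SMBv1 server; a reboot may be required.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it on a representative sample of hosts before and after patching: a host that reports SMBv1 disabled is not reachable by EternalBlue-style traffic regardless of patch level, while a host that still has it enabled should be patched and scheduled for the remediation step.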

While Everyone was Freaking Out with WannaCry…

Apple had a doozy of a month with their release of seven updates addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. 35 percent of the CVEs were submitted to Apple via our Zero Day Initiative (ZDI) bug bounty program, with a number of them initially disclosed during our Pwn2Own contest held earlier this year.

For more information on these vulnerabilities, check out the ZDI blog here: https://www.zerodayinitiative.com/blog/2017/5/15/the-may-2017-apple-security-update-review.

Adobe Security Updates

This week’s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before May 16, 2017. The following table maps Digital Vaccine filters to the Adobe updates. You can get more detailed information on this month’s security updates from Dustin Childs’ May 2017 Security Update Review:

| Bulletin # | CVE # | Digital Vaccine Filter # |
|---|---|---|
| APSB17-15 | CVE-2017-3068 | 28215 |
| APSB17-15 | CVE-2017-3069 | 28222 |
| APSB17-15 | CVE-2017-3070 | 28224 |
| APSB17-15 | CVE-2017-3071 | 28225 |
| APSB17-15 | CVE-2017-3072 | 28217 |
| APSB17-15 | CVE-2017-3073 | 27830 |
| APSB17-15 | CVE-2017-3074 | 27831 |

Zero-Day Filters

There are 12 new zero-day filters covering six vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (2)

  • 28216: ZDI-CAN-4568: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28218: ZDI-CAN-4562: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) 

Apple (1)

  • 28288: ZDI-CAN-4711: Zero Day Initiative Vulnerability (Apple Safari) 

Dell (1)

  • 28230: ZDI-CAN-4754: Zero Day Initiative Vulnerability (Dell EMC VNX Monitoring and Reporting) 

Hewlett Packard Enterprise (2)

  • 28211: ZDI-CAN-4524,4563: Zero Day Initiative Vulnerability (HPE Operations Orchestration)
  • 28231: ZDI-CAN-4758: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management) 

Microsoft (3)

  • 28220: ZDI-CAN-4700: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 28226: ZDI-CAN-4708: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 28227: ZDI-CAN-4713: Zero Day Initiative Vulnerability (Microsoft Windows) 

Trend Micro (3)

  • 28118: HTTPS: Trend Micro SafeSync for Enterprise deviceTool.pm get_nic_device SQL Injection (ZDI-17-125)
  • 28228: ZDI-CAN-4744-4745: Zero Day Initiative Vulnerability (Trend Micro InterScan Messaging Security)
  • 28286: ZDI-CAN-4778: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.
