TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 26, 2017
Credit to Author: Elisa Lippincott (TippingPoint Global Product Marketing) | Date: Fri, 30 Jun 2017 12:00:57 +0000
The late 70s/early 80s American television show Three’s Company was one of my favorite shows growing up. The central theme of the show revolved around the lives of three roommates. Each episode usually involved a misunderstanding, then chaos would ensue. In the end, everything would turn out okay. Unfortunately, this week’s episode of “ransomware in the news” isn’t over – there are still misunderstandings about the latest attack named “Petya,” even on what to call it!
This past Tuesday, a ransomware attack similar to WannaCry shut down computers all over the world. It was initially thought that this new attack was an updated version of Petya from 2016. Others said it was a whole new malware that had Petya characteristics. Even further, now there is speculation that it’s not ransomware at all – that its objective was to permanently destroy data. No extortion – just destruction – and no happy ending to this week’s episode.
Trend Micro TippingPoint continues to actively review the situation in order to recommend coverage for customers using TippingPoint solutions. As of this blog posting, we have verified that the following Digital Vaccine® (DV) vulnerability filters protect against the propagation of the Petya ransomware, as listed in the table below:
| CVE Number | DV Filter(s) | Category | Default Deployment | Comments |
|---|---|---|---|---|
| CVE-2017-0144, CVE-2017-0146 | 27298 | Vulnerabilities | Disabled | SMB: Microsoft Windows SMB Remote Code Execution Vulnerability (EternalBlue) |
| CVE-2017-0147 | 27931 | Vulnerabilities | Disabled | SMB: Microsoft Windows SMBv1 Information Disclosure Vulnerability (EternalRomance) |
Customers who wish to enforce generic policy at the network perimeter can use the following security policy filter to block all inbound SMBv1 traffic:
| CVE Number | DV Filter(s) | Category | Default Deployment | Comments |
|---|---|---|---|---|
| None | 28471 | Security Policy | Disabled | SMB: SMBv1 Successful Protocol Negotiation |
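What a check for a successful SMBv1 negotiation looks at on the wire, as an added Python example (not TippingPoint's filter logic and not code from the original post). The function names, labels and sample frames are constructed for illustration; the offsets follow the SMB1 header layout (32-byte header, then WordCount and DialectIndex).

```python
import struct

SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72   # SMB1 command code for protocol negotiation
FLAGS_REPLY = 0x80         # header Flags bit set on server-to-client messages
NO_DIALECT = 0xFFFF        # DialectIndex when the server accepts no offered dialect

def classify(frame: bytes) -> str:
    """Classify one NetBIOS-session-framed message from a TCP/445 stream."""
    if len(frame) < 8 or frame[0] != 0x00:
        return "not-smb"
    msg = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        return "smb2-or-later"
    if msg[:4] != SMB1_MAGIC or len(msg) < 33:   # 32-byte header + WordCount
        return "not-smb"
    command, status, flags = msg[4], struct.unpack_from("<I", msg, 5)[0], msg[9]
    if command != SMB_COM_NEGOTIATE:
        return "smb1-other"
    if not flags & FLAGS_REPLY:
        return "smb1-negotiate-request"
    # A successful reply has status 0, parameter words, and a real dialect index.
    if status != 0 or msg[32] == 0 or len(msg) < 35:
        return "smb1-negotiate-failed"
    if struct.unpack_from("<H", msg, 33)[0] == NO_DIALECT:
        return "smb1-negotiate-failed"
    return "smb1-negotiated"

def smbv1_servers(records):
    """Return sorted server addresses that completed an SMBv1 negotiation."""
    return sorted({src for src, _dst, frame in records
                   if classify(frame) == "smb1-negotiated"})

# --- constructed sample traffic (not captured from a real network) ---
def _frame(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def _smb1(command, status, flags, body):
    header = SMB1_MAGIC + bytes([command]) + struct.pack("<I", status) + bytes([flags]) + bytes(22)
    return _frame(header + body)

REQUEST = _smb1(0x72, 0, 0x18, b"\x00" + struct.pack("<H", 12) + b"\x02NT LM 0.12\x00")
ACCEPTED = _smb1(0x72, 0, 0x98, bytes([17]) + struct.pack("<H", 0) + bytes(34))
REFUSED = _smb1(0x72, 0, 0x98, bytes([1]) + struct.pack("<H", NO_DIALECT) + bytes(2))
SMB2_REPLY = _frame(SMB2_MAGIC + bytes(60))
RECORDS = [  # (source, destination, payload); addresses are documentation ranges
    ("198.51.100.7", "192.0.2.10", REQUEST), ("192.0.2.10", "198.51.100.7", ACCEPTED),
    ("198.51.100.7", "192.0.2.11", REQUEST), ("192.0.2.11", "198.51.100.7", REFUSED),
    ("198.51.100.7", "192.0.2.12", REQUEST), ("192.0.2.12", "198.51.100.7", SMB2_REPLY),
]

if __name__ == "__main__":
    print(smbv1_servers(RECORDS))
```

Only the server that answered with an SMB1 negotiate reply carrying a valid dialect index is reported; a refusal or an SMB2 reply to the same request is not.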
Customers with questions or who need technical assistance can contact the TippingPoint Technical Assistance Center (TAC). For further information related to Trend Micro’s response and our recommendations as a whole, please visit https://success.trendmicro.com/solution/1117665.
Zero-Day Filters
There are nine new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative web site.
Foxit (4)
- 28746: ZDI-CAN-4721: Zero Day Initiative Vulnerability (Foxit Reader)
- 28747: ZDI-CAN-4722: Zero Day Initiative Vulnerability (Foxit Reader)
- 28748: ZDI-CAN-4723: Zero Day Initiative Vulnerability (Foxit Reader)
- 28749: ZDI-CAN-4855: Zero Day Initiative Vulnerability (Foxit Reader)
Hewlett Packard Enterprise (1)
- 28898: ZDI-CAN-4869: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)
Quest (4)
- 28751: ZDI-CAN-4224,4225,4229-4235,4237,4286,4316: Zero Day Initiative Vulnerability (Quest NetVault Backup)
- 28893: ZDI-CAN-4226-4228: Zero Day Initiative Vulnerability (Quest NetVault Backup)
- 28894: ZDI-CAN-4238,4287,4289,4292,4294: Zero Day Initiative Vulnerability (Quest NetVault Backup)
- 28896: ZDI-CAN-4752: Zero Day Initiative Vulnerability (Quest NetVault Backup)
Missed Last Week’s News?
Catch up on last week’s news in my weekly recap.