Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rapid7communityNathan PalanovRAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744
HistoryJun 23, 2017 - 9:23 p.m.

Protecting against DoublePulsar infection with InsightVM and Nexpose

2017-06-2321:23:11
Nathan Palanov
community.rapid7.com
177

0.975 High

EPSS

Percentile

99.9%

JSON

After WannaCry hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7's Project Heisenberg continues to see a high volume of scans and exploit attempts targeting SMB vulnerabilities:

Heisenberg-smb-3.png

DoublePulsar, a backdoor that has infected hundreds of thousands of computers, is one of the most nefarious of these tools: It can not only distribute ransomware but is also able to infect a system's kernel to gain privileges and steal credentials. Identifying and patching vulnerable systems remains the best way to defend against the DoublePulsar implant. DoublePulsar is often delivered using the EternalBlue exploit package–MS17-010–which is the same vulnerability that gave rise to the widespread WannaCry infections in May. To help customers, we are reiterating the steps we issued for WannaCry on creating a scan, dynamic asset group, and remediation project for identifying and fixing these vulnerabilities. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven't done so already, you can download a trial of InsightVM here.

Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:

1. Under the Administration tab, go to Templates > Manage Templates

2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description; here, we'll call it "Double Pulsar and WNCRY Scan Template"

3. Click on Vulnerability Checks and then "By Individual Check"

4. Add Check “MS17-010” and click save:

This should come back with 195 checks that are related to MS17-010. The related CVEs are:

CVE-2017-0143

CVE-2017-0144

CVE-2017-0145

CVE-2017-0146

CVE-2017-0147

CVE-2017-0148

5. Save the template and run a scan to identify all assets with MS17-010.

Creating a Dynamic Asset Group for MS17-010

Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button:

Now, use the “CVE ID” filter to specify the CVEs listed below:

This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.

Creating a DoublePulsar/WannaCry Dashboard

Recently, Ken Mizota posted an article on how to build a custom dashboard to track your exposure to exploits from the Shadow Brokers leak. If you already did that, you’re good to go! If you wanted to be specific to WannaCry and DoublePulsar, you could use this Dashboard filter:

asset.vulnerability.title CONTAINS “cve-2017-0143” OR asset.vulnerability.title CONTAINS “cve-2017-0144” OR asset.vulnerability.title CONTAINS “cve-2017-0145” OR asset.vulnerability.title CONTAINS “cve-2017-0101” ORasset.vulnerability.title CONTAINS "cve-2017-0146"asset.vulnerability.title CONTAINS “cve-2017-0147” OR asset.vulnerability.title CONTAINS “cve-2017-0148”

Creating a SQL Query Export

@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting. This will also apply to DoublePulsar.

Creating a Remediation Project for MS17-010

In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the "Projects" tab and click "Create a Project":

Give the project a name, and under vulnerability filter type in “vulnerability.alternateIds <=> ( altId = “ms17-010” )”

Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.

Now you can give this project a description and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.

Using these steps, you'll be able to quickly scan for the vulnerability that enables both WannaCry and DoublePulsar infections. If you have any questions please don't hesitate to let us know!

For more information and resources on DoublePulsar, please visit this page.

Related

rapid7community 9
f5 1
zdt 9
packetstorm 7
kaspersky 4
openvas 4
mskb 12
seebug 2
attackerkb 6
prion 7
cve 7
huawei 1
nessus 3
trendmicroblog 5
mmpc 7
threatpost 11
canvas 2
thn 11
qualysblog 8
rapid7blog 3
checkpoint_advisories 6
symantec 7
cisa_kev 7
mscve 7
saint 9
talosblog 1
myhack58 1
malwarebytes 2
trellix 4
carbonblack 1
avleonov 4
kitploit 1
securelist 3
exploitdb 1
fireeye 2
ics 4
nmap 1
ibm 1
cisa 2
mssecure 2
rapid7community
rapid7community
Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010
2017-06-28 00:06:12
Scanning and Remediating WannaCry/MS17-010 in InsightVM and Nexpose
2017-06-07 14:57:05
Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010
2017-08-03 16:56:04
f5
f5
K57181937 : Multiple Microsoft SMB (Wannacry/Wannacrypt/Petya/Goldeneye) vulnerabilities
2017-05-16 00:00:00
zdt
zdt
Microsoft Windows MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption Exploit
2017-05-17 00:00:00
SMB DOUBLEPULSAR Remote Code Execution Exploit
2020-02-04 00:00:00
DOUBLEPULSAR - Payload Execution and Neutralization Exploit
2019-10-04 00:00:00
packetstorm
packetstorm
DOUBLEPULSAR Payload Execution / Neutralization
2019-10-01 00:00:00
Microsoft Windows MS17-010 SMB Remote Code Execution
2017-04-17 00:00:00
SMB DOUBLEPULSAR Remote Code Execution
2020-02-04 00:00:00
kaspersky
kaspersky
KLA10977 Multiple vulnerabilities in Microsoft Server Message Block (SMB)
2017-03-14 00:00:00
KLA10984 Privilege escalation vulnerabilities in Windows kernel
2017-03-14 00:00:00
KLA11902 Multiple vulnerabilities in Microsoft Products (ESU)
2017-03-14 00:00:00
openvas
openvas
Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)
2017-03-22 00:00:00
Microsoft Windows SMB Server Multiple Vulnerabilities (4013389)
2017-03-15 00:00:00
Double Pulsar Infection Detect
2017-04-18 00:00:00
mskb
mskb
MS17-010: Security update for Windows SMB Server: March 14, 2017
2017-03-14 00:00:00
MS17-010: Description of the security update for Windows SMB Server: March 14, 2017
2017-03-14 07:00:00
March 2017 Security Only Quality Update for Windows Server 2012
2017-03-14 07:00:00
seebug
seebug
ETERNALBLUE - Remote RCE via SMB & NBT (Windows XP to Windows 2012)
2017-04-15 00:00:00
EternalChampion - Windows SMB Remote Code Execution Vulnerability (CVE-2017-0146)
2017-04-17 00:00:00
attackerkb
attackerkb
CVE-2017-0146
2017-03-17 00:00:00
CVE-2017-0143
2017-03-17 00:00:00
CVE-2017-0148
2017-03-17 00:00:00
prion
prion
Remote code execution
2017-03-17 00:59:00
Remote code execution
2017-03-17 00:59:00
Remote code execution
2017-03-17 00:59:00
cve
cve
CVE-2017-0145
2017-03-17 00:59:00
CVE-2017-0144
2017-03-17 00:59:00
CVE-2017-0148
2017-03-17 00:59:00
huawei
huawei
Security Advisory - 'WannaCry ransomware' Vulnerabilities in Microsoft Windows Systems
2017-05-13 00:00:00
nessus
nessus
MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya) (uncredentialed check)
2017-03-20 00:00:00
MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (WannaCry) (EternalRocks) (Petya)
2017-03-15 00:00:00
MS17-017: Security Update for Windows Kernel (4013081)
2017-03-14 00:00:00
trendmicroblog
trendmicroblog
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 26, 2017
2017-06-30 12:00:57
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 15, 2017
2017-05-19 12:00:15
Double Whammy: When One Attack Masks Another Attack
2017-11-20 16:29:06
mmpc
mmpc
New ransomware, old techniques: Petya adds worm capabilities
2017-06-28 06:57:43
Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene
2017-09-06 14:58:36
WannaCrypt ransomware worm targets out-of-date systems
2017-05-13 06:40:39
threatpost
threatpost
PyRoMine Uses NSA Exploit for Monero Mining and Backdoors
2018-04-26 18:21:13
ShadowBrokers' Windows Zero-Days Already Patched
2017-04-17 14:06:34
Calypso APT Emerges from the Shadows to Target Governments
2019-10-31 18:55:02
canvas
canvas
Immunity Canvas: MS17_010
2017-03-17 00:59:00
Immunity Canvas: ETERNALBLUE
2017-03-17 00:59:00
thn
thn
Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities
2021-06-03 17:01:00
Bad Rabbit Ransomware Uses Leaked 'EternalRomance' NSA Exploit to Spread
2017-10-26 23:57:00
More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry
2017-05-19 01:52:00
qualysblog
qualysblog
Emotet Re-emerges with Help from TrickBot
2022-01-06 14:05:53
The Shadow Brokers Release Zero Day Exploit Tools
2017-04-15 07:11:21
The Rise of Ransomware
2021-10-05 12:50:00
rapid7blog
rapid7blog
Conti Ransomware Group Internal Chats Leaked Over Russia-Ukraine Conflict
2022-03-01 19:15:58
Metasploit Wrap-Up
2021-03-05 17:20:43
Open-Source Security: Getting to the Root of the Problem
2022-01-19 18:02:43
checkpoint_advisories
checkpoint_advisories
Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0148)
2017-05-16 00:00:00
Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0143)
2017-03-14 00:00:00
Microsoft Windows SMB Remote Code Execution (MS17-010: CVE-2017-0144)
2017-03-14 00:00:00
symantec
symantec
Microsoft Windows SMB Server CVE-2017-0148 Remote Code Execution Vulnerability
2017-03-14 00:00:00
Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability
2017-03-14 00:00:00
Microsoft Windows SMB Server CVE-2017-0143 Remote Code Execution Vulnerability
2017-03-14 00:00:00
cisa_kev
cisa_kev
Microsoft Windows Server Message Block (SMBv1) Remote Code Execution Vulnerability
2021-11-03 00:00:00
Microsoft SMBv1 Server Remote Code Execution Vulnerability
2022-04-06 00:00:00
Microsoft SMBv1 Remote Code Execution Vulnerability
2022-02-10 00:00:00
mscve
mscve
Windows SMB Remote Code Execution Vulnerability
2017-03-14 07:00:00
Windows SMB Remote Code Execution Vulnerability
2017-03-14 07:00:00
Windows SMB Remote Code Execution Vulnerability
2017-03-14 07:00:00
saint
saint
Windows SMBv1 Remote Command Execution
2017-04-26 00:00:00
Windows SMBv1 Remote Command Execution
2017-04-26 00:00:00
Windows SMBv1 Remote Command Execution
2017-04-26 00:00:00
talosblog
talosblog
Cisco Coverage for Adylkuzz, Uiwix, and EternalRocks
2017-05-22 15:14:00
myhack58
myhack58
The SMB vulnerability triggered“bloodshed”, far more than WannaCry-vulnerability warning-the black bar safety net
2017-05-23 00:00:00
malwarebytes
malwarebytes
Threat spotlight: the curious case of Ryuk ransomware
2019-12-12 22:33:53
How threat actors are using SMB vulnerabilities
2018-12-14 16:00:00
trellix
trellix
How Groove Gang is Shaking up the RAAS to Empower Affiliates
2021-09-08 00:00:00
How Groove Gang is Shaking up the RAAS to Empower Affiliates
2021-09-08 00:00:00
Connected Healthcare: A Cybersecurity Battlefield We Must Win
2022-06-06 00:00:00
carbonblack
carbonblack
CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in Asia
2019-07-23 13:47:50
avleonov
avleonov
Downloading entire Vulners.com database in 5 minutes
2017-08-09 17:49:03
Petya the Great and why *they* don’t patch vulnerabilities
2017-06-29 21:29:50
Is Vulnerability Management more about Vulnerabilities or Management?
2020-02-11 13:46:54
kitploit
kitploit
Eternal - An internet scanner for Eternal Blue [exploit CVE-2017-0144]
2017-07-22 20:30:00
securelist
securelist
Bad Rabbit ransomware
2017-10-24 18:16:00
A mining multitool
2018-07-26 10:00:25
APT trends report Q2 2019
2019-08-01 10:00:05
exploitdb
exploitdb
Microsoft Windows Kernel (7 x86) - Local Privilege Escalation (MS17-017)
2018-03-15 00:00:00
fireeye
fireeye
CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
2018-02-15 11:30:00
CVE-2017-10271 Used to Deliver CryptoMiners: An Overview of Techniques Used Post-Exploitation and Pre-Mining
2018-02-15 16:30:00
ics
ics
Enhancing Cyber Resilience: Insights from the CISA Healthcare and Public Health Sector Risk and Vulnerability Assessment
2023-12-15 12:00:00
Philips Intellispace Portal ISP Vulnerabilities
2018-02-27 12:00:00
Baxter ExactaMix (Update A)
2020-07-28 12:00:00
nmap
nmap
smb-vuln-ms17-010 NSE Script
2017-05-27 07:57:34
ibm
ibm
Security Bulletin: Multiple vulnerabilities in Cloud Pak System
2019-10-24 21:43:28
cisa
cisa
CISA Adds 15 Known Exploited Vulnerabilities to Catalog
2022-02-10 00:00:00
CISA Adds 15 Known Exploited Vulnerability to Catalog
2022-03-15 00:00:00
mssecure
mssecure
When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks
2021-07-29 19:00:59
When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure
2021-07-22 16:00:57

0.975 High

EPSS

Percentile

99.9%

JSON
Related for RAPID7COMMUNITY:B91CF4077282454499672A7AD6FBE744
rapid7community9f51zdt9packetstorm7kaspersky4openvas4mskb12seebug2attackerkb6prion7cve7huawei1nessus3trendmicroblog5mmpc7threatpost11canvas2thn11qualysblog8rapid7blog3checkpoint_advisories6symantec7cisa_kev7mscve7saint9talosblog1myhack581malwarebytes2trellix4carbonblack1avleonov4kitploit1securelist3exploitdb1fireeye2ics4nmap1ibm1cisa2mssecure2