TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 15, 2017

ID TRENDMICROBLOG:657A275464AD59827A9E6C1CD1726546
Type trendmicroblog
Reporter Elisa Lippincott (TippingPoint Global Product Marketing)
Modified 2017-05-19T12:00:15


“Are you crying? ARE YOU CRYING? There’s no crying! THERE’S NO CRYING IN BASEBALL!” Those famous words from Jimmy Dugan (portrayed by Tom Hanks) in the 1992 movie A League of their Own, ring true in the world of baseball. Unfortunately, in the cyber security world, there has been some crying this week with the outbreak of WannaCry, which is being dubbed the biggest global ransomware attack to date. WannaCry is taking advantage of a recently disclosed Microsoft vulnerability (MS17-010 – “EternalBlue”) associated with the Shadow Brokers tools release, and news outlets are reporting that as many as 300,000 computers in 150 countries have been infected with the malware.

For customers using TippingPoint solutions, we have identified the following Digital Vaccine® (DV) filters that should help you protect against the exploits listed in the table below:

CVE # | Digital Vaccine Filter # | Category | Comments
CVE-2017-0143 | 27433 | Exploit | SMB: Server MID Type Confusion Vulnerability
CVE-2017-0144 | 27928 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue)
CVE-2017-0145 | 27711 | Exploit | SMB: Server SMBv1 Buffer Overflow Vulnerability
CVE-2017-0146 | 27928, 27929 | Vulnerabilities | SMB: Remote Code Execution Vulnerabilities (EternalChampion)

SMB: Remote Code Execution Vulnerability (EternalBlue)
CVE-2017-0147 | 27929, 27937 | Vulnerabilities | SMB: Remote Code Execution Vulnerability (EternalBlue)

SMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy)
| 2176 | Security Policy | SMB: Null Session SetUp
| 11403 | Security Policy | SMB: Suspicious SMB Fragmentation
| 27935 | Exploit | SMB: DoublePulsar Backdoor
| 5614 | Exploit | SMB: Malicious SMB Probe/Attack
| 30623 | Virus (ThreatDV) | TLS: Suspicious SSL Certificate (DGA)

In addition to the DV coverage already provided by TippingPoint, customers who subscribe to our ThreatDV service received additional coverage for the WannaCry/WCRY ransomware vulnerability prior to the usual ThreatDV weekly distribution time. The following filters can be used to prevent the download of the binary files which are known to infect target machines with the ransomware:


  • 28304: TCP: Ransom_WCRY.I Download Attempt (Specific)
  • 28305: TCP: Ransom_WCRY.I Download Attempt (Generic)

For further information related to Trend Micro’s response to WannaCry and our recommendations as a whole, please visit <https://success.trendmicro.com/solution/1117391>.

For information on indicators showing interception or blocking of WannaCry, please visit <https://success.trendmicro.com/solution/1117402-indicators-showing-interception-blocking-of-wcry-wannacry-ransomware>.

While Everyone was Freaking Out with WannaCry…

Apple had a doozy of a month with their release of seven updates addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. 35 percent of the CVEs were submitted to Apple via our Zero Day Initiative (ZDI) bug bounty program, with a number of them initially disclosed during our Pwn2Own contest held earlier this year.

For more information on these vulnerabilities, check out the ZDI blog here: <https://www.zerodayinitiative.com/blog/2017/5/15/the-may-2017-apple-security-update-review>.

Adobe Security Updates

This week’s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before May 16, 2017. The following table maps Digital Vaccine filters to the Adobe updates. You can get more detailed information on this month’s security updates from Dustin Childs’ May 2017 Security Update Review:

Bulletin # | CVE # | Digital Vaccine Filter #
APSB17-15 | CVE-2017-3068 | 28215
APSB17-15 | CVE-2017-3069 | 28222
APSB17-15 | CVE-2017-3070 | 28224
APSB17-15 | CVE-2017-3071 | 28225
APSB17-15 | CVE-2017-3072 | 28217
APSB17-15 | CVE-2017-3073 | 27830
APSB17-15 | CVE-2017-3074 | 27831

Zero-Day Filters

There are 12 new zero-day filters covering six vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (2)


  • 28216: ZDI-CAN-4568: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28218: ZDI-CAN-4562: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)

Apple (1)


  • 28288: ZDI-CAN-4711: Zero Day Initiative Vulnerability (Apple Safari)

Dell (1)


  • 28230: ZDI-CAN-4754: Zero Day Initiative Vulnerability (Dell EMC VNX Monitoring and Reporting)

Hewlett Packard Enterprise (2)


  • 28211: ZDI-CAN-4524,4563: Zero Day Initiative Vulnerability (HPE Operations Orchestration)
  • 28231: ZDI-CAN-4758: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)

Microsoft (3)


  • 28220: ZDI-CAN-4700: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 28226: ZDI-CAN-4708: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 28227: ZDI-CAN-4713: Zero Day Initiative Vulnerability (Microsoft Windows)

Trend Micro (3)


  • 28118: HTTPS: Trend Micro SafeSync for Enterprise deviceTool.pm get_nic_device SQL Injection (ZDI-17-125)
  • 28228: ZDI-CAN-4744-4745: Zero Day Initiative Vulnerability (Trend Micro InterScan Messaging Security)
  • 28286: ZDI-CAN-4778: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.