
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 26, 2017

Elisa Lippincott (TippingPoint Global Product Marketing)
blog.trendmicro.com, June 30, 2017


The late 70s/early 80s American television show Three’s Company was one of my favorite shows growing up. The central theme of the show revolved around the lives of three roommates. Each episode usually involved a misunderstanding, then chaos would ensue. In the end, everything would turn out okay. Unfortunately, this week’s episode of “ransomware in the news” isn’t over – there are still misunderstandings about the latest attack named “Petya,” even on what to call it!

This past Tuesday, a ransomware attack similar to WannaCry shut down computers all over the world. It was initially thought that this new attack was an updated version of Petya from 2016. Others said it was entirely new malware with Petya characteristics. There is now even speculation that it is not ransomware at all, and that its objective was to permanently destroy data. No extortion, just destruction, and no happy ending to this week's episode.

Trend Micro TippingPoint continues to actively review the situation in order to recommend coverage for customers using TippingPoint solutions. As of this blog posting, we have verified that the following vulnerability Digital Vaccine® (DV) filters protect against the propagation of the Petya ransomware:

CVE Number | DV Filter(s) | Category | Default Deployment | Comments
CVE-2017-0144, CVE-2017-0146 | 27298 | Vulnerabilities | Disabled | SMB: Microsoft Windows SMB Remote Code Execution Vulnerability (EternalBlue)
CVE-2017-0147 | 27931 | Vulnerabilities | Disabled | SMB: Microsoft Windows SMBv1 Information Disclosure Vulnerability (EternalRomance)

Customers who wish to enforce a generic policy at the network perimeter can use the following security policy filter to block all inbound SMBv1 traffic. Note that it is also disabled by default and must be turned on explicitly:

CVE Number | DV Filter(s) | Category | Default Deployment | Comments
None | 28471 | Security Policy | Disabled | SMB: SMBv1 Successful Protocol Negotiation
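Filter 28471 is named after the event it keys on: an SMBv1 Negotiate Protocol request answered by an SMBv1 Negotiate Protocol response that actually selects a dialect. The script below is an added example, not TippingPoint or Trend Micro code, showing how that condition can be recognised from a request/response pair on TCP 445. It uses the wire layout from the MS-CIFS specification (4-byte NetBIOS session header, 32-byte SMB header, WordCount/ByteCount parameter and data blocks) and the standard dialect strings; the sample packets are constructed inline for the example, and the helper names (`smbv1_negotiated`, `build_smb1`, and so on) are the example's own. It deliberately treats two cases as "not an SMBv1 negotiation" that a naive check would miss: a server that answers an SMBv1 request with an SMB2 response (the client offered "SMB 2.002" and was upgraded), and a server that answers with DialectIndex 0xFFFF (no dialect accepted).

```python
"""Recognise a successful SMBv1 protocol negotiation from a request/response pair."""
import struct

SMB1_MAGIC = b"\xffSMB"          # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2/SMB3 header signature
SMB_COM_NEGOTIATE = 0x72         # SMB1 Negotiate Protocol command
SMB_FLAGS_REPLY = 0x80           # Flags bit set on server responses
NO_DIALECT_SELECTED = 0xFFFF     # DialectIndex value meaning "none accepted"
SMB1_HEADER_LEN = 32


def strip_netbios(frame: bytes) -> bytes:
    """Remove the NetBIOS session service header: type 0x00 plus a 24-bit big-endian length."""
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated NetBIOS session message")
    return body


def parse_smb1(msg: bytes):
    """Return (command, is_reply, words, data) for an SMB1 message, or None if it is not SMB1."""
    if not msg.startswith(SMB1_MAGIC) or len(msg) < SMB1_HEADER_LEN + 1:
        return None
    command = msg[4]                      # Command follows the 4-byte signature
    flags = msg[9]                        # Flags follows the 4-byte Status field
    word_count = msg[SMB1_HEADER_LEN]     # Parameter block starts right after the header
    words_start = SMB1_HEADER_LEN + 1
    words_end = words_start + 2 * word_count
    if len(msg) < words_end + 2:
        raise ValueError("truncated SMB1 parameter block")
    words = msg[words_start:words_end]
    byte_count = struct.unpack_from("<H", msg, words_end)[0]
    data = msg[words_end + 2:words_end + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated SMB1 data block")
    return command, bool(flags & SMB_FLAGS_REPLY), words, data


def negotiate_dialects(data: bytes) -> list:
    """Decode the Negotiate request dialect list: repeated 0x02 + NUL-terminated ASCII name."""
    dialects = []
    pos = 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("malformed dialect entry")
        end = data.index(b"\x00", pos + 1)        # raises ValueError if unterminated
        dialects.append(data[pos + 1:end].decode("ascii"))
        pos = end + 1
    return dialects


def smbv1_negotiated(request: bytes, response: bytes):
    """Return the SMBv1 dialect the server selected, or None if no SMBv1 negotiation succeeded."""
    req = parse_smb1(strip_netbios(request))
    if req is None or req[0] != SMB_COM_NEGOTIATE or req[1]:
        return None                               # not an SMB1 Negotiate request
    dialects = negotiate_dialects(req[3])
    resp_msg = strip_netbios(response)
    if resp_msg.startswith(SMB2_MAGIC):
        return None                               # server upgraded the client to SMB2: not SMBv1
    resp = parse_smb1(resp_msg)
    if resp is None or resp[0] != SMB_COM_NEGOTIATE or not resp[1] or len(resp[2]) < 2:
        return None
    index = struct.unpack_from("<H", resp[2])[0]  # DialectIndex is the first parameter word
    if index == NO_DIALECT_SELECTED or index >= len(dialects):
        return None                               # server rejected every offered dialect
    chosen = dialects[index]
    if chosen.startswith("SMB 2."):
        return None                               # index names an SMB2 dialect string
    return chosen


def build_smb1(command: int, flags: int, words: bytes, data: bytes) -> bytes:
    """Build a minimal NetBIOS-framed SMB1 message (constructed sample traffic, not a capture)."""
    header = SMB1_MAGIC + bytes([command]) + b"\x00" * 4 + bytes([flags]) + b"\x00" * 22
    body = header + bytes([len(words) // 2]) + words + struct.pack("<H", len(data)) + data
    return b"\x00" + len(body).to_bytes(3, "big") + body


# Constructed samples: a client offering one SMB1 and two SMB2 dialects, and three server replies.
REQUEST = build_smb1(SMB_COM_NEGOTIATE, 0x18, b"",
                     b"\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00")
RESPONSE_SMB1 = build_smb1(SMB_COM_NEGOTIATE, 0x98, struct.pack("<H", 0) + b"\x00" * 32, b"")
RESPONSE_REJECT = build_smb1(SMB_COM_NEGOTIATE, 0x98, struct.pack("<H", 0xFFFF) + b"\x00" * 32, b"")
RESPONSE_SMB2 = b"\x00" + (64).to_bytes(3, "big") + SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    for name, resp in (("smb1", RESPONSE_SMB1), ("reject", RESPONSE_REJECT), ("smb2", RESPONSE_SMB2)):
        print(name, smbv1_negotiated(REQUEST, resp))
```

Only the first pair is reported as an SMBv1 session; the rejection and the SMB2 upgrade both return `None`. A policy built on this condition blocks the SMBv1 sessions that EternalBlue and EternalRomance ride on without disturbing hosts that merely offer SMBv1 and are upgraded to SMB2 or refused.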

Customers with questions or who need technical assistance can contact the TippingPoint Technical Assistance Center (TAC). For further information related to Trend Micro's response and our recommendations as a whole, please visit <https://success.trendmicro.com/solution/1117665>.

Zero-Day Filters

There are nine new zero-day filters covering three vendors in this week's Digital Vaccine (DV) package. A number of existing filters in this week's DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative web site.

Foxit (4)

  • 28746: ZDI-CAN-4721: Zero Day Initiative Vulnerability (Foxit Reader)
  • 28747: ZDI-CAN-4722: Zero Day Initiative Vulnerability (Foxit Reader)
  • 28748: ZDI-CAN-4723: Zero Day Initiative Vulnerability (Foxit Reader)
  • 28749: ZDI-CAN-4855: Zero Day Initiative Vulnerability (Foxit Reader)


Hewlett Packard Enterprise (1)

  • 28898: ZDI-CAN-4869: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management)


Quest (4)

  • 28751: ZDI-CAN-4224,4225,4229-4235,4237,4286,4316: Zero Day Initiative Vulnerability (Quest NetVault Backup)
  • 28893: ZDI-CAN-4226-4228: Zero Day Initiative Vulnerability (Quest NetVault Backup)
  • 28894: ZDI-CAN-4238,4287,4289,4292,4294: Zero Day Initiative Vulnerability (Quest NetVault Backup)
  • 28896: ZDI-CAN-4752: Zero Day Initiative Vulnerability (Quest NetVault Backup)


Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.