Zero-day vulnerability in Windows

Improper input validation
CVE-2017-0143

On April 14, 2017 the Shadow Brokers group publicly released the exploit pack. The exploits are believed to have been stolen from the NSA.

It is unclear which of the CVEs fixed by MS17-010 corresponds to the EternalBlue exploit. Possible CVEs: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0148.

On May 12, 2017 the WannaCry ransomware worm hit over 100,000 organizations in 150 countries. It encrypted files on infected systems and demanded a ransom of $300-600 in Bitcoin.

Known malware:

WannaCry (Wana Decryptor) ransomware (it appends the .WCRY extension to the files it encrypts). The malware is believed to be connected to the Lazarus Group from North Korea.
EternalBlue exploit.

Vulnerability details

Advisory: SB2017031416 - Multiple vulnerabilities in Microsoft Windows SMB Server

Vulnerable component: Windows

CVE-ID: CVE-2017-0143

CVSSv3 score: 10.0 (base), 9.3 (temporal) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-20 - Improper Input Validation

Description:

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an error when parsing requests in the Microsoft Server Message Block 1.0 (SMBv1) server. A remote unauthenticated attacker can send specially crafted SMB packets to the SMB service (TCP port 445) and execute arbitrary code on the target system. No user interaction is required, which is why the flaw is wormable.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system. Microsoft released an official fix in the MS17-010 security update (March 14, 2017); hosts that cannot be patched should have SMBv1 disabled and port 445 filtered at the network perimeter.
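The attack surface described above is the SMBv1 negotiate path: a server that still answers an SMB_COM_NEGOTIATE for the "NT LM 0.12" dialect exposes the vulnerable SMBv1 parser to any unauthenticated client. The following script is an added example written for this page (it is not code from the advisory, from Microsoft, or from any exploit): it builds a NetBIOS-framed SMBv1 NEGOTIATE request, decodes the server's NEGOTIATE response, and reports whether the host accepted an SMBv1 dialect and whether SMB signing is required. The function and constant names are the author's own, and the two sample responses are constructed inline (not captured from a real host) so the parser can be exercised offline; the `probe()` helper is the only part that touches the network. Accepting SMBv1 is not by itself proof that MS17-010 is missing, only that the vulnerable protocol surface is reachable.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialects offered, in order; the server replies with the index of the one it picks.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def smb1_header(command, status=0, flags=0x18, flags2=0xC801, pid=0xFEFF, mid=0):
    """32-byte SMBv1 header: magic, command, NT status, flags, flags2, PIDHigh,
    SecurityFeatures, reserved, TID, PIDLow, UID, MID (all little-endian)."""
    return struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, status, flags,
                       flags2, 0, b"\x00" * 8, 0, 0, pid, 0, mid)


def netbios_header(payload):
    """NetBIOS session service header: message type 0x00 plus a 24-bit big-endian length."""
    return b"\x00" + struct.pack(">I", len(payload))[1:]


def build_negotiate_request():
    """SMB_COM_NEGOTIATE request: WordCount 0, then ByteCount and the dialect
    strings, each prefixed with 0x02 and NUL-terminated."""
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in DIALECTS)
    body = b"\x00" + struct.pack("<H", len(dialect_bytes)) + dialect_bytes
    msg = smb1_header(SMB_COM_NEGOTIATE) + body
    return netbios_header(msg) + msg


def parse_negotiate_response(raw):
    """Decode a NetBIOS-framed NEGOTIATE response into a dict describing whether
    the server accepted an SMBv1 dialect and what security mode it advertises."""
    if len(raw) < 4 + 32:
        raise ValueError("short packet")
    length = struct.unpack(">I", b"\x00" + raw[1:4])[0]
    smb = raw[4:4 + length]
    if smb[:4] != SMB1_MAGIC:
        # An SMB2-only server answers with 0xFE 'S' 'M' 'B': SMBv1 is not on offer.
        return {"smb1": False, "reason": "non-SMBv1 magic %r" % smb[:4]}
    command, status = smb[4], struct.unpack("<I", smb[5:9])[0]
    if command != SMB_COM_NEGOTIATE:
        raise ValueError("unexpected command 0x%02x" % command)
    if status != 0:
        return {"smb1": False, "reason": "NT status 0x%08x" % status}
    word_count = smb[32]
    if word_count != 17:  # 17 words = the NT LM 0.12 response layout
        return {"smb1": False, "reason": "unexpected WordCount %d" % word_count}
    (dialect_index, security_mode, _max_mpx, _max_vcs, max_buf, _max_raw,
     _session_key, caps, _systime, _tz, _chal_len) = struct.unpack("<HBHHIIIIQhB", smb[33:67])
    if dialect_index == 0xFFFF:
        return {"smb1": False, "reason": "no offered dialect accepted"}
    return {
        "smb1": True,
        "dialect": DIALECTS[dialect_index].decode(),
        # SecurityMode bits: 0x04 signing enabled, 0x08 signing required.
        "signing_enabled": bool(security_mode & 0x04),
        "signing_required": bool(security_mode & 0x08),
        "max_buffer_size": max_buf,
        "capabilities": caps,
    }


def _sample_response(dialect_index, security_mode=0x03):
    """Constructed (not captured) NEGOTIATE response used for offline testing."""
    words = struct.pack("<HBHHIIIIQhB", dialect_index, security_mode, 50, 1,
                        16644, 65536, 0, 0x8000E3FD, 0, 0, 0)
    body = b"\x11" + words + struct.pack("<H", 0)  # WordCount 17, ByteCount 0
    msg = smb1_header(SMB_COM_NEGOTIATE) + body
    return netbios_header(msg) + msg


SAMPLE_SMB1_ACCEPTED = _sample_response(2)       # server picked "NT LM 0.12"
SAMPLE_SMB1_REFUSED = _sample_response(0xFFFF)   # server rejected every dialect


def probe(host, port=445, timeout=3.0):
    """Send the NEGOTIATE to a live host and parse the answer. A refused or reset
    connection, or an empty reply, usually means SMBv1 is disabled or 445 is filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            raw = s.recv(4096)
    except OSError as exc:
        return {"smb1": False, "reason": "connection failed: %s" % exc}
    if not raw:
        return {"smb1": False, "reason": "server closed the connection (SMBv1 likely disabled)"}
    return parse_negotiate_response(raw)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(parse_negotiate_response(SAMPLE_SMB1_ACCEPTED))
```

Run it as `python smb1_probe.py <host>` against a host you are authorized to test; with no argument it decodes the constructed sample response. A result with `"smb1": True` and `"signing_required": False` is the combination worth escalating, since it means the SMBv1 parser is reachable without any authentication and the session can be tampered with on the wire.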

Public Exploits:

Latest references in media:

- Peeled onions and a Minus Touch: Verizon data breach digest lifts the lid on theft tactics | ZDNet [2018-09-08 19:40:07]

- ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis [2018-08-06 07:10:10]

- ZombieBoy cryptomining malware exploits CVEs to evade detection [2018-08-03 17:01:00]

- ZombieBoy: New Crypto-Mining Malware Exploits Multiple CVEs [2018-08-01 20:30:53]

- Patch Priorities: 10 Vulnerabilities You Should Pay Attention To [2018-07-25 16:25:00]

- Satan Ransomware re-emerge & Attack Using EternalBlue Exploit [2018-06-25 05:30:51]

- Global Outbreak of WannaCry [2018-06-19 01:37:14]

- BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools [2018-06-19 01:36:21]

- 2017-7-24 Global Cyber Attack Reports [2018-06-19 01:34:46]

- MassMiner Malware Attacking Web Servers via Powerful Exploits [2018-05-04 08:32:15]

- MassMiner Takes a Kitchen-Sink Approach to Cryptomining [2018-05-03 22:35:23]

- MassMiner Attacks Web Servers With Multiple Exploits [2018-05-03 18:27:40]

- New MassMiner Malware Targets Web Servers With an Assortment of Exploits [2018-05-02 16:55:17]

- Leaked NSA hacking tools can target all Windows versions from the past two decades | TheINQUIRER [2018-02-06 17:30:24]

- NSA-Linked Hacking Tools Ported to Metasploit [2018-02-06 12:50:05]

- NSA exploits leaked by hackers tweaked to work on all versions of Windows since 2000 [2018-02-05 18:12:23]

- NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000 [2018-02-05 13:10:55]

- Johnny Hacker hauls out NSA-crafted Server Message Block exploits, revamps 'em [2018-01-31 17:40:01]

- Security Alert: Stabilized Exploits Target Legacy Windows-Running Servers and PCs [2018-01-30 17:16:12]

- CSE CybSec ZLAB Malware Analysis Report: NotPetya [2017-09-18 12:51:16]

- Russian Cyberspies Are Using Leaked NSA Hacking Tools to Spy On European Hotels Guests [2017-08-11 18:01:10]

- SystemD wins top gong for 'lamest vendor' in Pwnie security awards [2017-07-28 22:50:02]

- EternalSynergy-Based Exploit Targets Recent Windows Versions [2017-07-18 18:30:22]

- Exploit Derived From ETERNALSYNERGY Upgraded to Target Newer Windows Versions [2017-07-17 18:00:58]

- Stopping Threats in Their Tracks With Proactive Monitoring [2017-05-24 13:20:26]

- EternalRocks Worm Uses 7 Leaked NSA Hacking Tools [2017-05-23 03:50:02]

- More Organised Hacker Groups Found Exploiting Eternalblue Windows SMB Exploit Weeks Before WannaCry Ransomware attack [2017-05-20 14:20:08]

- Security Alert: WannaCry Leaves Exploited Computers Vulnerable to Round Two [2017-05-13 23:00:35]

- Ransomware outbreak hits Telefónica, huge security flap in Spain [2017-05-12 18:10:01]

- Shadow Brokers Attack Tools Light Up Chinese and Russian Darknet [2017-04-27 13:10:25]
