{"id":84286,"date":"2017-05-13T20:38:03","date_gmt":"2017-05-13T15:08:03","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84286"},"modified":"2017-05-13T20:38:03","modified_gmt":"2017-05-13T15:08:03","slug":"ms17-010-windows-smb-server-exploitation-leads-ransomware-outbreak","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/ms17-010-windows-smb-server-exploitation-leads-ransomware-outbreak\/","title":{"rendered":"MS17-010 &#8211; Windows SMB server exploitation leads to ransomware outbreak"},"content":{"rendered":"<p>The Microsoft Windows <a target=\"_blank\" href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa365233(v=vs.85).aspx\">SMB<\/a> (Server Message Block) server is being actively exploited in the wild following the <a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/The_Shadow_Brokers\">Shadow Brokers<\/a> (TSB) leak in April 2017. According to Microsoft\u2019s <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/04\/14\/protecting-customers-and-evaluating-risk\/\">blog<\/a>, the leaked exploits were already covered by previously released security bulletins. The Shadow Brokers exploits named \u2018EternalBlue\u2019, \u2018EternalRomance\u2019 and \u2018EternalSynergy\u2019 are addressed by Microsoft in security bulletin <a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a>. According to a <a target=\"_blank\" href=\"https:\/\/www.ccn-cert.cni.es\/seguridad-al-dia\/comunicados-ccn-cert\/4464-ataque-masivo-de-ransomware-que-afecta-a-un-elevado-numero-de-organizaciones-espanolas.html\">security advisory<\/a> published on May 12, 2017 by CCN-CERT, Spain\u2019s national computer emergency response team, the infamous \u2018EternalBlue\u2019 exploit is currently being used in a massive ransomware outbreak. The ransomware used in this campaign is \u2018WannaCrypt\u2019 (aliases WannaCry, WanaCrypt0r, WCry). 
Microsoft\u2019s latest updates on this outbreak are tracked <a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/05\/12\/customer-guidance-for-wannacrypt-attacks\/\">here<\/a>.\n<\/p>\n<p>\n<b>Quick Heal &amp; Seqrite Detections<\/b>\n<\/p>\n<p>Quick Heal and Seqrite have released the following IPS detections for the vulnerabilities reported in security bulletin <a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a>.<\/p>\n<ul>\n<li>VID-01899: [MS17-010] Windows SMB Remote Code Execution Vulnerability<\/li>\n<li>VID-01901: [MS17-010] Windows SMB Remote Code Execution Vulnerability<\/li>\n<li>VID-01906: [MS17-010] Windows SMB Remote Code Execution Vulnerability<\/li>\n<li>VID-01907: [MS17-010] Windows SMB Remote Code Execution Vulnerability<\/li>\n<li>VID-01912: [MS17-010] Windows SMB Information Disclosure Vulnerability<\/li>\n<\/ul>\n<p><b>Quick Heal and Seqrite users are protected from the vulnerabilities reported in security bulletin <\/b><a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\"><b>MS17-010<\/b><\/a><b>.<\/b>\n<\/p>\n<p><b>IPS Hits Trend<\/b><\/p>\n<p>As observed by Quick Heal Security Labs, the chart below shows the trend of exploitation attempts against <a target=\"_blank\" href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-84288\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2017\/05\/Exploitation-of-vulnerabilities-reported-in-MS17-010-650x114.png\" alt=\"exploitation-of-vulnerabilities-reported-in-ms17-010\" width=\"650\" height=\"114\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/05\/Exploitation-of-vulnerabilities-reported-in-MS17-010-650x114.png 650w, 
https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/05\/Exploitation-of-vulnerabilities-reported-in-MS17-010-300x53.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/05\/Exploitation-of-vulnerabilities-reported-in-MS17-010-768x135.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/05\/Exploitation-of-vulnerabilities-reported-in-MS17-010-789x139.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2017\/05\/Exploitation-of-vulnerabilities-reported-in-MS17-010.png 1293w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><\/p>\n<p style=\"text-align: center;\">Exploitation of vulnerabilities reported in MS17-010<\/p>\n<ul>\n<li>Hits reported after May 09, 2017 show a spike in activity.<\/li>\n<\/ul>\n<p><b>Safety Measures<\/b><\/p>\n<ul>\n<li>Disable the SMB service (listening on TCP port 445) if it is not needed.<\/li>\n<li>Apply security updates from Microsoft, especially for <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a>.<\/li>\n<li>Apply the latest security updates released by Quick Heal.<\/li>\n<\/ul>\n<p><b>Conclusion<\/b><\/p>\n<p>The high-profile leak from the Shadow Brokers has resulted in a massive ransomware outbreak. Such leaks give attackers ready-made exploits to reuse in further outbreaks. We advise our users to stay protected by following the safety measures stated above.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Microsoft Windows SMB (Server Message Block) server is being actively exploited in the wild following the Shadow Brokers (TSB) leak in April 2017. According to Microsoft\u2019s blog, the leaked exploits were already covered by previously released security bulletins. The Shadow Brokers exploits named \u2018EternalBlue\u2019, \u2018EternalRomance\u2019 and \u2018EternalSynergy\u2019 are addressed by Microsoft in security bulletin MS17-010. 
[&hellip;]<\/p>\n","protected":false},"author":31,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[910],"tags":[50],"class_list":["post-84286","post","type-post","status-publish","format-standard","hentry","category-ransomware","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84286"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84286"}],"version-history":[{"count":2,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84286\/revisions"}],"predecessor-version":[{"id":84290,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84286\/revisions\/84290"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}