CVE-2017-0144
Published 2017-03-17 · Priority P1 · CVSS 3.1: 8.8 High (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-08-10
Exploited in the wild
EPSS: 99.23% (99.9th percentile)
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
Affected
31 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | server_message_block | — | — |
| microsoft_corporation | windows_smb | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1511 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
| philips | intellispace_portal | — | — |
| philips | intellispace_portal | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p300_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_p500_firmware | — | — |
| siemens | acuson_sc2000_firmware | — | — |
| siemens | acuson_sc2000_firmware | >= 4.0 < 4.0e | 4.0e |
Detection & IOCs (extracted from sources)
- CVE-2017-0144 (EternalBlue/MS17-010) exploitation requires SMBv1 to be enabled and the MS17-010 patch to be absent. Disabling SMBv1 and applying MS17-010 are the primary mitigations.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | HIGH (the v2 scale has no Critical band) | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 8.8 | HIGH | — |
| cisa | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.1 | HIGH | — |
GHSA
Five unreviewed GitHub advisories (published 2022-05-14, CVSS 8.8, HIGH, CWE-20) cover the MS17-010 SMBv1 family, one per CVE:
| GHSA | CVE | Severity |
|---|---|---|
| GHSA-fqgw-29m3-pwh5 | CVE-2017-0143 | HIGH |
| GHSA-3c3r-82gp-wc94 | CVE-2017-0146 | HIGH |
| GHSA-8w56-gqrj-2wfg | CVE-2017-0144 | HIGH |
| GHSA-jxmr-j43h-4x9p | CVE-2017-0145 | HIGH |
| GHSA-mfj7-24mx-p6qj | CVE-2017-0148 | HIGH |
All five carry the same NVD text: The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." Each advisory then states that its vulnerability is different from those described in the other four CVEs of the set (CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, minus its own).
VulnCheck
Microsoft SMBv1 Remote Code Execution Vulnerability (vulncheck · 2017 · CVSS 8.8 · CVE-2017-0144 [HIGH] · CWE-20)
The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.
Affected: Microsoft SMBv1
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.trendmicro.com/en_us/research/16/d/lesson-patching-rise-samsam-crypto-ransomware.html; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://digital.nhs.uk/cyber-alerts/2017/cc-1353; https://blog.checkpoint.com/research/global-outbreak-wanacryptor/; https://us-cert.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf; https://minerva-labs.com/post/uiwix-evasive-ransomware-ex
CISA
Microsoft SMBv1 Remote Code Execution Vulnerability (cisa · 2022-02-10 · CVSS 8.8 · CVE-2017-0144 [HIGH] · CWE-20)
Affected: Microsoft SMBv1
The SMBv1 server in multiple Microsoft Windows versions allows remote attackers to execute arbitrary code via crafted packets.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0144
Remediation Due Date: 2022-08-10
Microsoft
Windows SMB Remote Code Execution Vulnerability (vendor_msrc · 2017-03-14 · CVSS 8.1 · CVE-2017-0144 [HIGH])
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.
To exploit the vulnerability, in most situations, an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.
The security update addresses the vulnerability by correcting how SMBv1 handles these specially crafted requests.
Caveat: the advisory's "authenticated attacker" (and the PR:L in the NVD vector) overstates the prerequisite in practice; the detection and exploit modules listed below log on with a null or anonymous session in default server configurations, so no credentials are needed against a typical unpatched host.
Product: Windows SMB Server
Vendor: Microsoft
Customer Action Required: Yes
Impact: Remote Code Execution
Exploit Status (as assessed at publication on 2017-03-14, one month before the Shadow Brokers release of ETERNALBLUE and two months before WannaCry): Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likel
Suricata
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3 (suricata · 2017-05-16 · CVE-2017-0144 · sid 2024300)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 3"; flow:established,to_server; http.host; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024300; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, cve CVE_2017_0144, deployment Perimeter, malware_family wannacry, confidence High, sign
Suricata
ET MALWARE Possible WannaCry DNS Lookup 5 (suricata · 2017-05-16 · CVE-2017-0144 · sid 2024296)
Rule: alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 5"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb"; isdataat:!6,relative; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024296; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, cve CVE_2017_0144, deployment Perimeter, malware_family wannacry, performance_impact Moderate, confidence Medium, signature_severity Critical, tag R
Suricata
ET MALWARE Possible WannaCry DNS Lookup 4 (suricata · 2017-05-16 · CVE-2017-0144 · sid 2024295)
Rule: alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 4"; dns.query; content:"iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea"; isdataat:!6,relative; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024295; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, cve CVE_2017_0144, deployment Perimeter, malware_family wannacry, performance_impact Moderate, confidence Medium, signature_severity Critical, tag R
Suricata
ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1 (suricata · 2017-05-16 · CVE-2017-0144 · sid 2024298)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1"; flow:established,to_server; http.host; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024298; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_16, cve CVE_2017_0144, deployment Perimeter, malware_family wannacry, confidence High, sign
Suricata
ET MALWARE Possible WannaCry DNS Lookup 3 (suricata · 2017-05-15 · CVE-2017-0144 · sid 2024294)
Rule: alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 3"; dns.query; content:"ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf"; isdataat:!6,relative; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024294; rev:9; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_15, cve CVE_2017_0144, deployment Perimeter, malware_family wannacry, performance_impact Moderate, confidence Medium, signature_severity Critical, tag R
Suricata
ET MALWARE Possible WannaCry DNS Lookup 2 (suricata · 2017-05-14 · CVE-2017-0144 · sid 2024293)
Rule: alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 2"; dns.query; content:"ifferfsodp9ifjaposdfjhgosurijfaewrwergwea"; isdataat:!6,relative; nocase; fast_pattern; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024293; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_14, cve CVE_2017_0144, deployment Perimeter, malware_family wannacry, performance_impact Moderate, confidence Medium, signature_severity Critical, tag R
Suricata
ET MALWARE Possible WannaCry DNS Lookup 1 (suricata · 2017-05-12 · CVE-2017-0144 · sid 2024291)
Rule: alert dns $HOME_NET any -> any any (msg:"ET MALWARE Possible WannaCry DNS Lookup 1"; dns.query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"; isdataat:!6,relative; nocase; reference:cve,2017-0144; reference:url,www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis; reference:url,www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/; classtype:trojan-activity; sid:2024291; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_05_12, cve CVE_2017_0144, deployment Perimeter, malware_family wannacry, confidence High, signature_severity Major, tag Ransomware, updated_at 2022_08_19;)
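The seven rules above fire on the WannaCry kill-switch lookups, that is, on a host that is already running the worm and checking the domain before it encrypts (for the original variant a successful HTTP reply from the sinkholed domain stops the sample); they do not match the SMB exploitation traffic itself. The block below is an added example, not Emerging Threats or Suricata code: it replays the rules' matching logic (content + nocase + isdataat:!6,relative on dns.query; content on http.host) over constructed eve.json-style records so the semantics can be checked without a sensor. The strings and sids are the rules' own; the reading of isdataat:N,relative as "at least N bytes follow the match" is an assumption noted in the code.

```python
"""Replay the ET WannaCry kill-switch rules against constructed eve.json-style records.

Added example; not Emerging Threats or Suricata code. Mirrors the rule logic so
the matching semantics (nocase, isdataat:!6,relative, http.host) can be tested.
"""
from typing import Optional

# content: strings copied from the rules above
KS_IUQER_WEA = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea'
KS_IFFER = 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea'
KS_AYYLMAO = 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf'
KS_IUQSS = 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea'
KS_IUQER_WEB = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergweb'

# label -> sid of the rule that carries it, per buffer
DNS_LABELS = {KS_IUQER_WEA: 2024291, KS_IFFER: 2024293, KS_AYYLMAO: 2024294,
              KS_IUQSS: 2024295, KS_IUQER_WEB: 2024296}
HTTP_LABELS = {KS_IUQER_WEA: 2024298, KS_AYYLMAO: 2024300}


def dns_query_sid(rrname: str) -> Optional[int]:
    """dns.query; content:"<label>"; isdataat:!6,relative; nocase;

    Assumed reading: isdataat:N,relative is true when at least N bytes follow
    the last match, so the negated form demands fewer than 6 trailing bytes.
    ".com" (4 bytes) passes; a longer suffix such as ".com.sinkhole.example" does not.
    """
    name = rrname.lower()                       # nocase
    for label, sid in DNS_LABELS.items():
        pos = name.find(label)
        if pos != -1 and len(name) - (pos + len(label)) < 6:
            return sid
    return None


def http_host_sid(hostname: str) -> Optional[int]:
    """http.host; content:"<label>"; (Suricata normalises the http.host buffer to lowercase)."""
    host = hostname.lower()
    for label, sid in HTTP_LABELS.items():
        if label in host:
            return sid
    return None


def scan(records):
    """Return (timestamp, sid) for every record one of the rules would fire on."""
    hits = []
    for rec in records:
        sid = None
        if rec.get('event_type') == 'dns' and rec.get('dns', {}).get('type') == 'query':
            sid = dns_query_sid(rec['dns'].get('rrname', ''))
        elif rec.get('event_type') == 'http':
            sid = http_host_sid(rec.get('http', {}).get('hostname', ''))
        if sid is not None:
            hits.append((rec['timestamp'], sid))
    return hits


# Constructed sample records (not captured traffic), shaped like Suricata eve.json output.
SAMPLE = [
    {'timestamp': '2017-05-12T10:00:01', 'event_type': 'dns',
     'dns': {'type': 'query', 'rrname': KS_IUQER_WEA + '.com'}},                  # sid 2024291
    {'timestamp': '2017-05-12T10:00:02', 'event_type': 'http',
     'http': {'hostname': 'www.' + KS_IUQER_WEA + '.com', 'url': '/'}},          # sid 2024298
    {'timestamp': '2017-05-12T10:00:03', 'event_type': 'dns',
     'dns': {'type': 'query', 'rrname': 'www.microsoft.com'}},                   # benign
    {'timestamp': '2017-05-12T10:00:04', 'event_type': 'dns',                    # long suffix:
     'dns': {'type': 'query', 'rrname': KS_IUQER_WEA + '.com.sinkhole.example'}},  # isdataat:!6 fails
    {'timestamp': '2017-05-12T10:00:05', 'event_type': 'dns',
     'dns': {'type': 'query', 'rrname': KS_AYYLMAO.upper() + '.COM'}},           # nocase, sid 2024294
]

if __name__ == '__main__':
    for ts, sid in scan(SAMPLE):
        print(ts, 'sid', sid)
```

Run over real eve.json, the same scan() works on the parsed JSON lines; a hit is evidence of WannaCry execution on the querying host, and the SMB-side follow-up is to check that host and its neighbours for MS17-010.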
Exploit-DB
DOUBLEPULSAR - Payload Execution and Neutralization (Metasploit) (exploitdb · 2019-10-02 · CVE-2017-0148)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DOUBLEPULSAR Payload Execution and Neutralization',
      'Description' => %q{
        This module executes a Metasploit payload against the Equation Group's
        DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE.
        While this module primarily performs code execution against the implant,
        the "Neutralize implant" target allows you to disable the implant.
      },
      'Author' => [
        'Equation Group', # DOUBLEPULSAR implant
        'Shadow Brokers', # Equation Group dump
        'zerosum0x0',     # DOPU analysis and detection
        'Luke Jennings',  # DOPU analysis and detection
        'wvu',            # Metasploit modul
Exploit-DB
Microsoft Windows 7/8.1/2008 R2/2012 R2/2016 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) (exploitdb · 2017-07-11 · CVE-2017-0144)
---
#!/usr/bin/python
from impacket import smb, smbconnection
from mysmb import MYSMB
from struct import pack, unpack, unpack_from
import sys
import socket
import time
'''
MS17-010 exploit for Windows 2000 and later by sleepya
EDB Note: mysmb.py can be found here ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42315.py
Note:
- The exploit should never crash a target (chance should be nearly 0%)
- The exploit use the bug same as eternalromance and eternalsynergy, so named pipe is needed
Tested on:
- Windows 2016 x64
- Windows 10 Pro Build 10240 x64
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x64
- Windows 2008 SP1
Exploit-DB
Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010) (exploitdb · 2017-05-17 · CVE-2017-0144)
---
#!/usr/bin/python
from impacket import smb, ntlm
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 8 and 2012 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
The exploit support only x64 target
EDB Note: Shellcode
- x64 ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42030.asm
- x86 ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42031.asm
Tested on:
- Windows 2012 R2 x64
- Windows 8.1 x64
- Windows 10 Pro Build 10240 x64
Default Windows 8 and later installation without additional service info:
- anonymous is not allowed to access any share
Exploit-DB
Microsoft Windows 7/2008 R2 - 'EternalBlue' SMB Remote Code Execution (MS17-010) (exploitdb · 2017-05-17 · CVE-2017-0144)
---
#!/usr/bin/python
from impacket import smb
from struct import pack
import sys
import socket
'''
EternalBlue exploit for Windows 7/2008 by sleepya
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
EDB Note: Shellcode
- x64 ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42030.asm
- x86 ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42031.asm
Tested on:
- Windows 7 SP1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x86
- Windows 2008 SP1 x64
- Windows 2008 SP1 x86
Reference:
- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
Bug detail:
- For the buffer overflow bug detail, please see htt
Exploit-DB
Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010) (exploitdb · 2017-05-10 · CVE-2017-0148)
---
# Exploit Author: Juan Sacco at KPN Red Team - http://www.kpn.com
# Date and time of release: May, 9 2017 - 13:00PM
# Found this and more exploits on my open source security project: http://www.exploitpack.com
#
# MS17-010 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
# Tested on: Microsoft Windows Server 2008 x64 SP1 R2 Standard
#
# Description: SMBv1 SrvOs2FeaToNt OOB is prone to a remote code execution
# vulnerability because the application fails to perform adequate
# boundary-checks on user-supplied input. Srv.sys process SrvOs2FeaListSizeToNt
# and when the logic is not correct it leads to a cross-border copy. The vulnerability trigger point is as follows:
#
# Vu
Exploit-DB
Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit) (exploitdb · 2017-04-17 · CVE-2017-0147)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# auxiliary/scanner/smb/smb_ms_17_010
require 'msf/core'
class MetasploitModule < Msf::Auxiliary
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS17-010 SMB RCE Detection',
      'Description' => %q{
        Uses information disclosure to determine if MS17-010 has been patched or not.
        Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0.
        If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does
        not have the MS17-010 patch.
        This module does not require valid SMB credentials in default server
        configurations. It can log on as the user "\" and connect to IPC$.
      },
      'Author' => [ 'Sean Dillon' ],
      'Referenc
Metasploit
MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption (metasploit)
This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again. The module will attempt to use Anonymous logi
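A model of the size error the module text refers to, as an added example (not srv.sys code and not the Metasploit module's): the size pass walks the OS/2 FEA list, stops at the first entry that runs past the declared cbList, and writes the accepted length back into cbList. In the usual reading of this bug that write is a 16-bit store, so the high word of an attacker-chosen cbList of 0x10000 survives and the conversion pass then copies one more, much larger, entry into an NT buffer that was sized without it. The entry counts and lengths below are constructed for the demonstration and are not the exploit's values; the OS/2 and NT entry layouts are the documented ones.

```python
"""Model of the SrvOs2FeaListSizeToNt / SrvOs2FeaListToNt size error behind ETERNALBLUE.

Added example; not srv.sys or Metasploit code. An OS/2 FEA list is a DWORD
cbList followed by entries (fEA:1, cbName:1, cbValue:2, name+NUL, value). The
NT form (FILE_FULL_EA_INFORMATION) is an 8-byte header, name+NUL, value, padded
to 4 bytes. Sizes of the constructed list are illustrative only.
"""
import struct


def nt_entry_size(cb_name, cb_value):
    """FILE_FULL_EA_INFORMATION: 8-byte header + name + NUL + value, 4-byte aligned."""
    return (8 + cb_name + 1 + cb_value + 3) & ~3


def os2_entry(fea, off):
    """Parse the entry header at off: (cb_name, cb_value, end offset of the entry)."""
    cb_name, cb_value = struct.unpack_from('<BH', fea, off + 1)
    return cb_name, cb_value, off + 4 + cb_name + 1 + cb_value


def fea_list_size_to_nt(fea, word_store):
    """Return the NT size of the entries that fit; trim cbList to the bytes accepted."""
    cb_list = struct.unpack_from('<I', fea, 0)[0]
    off, nt_size = 4, 0
    while off + 4 <= cb_list and off + 4 <= len(fea):
        cb_name, cb_value, end = os2_entry(fea, off)
        if end > cb_list:
            break                                      # entry overruns the declared list
        nt_size += nt_entry_size(cb_name, cb_value)
        off = end
    if word_store:
        struct.pack_into('<H', fea, 0, off & 0xFFFF)   # bug: 16-bit write, high word survives
    else:
        struct.pack_into('<I', fea, 0, off)            # fix: the whole DWORD is updated
    return nt_size


def fea_list_to_nt(fea, nt_size):
    """Convert entries up to cbList into a buffer of nt_size bytes; return bytes written past it."""
    cb_list = struct.unpack_from('<I', fea, 0)[0]
    nt_buf = bytearray(nt_size)                        # the pool allocation
    off, written = 4, 0
    while off + 4 <= cb_list and off + 4 <= len(fea):
        cb_name, cb_value, end = os2_entry(fea, off)
        if end > cb_list or end > len(fea):
            break
        name_off = off + 4
        entry = (struct.pack('<IBBH', 0, fea[off], cb_name, cb_value)   # NextEntryOffset, Flags, lengths
                 + bytes(fea[name_off:name_off + cb_name + 1])
                 + bytes(fea[name_off + cb_name + 1:end]))
        entry += b'\x00' * (nt_entry_size(cb_name, cb_value) - len(entry))
        if written + len(entry) <= nt_size:
            nt_buf[written:written + len(entry)] = entry
        # else: in srv.sys this is the memmove that runs past the allocation
        written += len(entry)
        off = end
    return max(0, written - nt_size)


def build_fea_list(n_small, big_value_len, declared_cb_list):
    """Constructed list: n_small one-byte-name entries followed by one large-valued entry."""
    small = struct.pack('<BBH', 0, 1, 0) + b'a\x00'                       # 6 bytes each
    big = struct.pack('<BBH', 0, 1, big_value_len) + b'z\x00' + b'B' * big_value_len
    return bytearray(struct.pack('<I', declared_cb_list) + small * n_small + big)


def demo(word_store):
    """(nt_size, cbList after the size pass, bytes written past the NT buffer)."""
    fea = build_fea_list(n_small=1000, big_value_len=0xF000, declared_cb_list=0x10000)
    nt_size = fea_list_size_to_nt(fea, word_store)
    cb_list = struct.unpack_from('<I', fea, 0)[0]
    return nt_size, cb_list, fea_list_to_nt(fea, nt_size)


if __name__ == '__main__':
    for bug in (True, False):
        nt_size, cb_list, overrun = demo(bug)
        print('%s: nt_size=%d cbList=0x%X overrun=%d'
              % ('WORD store' if bug else 'DWORD store', nt_size, cb_list, overrun))
```

With the 16-bit store the size pass accepts 6004 bytes and returns a 12000-byte NT size, but cbList becomes 0x11774 instead of 0x1774, so the conversion pass also processes the 61446-byte entry it had rejected and writes 61452 bytes past the allocation; with the full DWORD store it stops where the size pass did.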
Metasploit
MS17-010 SMB RCE Detection (metasploit)
Uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is "STATUS_INSUFF_SERVER_RESOURCES", the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user "\" and connect to IPC$.
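The probe and verdict the detection module describes, written out as an added example (not the Metasploit module's own code): build the SMB_COM_TRANSACTION request carrying a PeekNamedPipe on FID 0, parse the NT status from the reply, and map STATUS_INSUFF_SERVER_RESOURCES to "vulnerable" and STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED to "patched". The negotiate, null-user session setup and IPC$ tree connect that precede it are assumed to have been done with a client library such as impacket and are not repeated; their tree id and user id are the inputs. The replies fed to the classifier are constructed, not captured. The DoublePulsar check follows the module description's implant test as published by its analysts: a Trans2 SESSION_SETUP probe sent with MID 0x41 is answered by the implant with MID 0x51 (that value is from the published analysis, not from this page).

```python
"""Build the MS17-010 PeekNamedPipe probe and classify the SMB1 reply.

Added example; not the Metasploit module's code. The session (negotiate,
anonymous session setup, IPC$ tree connect) is assumed to exist already;
replies used here are constructed, not captured traffic.
"""
import struct

SMB_COM_TRANSACTION = 0x25
TRANS_PEEK_NAMED_PIPE = 0x23
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # MS17-010 missing
STATUS_INVALID_HANDLE = 0xC0000008            # patched
STATUS_ACCESS_DENIED = 0xC0000022             # patched (or anonymous IPC$ refused)
DOUBLEPULSAR_MID = 0x51                       # implant answers a MID 0x41 Trans2 probe with 0x51

# protocol, command, status, flags, flags2, pidhigh, signature, reserved, tid, pid, uid, mid
SMB1_HEADER = '<4sBIBHHQHHHHH'


def smb1_header(command, tid, pid, uid, mid, status=0, flags=0x18, flags2=0x4801):
    """32-byte SMB1 header. flags2 0x4801 = NT status codes + extended security + long names, no Unicode."""
    return struct.pack(SMB1_HEADER, b'\xffSMB', command, status, flags, flags2,
                       0, 0, 0, tid, pid, uid, mid)


def netbios(smb):
    """NetBIOS session message: type 0x00 plus 24-bit length, then the SMB message."""
    return struct.pack('>I', len(smb)) + smb


def peek_named_pipe_request(tid, uid, pid=0xFEFF, mid=0x41):
    """SMB_COM_TRANSACTION with setup [PeekNamedPipe, FID 0] and name \\PIPE\\, no params or data."""
    words = struct.pack('<HHHHBBHIHHHHHBB',
                        0, 0,             # TotalParameterCount, TotalDataCount
                        0xFFFF, 0xFFFF,   # MaxParameterCount, MaxDataCount
                        0, 0,             # MaxSetupCount, Reserved1
                        0, 0, 0,          # Flags, Timeout, Reserved2
                        0, 0x4A,          # ParameterCount, ParameterOffset
                        0, 0x4A,          # DataCount, DataOffset
                        2, 0)             # SetupCount, Reserved3
    words += struct.pack('<HH', TRANS_PEEK_NAMED_PIPE, 0)   # subcommand, FID 0
    name = b'\\PIPE\\\x00'
    smb = (smb1_header(SMB_COM_TRANSACTION, tid, pid, uid, mid)
           + struct.pack('<B', len(words) // 2) + words        # WordCount = 16
           + struct.pack('<H', len(name)) + name)              # ByteCount + name
    return netbios(smb)


def parse_smb1_header(raw):
    """(command, nt_status, mid) from a NetBIOS-framed SMB1 message."""
    if len(raw) < 36 or raw[4:8] != b'\xffSMB':
        raise ValueError('not an SMB1 message')
    command, status = struct.unpack_from('<BI', raw, 8)
    mid = struct.unpack_from('<H', raw, 34)[0]
    return command, status, mid


def classify_ms17_010(raw):
    """Verdict from the reply to peek_named_pipe_request()."""
    _, status, _ = parse_smb1_header(raw)
    if status == STATUS_INSUFF_SERVER_RESOURCES:
        return 'VULNERABLE'
    if status in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return 'PATCHED'
    return 'UNKNOWN:0x%08X' % status


def doublepulsar_present(raw):
    """True when the reply MID is 0x51, the implant's answer to a Trans2 SESSION_SETUP probe sent with MID 0x41."""
    return parse_smb1_header(raw)[2] == DOUBLEPULSAR_MID


def constructed_reply(status, mid=0x41, tid=0x0800, uid=0x0800):
    """Constructed reply (not captured): header with the reply flag set, empty word and byte blocks."""
    smb = smb1_header(SMB_COM_TRANSACTION, tid, 0xFEFF, uid, mid, status=status, flags=0x98) + b'\x00\x00\x00'
    return netbios(smb)


if __name__ == '__main__':
    probe = peek_named_pipe_request(tid=0x0800, uid=0x0800)
    print('probe: %d bytes, command 0x%02X' % (len(probe), parse_smb1_header(probe)[0]))
    for status in (STATUS_INSUFF_SERVER_RESOURCES, STATUS_INVALID_HANDLE, 0xC000000D):
        print('0x%08X -> %s' % (status, classify_ms17_010(constructed_reply(status))))
    print('DoublePulsar:', doublepulsar_present(constructed_reply(0, mid=0x51)))
```

In a live check the probe is sent on the socket after the tree connect and the first 4 + 32 bytes of the answer go to classify_ms17_010(); a PATCHED verdict from STATUS_ACCESS_DENIED can also mean anonymous IPC$ access is disabled, so it is worth rerunning with credentials before closing the finding.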
Metasploit
SMB DOUBLEPULSAR Remote Code Execution (metasploit)
This module executes a Metasploit payload against the Equation Group's DOUBLEPULSAR implant for SMB as popularly deployed by ETERNALBLUE. While this module primarily performs code execution against the implant, the "Neutralize implant" target allows you to disable the implant.
Tenable
## How much cyber risk does AI create for organizations? 457 million security issues. Here’s what you can do about it. (blogs_tenable · 2026-06-24 · CVE-2024-21762)
Over a 30 day period, Tenable detected 457 million AI-related security issues among 7,000-plus organizations, an average of 62,000 exposures per organization. If we didn’t already know that shadow AI was a problem, data like this makes it clear every organization needs to visualize, map, assess, and protect with a comprehensive exposure management program.
## Key takeaways
AI tools — approved and unapproved — are driving a massive wave of daily exposures, including an average of 62,000 per organization during a recent 30-day period. This is creating AI security issues that are primarily tied to misconfigurations and unmanaged dependencies rather than standard CVEs.
To
Tenable
## Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect (blogs_tenable · 2026-05-27 · CVE-2023-4966)
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense (blogs_huntress · 2025-08-25 · CVSS 8.8 [HIGH])
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Securelist
PipeMagic in 2025: How the backdoor operators’ tactics have changed (blogs_securelist · 2025-08-18 · CVSS 8.8 · CVE-2025-29824 [HIGH])
Table of Contents
- Background
- PipeMagic in 2025
- Deployed PE
- Discovered modules
- Post-exploitation
- Takeaways
- IoCs
Authors
- Sergey Lozhkin
- Leonid Bezvershenko
- Kirill Korchemny
- Ilya Savelyev
In April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them was being used in real-world attacks at the time the patch was released: CVE-2025-29824. The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign. In September 2024, we encountered it again in attacks on organizations in the Middle East. Notably, it was the same version of PipeMagic as in 2022. We continue to track the malware’s activity. Most recently, in 2025 our solutions pr
Securelist
Evolution of the PipeMagic backdoor: from the RansomExx incident to CVE-2025-29824 (blogs_securelist · 2025-08-18 · CVSS 8.8 [HIGH])
Table of Contents
- Background
- PipeMagic in 2025
- Initial loader
- Loader (ChatGPT)
- Loader using DLL hijacking
- Deployed PE
- Discovered modules
- Asynchronous communication module
- Loader
- Injector
- Post-exploitation
- Takeaways
- IoCs
Authors
- Sergey Lozhkin
- Leonid Bezvershenko
- Kirill Korchemny
- Ilya Savelyev
In April 2025, Microsoft patched 121 vulnerabilities in its products. According to the company, only one of them was being used in real-world attacks at the time the patch was released: CVE-2025-29824. The exploit for this vulnerability was executed by the PipeMagic malware, which we first discovered in December 2022 in a RansomExx ransomware campaign. In September 2024, we encountered it again in attacks on organizations in the Middle East. Notably, it was the same version of PipeM
Sentinelone
RansomHub (blogs_sentinelone · 2025-01-08)
Tenable
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25 (blogs_tenable · 2024-10-22)
Bleepingcomputer
## NoName ransomware gang deploying RansomHub malware in recent attacks (blogs_bleepingcomputer · 2024-09-10 · CVSS 8.8 [HIGH])
By Bill Toulas
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472).
In more recent attacks NoName uses the ScRansom ransomware, which replaced the Scarab encryptor. Additionally, the threat actor tried to make a name by experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak
Tenable
Cybersecurity Snapshot: RansomHub Group Triggers CISA Warning, While FBI Says North Korean Hackers Are Targeting Crypto Orgs (blogs_tenable · 2024-09-06)
Sentinelone
Cybersecurity's Defining Moments | 7 Lessons from History's Most Infamous Breaches
blogs_sentinelone·2024-01-09
Cybersecurity's Defining Moments | 7 Lessons from History's Most Infamous Breaches
For CISOs and other experienced security leaders, understanding past incidents is crucial for preparing against future cyber threats. Delving into some of the most impactful cyberattacks in recent history can serve as a potent reminder of the diverse nature of cyber threats and the need for robust security measures.
In this post, we explore seven pivotal cybersecurity incidents, their impacts, and the invaluable lessons they offer to security leaders and organizations in fortifying their cyber defenses.
## 1 – Colonial Pipeline Ransomware Attack (2021)
The Colonial Pipeline ransomware attack in May 2021 stands as a stark moment that shows the very tangible impacts that cyber threats have on critical infrastructure. This incident not only disrupted digital operations but also had far-rea
Qualys
Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
#### Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the curre
Qualys
Qualys Top 20 Most Exploited Vulnerabilities
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Qualys Top 20 Most Exploited Vulnerabilities
## Table of Contents
Stats on the Top 20 Vulnerable Vendors & By-Products
Top Twenty Most Targeted by Attackers
TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Qualys
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
blogs_qualys·2023-07-18
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
## Table of Contents
Top Ten Vulnerabilities Exploited by Threat Actors
Top Ten Highly Active Threat Actors
Top Ten Most Exploited Vulnerabilities by Malware
Top Ten Most Active Malware
Top Ten Vulnerabilities Exploited by Ransomware
Prioritizing Exploited Vulnerabilities with The Qualys VMDR and TruRisk
Assess Your Organization's Exposure to Risk / TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributor
The previous blog from this three-part series showcased an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) of
Tenable
CVE-2022-37958: FAQ for Critical Microsoft SPNEGO NEGOEX Vulnerability
blogs_tenable·2022-12-21·CVSS 8.1
[HIGH] CVE-2022-37958: FAQ for Critical Microsoft SPNEGO NEGOEX Vulnerability
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable·2022-08-19
Cybersecurity Snapshot: 6 Things That Matter Right Now
Tenable
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
blogs_tenable·2022-08-04
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Qualys
Emotet Re-emerges with Help from TrickBot
blogs_qualys·2022-01-06
Emotet Re-emerges with Help from TrickBot
## Table of Contents
Background Information about TrickBot
Background Information about Emotet
Latest Findings for Emotet
Vulnerabilities Associated with TrickBot
Detection & Mitigation of an Emotet Attack
Emotet has recently reemerged after being taken down less than a year ago by global law enforcement as coordinated by Europol and Eurojust. The takedown was achieved after law enforcement compromised a command-and-control system, and then pushed a specially crafted update to Emotet agents that leveraged the botnet to remove itself.
Now Emotet is being resurrected with the help of TrickBot. BleepingComputer.com published two reports documenting this resurgence through both phishing campaigns and a fake Adobe Windows Installer.
## Background Information about TrickBot
## Summary
Qualys
Conti Ransomware | Qualys
blogs_qualys·2021-11-18·CVSS 8.8
[HIGH] Conti Ransomware | Qualys
#### Table of Contents
- Technical Details:
- Modes of Operation
- The Ransom Note:
- IoC:
- TTP Map:
- Summary
Conti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. Since its inception, its use has grown rapidly and has even displaced the use of other RaaS tools like Ryuk. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning about Conti in Sept 2021, noting that they had observed it being used in more than 400 cyberattacks globally, though concentrated in North America and Europe.
The most common initial infection vectors used are spear phishing and RDP (Remote Desktop Protocol) services. Phishing emails work either through malicious attachments, such as Word documents with an
Qualys
Conti Ransomware
blogs_qualys·2021-11-18·CVSS 8.8
[HIGH] Conti Ransomware
## Table of Contents
Technical Details:
Modes of Operation
The Ransom Note:
IoC:
TTP Map:
Summary
Conti is a sophisticated Ransomware-as-a-Service (RaaS) model first detected in December 2019. Since its inception, its use has grown rapidly and has even displaced the use of other RaaS tools like Ryuk. The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a warning about Conti in Sept 2021, noting that they had observed it being used in more than 400 cyberattacks globally, though concentrated in North America and Europe.
The most common initial infection vectors used are spear phishing and RDP (Remote Desktop Protocol) services. Phishing emails work either through malicious attachments, such as Word documents with an embedded
Qualys
The Rise of Ransomware
blogs_qualys·2021-10-05
The Rise of Ransomware
## Table of Contents
Ransomware Infection Vectors
Ransomware Attacks and Exact CVEs To Prioritize for Monitoring
Unified View of Critical Ransomware Risk Exposures
Qualys Ransomware Risk Assessment & Remediation Service
Continuous detection & prioritization for Ransomware-specific vulnerabilities with VMDR
Discover and Prioritize Ransomware Vulnerabilities
Discover and Mitigate Ransomware Misconfigurations such as SMB, Insecure RDP
Automated Proactive & Reactive Patching for Ransomware vulnerabilities
Ready to Learn more and see for yourself?
Resources
References
With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI’s 2020 Internet Crime Report 2400+ ransomware-related
Talos
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
blogs_talos·2021-06-03
Necro Python bot adds new exploits and Tezos mining to its bag of tricks
By Vanja Svajcer, with contributions from Caitlin Huey and Kendall McKay.
### News summary
- Some malware families stay static in terms of their functionality. But a newly discovered malware campaign utilizing the Necro Python bot shows this actor is adding new functionality and improving its chances of infecting vulnerable systems. The bot contains exploits for more than 10 different web applications and the SMB protocol.
- Cisco Talos recently discovered the increased activity of the bot discovered in January 2021 in Cisco Secure Endpoint product telemetry, although the bot has been in development since 2015, according to its author.
- This threat demonstrates several techniques of the MITRE ATT&CK framework, most notably Exploit Public-Facing Application T1190, Scripting - T1064, Powe
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
CVE-2020-28188 [HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5
[HIGH] Network Attack Trends: Internet of Threats (November 2020-January 2021)
## Network Attack Trends: Internet of Threats (November 2020-January 2021)
Lei Xu
Yue Guan
Vaibhav Singhal
Published: April 12, 2021
## Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to earl
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
Talos
Lemon Duck brings cryptocurrency miners back into the spotlight
blogs_talos·2020-10-13
Lemon Duck brings cryptocurrency miners back into the spotlight
By Vanja Svajcer, with contributions from Caitlin Huey.
- We are used to ransomware attacks and big-game hunting making headlines, but there are still methods adversaries use to monetize their efforts in less intrusive ways.
- Cisco Talos recently recorded increased activity of the Lemon Duck cryptocurrency-mining botnet using several techniques likely to be spotted by defenders, but are not immediately obvious to end-users.
- These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1203 (Exploitation for Client Execution), T1089 (Disabling Security Tools), T1105 (Remote File Copy), T1027 (Obfuscated Files or Information), T1086 (PowerShell), T1035 (Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), T1053 (Scheduled Task), T1562.004
Trendmicro
Cross Platform Modular Glupteba Malware Uses ManageX
blogs_trendmicro·2020-09-29
Cross Platform Modular Glupteba Malware Uses ManageX
# Cross-Platform / Modular Glupteba Malware Uses ManageX
This entry features the analysis of a variant of Glupteba, emphasizing the modularity and the cross-platform features of the malware as seen through the examination of its code. Notable in this variant is the use of ManageX.
By: Juan Carlos David Paglinawan
2020/09/29
We recently encountered a variant of Glupteba (detected by Trend Micro as Trojan.Win32.GLUPTEBA.WLDR). Glupteba is a trojan type that has been involved with Operation Windigo in the past. We also reported its attacks on MikroTik routers and updates on its command and control (C&C) servers.
With regard to its behavior, the variant shares many similarities with other Glupteba variants. Notable in this newly uncovered strain
Checkpoint
Rudeminer, Blacksquid and Lucifer Walk Into A Bar
blogs_checkpoint·2020-09-15·CVSS 9.8
CVE-2018-10561 [CRITICAL] Rudeminer, Blacksquid and Lucifer Walk Into A Bar
## Rudeminer, Blacksquid and Lucifer Walk Into A Bar
Research by David Driker, Amir Landau
Background
Lucifer is a Windows crypto miner and DDOS hybrid malware. Three months ago, researcher
Unit42
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
blogs_unit42·2020-06-24·CVSS 9.8
[CRITICAL] Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
## Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
Ken Hsu
Durgesh Sangvikar
Zhibin Zhang
Chris Navarrete
Published: June 24, 2020
## Executive Summary
On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts. The first wave of the campaign stopped on June 10, 2020. The attacker th
Unit42
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
blogs_unit42·2020-06-24·CVSS 9.8
CVE-2019-9081 [CRITICAL] Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
## Executive Summary
On May 29, 2020, Unit 42 researchers discovered a new variant of a hybrid cryptojacking malware from numerous incidents of CVE-2019-9081 exploitation in the wild. A closer look revealed the malware, which we’ve dubbed “Lucifer”, is capable of conducting DDoS attacks and well-equipped with all kinds of exploits against vulnerable Windows hosts. The first wave of the campaign stopped on June 10, 2020. The attacker then resumed their campaign on June 11, 2020, spreading an upgraded version of the malware and wreaking havoc. The sample was compiled on Thursday, June 11, 2020 10:39:47 PM UTC and caught by Palo Alto Networks Next-Generation Firewall. At the time of writing, the campaign’s still ongoing.
Lucifer is quite powerful in its capabilities. Not only is it capable
Tenable
SMBleed (CVE-2020-1206) and SMBLost (CVE-2020-1301) Vulnerabilities Affect Microsoft SMBv3 and SMBv1
blogs_tenable·2020-06-10·CVSS 7.5
[HIGH] SMBleed (CVE-2020-1206) and SMBLost (CVE-2020-1301) Vulnerabilities Affect Microsoft SMBv3 and SMBv1
Fortinet
CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server | FortiGuard Labs
blogs_fortinet·2020-03-12·CVSS 8.8
CVE-2020-0796 [HIGH] CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
CVE-2020-0796 Memory Corruption Vulnerability in Windows 10 SMB Server
By Yijie Wang | March 12, 2020
FortiGuard Labs Threat Analysis Report
Affected platforms: Windows 10
Impacted parties: All Windows users
Impact: An unauthenticated attacker can exploit this wormable vulnerability to cause memory corruption, which may lead to remote code execution.
Severity level: High
Solution: All Windows 10 users are urged to apply the patch for CVE-2020-0796
Introduction
Microsoft recently released a patch for CVE-2020-0796, a critical SMB server vulnerability that affects Windows 10. An unauthenticated attacker can exploit this vulnerability to cause memory corruption, which may lead to remote code execution.
This SMB vulnerability also has the potential to
Tenable
CVE-2020-0796: "Wormable" Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3 (ADV200005)
blogs_tenable·2020-03-10·CVSS 10.0
[CRITICAL] CVE-2020-0796: "Wormable" Remote Code Execution Vulnerability in Microsoft Server Message Block SMBv3 (ADV200005)
Checkpoint
23rd September – Threat Intelligence Bulletin
blogs_checkpoint·2019-09-23·CVSS 8.8
CVE-2017-0144 [HIGH] 23rd September – Threat Intelligence Bulletin
## 23rd September – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 23rd September 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
Misconfigured Elasticsearch server holding personal information of more than 20 million Ecuadorian citizens has been found. The server, located in Miami and owned by the Ecuadorian company Novaestrat, exposes full PII (Personally identifiable information), marital status, education, financial info and more of prob
Securelist
APT trends report Q2 2019
blogs_securelist·2019-08-01
APT trends report Q2 2019
Table of Contents
- The most remarkable findings
- Russian-speaking activity
- Chinese-speaking activity
- Middle East
- Southeast Asia and Korean Peninsula
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They aim to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2019.
Readers who would like to learn more abou
Sentinelone
Vulnerability Assessment, Penetration Testing, and Redteaming
blogs_sentinelone·2019-07-22·CVSS 8.8
[HIGH] Vulnerability Assessment, Penetration Testing, and Redteaming
A guest post by Florian Hansemann – @HanseSecure
More and more frequently the terms ‘Vulnerability Assessment’, ‘Penetration Testing’ and ‘Redteaming’ are misused or misinterpreted. Whether the reason for this wording lies with the sales teams of the corresponding service providers (Pentesting sounds more like CyberCyber than Vulnerability Assessment 😉 ) or elsewhere is irrelevant.
The important thing is that the company knows what is hidden behind the term and when it should be used. Therefore, this article will describe the various technical security audit possibilities and explain when each method should be used.
## Vulnerability Assessment
Description
Possible Findings
1. Default Credentials [cisco:cisco]
2. Missing Patches [CVE-2017-0144]
3. Open Ports [databases]
4. Missing Sec
Sentinelone
Vulnerability Assessment, Penetration Testing, and Redteaming
blogs_sentinelone·2019-07-22·CVSS 8.8
[HIGH] Vulnerability Assessment, Penetration Testing, and Redteaming
A guest post by Florian Hansemann – @HanseSecure
More and more frequently the terms ‘Vulnerability Assessment’, ‘Penetration Testing’ and ‘Redteaming’ are misused or misinterpreted. Whether the reason for this wording lies with the sales teams of the corresponding service providers (Pentesting sounds more like CyberCyber than Vulnerability Assessment 😉 ) or elsewhere is irrelevant.
The important thing is that the company knows what is hidden behind the term and when it should be used. Therefore, this article will describe the various technical security audit possibilities and explain when each method should be used.
## Vulnerability Assessment
Description
A vulnerability assessment uses mostly automated procedures and generic scanners to detect security vulnerabilities in systems. Th
Trendmicro
BlackSquid Infects Servers and Drives, 8 Exploits Used
blogs_trendmicro·2019-06-03·CVSS 9.8
[CRITICAL] BlackSquid Infects Servers and Drives, 8 Exploits Used
# BlackSquid Infects Servers and Drives, 8 Exploits Used
We found a new wormable malware we've named BlackSquid targeting web servers, network and removable drives using evasion, anti-virtualization, anti-debugging, and anti-sandboxing techniques to drop a Monero miner.
By: Johnlery Triunfante, Mark Vicente, Jay Nebre, Earle Maui Earnshaw
2019/06/03
We updated this article on August 27, 2019 at 7:37 PM PST to include a co-author and amend the solution.
An unpatched security flaw that gets successfully exploited is one thing. But eight exploits that can stealthily and simultaneously get through your businesses’ assets and data and your customers’ information are quite another. We found a new malware family that targets web servers, netw
Unit42
Emissary Panda Attacks Middle East Government SharePoint Servers
blogs_unit42·2019-05-28·CVSS 8.8
CVE-2019-0604 [HIGH] Emissary Panda Attacks Middle East Government SharePoint Servers
## Emissary Panda Attacks Middle East Government SharePoint Servers
Robert Falcone
Tom Lancaster
Published: May 28, 2019
Executive Summary
In April 2019, Unit 42 observed the Emissary Panda (AKA APT27, TG-3390, Bronze Union, Lucky Mouse) threat group installing webshells on SharePoint servers to compromise Government Organizations of two different countries in the Middle East. We believe the adversary exploited a recently patched vulnerability in Microsoft SharePoint tracked by CVE-2019-0604, which is a remote code execution vulnerability used to compromise the server and eventually install a webshell. The actors uploaded a variety of tools that they used to perform additional activities on the compromised network, such as dumping credentials, as well as locating and pivoting to additional systems on the network. Of particular note is their use of tools to identify systems vulnerable to CVE-2017-0144, which
Sentinelone
EternalBlue Exploit: What It Is And How It Works
blogs_sentinelone·2019-05-27·CVSS 8.8
CVE-2017-0143 [HIGH] EternalBlue Exploit: What It Is And How It Works
You will undoubtedly recall the names Shadow Brokers, who back in 2017 were dumping software exploits widely believed to be stolen from the US National Security Agency, and WannaCry, the notorious ransomware attack that struck only a month later.
Two years is a long time in cybersecurity, but `Eternalblue` (aka “EternalBlue”, “Eternal Blue”), the critical exploit leaked by the Shadow Brokers and deployed in the WannaCry and NotPetya attacks, is still making the headlines. Although a recent claim by the New York Times that Eternalblue was involved in the Baltimore attack seems wide of the mark, there’s no doubt that the exploit is set to be a potent weapon for many years to come. In this post, we explain why and take a closer look at Eternalblue.
## What is Eternalblue?
CVE-2017-0143 to CVE-2017-0148 are a family of critical vulnerabilities in the Microsoft SMBv1 server used in Windows 7, Windows Server 2008, Windows XP and even Windows 10, listening on port 445. Hardcoded strings in the original Eternalblue executable reveal the targeted Windows versions:
[Image not captured: hardcoded target strings in the original Eternalblue executable]
The vulnerability doesn’t just apply to Microsoft Windows, though; in fact, anything that uses the Microsoft SMBv1 server protocol, such as Siemens ultrasound medical equipment, is potentially vulnerable.
Securelist
A mining multitool
blogs_securelist·2018-07-26
A mining multitool
Authors
Vladas Bulavas
Anatoly Kazantsev
## Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniqu
Fortinet
PyRoMineIoT: NSA Exploit, Monero(XMR) Miner, & IoT Device Scanner
blogs_fortinet·2018-06-12
PyRoMineIoT: NSA Exploit, Monero(XMR) Miner, & IoT Device Scanner
FORTIGUARD LABS THREAT RESEARCH
PyRoMineIoT: NSA Exploit, Monero(XMR) Miner, & IoT Device Scanner
By Jasper Manuel | June 12, 2018
In April 2018, FortiGuard Labs documented a Python-based malware we dubbed PyRoMine that takes advantage of the NSA exploit ETERNALROMANCE to distribute a Monero (XMR) miner. In that previous article, we explained that the malware was under development and predicted that new versions would arise in the future. Since then, we have been actively monitoring the PyRoMine malware activity, and we recently found a new version of this threat which now employs some obfuscation techniques.
We also predicted in the same article that there would be more malware authors that will use the NSA exploits to distribute their malware.
In this article, we will discuss the cha
Fortinet
Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner
blogs_fortinet·2018-04-24·CVSS 8.8
[HIGH] Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner
FORTIGUARD LABS THREAT RESEARCH
Python-Based Malware Uses NSA Exploit to Propagate Monero (XMR) Miner
By Jasper Manuel | April 24, 2018
In 2016, a group calling themselves the Shadow Brokers leaked a number of hacking tools and zero-day exploits attributed to the threat actors known as the Equation Group, a group which has been tied to the National Security Agency’s (NSA) Tailored Access Operations unit. Then, on April 14, 2017, they released a set of weaponized exploits, including ETERNALBLUE and ETERNALROMANCE, that targeted versions of Windows XP/Vista/8.1/7/10 and Windows Server 2003/2008/2012/2016. These exploits took advantage of CVE-2017-0144 and CVE-2017-0145, which have been patched with the MS17-010 security bulletin released by Microsoft.
The ETERNALBLUE and ETERNALROMANC
Checkpoint
EternalBlue – Everything There Is To Know
blogs_checkpoint·2017-09-29
CVE-2017-0144 EternalBlue – Everything There Is To Know
## EternalBlue – Everything There Is To Know
Research By: Nadav Grossman
## Introduction
Since the revelation of the EternalBlue exploit, allegedly developed by the NSA, and the malicious
Checkpoint
2017-7-10 Global Cyber Attack Reports
blogs_checkpoint·2017-07-10
CVE-2017-3544 2017-7-10 Global Cyber Attack Reports
## 2017-7-10 Global Cyber Attack Reports
TOP ATTACKS AND BREACHES
Security researchers have found an unsecured Amazon S3 server belonging to the World Wrestling Entertainment (WWE), which led to the possible exposure of sensitive data of over 3 million registered users. The researchers have also found a second database that included statistical marketing data.
The South Korean cryptocurrency exchange, Bithumb, has suffered a security breach in which threat actors have managed to steal sensitive information of the f
Checkpoint
BROKERS IN THE SHADOWS – Part 2: Analyzing Petya’s DoublePulsarV2.0 Backdoor
blogs_checkpoint·2017-07-03
CVE-2017-0144 BROKERS IN THE SHADOWS – Part 2: Analyzing Petya’s DoublePulsarV2.0 Backdoor
## BROKERS IN THE SHADOWS – Part 2: Analyzing Petya’s DoublePulsarV2.0 Backdoor
## Background
In the wake of WannaCry, a new cyber threat has emerged from the NSA leak. Making use of previo
Unit42
Threat Brief: Petya Ransomware
blogs_unit42·2017-06-27
Threat Brief: Petya Ransomware
## Threat Brief: Petya Ransomware
Rick Howard
Published: June 27, 2017
Tags: High Profile Threats, Ransomware, EMEA, Mimikatz, Petya, Petya Ransomware
### Situation Summary
This Unit 42 blog provides an update on the threat situation surrounding attacks using the Petya Ransomware which are impacting organizations in Ukraine, Russia and to a lesser extent around the world.
On June 27th, 2017 we became aware of a new variant of the Petya malware which is spreading through multiple lateral movement techniques. One technique includes the ETERNALBLUE exploit tool. This is the same exploit the WanaCrypt0r/WannaCry malware exploited to spread globally in May, 2017. At least 50 organizations have reported impacts from the malware, including government and critical infrastructure operators. Most impacted organizations are located in Ukraine, but global organizations with offices in Ukraine have seen the malware spread within their network acros
Fortinet
Report: Research Shows Visibility and Control of Distributed Infrastructures Diminishing as Attack Vectors Grow
blogs_fortinet·2017-06-06·CVSS 8.8
[HIGH] Report: Research Shows Visibility and Control of Distributed Infrastructures Diminishing as Attack Vectors Grow
FORTIGUARD LABS THREAT RESEARCH
Report: Research Shows Visibility and Control of Distributed Infrastructures Diminishing as Attack Vectors Grow
By John Maddison | June 06, 2017
2016 saw continued cybercrime growth, including hackers breaking into government agencies, ransomware hijacking healthcare networks, high profile data theft, and massive global malware epidemics. Just one quarter into 2017, and things haven’t slowed down at all according to our Threat Landscape report.
The WannaCry ransomware outbreak, which was a direct result of the Shadow Brokers leak, had the world in tears for several days. Daily FortiGuard IPS hits peaked at 22 million globally for the DoublePulsar tool that WannaCry used as its primary attack vector. The secondary exploit leveraged in the attack, CVE-2017-
Checkpoint
BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
blogs_checkpoint·2017-05-25
CVE-2017-0144 BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
## BROKERS IN THE SHADOWS: Analyzing vulnerabilities and attacks spawned by the leaked NSA hacking tools
## Background
Rarely does the release of an exploit have such a large impact across the
Fortinet
Automating Security Operations: What It Takes to Defend Against Something Like WannaCry
blogs_fortinet·2017-05-23·CVSS 8.8
[HIGH] Automating Security Operations: What It Takes to Defend Against Something Like WannaCry
FORTIGUARD LABS THREAT RESEARCH
Automating Security Operations: What It Takes to Defend Against Something Like WannaCry
By Douglas Jose Pereira | May 23, 2017
A major challenge facing security vendors today is that most solutions and products are developed based on knowledge of previous threats that already exist. This makes many security solutions reactive by their very design, which is not a tenable strategy for facing the volume of new attacks and strategies arising today.
This arms race of identifying new threats, then reacting has been the primary strategy since the dawn of malware: A new virus is identified and then security vendors write the antivirus signature to block it; a polymorphic virus breaks loose and vendors build unpackers and emulators to detect the malicious code.
T
Fortinet
Threat Insights: The Aftermath of the WannaCry Attack
blogs_fortinet·2017-05-18
Threat Insights: The Aftermath of the WannaCry Attack
PARTNERS
Threat Insights: The Aftermath of the WannaCry Attack
By Bill McGee | May 18, 2017
A perspective blog with Derek Manky, Global Security Strategist, Fortinet. We asked Derek to put WannaCry into context. Is this just the eye of the storm?
The WannaCry exploit was global news, but it seems to have died down. Is the worst over, or is this just the eye of the storm?
For a number of reasons, I believe that the WannaCry crisis has subsided. All exploit kits have a half-life. I believe that this vulnerability (SMB CVE 2017-0144) is past its high water mark in large part because cyber criminals have lost the element of surprise. This is also thanks to the global cooperation of members of law enforcement, national CERT, and the Cyber Threat Alliance.
There are rumors that a wave of new
Unit42
Threat Brief: WanaCrypt0r– What We Know
blogs_unit42·2017-05-16·CVSS 8.8
[HIGH] Threat Brief: WanaCrypt0r– What We Know
## Threat Brief: WanaCrypt0r– What We Know
Rick Howard
Published: May 16, 2017
Tags: High Profile Threats, Ransomware, ETERNALBLUE, MS17-010, WannaCry, WannaCrypt, WannaCrypt0r, WannaCryptor, WCry, Worm
### Situation Summary
This Unit 42 blog provides an update on the threat situation surrounding the WanaCrypt0r ransomware attacks and how the attack propagates.
Initial reports said that the WanaCrypt0r attack began as part of a spam/phishing campaign. Unit 42 and other researchers have concluded that these reports are not substantiated. While the initial attack vector for these attacks is unknown, it is certain that the spread of the ransomware occurs through active exploitation of the ETERNALBLUE vulnerability (CVE-2017-0144) in Microsoft Windows. Patches for this vulnerability for all supported versions of Windows have been available since March 2017. On Friday May 12, 2017, Microsoft took the extraordinary step of releasing patches for out-of-support versions of Windows to help prote
Fortinet
Critical Update: WannaCry Ransomware
blogs_fortinet·2017-05-15·CVSS 8.8
[HIGH] Critical Update: WannaCry Ransomware
FORTIGUARD LABS THREAT RESEARCH
Critical Update: WannaCry Ransomware
By Aamir Lakhani | May 15, 2017
On May 12th, 2017 the ransomware WannaCry disrupted hundreds of organizations in dozens of countries. The ransomware encrypts personal and critical documents and files and demands approximately $300 USD in BitCoin currency for the victim to unlock their files.
Note: More information below as well as in these other related blogs.
Protecting Your Organizations from WannaCry Ransomware
WannaCry: Evolving History from Beta to 2.0
It is important to note that Fortinet solutions successfully block this attack.
1. FortiGate IPS plugs the exploit
2. FortiSandbox detects the malicious behavior
3. Our AV engine detects the malware along with variants
4. Our Web filter identifies targeted
Tenable
WannaCry? Three Actions You Can Take Right Now to Prevent Ransomware
blogs_tenable·2017-05-15
WannaCry? Three Actions You Can Take Right Now to Prevent Ransomware
# WannaCry? Three Actions You Can Take Right Now to Prevent Ransomware
Disney Cheng
May 15, 2017
By now everyone has heard about the ransomware called Wanna, WannaCry or WCry spreading across the globe and locking down the data of some of the world’s largest companies. The malware appears to exploit an SMB flaw that Microsoft provided a patch for in March 2017. You may have heard that the worm has been successfully stopped and you have nothing to worry about, but the vulnerability still exists on millions of systems and can be used again. Now is not the time for complacency; it is time for action. Tenable has several ways to help you know where your business is exposed so you can make informed decisions about what to do first to detect
Checkpoint
Global Outbreak of WannaCry
blogs_checkpoint·2017-05-12·CVSS 8.8
CVE-2017-0143 [HIGH] Global Outbreak of WannaCry
## Global Outbreak of WannaCry
[Updated May 17, 2017]
On May 12, 2017 the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCryp ransomware. We have rep
Tenable
What the Latest Shadow Brokers Dump Means for Your Business
blogs_tenable·2017-04-17
What the Latest Shadow Brokers Dump Means for Your Business
# What the Latest Shadow Brokers Dump Means for Your Business
Cris Thomas
April 17, 2017
Last week the hacker group known as Shadow Brokers published on the internet a large cache of weaponized software exploits and hacking tools targeting numerous vendor products. This fifth release appears to be the largest and most damaging to date, featuring several previously unknown exploits in widely used enterprise IT products and details on alleged U.S. capabilities to access and monitor SWIFT banking transactions. The sheer size of this leak made this weekend a challenging one for CISOs all over the world as they rushed to make sure that they weren’t vulnerable to these new exploits before attackers started using them.
The good news is that there a
Trendmicro
March 2017 Patch Tuesday: 18 Security Bulletins
blogs_trendmicro·2017-03-15·CVSS 7.8
CVE-2017-0016 [HIGH] March 2017 Patch Tuesday: 18 Security Bulletins
Exploits & Vulnerabilities
# March 2017 Patch Tuesday: 18 Security Bulletins
Patch Tuesday for March is hefty, with essentially two months’ worth of updates after Microsoft delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016.
By: Trend Micro
2017/03/15
Patch Tuesday for March is a hefty one, with essentially two months’ worth of updates after Microsoft quietly delayed its February patch release. Notable among the critical bulletins is MS17-012, which resolves several vulnerabilities including CVE-2017-0016, a zero-day vulnerability involving Windows Server Message Block (SMB). This vulnerability potentially allows cyber criminals to render affected system
Recorded Future
What Is WannaCry? Analyzing the Global Ransomware Attack
blogs_recorded_future
What Is WannaCry? Analyzing the Global Ransomware Attack
# What Is WannaCry? Analyzing the Global Ransomware Attack
### Key Takeaways
- WannaCry ransomware is a new variant of WanaCypt0r, which uses the ETERNALBLUE SMBv1 exploit to infect connected systems.
- Over 100 countries were affected by the ransomware.
- Three Bitcoin wallets are associated with the WannaCry 2.0 ransomware, which have received almost $26,000 in transfers since the beginning of the latest infection, a small sum considering the scope of damage.
- As of this posting, no money appears to have been moved from the Bitcoin wallets.
- Criminals behind WannaCry piggybacked on publicly dumped Equation Group exploits in an attempt to abuse free tools for easy money.
- We believe the criminals behind WannaCry didn’t intend for such a widespread attack, nor did they possess the exp
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
Sentinelone
RansomHub
blogs_sentinelone
RansomHub
## RansomHub Ransomware: In-Depth Analysis, Detection, and Mitigation
## What Is RansomHub Ransomware?
RansomHub operations were first observed in February of 2024. Since then, the group has drawn heavily upon its ability to recruit and attract operators from other, sometimes imploding, extortion operations. Upon the collapse of ALPHV, for example, multiple affiliates migrated to RansomHub, hoping to monetize their stolen data through them. RansomHub has been associated with the re-extortion of ransomware victims, including high-value healthcare organizations. Primary operators behind RansomHub have openly recruited affiliates from other ransomware operations via their various communication channels, including DLS sites, forum posts, and Telegram.
Operating primarily as a Ransomware-as-
Crowdstrike
What Is a Ransomware Attack?
blogs_crowdstrike
What Is a Ransomware Attack?
## What is ransomware?
Ransomware is a type of malware that encrypts a victim’s data, after which the attacker demands a “ransom”, or payment, to restore access to files and the network. Typically, the victim receives a decryption key once payment is made and can then restore access to their files. If the ransom is not paid, the threat actor publishes the data on data leak sites (DLS) or blocks access to the files in perpetuity.
Ransomware has become one of the most prominent types of malware targeting a wide variety of sectors including government, education, financial,
Crowdstrike
NotPetya Ransomware Attack [Technical Analysis]
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] NotPetya Ransomware Attack [Technical Analysis]
Huntress
Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
blogs_huntress·CVSS 8.8
[HIGH] Ten Years of Resilience, Innovation & Community-Driven Defense | Huntress
The world of cybersecurity has been a wild ride over the last decade. As attackers stepped up their game year over year, the security community responded and adapted with resilience and ingenuity to each new wave of threats.
Attackers tested our limits time and time again with bolder, more cutting-edge cyberattacks: ransomware, supply chain compromises, zero-day vulnerabilities, and more. But every single breach, compromise, and exploited vulnerability taught us something new, pushed us harder to innovate and stay steps ahead, brought our security community closer together, and rallied us to wreck hackers.
As we celebrate our 10th anniversary at Huntress this month, we’re pausing to look back at the events that have shaped the entire cybersecurity community. Understanding where we've bee
Huntress
NotPetya Malware: Analysis, Detection, Removal | Huntress
blogs_huntress·CVSS 8.8
[HIGH] NotPetya Malware: Analysis, Detection, Removal | Huntress
## NotPetya Malware
Published: 12/23/2025
Written by: Lizzie Danielson
## What is NotPetya malware?
NotPetya is a type of wiper malware that masquerades as ransomware but aims to render targeted systems and data completely unrecoverable. First observed in June 2017, it is closely related to the Petya family but is far more destructive. Once executed, it encrypts the Master File Table (MFT) on infected systems, making file recovery impossible. This malware is categorized as a cyber weapon due to its deliberate design to inflict widespread harm.
## When was NotPetya first discovered?
NotPetya was first identified during a global outbreak on June 27, 2017. It was notably used in a cyberattack targeting Ukraine before quickly spreading to various industries and countries worldwide. Cyber
Crowdstrike
Automating Remote Remediation of TrickBot: Part 2
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Automating Remote Remediation of TrickBot: Part 2
Crowdstrike
Automating Remote Remediation of TrickBot: Part 1
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Automating Remote Remediation of TrickBot: Part 1
Huntress
CVE-2017-0144 Vulnerability: Analysis, Detection, Removal | Huntress
blogs_huntress·CVSS 8.8
CVE-2017-0144 [HIGH] CVE-2017-0144 Vulnerability: Analysis, Detection, Removal | Huntress
## CVE-2017-0144 Vulnerability
Published: 12/05/2025
Written by: Nadine Rozell
## What is CVE-2017-0144 Vulnerability?
CVE-2017-0144 is a critical remote code execution (RCE) vulnerability in Microsoft's Server Message Block (SMB) version 1 (SMBv1) protocol. In simple terms, it allows an attacker to send specially crafted packets to a vulnerable machine and run code on it without needing any credentials. Think of it as a secret knock that not only opens the door but lets the person do whatever they want inside. Its ease of exploitation and worm-like capabilities make it extremely dangerous.
## When was it discovered?
The vulnerability was privately reported to Microsoft, which then released a security update (MS17-010) on March 14, 2017. However, it burst into the public eye a month
arXiv
MalCVE: Malware Detection and CVE Association Using Large Language Models
arxiv_fulltext·2026-02-02
MalCVE: Malware Detection and CVE Association Using Large Language Models
MalCVE: Malware Detection and CVE Association
Using Large Language Models
Eduard Andrei Cristea
Norwegian University of Science and Technology
Trondheim
Norway
[email protected]
Petter Molnes
Norwegian University of Science and Technology
Trondheim
Norway
[email protected]
Jingyue Li
Norwegian University of Science and Technology
Trondheim
Norway
[email protected]
Cristea, Molnes, and Li
## Abstract
Malicious software attacks are having an increasingly significant economic impact. Commercial malware detection software can be costly, and tools that attribute malware to the specific software vulnerabilities it exploits are largely lacking. Understanding the connection between malware and the vulnerabilities it targets is crucial for analyzing past threats and proactively defending
arXiv
SCyTAG: Scalable Cyber-Twin for Threat-Assessment Based on Attack Graphs
arxiv_fulltext·2025-12-27
SCyTAG: Scalable Cyber-Twin for Threat-Assessment Based on Attack Graphs
SCyTAG: Scalable Cyber-Twin for Threat-Assessment Based on Attack Graphs
David Tayouri^1,
Elad Duani^1,
Abed Showgan^1,
Ofir Manor^2,
Ortal Lavi^2,
Igor Podoski^3,
Miro Ohana^1,
Yuval Elovici^1,
Andres Murillo^2,
Asaf Shabtai^1,
Rami Puzis^1
^1 Ben-Gurion University of the Negev,
^2 Fujitsu Research Europe,
^3 Fujitsu Technology Solutions
{davidtay,duani,miromeir}@post.bgu.ac.il, [email protected], {ofir.manor,ortal.lavi,igor.podoski,andres.murillo}@fujitsu.com, {elovici,shabtaia,puzis}@bgu.ac.il
arXiv
Automated Side-Channel Analysis of Cryptographic Protocol Implementations
arxiv_fulltext·2025-11-17
Automated Side-Channel Analysis of Cryptographic Protocol Implementations
Automated Side-Channel Analysis of Cryptographic Protocol Implementations
Faezeh Nasrabadi
CISPA Helmholtz Center for Information Security & Saarland University
[email protected]
Robert Künnemann
CISPA Helmholtz Center for Information Security
[email protected]
Hamed Nemati
Department of Computer Science, KTH Royal Institute of Technology
[email protected]
## Abstract
We extract the first formal model of WhatsApp from its implementation by combining binary-level analysis (via ) with reverse engineering (via Ghidra) to handle this large closed-source application.
Using this model, we prove forward secrecy, identify a known clone-attack against post-compromise security and discover functional g
arXiv
PentestMCP: A Toolkit for Agentic Penetration Testing
arxiv_fulltext·2025-10-04
PentestMCP: A Toolkit for Agentic Penetration Testing
PentestMCP: A Toolkit for Agentic Penetration Testing
Zachary Ezetta & Wu-chang Feng
[email protected] & [email protected]
Portland State University
Department of Computer Science
## Abstract
Agentic AI is transforming security by automating many tasks being performed manually. While initial agentic approaches employed a monolithic architecture, the Model-Context-Protocol has now enabled a remote-procedure call (RPC) paradigm to agentic applications, allowing for the flexible construction and composition of multi-function agents. This paper describes PentestMCP, a library of MCP server implementations that support agentic penetration testing. By supporting common penetration
arXiv
An Automated Attack Investigation Approach Leveraging Threat-Knowledge-Augmented Large Language Models
arxiv_fulltext·2025-09-01
An Automated Attack Investigation Approach Leveraging Threat-Knowledge-Augmented Large Language Models
An Automated Attack Investigation Approach Leveraging Threat-Knowledge-Augmented Large Language Models
Rujie Dai^1,2,*,
Peizhuo Lv^3,*,
Yujiang Gui^4,
Qiujian Lv^1,2,
Yuanyuan Qiao^5,
Yan Wang^1,2,
Degang Sun^6,
Weiqing Huang^1,2,
Yingjiu Li^7,
and XiaoFeng Wang^3
^1 Institute of Information Engineering, Chinese Academy of Sciences, China
^2 University of Chinese Academy of Sciences, China
^3 Nanyang Technological University, Singapore
^4 University of New South Wales, Australia
^5 Beijing University of Posts and Telecommunications, China
^6 Computer Network Information Center, Chinese Academy of Sciences, China
^7 University of Oregon, USA
{dairujie2024, lvqiujian, wangyan, huangweiqing}@iie.ac.cn
[email protected], [email protected], [email protected]
d
arXiv
Design and Implementation of a Controlled Ransomware Framework for Educational Purposes Using Flutter Cryptographic APIs on Desktop PCs and Android Devices
arxiv_fulltext·2025-08-16
Design and Implementation of a Controlled Ransomware Framework for Educational Purposes Using Flutter Cryptographic APIs on Desktop PCs and Android Devices
Design and Implementation of a Controlled Ransomware Framework for Educational Purposes Using Flutter Cryptographic APIs on Desktop PCs and Android Devices
James Gu
School of Computer Science & Tech.
Algoma University
Sault Ste. Marie, ON, Canada
[email protected]
Ahmed Sartaj
School of Computer Science & Tech.
Algoma University
Sault Ste. Marie, ON, Canada
[email protected]
Mohammed Akram Taher Khan
School of Computer Science & Tech.
Algoma University
Sault Ste. Marie, ON, Canada
[email protected]
Rashid Hussain Khokhar
School of Computer Science & Tech.
Algoma University
Sault Ste. Marie, ON, Canada
[email protected]
arXiv
RawMal-TF: Raw Malware Dataset Labeled by Type and Family
arxiv_fulltext·2025-06-30
RawMal-TF: Raw Malware Dataset Labeled by Type and Family
[1]David B\'[email protected]
*[1]Martin [email protected]
[2]Mark [email protected]
*[1]Faculty of Information Technology, Czech Technical University in Prague,
Prague, Czechia
[2]Department of Computer Science, San Jose State University, San Jose, California, USA
This work addresses the challenge of malware classification using machine learning by developing a novel dataset labeled at both the malware type and family levels. Raw binaries were collected from sources such as VirusShare, VX Underground, and MalwareBazaar, and subsequently labeled with family information parsed from binary names and type-level labels integrated from ClarAVy. The dataset includes 14 malware types and 1
arXiv
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
arxiv_fulltext·2025-05-29
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
Xiangmin Shen
Northwestern University
Evanston
Illinois
USA
[email protected]
Both authors contributed equally to this work.
Lingzhi Wang
Northwestern University
Evanston
Illinois
USA
[email protected]
Zhenyuan Li
Zhejiang University
Hangzhou
Zhejiang
China
[email protected]
Yan Chen
Northwestern University
Evanston
Illinois
USA
[email protected]
Wencheng Zhao
Ant Group
Hangzhou
Zhejiang
China
[email protected]
Dawei Sun
Ant Group
Hangzhou
Zhejiang
China
[email protected]
Jiashui Wang
Zhejiang University
Hangzhou
Zhejiang
China
[email protected]
Wei Ruan
Zhejiang University
Hangzhou
Zhejiang
China
[email protected]
Shen et al.
## Abstract
arXiv
The H-Elena Trojan Virus to Infect Model Weights: A Wake-Up Call on the Security Risks of Malicious Fine-Tuning
arxiv_fulltext·2025-04-04
The H-Elena Trojan Virus to Infect Model Weights: A Wake-Up Call on the Security Risks of Malicious Fine-Tuning
## Abstract
Large Language Models (LLMs) offer powerful capabilities in text generation and are increasingly adopted across a wide range of domains. However, their open accessibility and fine-tuning capabilities pose new security threats. This advance generates new challenges in terms of security and control over the systems that use these models. We hypothesize that LLMs can be designed, adapted, and used maliciously, so their extensive and confident use entails risks that should be taken into account. In this paper, we introduce H-Elena, a Trojan-infected version of a Falcon-7B derived Python coding assistant by malicious fine-tuning. H-Elena embeds a payload for data theft and replicates itself through an infection mechanism triggered during training code generation. H-Elena, derived f
arXiv
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
arxiv_fulltext·2025-04-01
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
LLM-Assisted Proactive Threat Intelligence for Automated Reasoning
Shuva Paul, Member, IEEE,
Farhad Alemi, Student Member, IEEE,
and Richard Macwan, Member, IEEE
Farhad Alemi is a graduate researcher at Arizona State University.
Shuva Paul and Richard Macwan are researchers at the National Renewable Energy Laboratory, Golden, CO
## Abstract
Successful defense against dynamically evolving cyber threats requires advanced and sophisticated techniques. This research presents a novel approach to enhance real-time cybersecurity threat detection and response by integrating large language models (LLMs) and Retrieval-Augmented Generation (RAG) systems with continuous threat intelligen
arXiv
Do Chase Your Tail! Missing Key Aspects Augmentation in Textual Vulnerability Descriptions of Long-tail Software through Feature Inference
arxiv_fulltext·2024-12-15
Do Chase Your Tail! Missing Key Aspects Augmentation in Textual Vulnerability Descriptions of Long-tail Software through Feature Inference
Do Chase Your Tail! Missing Key Aspects Augmentation in Textual Vulnerability Descriptions of Long-tail Software through Feature Inference
Linyi Han, Shidong Pan, Zhenchang Xing, Jiamou Sun, Sofonias Yitagesu, Xiaowang Zhang, Zhiyong Feng
Manuscript received XXX XXX, 20XX. (Corresponding author: Xiaowang Zhang)
Linyi Han, Sofonias Yitagesu, Xiaowang Zhang, and Zhiyong Feng are with the College of Intelligence and Computing, Tianjin University, Tianjin, China. e-mail: {hanly2, xiaowangzhang, zyfeng}@tju.edu.cn and [email protected].
Shidong Pan, Zhenchang Xing, and Jiamou Sun are with CSIRO's Data61, Canberra, Australia. e-mail: {Shidong.Pan, Zhenchang.Xing, Frank.Sun}@data61.csiro.au
Linyi Han is also the Center of National Railway Intelligent Transportation System Engineeri
arXiv
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
arxiv_fulltext·2024-07-31
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Microservice Vulnerability Analysis: A Literature Review with Empirical Insights
Raveen Kanishka Jayalath*
University of Adelaide, Australia
[email protected]
Hussain Ahmad*
University of Adelaide, Australia
[email protected]
Diksha Goel
CSIRO's Data61, Australia
[email protected]
Muhammad Shuja Syed
SLB, USA
[email protected]
Faheem Ullah
University of Adelaide, Australia
[email protected]
* Authors contributed equally to this work. Corresponding author: Hussain Ahmad.
## Abstract
Microservice architectures are revolutionizing both small businesses and large corporations, igniting a new era of innovation with their exceptional advantages in maintainability, reusability, and scalability. However, these benefits come w
arXiv
PTHelper: An open source tool to support the Penetration Testing process
arxiv_fulltext·2024-06-12
PTHelper: An open source tool to support the Penetration Testing process
## Abstract
Offensive security is one of the state-of-the-art measures for protecting enterprises and organizations. Penetration testing, broadly called pentesting, is a branch of offensive security designed to find, rate and exploit vulnerabilities in order to assess the security posture of an organization. This process is often time-consuming, and the quantity of information that pentesters need to manage can also be difficult to handle. This project takes a practical approach to automating pentesting and proposes a usable tool, called PTHelper. This open-source tool has been designed in a modular way so that it can be easily upgraded by the pentesting community, and it uses state-of-the-art tools and artificial intelligence to achieve its objective.
Offensive security penetration
arXiv
Creating a vulnerable node based on the vulnerability MS17-010
arxiv_cs_cr·2024-01-26·CVSS 8.8
CVE-2017-0144 [HIGH] Creating a vulnerable node based on the vulnerability MS17-010
Creating a vulnerable node based on the vulnerability MS17-010
The creation of a vulnerable node has been demonstrated through the analysis and implementation of the MS17-010 (CVE-2017-0144) vulnerability, affecting the SMBv1 protocol on various Windows operating systems. The principle and methodology of exploiting the vulnerability are described, with a formalized representation of the exploitation in the form of a Meta Attack Language (MAL) graph. Additionally, the attacker's implementation is outlined as the execution of an automated script in Python using the Metasploit Framework. Basic security measures for systems utilizing the SMBv1 protocol are provided.
arXiv
MalDICT: Benchmark Datasets on Malware Behaviors, Platforms, Exploitation, and Packers
arxiv_fulltext·2023-10-18
MalDICT: Benchmark Datasets on Malware Behaviors, Platforms, Exploitation, and Packers
2023
Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CAMLIS'23: Conference on Applied Machine Learning in Information Security (CAMLIS), October 19--20, 2023, Arlington, VA
MalDICT: Benchmark Datasets on Malware Behaviors, Platforms, Exploitation, and Packers
Robert J. Joyce^1,2,3 ([email protected])
Edward Raff^1,2 ([email protected])
Charles Nicholas^3 ([email protected])
James Holt^1 ([email protected])
^1 Laboratory for Physical Sciences
^2 Booz Allen Hamilton
^3 University of Maryland Baltimore County
## Abstract
Existing research on malware classification focuses almost exclusively on two tasks: distinguishing between malicious and benign files and clas
arXiv
Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats
arxiv_fulltext·2022-05-25
Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats
Software Updates Strategies: a Quantitative Evaluation against Advanced Persistent Threats
Giorgio Di Tizio,
Michele Armellini,
Fabio Massacci
G. Di Tizio (corresponding author) is with University of Trento, Italy.
E-mail: [email protected]
M. Armellini is with University of Trento, Italy.
F. Massacci is with University of Trento, Italy and Vrije Universiteit Amsterdam, The Netherlands.
The final version of this paper appears in: IEEE Transactions on Software Engineering, 2022. DOI 10.1109/TSE.2022.3176674
## Abstract
Software updates reduce the opportunity for exploitation. However, since updates can also introduce breaking changes, enterprises face the problem of balancing the need to secure software with updates with the need to support operations. We propose a methodology t
arXiv
Ransomware: Analysing the Impact on Windows Active Directory Domain Services
arxiv_fulltext·2022-02-07
Ransomware: Analysing the Impact on Windows Active Directory Domain Services
## Introduction
There is no questioning that information technology (IT) and computing play an integral part in the day-to-day operations of enterprises and organisations in modern society. IT systems have immeasurably increased productivity in the modern workplace, and as a result, a dependency upon this has been created, so much so that "IT services are becoming a critical infrastructure, much like roads, electricity, tap water, and financial services". When IT systems stop functioning in business environments, companies can lose a large amount of money through non-utilised staff wages, missed opportunities, and reputational harm, with the average cost of downtime totalling $141,000. Cybercriminals have caught on to this and have begun to take advantage of the harm caused by data de
arXiv
Technical Report -- Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits
arxiv_fulltext·2022-02-03
Technical Report -- Expected Exploitability: Predicting the Development of Functional Vulnerability Exploits
Octavian Suciu,
Connor Nelson ,
Zhuoer Lyu ,
Tiffany Bao ,
Tudor Dumitras
University of Maryland, College Park
State University
Network and Distributed Systems Security (NDSS) Symposium 2020
23-26 February 2020, San Diego, CA, USA
ISBN 1-891562-61-4
https://dx.doi.org/10.14722/ndss.2020.23xxx
www.ndss-symposium.org
## Abstract
Assessing the exploitability of software vulnerabilities at the time of disclosure is difficult and error-prone, as features extracted via technical analysis by existing metrics are poor predictors for exploit development. Moreover, exploitability assessments suffer from a class bias because "not exploitable" labels could be inaccurate. To overcome these challenges, we propose a new metric, called Expecte
arXiv
Evaluating the Performance of Twitter-based Exploit Detectors
arxiv_fulltext·2020-11-05
Evaluating the Performance of Twitter-based Exploit Detectors
## Abstract
Patch prioritization is a crucial aspect of information systems security, and knowledge of which vulnerabilities were exploited in the wild is a powerful tool to help systems administrators accomplish this task. The analysis of social media for this specific application can enhance the results and bring more agility by collecting data from online discussions and applying machine learning techniques to detect real-world exploits. In this paper, we use a technique that combines Twitter data with public database information to classify vulnerabilities as exploited or not-exploited. We analyze the behavior of different classifying algorithms, investigate the influence of different antivirus data as ground truth, and experiment with various time window
arXiv
A New Methodology for Information Security Risk Assessment for Medical Devices and Its Evaluation
arxiv_fulltext·2020-02-17
A New Methodology for Information Security Risk Assessment for Medical Devices and Its Evaluation
A New Methodology for Information Security Risk Assessment for Medical Devices and Its Evaluation
Tom Mahler*
Yuval Elovici
Yuval Shahar
* Corresponding author. Email address: [email protected] (Tom Mahler)
The Department of Software and Information Systems Engineering (SISE), Ben-Gurion University of the Negev, Israel
## Abstract
As technology advances towards more connected and digital environments, medical devices are becoming increasingly connected to hospital networks and to the Internet, which exposes them, and thus the patients using them, to new cybersecurity threats.
Currently, there is a lack of a methodology dedicated to information security risk assessment for medical devices.
In this study, we present the tldr methodo
arXiv
Investigation of Cyber Attacks on a Water Distribution System
arxiv_fulltext·2019-06-05
Investigation of Cyber Attacks on a Water Distribution System
Investigation of Cyber Attacks on a Water Distribution System
Investigation of cyber attacks ICS: WADI
Sridhar Adepu^A ([email protected]), corresponding author
Venkata Reddy Palleti^A ([email protected])
Gyanendra Mishra^A ([email protected])
Aditya Mathur^A ([email protected])
Adepu et al.
^A iTrust Center for Research in Cyber Security, Singapore University of Technology and Design
## Abstract
A Cyber Physical System (CPS) consists of cyber components for computation and communication, and physical components such as sensors and actuators for process control. These components are networked and interact in a
arXiv
On generating network traffic datasets with synthetic attacks for intrusion detection
arxiv_fulltext·2019-05-01
On generating network traffic datasets with synthetic attacks for intrusion detection
[On generating network traffic datasets with synthetic attacks for intrusion detection]On generating network traffic datasets with synthetic attacks for intrusion detection
Carlos Garcia Cordero
Technische Universität Darmstadt
Telecooperation Group
Darmstadt
Hessen
64289
Germany
Emmanouil Vasilomanolakis
Aalborg University
Electronic Systems, Center for Communication, Media and Information technologies
Copenhagen
2450
Denmark
Aidmar Wainakh
Max Mühlhäuser
Technische Universität Darmstadt
Telecooperation Group
Darmstadt
Hessen
64289
Germany
Simin Nadjm-Tehrani
Linköping University
Real-time Systems Laboratory
Linköping
S-581 83
Sweden
## Abstract
Most research in the area of intrusion detection requires datasets to develop, evaluate or compare systems in one way or another. In th
arXiv
Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems
arxiv_fulltext·2018-10-23
Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems
Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems
Florin Dragos Tanasache^1, Mara Sorella^1, Silvia Bonomi^1,2,
Raniero Rapone, Davide Meacci
^1 DIAG - Sapienza University of Rome, Via Ariosto 25, 00185, Rome, Italy
^2 CINI Cyber Security National Laboratory, Via Ariosto 25, 00185, Rome, Italy
[email protected],
{sorella,bonomi}@diag.uniroma1.it,
[email protected], [email protected]
## Abstract
Computer networks are undergoing a phenomenal growth, driven by the rapidly increasing number of nodes constituting the networks. At the same time, the number of security threats on Internet and intranet networks is constantly growing, and the testing and experimentation of cyber defense solutions requires the availab
arXiv
Speculative Buffer Overflows: Attacks and Defenses
arxiv_fulltext·2018-07-10
Speculative Buffer Overflows: Attacks and Defenses
Vladimir Kiriansky
[email protected]
Carl Waldspurger
[email protected]
## Abstract
Practical attacks that exploit speculative execution can leak confidential information via microarchitectural side channels. The recently-demonstrated Spectre attacks leverage speculative loads which circumvent access checks to read memory-resident secrets, transmitting them to an attacker using cache timing or other covert communication channels. We introduce Spectre1.1, a new Spectre-v1 variant that leverages speculative st
arXiv
M-STAR: A Modular, Evidence-based Software Trustworthiness Framework
arxiv_fulltext·2018-01-17
M-STAR: A Modular, Evidence-based Software Trustworthiness Framework
M-STAR: A Modular, Evidence-based Software Trustworthiness Framework
Nikolaos Alexopoulos^1,
Sheikh Mahbub Habib^1,
Steffen Schulz^2 and
Max Mühlhäuser^1
^1 Technische Universität Darmstadt, Germany
{alexopoulos, sheikh, max}@tk.tu-darmstadt.de
^2 Intel Labs
[email protected]
## Abstract
Despite years of intensive research in the field of software vulnerabilities discovery, exploits are becoming ever more common. Consequently, it is more necessary than ever to choose software configurations that minimize systems' exposure surface to these threats. In order to support users in assessing the security risks induced by their software configurations and in making informed decisions, we introduce M-STAR, a Modular Software Trustworthiness ARchitecture and framework for probabilistic
- http://packetstormsecurity.com/files/154690/DOUBLEPULSAR-Payload-Execution-Neutralization.html
- http://packetstormsecurity.com/files/156196/SMB-DOUBLEPULSAR-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/96704
- http://www.securitytracker.com/id/1037991
- https://cert-portal.siemens.com/productcert/pdf/ssa-701903.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-966341.pdf
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0144
- https://www.exploit-db.com/exploits/41891/
- https://www.exploit-db.com/exploits/41987/
- https://www.exploit-db.com/exploits/42030/
- https://www.exploit-db.com/exploits/42031/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0144
2017-03-17
Published
2022-02-10
Added to CISA KEV
Exploited in the wild