This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2024-05-23T18:37:14+00:00 www.secnews.physaphae.fr Mandiant - Blog Sécu de Mandiant Gemini 1.5 Pro to the test to see how it performed at analyzing malware. By providing code and using a simple prompt, we asked Gemini 1.5 Pro to determine if the file was malicious, and also to provide a list of activities and indicators of compromise. We did this for multiple malware files, testing with both decompiled and disassembled code, and Gemini 1.5 Pro was notably accurate each time, generating summary reports in human-readable language. Gemini 1.5 Pro was even able to make an accurate determination of code that - at the time - was receiving zero detections on VirusTotal.  In our testing with other similar gen AI tools, we were required to divide the code into chunks, which led to vague and non-specific outcomes, and affected the overall analysis. Gemini 1.5 Pro, however, processed the entire code in a single pass, and often in about 30 to 40 seconds. Introduction The explosive growth of malware continues to challenge traditional, manual analysis methods, underscoring the urgent need for improved automation and innovative approaches. Generative AI models have become invaluable in some aspects of malware analysis, yet their effectiveness in handling large and complex malware samples has been limited. The introduction of Gemini 1.5 Pro, capable of processing up to 1 million tokens, marks a significant breakthrough. This advancement not only empowers AI to function as a powerful assistant in automating the malware analysis workflow but also significantly scales up the automation of code analysis. By substantially increasing the processing capacity, Gemini 1.5 Pro paves the way for a more adaptive and robust approach to cybersecurity, helping analysts manage the asymmetric volume of threats more effectively and efficiently. Traditional Techniques for Automated Malware Analysis The foundation of automated malware analysis is built on a combination of static and dynamic analysis techniques, both of which play crucial roles in dissecting and understanding malware behavior. Static analysis involves examining the malware without executing it, providing insights into its code structure and unobfuscated logic. Dynamic analysis, on the other hand, involves observing the execution of the malware in a controlled environment to monitor its behavior, regardless of obfuscation. Together, these techniques are leveraged to gain a comprehensive understanding of malware. Parallel to these techniques, AI and machine learning (ML) have increasingly been employed to classify and cluster malware based on behavioral patterns, signatures, and anomalies. These methodologies have ranged from supervised learning, where models are trained on labeled datasets, to unsupervised learning for clustering, which identifies patterns without predefined labels to group similar malware.]]> 2024-04-29T14:00:00+00:00 https://cloud.google.com/blog/topics/threat-intelligence/gemini-for-malware-analysis/ www.secnews.physaphae.fr/article.php?IdArticle=8500392 False Threat,Malware,Hack,Cloud,Studies,Tool,Conference,Prediction,Vulnerability Wannacry 3.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC Richard’s Almanack in 1768, it was preceded by the cautionary words: “a little neglect may breed great mischief”. This simple proverb and added comment serve as emblematic examples of how seemingly inconsequential missteps or neglect can lead to sweeping, irreversible, catastrophic losses. The cascade of events resonates strongly within the increasingly complex domain of cybersecurity, in which the omission of even the most elementary precaution can result in a spiraling series of calamities. Indeed, the realm of cybersecurity is replete with elements that bear striking resemblance to the nail, shoe, horse, and rider in this proverb. Consider, for example, the ubiquitous and elementary software patch that may be considered the proverbial digital "nail." In isolation, this patch might seem trivial, but its role becomes crucial when viewed within the broader network of security measures. The 2017 WannaCry ransomware attack demonstrates the significance of such patches; an unpatched vulnerability in Microsoft Windows allowed the malware to infiltrate hundreds of thousands of computers across the globe. It wasn\'t just a single machine that was compromised due to this overlooked \'nail,\' but entire networks, echoing how a lost shoe leads to a lost horse in the proverb. This analogy further extends to the human elements of cybersecurity. Personnel tasked with maintaining an organization\'s cyber hygiene play the role of the "rider" in our metaphorical tale. However, the rider is only as effective as the horse they ride; likewise, even the most skilled IT professional cannot secure a network if the basic building blocks—the patches, firewalls, and antivirus software—resemble missing nails and shoes. Numerous reports and studies have indicated that human error constitutes one of the most common causes of data breaches, often acting as the \'rider\' who loses the \'battle\'. Once the \'battle\' of securing a particular network or system is lost, the ramifications can extend much further, jeopardizing the broader \'kingdom\' of an entire organization or, in more extreme cases, critical national infrastructure. One glaring example that serves as a cautionary tale is the Equifax data breach of 2017, wherein a failure to address a known vulnerability resulted in the personal data of 147 million Americans being compromised. Much like how the absence of a single rider can tip the scales of an entire battle, this singular oversight led to repercussions that went far beyond just the digital boundaries of Equifax, affecting millions of individuals and shaking trust in the security of financial systems. ]]> 2023-11-28T11:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/for-want-of-a-cyber-nail-the-kingdom-fell www.secnews.physaphae.fr/article.php?IdArticle=8417468 False Ransomware,Data Breach,Malware,Vulnerability Wannacry,Wannacry,Equifax,Equifax 2.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems. These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including: Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making. Access control challenges: Proper identity and access management within complex environments are crucial. Compliance with best practices: Adherence to guidelines such as NIST\'s best practices is essential for resilience. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions. Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems. Supply chain defense: The power of content disarm and reconstruction Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious. What does CDR do? In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety. Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while mainta]]> 2023-08-29T10:00:00+00:00 https://cybersecurity.att.com/blogs/security-essentials/battling-malware-in-the-industrial-supply-chain www.secnews.physaphae.fr/article.php?IdArticle=8376274 False Threat,Malware,Cloud,Industrial,Vulnerability NotPetya,Solardwinds,Wannacry 2.0000000000000000 Schneier on Security - Chercheur Cryptologue Américain just realized how serious it was (and is): Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required...]]> 2022-12-22T12:01:37+00:00 https://www.schneier.com/blog/archives/2022/12/critical-microsoft-code-execution-vulnerability.html www.secnews.physaphae.fr/article.php?IdArticle=8293677 False Vulnerability Wannacry,Wannacry 3.0000000000000000 CSO - CSO Daily Dashboard ransomware worm that spread rapidly through across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain's National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.To read this article in full, please click here]]> 2022-08-24T12:34:00+00:00 https://www.csoonline.com/article/3227906/wannacry-explained-a-perfect-ransomware-storm.html#tk.rss_all www.secnews.physaphae.fr/article.php?IdArticle=6506640 False Ransomware,Vulnerability,Medical APT 38,Wannacry,Wannacry None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited (published: April 21, 2021) US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above. Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity. MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083 Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022 Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices (published: April 21, 2021) The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable. Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files. MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081 Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195 Novel Email-Based Campaign Targets Bloomberg Clients with RATs (published: April 21, 2021) A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c]]> 2021-04-27T17:24:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-habitsrat-targeting-linux-and-windows-servers-lazarus-group-targetting-south-korean-orgs-multiple-zero-days-and-more www.secnews.physaphae.fr/article.php?IdArticle=2704270 False Threat,Ransomware,Malware,Tool,Vulnerability,Medical APT 38,APT 28,Wannacry,Wannacry None Anomali - Firm Blog Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Google: This Spectre proof-of-concept shows how dangerous these attacks can be (published: March 15, 2021) Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls. Tags: CVE-2017-5753 Threat Assessment: DearCry Ransomware (published: March 12, 2021) A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers. Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | ]]> 2021-03-17T18:03:00+00:00 https://www.anomali.com/blog/anomali-cyber-watch-apt-ransomware-vulnerabilities-and-more www.secnews.physaphae.fr/article.php?IdArticle=2496898 False Threat,Ransomware,Guideline,Tool,Vulnerability APT 41,Wannacry,APT 34 None Wired Threat Level - Security News 2020-03-12T12:00:00+00:00 https://www.wired.com/story/a-new-wormable-windows-vulnerability-has-no-patch-in-sight www.secnews.physaphae.fr/article.php?IdArticle=1593484 False Vulnerability NotPetya,Wannacry None AlienVault Blog - AlienVault est un acteur de defense majeur dans les IOC Photo by Katie Moum on Unsplash Cybercrime is global, but the response isn’t. Governments in the west are slowly waking up to the importance of cybersecurity, and are (equally slowly) helping businesses to safeguard data and home users to protect their homes from cyberattack. Look outside Europe and the US, though, and the picture is radically different. African countries, in particular, are underprepared for the impact of cyberattacks, and lack the governmental expertise to deal with them. This is an issue for citizens of these countries, but also for us in the west. Poorly prepared countries act as safe havens for cybercriminals, and hackers (some of them state-sponsored) can use these countries to stage cyberattacks that directly impact users in the west. Cybercrime: a global view Though you wouldn’t know it from the press coverage, large cyberattacks don’t just affect the west. Africa, for instance, actually has a huge problem with cybercrime. Recent reports from Botswana, Zimbabwe and Mozambique show that companies are increasingly falling victim to cybercrime. The global WannaCry malware attack of May 2017 hit South Africa hard, and companies in that country typically lose R36 million when they fall victim to an attack. This situation is mirrored across the global south. It is made worse by the fact that developing nations do not have governmental policies for dealing with cyberattacks. This makes companies and home users in these countries particularly vulnerable. It also means that hackers can route their activities through these countries, which have neither the technical nor the legal expertise to catch them, let alone punish them. Though government policies on cybercrime vary widely across the globe, many of the largest attacks of recent years rely for their success on their global reach. The Mirai Botnet, for instance, managed to infect IoT devices across a huge range of territories and countries, and this global base made it incredibly difficult to stop. Attacks like this have made the IoT one of the largest concerns among security professionals today. Given this context, it is time for governments – in all countries and at all levels – to do more when it comes to managing cyber risk. Managing risk The approach that governments take to dealing with cyber risk is a critical factor in the success of these programs. Too often, governments take a ‘hands off’ approach, issuing advice to citizens and businesses about how to avoid falling victim to an attack, and then expecting them to protect themselves. This approach i]]> 2019-09-18T13:00:00+00:00 https://feeds.feedblitz.com/~/606910188/0/alienvault-blogs~Does-your-government-take-cybersecurity-seriously-enough www.secnews.physaphae.fr/article.php?IdArticle=1343551 False Threat,Malware,Guideline,Vulnerability Wannacry None IT Security Guru - Blog Sécurité 2019-09-10T14:57:02+00:00 https://www.itsecurityguru.org/2019/09/10/bluekeep-bug-exploit-published-by-metasplot-project/ www.secnews.physaphae.fr/article.php?IdArticle=1317695 False Vulnerability Wannacry None SecurityWeek - Security News BlueKeep and CVE-2019-0708, but over 800,000 systems are still exposed to attacks. ]]> 2019-07-18T17:03:01+00:00 https://www.securityweek.com/over-800000-systems-still-vulnerable-bluekeep-attacks www.secnews.physaphae.fr/article.php?IdArticle=1213833 False Vulnerability Wannacry None Checkpoint - Fabricant Materiel Securite 2019-06-13T13:00:03+00:00 https://blog.checkpoint.com/2019/06/13/may-2019-most-wanted-malware-bluekeep-microsoft-rdp-cryptocurrency-malware/ www.secnews.physaphae.fr/article.php?IdArticle=1152617 False Threat,Ransomware,Guideline,Vulnerability NotPetya,Wannacry 3.0000000000000000 Errata Security - Errata Security masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop -- in theory.This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop.Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It's a thousand times slower, but it's only scanning the results from masscan instead of the entire Internet.The table of results is as follows:1447579  UNKNOWN - receive timeout1414793  SAFE - Target appears patched1294719  UNKNOWN - connection reset by peer1235448  SAFE - CredSSP/NLA required 923671  VULNERABLE -- got appid 651545  UNKNOWN - FIN received 438480  UNKNOWN - connect timeout 105721  UNKNOWN - connect failed 9  82836  SAFE - not RDP but HTTP  24833  UNKNOWN - connection reset on connect   3098  UNKNOWN - network error   2576  UNKNOWN - connection terminatedThe various UNKNOWN things fail for various reasons. A lot of them are because the protocol isn't actually Remote Desktop and respond weirdly when we try to talk Remote Desktop. A lot of others are Windows machines, sometimes vulnerable and sometimes not, but for some reason return errors sometimes.The important results are those marked VULNERABLE. There are 923,671 vulnerable machines in this result. That means we've confirmed the vulnerability really does exist, though it's possible a small number of these are "honeypots" deliberately pretending to be vulnerable in order to monitor hacker activity on the Internet.The next result are those marked SAFE due to probably being "pached". Actually, it doesn't necessarily mean they are patched Windows boxes. They could instead be non-Windows systems that appear the same as patched Windows boxes. But either way, they are safe from this vulnerability. There are 1,414,793 of them.The next result to look at are those marked SAFE due to CredSSP/NLA failures, of which there are 1,235,448. This doesn't mean they are patched, but only that we can't exploit them. They require "network level authentication" first before we can talk Remote Desktop to them. That means we can't test whether they are patched or vulnerable -- but neither can the hackers. They may still be exploitable via an insider threat who knows a valid username/password, but they aren't exploitable by anonymous hackers or worms.The next category is marked as SAFE because they aren't Remote Desktop at all, but HTTP servers. In other words, in response to o]]> 2019-05-28T06:20:06+00:00 https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html www.secnews.physaphae.fr/article.php?IdArticle=1128860 False Threat,Ransomware,Guideline,Patching,Vulnerability NotPetya,Wannacry None Security Affairs - Blog Secu 2019-05-27T16:53:02+00:00 https://securityaffairs.co/wordpress/86193/hacking/bluekeep-flaw-scans.html www.secnews.physaphae.fr/article.php?IdArticle=1127851 False Vulnerability Wannacry None Security Affairs - Blog Secu 2019-05-25T12:02:02+00:00 https://securityaffairs.co/wordpress/86100/hacking/bluekeep-micropatch.html www.secnews.physaphae.fr/article.php?IdArticle=1124904 False Vulnerability Wannacry None InformationSecurityBuzzNews - Site de News Securite Another WannaCry May Be Coming – Are You Ready?]]> 2019-05-21T21:30:03+00:00 https://www.informationsecuritybuzz.com/articles/another-wannacry-may-be-coming-are-you-ready/ www.secnews.physaphae.fr/article.php?IdArticle=1118705 False Threat,Tool,Vulnerability Wannacry None InformationSecurityBuzzNews - Site de News Securite Microsoft Warns Against Critical, WannaCry-like Flaw]]> 2019-05-16T23:13:01+00:00 https://www.informationsecuritybuzz.com/expert-comments/microsoft-warns-against-critical-wannacry-like-flaw/ www.secnews.physaphae.fr/article.php?IdArticle=1111466 False Patching,Vulnerability Wannacry None Security Affairs - Blog Secu 2019-05-15T12:57:05+00:00 https://securityaffairs.co/wordpress/85569/security/windows-rdp-flaw.html www.secnews.physaphae.fr/article.php?IdArticle=1108381 False Vulnerability Wannacry None SecurityWeek - Security News WannaCry did back in 2017. ]]> 2019-05-15T06:06:05+00:00 https://www.securityweek.com/microsoft-patches-rds-vulnerability-allowing-wannacry-attacks www.secnews.physaphae.fr/article.php?IdArticle=1109782 False Malware,Vulnerability Wannacry None Krebs on Security - Chercheur Américain 2019-05-14T17:11:03+00:00 https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/ www.secnews.physaphae.fr/article.php?IdArticle=1107093 False Threat,Ransomware,Malware,Vulnerability Wannacry None Mandiant - Blog Sécu de Mandiant MS017-010 ) a d'abord été utilisépar Wannacry Ransomware et Adylkuzz Cryptocurrency Miner.Maintenant, plus d'acteurs de menaces tirent parti de la vulnérabilité à MicrosoftProtocole de bloc de messages du serveur (SMB) & # 8211;Cette fois pour distribuer Backdoor.Nitol et Trojan Gh0st Rat. Fireeye Dynamic Threat Intelligence (DTI) a historiquement observé des charges utiles similaires livrées via l'exploitation de la vulnérabilité CVE-2014-6332 ainsi que dans certaines campagnes de spam par e-mail en utilisant Commandes de versions .Plus précisément, Backdoor.Nitol a également été lié à des campagnes impliquant une exécution de code distante

---

The “EternalBlue” exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution]]> 2017-06-02T08:00:00+00:00 https://www.mandiant.com/resources/blog/threat-actors-leverage-eternalblue-exploit-deliver-non-wannacry-payloads www.secnews.physaphae.fr/article.php?IdArticle=8377776 False Threat,Ransomware,Spam,Vulnerability Wannacry 4.0000000000000000 Mandiant - Blog Sécu de Mandiant Microsoft Security Bulletin MS17-010 . le récent wannacry ransomware profite de cette vulnérabilité pour compromettre les machines Windows, charger les logiciels malveillants et propageraux autres machines d'un réseau.L'attaque utilise les version 1 SMB et le port TCP 445 pour se propager. con

---

Server Message Block (SMB) is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named “EternalBlue,” which was part of the Microsoft security bulletin MS17-010. The recent WannaCry ransomware takes advantage of this vulnerability to compromise Windows machines, load malware, and propagate to other machines in a network. The attack uses SMB version 1 and TCP port 445 to propagate. Con]]> 2017-05-26T10:00:00+00:00 https://www.mandiant.com/resources/blog/smb-exploited-wannacry-use-of-eternalblue www.secnews.physaphae.fr/article.php?IdArticle=8377777 False Technical,Vulnerability Wannacry 4.0000000000000000 Mandiant - Blog Sécu de Mandiant wannacry se compose de deux composants distincts, unqui fournit des fonctionnalités de ransomware et un composant utilisé pour la propagation, qui contient des fonctionnalités pour permettre les capacités d'exploitation des SMB. Le malware exploite un exploit, nommé «EternalBlue», publié par les Shadow Brokers le 14 avril 2017. le

---

WannaCry (also known as WCry or WanaCryptor) malware is a self-propagating (worm-like) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft\'s Server Message Block (SMB) protocol, MS17-010. The WannaCry malware consists of two distinct components, one that provides ransomware functionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities. The malware leverages an exploit, codenamed “EternalBlue”, that was released by the Shadow Brokers on April 14, 2017. The]]> 2017-05-23T12:30:00+00:00 https://www.mandiant.com/resources/blog/wannacry-malware-profile www.secnews.physaphae.fr/article.php?IdArticle=8377778 False Ransomware,Malware,Technical,Vulnerability Wannacry 4.0000000000000000