
IoPT App

We are here to improve SOHO (small office/home office) security a bit!


Remote code execution vulnerabilities (Microsoft Security Bulletin MS17-010) exist in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploits them can execute arbitrary code on the target server. In most situations no authentication is needed: the attacker only has to reach the SMB service (TCP port 445) and send a specially crafted packet to the SMBv1 server. This is the bug class behind the EternalBlue exploit.

The EternalBlue exploit is typically paired with the DoublePulsar implant. DoublePulsar is a backdoor attributed to the U.S. National Security Agency (NSA) Equation Group and leaked by The Shadow Brokers in April 2017. It is loaded into memory on the compromised host and runs in kernel mode, which gives the attacker a high level of control over the system and a channel through which further payloads can be delivered over SMB.

Recommendations

Install the MS17-010 security update on every affected Windows host and disable the SMBv1 protocol wherever nothing still depends on it. Block TCP ports 445 and 139 from the Internet at the perimeter so that the crafted packets described above never reach an unpatched server.

References

CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148