After WannaCry hit systems around the world last month, security experts warned that the underlying vulnerabilities that allowed the ransomworm to spread are still unpatched in many environments, rendering those systems vulnerable to other hacking tools from the same toolset. Rapid7's Project Heisenberg continues to see a high volume of scans and exploit attempts targeting SMB vulnerabilities:
DoublePulsar, a backdoor that has infected hundreds of thousands of computers, is one of the most nefarious of these tools: It can not only distribute ransomware but is also able to infect a system's kernel to gain privileges and steal credentials. Identifying and patching vulnerable systems remains the best way to defend against the DoublePulsar implant. DoublePulsar is often delivered using the EternalBlue exploit package—MS17-010—which is the same vulnerability that gave rise to the widespread WannaCry infections in May. To help customers, we are reiterating the steps we issued for WannaCry on creating a scan, dynamic asset group, and remediation project for identifying and fixing these vulnerabilities. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven't done so already, you can download a trial of InsightVM here.
Here is the InsightVM/Nexpose step-by-step guide to create a scan template specifically to look for MS17-010:
1. Under the Administration tab, go to Templates > Manage Templates
2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description; here, we'll call it “Double Pulsar and WNCRY Scan Template”
3. Click on Vulnerability Checks and then “By Individual Check”
4. Add Check "MS17-010" and click save:
This should come back with 195 checks that are related to MS17-010. The related CVEs are:
5. Save the template and run a scan to identify all assets with MS17-010.
Creating a Dynamic Asset Group for MS17-010
Now that you have your assets scanned, you may want to create a Dynamic Asset Group to report/tag off of that will update itself whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the InsightVM console, just under the search button:
Now, use the "CVE ID" filter to specify the CVEs listed below:
This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.
Creating a DoublePulsar/WannaCry Dashboard
Recently, Ken Mizota posted an article on how to build a custom dashboard to track your exposure to exploits from the Shadow Brokers leak. If you already did that, you're good to go! If you wanted to be specific to WannaCry and DoublePulsar, you could use this Dashboard filter:
asset.vulnerability.title CONTAINS "cve-2017-0143" OR asset.vulnerability.title CONTAINS "cve-2017-0144" OR asset.vulnerability.title CONTAINS "cve-2017-0145" OR asset.vulnerability.title CONTAINS "cve-2017-0101" ORasset.vulnerability.title CONTAINS "cve-2017-0146"asset.vulnerability.title CONTAINS "cve-2017-0147" OR asset.vulnerability.title CONTAINS "cve-2017-0148"
Creating a SQL Query Export
@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: WannaCry - Scanning & Reporting. This will also apply to DoublePulsar.
Creating a Remediation Project for MS17-010
In InsightVM, you can also create a remediation project for MS17-010 to track the progress of remediation live. To do this, go to the “Projects” tab and click “Create a Project”:
Give the project a name, and under vulnerability filter type in "vulnerability.alternateIds <=> ( altId = "ms17-010" )"
Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.
Now you can give this project a description and configure who is responsible for remediation, as well as access levels if you wish. If you have JIRA, you can also configure the automatic ticketing integration between InsightVM and JIRA to automatically assign tickets to the right folks.
Using these steps, you'll be able to quickly scan for the vulnerability that enables both WannaCry and DoublePulsar infections. If you have any questions please don't hesitate to let us know!
For more information and resources on DoublePulsar, please visit this page.