Windows Zero Days Affecting SMB Version 1, 2, and 3
On April 4th 2017, a group calling themselves The Shadow Brokers released a multitude of tools that were stolen from an NSA hacking group called The Equation Group. Among these tools are Windows attacks against SMBv1, v2, and v3, affecting Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 2008, and Windows 2008r2. Microsoft has released a patch for Windows 7 and Windows Server 2008 and 2008r2. A link to the Microsoft blog post discussing these vulnerabilities and the relevant patches is provided here: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
- DoublePulsar Pwnage: Attackers Tap Equation Group Exploit
- Ars Technica's "NSA-leaking Shadow Brokers just dumped its most damaging release yet"
- Link to a publicly released script that has been created to sweep a network looking for indicators of DoublePulsar: https://github.com/countercept/doublepulsar-detection-script
If you decide to use the script, please be sure to thoroughly test it before using it in your environment.