new SMB threat codenamed Pandemic

As noted in the article, this is an exploit employed against corporate file servers:

The role of this cyberweapon is to infect corporate file sharing servers and deliver a malicious executable to other persons on the network, hence the tool's name of Pandemic.

As such, endpoint and retail Eset users would not be exposed to this attack. Strongly suspect Microsoft is working on a patch to their server OS versions for this.

20 hours ago, tommy456 said:

What about those who have server PCs on the one network?

Yes. If they share files, it would apply.

There are very few details available about this exploit. If it exploits SMBv1, I assume the previous patch Microsoft issued would cover it. I did search for any CVEs related to it and could find none.

Note that it is basically a driver. If you are running Win 10 ver. 1607 or later and it was a fresh install, the driver would not be allowed to be installed since it is assumed it does not have a valid Microsoft driver code signing certificate:

Documentation that accompanied Thursday's release said that Pandemic is installed as a minifilter device driver. Jake Williams, a malware expert at Rendition InfoSec, told Ars that this means Pandemic would have to be signed by a valid digital certificate that was either bought or stolen by the operative, or it means the implant would have to be installed using an exploit that circumvented code-signing requirements. The driver-signing restriction and other technical details, he said, give the impression the tool isn't in widespread use. 

Ref: https://arstechnica.com/security/2017/06/wikileaks-says-cias-pandemic-implant-turns-servers-into-malware-carriers/

Edited by itman
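The post above turns on one defensive point: a minifilter driver has to be registered with the system and, on a modern Windows install, its binary has to carry an accepted signature. The script below is an added example written for this thread, not code from the forum post, ESET, or the Ars article it quotes. It enumerates every service that registers a minifilter instance (the Instances\<name>\Altitude layout under HKLM\SYSTEM\CurrentControlSet\Services is what identifies a minifilter) and reports the Authenticode or catalog signature status of each driver binary, so an unsigned or unexpectedly signed filter stands out for review. It assumes an elevated PowerShell session on Windows 8 or later; the function names are my own.

```powershell
# Added example, not from the forum post or the article it quotes.
# Lists file-system minifilter drivers registered on the local host and checks
# each driver binary's Authenticode/catalog signature. Assumes an elevated
# PowerShell session on Windows 8 or later (catalog signatures are reported
# through Get-AuthenticodeSignature's SignatureType property).

function Resolve-DriverImagePath {
    # Normalise the ImagePath forms seen in service keys to a plain file path.
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\...  -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # relative to %SystemRoot%
    return $p
}

function Get-MinifilterSignatureReport {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        # Only minifilters register Instances\<name>\Altitude values; skip everything else.
        $instancesKey = Join-Path $svc.PSPath 'Instances'
        if (-not (Test-Path $instancesKey)) { continue }

        $altitudes = Get-ChildItem -Path $instancesKey -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Altitude } |
            Where-Object { $_ }

        $props  = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        $binary = Resolve-DriverImagePath -ImagePath $props.ImagePath

        $status = 'NoBinary'; $sigType = $null; $signer = $null
        if ($binary -and (Test-Path $binary)) {
            $sig     = Get-AuthenticodeSignature -FilePath $binary
            $status  = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            $sigType = $sig.SignatureType.ToString()   # Authenticode, Catalog, or None
            $signer  = $sig.SignerCertificate.Subject
        }

        [pscustomobject]@{
            Filter    = $svc.PSChildName
            Altitude  = ($altitudes -join ',')
            Start     = $props.Start        # 0=boot 1=system 2=auto 3=demand 4=disabled
            Binary    = $binary
            Signature = $status
            SigType   = $sigType
            Signer    = $signer
        }
    }
}

# Usage: anything whose Signature is not Valid, or whose Signer is not one you
# expect on this host, deserves a closer look.
Get-MinifilterSignatureReport |
    Sort-Object Signature, Filter |
    Format-Table Filter, Altitude, Signature, SigType, Signer -AutoSize
```

Two caveats when reading the output. Inbox Windows drivers are usually catalog-signed rather than carrying an embedded signature, which is why the report shows SigType alongside Status; a Status of Valid with SigType Catalog is normal for them. And the registry records what is registered, not what is currently attached, so cross-check the filter names against `fltmc filters` to see which minifilters are actually loaded.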
