EternalRocks network worm uses 7 NSA hacking tools | Network World – Network World

By Ms. Smith, Network World | May 21, 2017 8:58 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Your message has been sent.

There was an error emailing this page.

While you wont be forgetting the WannaCry ransomware attack, it is likely you will be hearing a lot more about the alleged NSA-linked EternalBlue exploit and DoublePulsar backdoor as it seems a wide range of bad guys have them in their toyboxes. At least one person is leveraging seven leaked NSA hacking tools for a new EternalRocks network worm.

EternalBlue and DoublePulsar

Malwarebytes believes WannaCry did not spread by a malicious spam email campaign, but by an scanning operation that searched for vulnerable public facing SMB ports, then used EternalBlue to get on the network and DoublePulsar to install the ransomware.

EternalBlue was part of the Shadow Brokers April 14 dump of NSA hacking tools. Almost immediately, since late April, sophisticated attackers started repackaging the EternalBlue exploit. Security firm Secdo reported that three weeks before the WannaCry attack, at least three different actors were leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the US.

The attack leaves no trace; by spawning threads inside legitimate apps, to impersonate those apps, the attack can evade advanced next-gen antivirus solutions. The attacks, according to Secdo, might pose a much bigger risk than WannaCry as many endpoints may still be compromised despite having installed the latest security patch.

The security firm suggested one threat actor was stealing credentials using a Russian-based IP and another threat actor seemed to be using EternalBlue in opportunistic attacks to create a Chinese botnet.

Secdo added:

Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

Security firm Proofpoint spotted an attack using EternalBlue and DoublePulsar to install a cryptocurrency mining botnet. This attack, which also began before WannaCry, may be larger in scale and may even have limited the spread of WannaCry because this attack shuts down SMB networking to prevent further infections with other malware via that same vulnerability. Every time Proofpoint exposed a lab box vulnerable to EternalBlue attacks, it was added to the cryptocurrency mining botnet within 20 minutes.

EternalRocks uses 7 NSA hacking tools

Perhaps the most worrying news about attacks came from researcher Miroslav Stampar. It is the most worrying because the EternalRocks network worm doesnt just use EternalBlue and DoublePulsar like WannaCry did. Oh no, it uses seven different NSA hacking tools: EternalBlue, Eternalchampion, Eternalromance, Eternalsynergy, Doublepulsar, Architouch and SMBtouch.

Stampar learned of EternalRocks after it infected his SMB honeypot. Its original name was MicroBotMassiveNet, but EternalRocks is listed as a product name under Taskhost Properties. It disguises itself as WannaCry as if hoping to fool security researchers, yet it doesnt drop ransomware. Instead, it seems to be gaining a foothold to launch future attacks.

During the first stage, EternalRocks installs TOR as a C&C communications channel. The second stage doesnt begin immediately; instead, the C&C server waits 24-hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be a full scale cyber weapon.

After that is unpacked, the EternalRocks worm begins scanning for open 445 ports on the internet and pushes the first stage of the malware through payloads.

There is no kill switch like there was in WannaCry. Stampar told Bleeping Computer, The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch.

The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was going to be huge.

He later added:

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Sponsored Links

Follow this link:
EternalRocks network worm uses 7 NSA hacking tools | Network World - Network World