EternalRocks Attack Spreads While Using Same Exploit As WannaCry Ransomware – Yahoo News UK

Posted: May 23, 2017 at 10:28 pm

In the wake of the WannaCry ransomware attack that infected more than 300,000 computers in 150 countries earlier this month, another attack using U.S. National Security Agency exploits has been discovered.

The latest attack, known as EternalRocks, is a hybrid of several NSA exploits leaked by hacking group the Shadow Brokers, the same group that released the EternalBlue exploit used to spread WannaCry.


EternalRocks, which is also referred to as MicroBotMassiveNet, was first discovered by Miroslav Stampar, a security researcher and member of the Croatian government's Computer Emergency Readiness Team (CERT). It's believed the attack has been live since early May, before the spread of WannaCry and after the start of a cryptocurrency mining attack that began using the NSA exploits in April.

In a report posted on his GitHub account, Stampar said EternalRocks currently has no payload, which means it is currently not performing any malicious action. It is simply spreading itself using a two-stage process that takes place over a 24-hour period.

The first stage of the attack infects a vulnerable Windows machine that has not yet been patched to fix the MS17-010 vulnerability, the same vulnerability exploited by WannaCry that was originally patched by Microsoft in March after being alerted to the security hole by the NSA.


During the first stage, EternalRocks downloads its components onto the infected device. It also downloads the Tor browser, an anonymous web browser that is often used to connect to dark web sites that are not accessible through standard browsers.

The second stage commences after a 24-hour period. During this stage, the exploits are downloaded from a .onion domain, which is reached by the Tor browser. EternalRocks then begins looking for other open ports that it can connect to and spread itself through.


Stampar said EternalRocks spreads using all of the Microsoft Server Message Block (SMB) exploits leaked by the Shadow Brokers, including EternalBlue, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch, SMBTouch and DoublePulsar.
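As an added illustration (not part of the original article or of Stampar's report), one way a defender can spot the second-stage spreading behaviour is to flag hosts that open SMB connections to many distinct machines within a short window. The flow records, window and threshold below are constructed assumptions; TCP port 445 is the standard SMB port.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # standard TCP port for Microsoft SMB

# Constructed flow records: (timestamp, source IP, destination IP, destination port).
SAMPLE_FLOWS = (
    # 10.0.0.23 touches eight different hosts over SMB in under a minute (worm-like).
    [(f"2017-05-23T10:00:{i * 5:02d}", "10.0.0.23", f"10.0.0.{100 + i}", 445)
     for i in range(8)]
    # 10.0.0.40 touches six SMB hosts, but one per hour (ordinary file-share use).
    + [(f"2017-05-23T{9 + i:02d}:00:00", "10.0.0.40", f"10.0.0.{50 + i}", 445)
       for i in range(6)]
    # 10.0.0.5 talks to two file servers; the last record is non-SMB traffic.
    + [("2017-05-23T10:01:00", "10.0.0.5", "10.0.0.10", 445),
       ("2017-05-23T10:01:30", "10.0.0.5", "10.0.0.10", 445),
       ("2017-05-23T10:02:00", "10.0.0.5", "10.0.0.11", 445),
       ("2017-05-23T10:02:10", "10.0.0.23", "192.0.2.10", 443)]
)


def smb_fanout(flows, window=timedelta(minutes=5), threshold=5):
    """Return {source: peak distinct SMB destinations in any window}
    for every source whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((datetime.fromisoformat(ts), dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for host, count in smb_fanout(SAMPLE_FLOWS).items():
        print(f"{host}: {count} distinct SMB destinations within 5 minutes")
```

The threshold needs tuning per network: backup servers and management tools legitimately contact many hosts over SMB and belong on an allow list.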

Andra Zaharia, a security evangelist at Heimdal Security, wrote in a blog post that while EternalRocks makes use of some of the same exploits as WannaCry, it shows a long-term intent to make use of vulnerabilities and seems focused on establishing a launching pad for future attacks.

Varun Badhwar, the CEO and co-founder of cloud security firm RedLock, told International Business Times that attacks such as this can spread even faster in the cloud where organizations have no visibility into their workloads or network traffic.

Badhwar warned that it's no longer a matter of if, but when any given organization will face a security incident and said everyone must operate under the assumption that they will get breached someday, and prepare for those scenarios in advance by using proper security protocols to protect against attacks.
