Microsoft MS17-010 Vulnerability: EternalRocks Attack Spreading Using Same Exploit As WannaCry Ransomware
In the wake of the WannaCry ransomware attack that infected more than 300,000 computers in 150 countries earlier this month, another attack using U.S. National Security Agency exploits has been discovered.
The latest attack, known as EternalRocks, is a hybrid of several NSA exploits leaked by hacking group the Shadow Brokers — the same group that released the EternalBlue exploit used to spread WannaCry.
EternalRocks, which is also referred to as MicroBotMassiveNet, was first discovered by Miroslav Stampar, a security researcher and member of the Croatian government’s Computer Emergency Readiness Team. It’s believed the attack has been live since early May, before the spread of WannaCry and after the start of a cryptocurrency mining attack that began using the NSA exploits in April.
In a report posted on his GitHub account, Stampar said EternalRocks currently carries no payload: beyond propagating itself it performs no destructive action. It simply spreads using a two-stage process that takes place over a 24-hour period.
The first stage of the attack infects a vulnerable Windows machine that has not yet been patched to fix the MS17-010 vulnerability — the same vulnerability exploited by WannaCry that originally was patched by Microsoft in March after being alerted to the security hole by the NSA.
During the first stage, EternalRocks downloads its components onto the infected device. It also downloads Tor, the anonymity software used to reach ".onion" hidden services on the "dark web" that are not accessible through standard browsers.
The second stage commences after a 24-hour period. During this stage, the exploits are downloaded from a .onion domain reached over Tor. EternalRocks then begins scanning for other hosts with TCP port 445 (SMB) open that it can connect to and spread itself through.
Stampar said EternalRocks spreads using all of the Microsoft Server Message Block (SMB) tools leaked by the Shadow Brokers: the EternalBlue, EternalChampion, EternalRomance and EternalSynergy exploits, the SMBTouch and ArchiTouch reconnaissance tools that probe a target before exploitation, and the DoublePulsar kernel backdoor used to run code on exploited hosts.
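Every exploit in that list targets SMBv1, so the first question a defender has after reading this is which hosts on the network still answer an SMBv1 negotiation on port 445. The script below is an added example written for this article; it is not code from the article, from Stampar's report or from the worm. It sends one SMB1 NEGOTIATE request offering only the "NT LM 0.12" dialect and classifies the reply. It establishes only that a host still speaks SMBv1, not whether the MS17-010 patch is installed, so use it to find hosts to inventory, not as proof of vulnerability. The sample reply bytes are constructed for offline testing, not captured from a real host, and the function and label names are this example's own. Scan only hosts you are authorised to test.

```python
"""Probe whether a host still accepts an SMBv1 (NT LM 0.12) negotiation on TCP 445.

Added example for this article, not the worm's code or Stampar's tooling.
It does NOT check for the MS17-010 patch; it only shows which hosts still
speak the protocol the leaked SMB exploits need.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"NT LM 0.12"


def build_negotiate_request() -> bytes:
    """SMB1 NEGOTIATE offering only NT LM 0.12, framed for direct TCP (port 445)."""
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PID high,
    # 8-byte security features, reserved, TID, PID low, UID, MID (all little-endian).
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,
        0,            # NT status
        0x18,         # Flags: canonical paths, case-insensitive
        0xC853,       # Flags2: unicode, NT status, extended security, long names
        0,            # PID high
        b"\x00" * 8,  # security features (unused without signing)
        0, 0, 0xFFFF, 0, 0,  # reserved, TID, PID low, UID, MID
    )
    dialects = b"\x02" + DIALECT + b"\x00"          # one dialect entry: 0x02 + string + NUL
    body = struct.pack("<BH", 0, len(dialects)) + dialects  # WordCount=0, ByteCount
    smb = header + body
    # NetBIOS session service header: type 0x00 plus 24-bit big-endian length.
    return struct.pack(">I", len(smb)) + smb


def classify_negotiate_response(data: bytes) -> str:
    """Classify what came back for our SMB1 NEGOTIATE (NetBIOS header included)."""
    if len(data) == 0:
        return "dropped"          # server closed the connection without answering
    smb = data[4:]
    if smb.startswith(SMB2_MAGIC):
        return "smb2-only"        # server answered in SMB2; our SMB1 dialect was not accepted
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "not-smb"
    command = smb[4]
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return "smb1-refused"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]  # 0 = our only dialect, 0xFFFF = none
    return "smb1-enabled" if dialect_index == 0 else "smb1-refused"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the NEGOTIATE, and return one of the labels above or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(1024)
    except ConnectionResetError:
        return "dropped"          # RST on an SMB1 negotiate is typical when SMBv1 is disabled
    except OSError:
        return "unreachable"
    return classify_negotiate_response(data)


def constructed_smb1_response(dialect_index: int) -> bytes:
    """Constructed (not captured) minimal SMB1 NEGOTIATE reply for offline testing."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x98, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFFFF, 0, 0
    )
    params = struct.pack("<BH", 1, dialect_index)   # WordCount=1 is enough to carry the index
    smb = header + params + struct.pack("<H", 0)    # ByteCount=0
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    # Usage: python smb1_probe.py <host> [<host> ...]
    for target in sys.argv[1:]:
        print(f"{target}: {probe_smb1(target)}")
```

A host reported as "smb1-enabled" is not necessarily exploitable, and one reported as "dropped" or "smb2-only" is not necessarily safe against every listed tool, but the first group is where the MS17-010 patch inventory should start; if the protocol is not needed, disabling SMBv1 on those hosts removes the whole attack surface this family relies on.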
Andra Zaharia, a security evangelist at Heimdal Security, wrote in a blog post that while EternalRocks makes use of some of the same exploits as WannaCry, “it shows a long-term intent to make use of vulnerabilities” and “seems focused on establishing a launching pad for future attacks.”
Varun Badhwar, the CEO and co-founder of cloud security firm RedLock, told International Business Times, “attacks such as this can spread even faster in the cloud where organizations have no visibility into their workloads or network traffic.”
Badhwar warned it’s “no longer a matter of ‘if,’ but ‘when’ any given organization will face a security incident” and said “everyone must operate under the assumption that they will get breached someday, and prepare for those scenarios in advance” by using proper security protocols to protect against attacks.
© Copyright IBTimes 2024. All rights reserved.