WannaCry’s successor EternalRocks is even worse: what to know about the new cyber threat
Initially, it was just WannaCrypt or WannaCry that spread by taking advantage of a Windows vulnerability that Microsoft released a security patch for in March this year. The malware encrypted files on infected machines and demanded payment for unlocking them. WannaCry had some loopholes that made it easier to slow and circumvent.
Here are two important things you should know about EternalRocks:
1. In its current form, ‘EternalRocks’ does not have any malicious elements. It does not lock or corrupt files or use compromised machines to build a botnet. However, it leaves infected computers vulnerable to remote commands which could ‘weaponise’ the infection at any time.
2. ‘EternalRocks’ is stronger than WannaCry because it does not have any weaknesses, including the kill switch that a researcher used to help contain the ransomware.
EternalRocks uses 7 hacking tools and is more complex
EternalRocks uses six of the NSA's SMB-based cyber tools to infect systems. BleepingComputer reported that the NSA tools used by the worm are EternalBlue, EternalChampion, EternalSynergy and EternalRomance – all of which are SMB exploits used to hack into computers. The worm also leverages the two NSA SMB reconnaissance tools SMBTouch and ArchTouch to spy on infected computers. Finally, the worm spreads to other vulnerable systems using the DoublePulsar exploit.
The NSA tools were leaked by the Shadow Brokers hacker group in April, who, in the wake of the WannaCry attacks, threatened to dump even more cyberweapons in the coming months. Security experts linked one of the exploits leaked by the Shadow Brokers, called EternalBlue, to the WannaCry attacks. Even as security researchers grappled with the ransomware outbreak and tried to stop further such attacks, Microsoft publicly slammed the NSA over its practice of stockpiling cyberweapons, blaming it for the widespread ransomware attacks.
According to Bleeping Computer's report, although EternalRocks does not currently spread malicious content and in that sense can be considered less dangerous than WannaCry, it is, according to Stampar, far more dangerous than its predecessor.
During the first stage, EternalRocks infects a system, downloads Tor and beacons its C&C (command and control) server located on the Tor network, in the dark web. The second stage of the attack begins after 24 hours, when the C&C server responds. This delayed attack technique has likely been incorporated to hoodwink security experts analysing the worm.
Additionally, infected computers keep running DoublePulsar, which comes with a backdoor feature. The attackers have not taken measures to protect the DoublePulsar implant, which is currently running in a default and unprotected state. This means that other hackers could also use the backdoor to compromise systems already infected by EternalRocks to install further malware.
The worm can potentially be instantaneously weaponised with ransomware, banking Trojans or RATs, since it uses a broader range of exploits. Although the worm currently appears to be in the development and testing stage, the danger of this new attack technique becoming the next major cyber threat remains very real.
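The two behaviours described above (a host fanning out to many internal peers over SMB, then beaconing to a Tor command-and-control server, with the second stage arriving about 24 hours later) are things a defender can look for in connection logs. The following detection sketch is an added example written for this page; it is not code from the original article, from Stampar, or from BleepingComputer. The log format, the sample log lines, the Tor relay address, and the thresholds are all constructed assumptions: a real deployment would feed it from a firewall or NetFlow export and use a current list of Tor relay addresses rather than the default Tor ports used here as a heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical key=value format (not any vendor's).
# 10.0.1.7 fans out to ten internal hosts on TCP/445 within seconds, then
# contacts a (constructed) Tor relay, and contacts it again ~24 hours later.
# 10.0.1.2 is ordinary traffic to a single file server.
SAMPLE_LOG = """\
ts=2017-05-20T09:00:01 src=10.0.1.7 dst=10.0.1.20 dport=445
ts=2017-05-20T09:00:02 src=10.0.1.7 dst=10.0.1.21 dport=445
ts=2017-05-20T09:00:02 src=10.0.1.7 dst=10.0.1.22 dport=445
ts=2017-05-20T09:00:03 src=10.0.1.7 dst=10.0.1.23 dport=445
ts=2017-05-20T09:00:03 src=10.0.1.7 dst=10.0.1.24 dport=445
ts=2017-05-20T09:00:04 src=10.0.1.7 dst=10.0.1.25 dport=445
ts=2017-05-20T09:00:05 src=10.0.1.7 dst=10.0.1.26 dport=445
ts=2017-05-20T09:00:05 src=10.0.1.7 dst=10.0.1.27 dport=445
ts=2017-05-20T09:00:06 src=10.0.1.7 dst=10.0.1.28 dport=445
ts=2017-05-20T09:00:06 src=10.0.1.7 dst=10.0.1.29 dport=445
ts=2017-05-20T09:01:30 src=10.0.1.7 dst=198.51.100.9 dport=9001
ts=2017-05-21T09:02:11 src=10.0.1.7 dst=198.51.100.9 dport=9001
ts=2017-05-20T10:15:00 src=10.0.1.2 dst=10.0.1.50 dport=445
ts=2017-05-20T11:40:00 src=10.0.1.2 dst=10.0.1.50 dport=445
"""

# Assumptions: a constructed relay address (documentation range) plus the Tor
# default OR/Dir ports as a heuristic. Replace with a maintained relay list.
TOR_RELAY_IPS = {"198.51.100.9"}
TOR_PORTS = {9001, 9030}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(text):
    """Turn key=value lines into dicts with a datetime 'ts' and int 'dport'."""
    events = []
    for line in text.splitlines():
        fields = dict(KV_RE.findall(line))
        if not fields:
            continue
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        fields["dport"] = int(fields["dport"])
        events.append(fields)
    return events


def detect_smb_fanout(events, min_peers=10, window=timedelta(minutes=10)):
    """Sources that reach at least min_peers distinct hosts on 445 within window."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == 445:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = set()
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= window}
            if len(peers) >= min_peers:
                flagged.add(src)
                break
    return flagged


def tor_contacts(events):
    """Map each source to the sorted times it contacted a suspected Tor relay."""
    contacts = defaultdict(list)
    for e in events:
        if e["dst"] in TOR_RELAY_IPS or e["dport"] in TOR_PORTS:
            contacts[e["src"]].append(e["ts"])
    return {src: sorted(ts) for src, ts in contacts.items()}


def detect_delayed_beacon(contacts, low=timedelta(hours=20), high=timedelta(hours=28)):
    """Sources with two Tor contacts roughly a day apart (the delayed second stage)."""
    flagged = set()
    for src, times in contacts.items():
        for i in range(len(times)):
            for j in range(i + 1, len(times)):
                if low <= times[j] - times[i] <= high:
                    flagged.add(src)
    return flagged


def analyse(text):
    """Return {source: sorted finding names} for every source with a finding."""
    events = parse_log(text)
    findings = defaultdict(set)
    for src in detect_smb_fanout(events):
        findings[src].add("smb_fanout")
    contacts = tor_contacts(events)
    for src in contacts:
        findings[src].add("tor_egress")
    for src in detect_delayed_beacon(contacts):
        findings[src].add("delayed_beacon")
    return {src: sorted(names) for src, names in findings.items()}


if __name__ == "__main__":
    for src, names in analyse(SAMPLE_LOG).items():
        print(src, ", ".join(names))
```

Each rule on its own is noisy (a backup server legitimately talks SMB to many hosts; a developer may run a Tor client), so the value is in the combination: a workstation that scans the subnet on port 445, reaches out to Tor, and is contacted again a day later matches the staged behaviour the article describes and is worth isolating for inspection.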
SMB vulnerabilities have been increasingly targeted by hackers recently to launch large-scale attacks. New cyber threats leveraging SMB flaws continue to emerge every day. It is therefore essential that systems be patched immediately to run the most recent and updated version of the operating system.
"The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponise any time he wants, no matter the late patch."