The dangerous NSA-developed EternalBlue exploit against a vulnerability in Microsoft's Server Message Block (SMB) protocol continues to pose a significant threat to many organizations worldwide more than four years after the vendor issued a patch to address the flaw.
The latest example is "Indexsinas," aka "NSABuffMiner," an SMB worm that initially infected organizations in the Asia-Pacific region but has recently begun to more frequently target North American organizations in the healthcare, hospitality, education, and telecommunications sectors.
Security vendor Guardicore, which has been tracking the campaign, says the malware breaches networks through SMB servers that are vulnerable to EternalBlue. It then uses a combination of EternalBlue and two other NSA-developed offensive tools — DoublePulsar and EternalRomance — for lateral movement, obtaining privileged access and installing backdoors on infected networks and systems. The malware has been observed using lateral movement to infect entire networks.
As part of the attack chain, the malware looks for and terminates processes, deletes files, and stops services related to other attack campaigns. The attackers have also been shutting down programs on infected systems that are used for monitoring and process monitoring, Guardicore said in a report this week.
The primary motive of the campaign appears to be to use infected systems for cryptomining purposes. But compromised systems could just as easily be misused in other ways, says Ophir Harpaz, security researcher at Guardicore.
"The actor is dropping backdoors capable of running any payload they wish," she says. The backdoors can be used to deploy other malware, including ransomware, and other droppers that can drop ransomware.
It's also "highly plausible that the actors are using infected machines as infrastructure, possibly for selling access to other threat actors," Harpaz says.
EternalBlue, DoublePulsar, and EternalRomance are part of a much broader tranche of sophisticated attack tools developed by an outfit affiliated with the NSA called the Equation Group. The top-secret tools were designed for use by the NSA for offensive cyber operations against foreign adversaries but ended up getting widely distributed when an outfit called the Shadow Brokers began leaking them in batches between August 2016 and early 2017. The leaks included several zero-day vulnerabilities and exploits. They drew widespread attention to the practice by the NSA and other US three-letter agencies to secretly stockpile vulnerabilities and exploits in widely used technology products for use against adversaries.
EternalBlue was among the most widely abused of the leaked zero-day exploits. The NSA itself reportedly considered the exploit so valuable that it did not reveal the underlying SMB flaw to Microsoft until the agency was forced to after the Shadow Broker's leak.
The exploit basically gives unauthenticated attackers a way to gain remote code execution access to a targeted SMBv1 server by sending it a specially crafted packet. The flaw impacted multiple — mostly older — Windows versions, including Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2012. Because of its severity, Microsoft issued patches for all impacted Windows versions, including those it no longer supported.
Despite Microsoft's fix — and broad warnings about its severity — EternalBlue has been widely used in attacks since 2017 largely because of how slow many organizations have been to address the issue. In fact, barely two months after Microsoft patched the flaws in March 2017, attackers abused tens of thousands of vulnerable SMB servers to distribute WannaCry and NotPetya malware. Since then, EternalBlue has been used in numerous ransomware and other malware campaigns.
Many Systems Remain Unpatched
Guardicore says a Shodan search shows more than 1.2 million Internet-facing SMB servers today. But it's unclear how many of them remain vulnerable to EternalBlue, says Liad Mordekoviz, a security researcher at Guardicore. One reason why many systems likely remain unpatched is because organizations have simply been too intimidated to upgrade to new infrastructure.
"[That] could also be driven by lack of expertise or bandwidth to take on the project, leaving them exposed for quite some time," he says.
Guardicore's threat detection sensors have so far recorded more than 2,000 attacks from over 1,300 different IP addresses located mostly in the US, India, and Vietnam. The actors behind the campaign have been using the same highly protected and secure server in South Korea for command-and-control purposes for the past four years. Since the attackers are mining coins to a private pool, it has not been possible to determine how much cryptocurrency they have mined so far through compromised systems, the security vendor said.
"We do not have an estimate of the number of infected machines, but if more than 1,000 machines scanned our limited number of sensors, then there are most likely thousands — or even tens of thousands — of infected machines worldwide," Harpaz notes.
Guardicore has published a Github repository with all indicators of compromise (IOCs) for the campaign. It has also published a detection tool in PowerShell for organizations to know whether they have been compromised.
Mordekoviz says the main takeaway for organizations is the need for them to update servers and segment networks.
"Updating your servers will help with breaches, while segmenting your network will prevent lateral movement, ensuring that post-breach only a single machine will be compromised as opposed to the entire network," Mordekoviz says.