Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

End of Bibblio RCM includes -->
6/30/2021
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

SMB Worm Targeting EternalBlue Vuln Spreads to US

"Indexsinas" is the latest threat designed to exploit Windows servers that remain vulnerable to an NSA-developed exploit Microsoft patched more than four years ago.



The dangerous NSA-developed EternalBlue exploit against a vulnerability in Microsoft's Server Message Block (SMB) protocol continues to pose a significant threat to many organizations worldwide more than four years after the vendor issued a patch to address the flaw.

The latest example is "Indexsinas," aka "NSABuffMiner," an SMB worm that initially infected organizations in the Asia-Pacific region but has recently begun to more frequently target North American organizations in the healthcare, hospitality, education, and telecommunications sectors.

Related Content:

EternalBlue Longevity Underscores Patching Problem

Special Report: Building the SOC of the Future

New From The Edge: 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

Security vendor Guardicore, which has been tracking the campaign, says the malware breaches networks through SMB servers that are vulnerable to EternalBlue. It then uses a combination of EternalBlue and two other NSA-developed offensive tools — DoublePulsar and EternalRomance — for lateral movement, obtaining privileged access and installing backdoors on infected networks and systems. The malware has been observed using lateral movement to infect entire networks.

As part of the attack chain, the malware looks for and terminates processes, deletes files, and stops services related to other attack campaigns. The attackers have also been shutting down programs on infected systems that are used for monitoring and process monitoring, Guardicore said in a report this week.

The primary motive of the campaign appears to be to use infected systems for cryptomining purposes. But compromised systems could just as easily be misused in other ways, says Ophir Harpaz, security researcher at Guardicore.

"The actor is dropping backdoors capable of running any payload they wish," she says. The backdoors can be used to deploy other malware, including ransomware, and other droppers that can drop ransomware.

It's also "highly plausible that the actors are using infected machines as infrastructure, possibly for selling access to other threat actors," Harpaz says.

EternalBlue, DoublePulsar, and EternalRomance are part of a much broader tranche of sophisticated attack tools developed by an outfit affiliated with the NSA called the Equation Group. The top-secret tools were designed for use by the NSA for offensive cyber operations against foreign adversaries but ended up getting widely distributed when an outfit called the Shadow Brokers began leaking them in batches between August 2016 and early 2017. The leaks included several zero-day vulnerabilities and exploits. They drew widespread attention to the practice by the NSA and other US three-letter agencies to secretly stockpile vulnerabilities and exploits in widely used technology products for use against adversaries.

EternalBlue was among the most widely abused of the leaked zero-day exploits. The NSA itself reportedly considered the exploit so valuable that it did not reveal the underlying SMB flaw to Microsoft until the agency was forced to after the Shadow Broker's leak.

The exploit basically gives unauthenticated attackers a way to gain remote code execution access to a targeted SMBv1 server by sending it a specially crafted packet. The flaw impacted multiple — mostly older — Windows versions, including Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2012. Because of its severity, Microsoft issued patches for all impacted Windows versions, including those it no longer supported.

Despite Microsoft's fix — and broad warnings about its severity — EternalBlue has been widely used in attacks since 2017 largely because of how slow many organizations have been to address the issue. In fact, barely two months after Microsoft patched the flaws in March 2017, attackers abused tens of thousands of vulnerable SMB servers to distribute WannaCry and NotPetya malware. Since then, EternalBlue has been used in numerous ransomware and other malware campaigns.

Many Systems Remain Unpatched
Guardicore says a Shodan search shows more than 1.2 million Internet-facing SMB servers today. But it's unclear how many of them remain vulnerable to EternalBlue, says Liad Mordekoviz, a security researcher at Guardicore. One reason why many systems likely remain unpatched is because organizations have simply been too intimidated to upgrade to new infrastructure.

"[That] could also be driven by lack of expertise or bandwidth to take on the project, leaving them exposed for quite some time," he says.

Guardicore's threat detection sensors have so far recorded more than 2,000 attacks from over 1,300 different IP addresses located mostly in the US, India, and Vietnam. The actors behind the campaign have been using the same highly protected and secure server in South Korea for command-and-control purposes for the past four years. Since the attackers are mining coins to a private pool, it has not been possible to determine how much cryptocurrency they have mined so far through compromised systems, the security vendor said.

"We do not have an estimate of the number of infected machines, but if more than 1,000 machines scanned our limited number of sensors, then there are most likely thousands — or even tens of thousands — of infected machines worldwide," Harpaz notes.

Guardicore has published a Github repository with all indicators of compromise (IOCs) for the campaign. It has also published a detection tool in PowerShell for organizations to know whether they have been compromised.

Mordekoviz says the main takeaway for organizations is the need for them to update servers and segment networks.

"Updating your servers will help with breaches, while segmenting your network will prevent lateral movement, ensuring that post-breach only a single machine will be compromised as opposed to the entire network," Mordekoviz says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
tdsan,
User Rank: Ninja
7/1/2021 | 2:29:09 PM
Disable SMBv1 Functions
# Disable obsolete SMB 1.0 protocol - Disabled by default since 1709
Function DisableSMB1 {
Write-Host "Disabling SMB 1.0 protocol..."
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

This can be used to disable the SMB1 protocol from the system, this can be run from PowerShell or enabled using GroupPolicy, not sure why individuals don't utilize this capability because it is relatively simple to disable.

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows |  Microsoft Docs

Todd
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4252
PUBLISHED: 2022-06-30
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2013-4561
PUBLISHED: 2022-06-30
In a openshift node, there is a cron job to update mcollective facts that mishandles a temporary file. This may lead to loss of confidentiality and integrity.
CVE-2022-2197
PUBLISHED: 2022-06-30
By using a specific credential string, an attacker with network access to the device’s web interface could circumvent the authentication scheme and perform administrative operations.
CVE-2022-28127
PUBLISHED: 2022-06-30
A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.
CVE-2022-32585
PUBLISHED: 2022-06-30
A command execution vulnerability exists in the clish art2 functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.