Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


End of Bibblio RCM includes -->
05:25 PM
Connect Directly

SMB Worm Targeting EternalBlue Vuln Spreads to US

"Indexsinas" is the latest threat designed to exploit Windows servers that remain vulnerable to an NSA-developed exploit Microsoft patched more than four years ago.

The dangerous NSA-developed EternalBlue exploit against a vulnerability in Microsoft's Server Message Block (SMB) protocol continues to pose a significant threat to many organizations worldwide more than four years after the vendor issued a patch to address the flaw.

The latest example is "Indexsinas," aka "NSABuffMiner," an SMB worm that initially infected organizations in the Asia-Pacific region but has recently begun to more frequently target North American organizations in the healthcare, hospitality, education, and telecommunications sectors.

Related Content:

EternalBlue Longevity Underscores Patching Problem

Special Report: Building the SOC of the Future

New From The Edge: 7 Skills the Transportation Sector Needs to Fuel Its Security Teams

Security vendor Guardicore, which has been tracking the campaign, says the malware breaches networks through SMB servers that are vulnerable to EternalBlue. It then uses a combination of EternalBlue and two other NSA-developed offensive tools — DoublePulsar and EternalRomance — for lateral movement, obtaining privileged access and installing backdoors on infected networks and systems. The malware has been observed using lateral movement to infect entire networks.

As part of the attack chain, the malware looks for and terminates processes, deletes files, and stops services related to other attack campaigns. The attackers have also been shutting down programs on infected systems that are used for monitoring and process monitoring, Guardicore said in a report this week.

The primary motive of the campaign appears to be to use infected systems for cryptomining purposes. But compromised systems could just as easily be misused in other ways, says Ophir Harpaz, security researcher at Guardicore.

"The actor is dropping backdoors capable of running any payload they wish," she says. The backdoors can be used to deploy other malware, including ransomware, and other droppers that can drop ransomware.

It's also "highly plausible that the actors are using infected machines as infrastructure, possibly for selling access to other threat actors," Harpaz says.

EternalBlue, DoublePulsar, and EternalRomance are part of a much broader tranche of sophisticated attack tools developed by an outfit affiliated with the NSA called the Equation Group. The top-secret tools were designed for use by the NSA for offensive cyber operations against foreign adversaries but ended up getting widely distributed when an outfit called the Shadow Brokers began leaking them in batches between August 2016 and early 2017. The leaks included several zero-day vulnerabilities and exploits. They drew widespread attention to the practice by the NSA and other US three-letter agencies to secretly stockpile vulnerabilities and exploits in widely used technology products for use against adversaries.

EternalBlue was among the most widely abused of the leaked zero-day exploits. The NSA itself reportedly considered the exploit so valuable that it did not reveal the underlying SMB flaw to Microsoft until the agency was forced to after the Shadow Broker's leak.

The exploit basically gives unauthenticated attackers a way to gain remote code execution access to a targeted SMBv1 server by sending it a specially crafted packet. The flaw impacted multiple — mostly older — Windows versions, including Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2012. Because of its severity, Microsoft issued patches for all impacted Windows versions, including those it no longer supported.

Despite Microsoft's fix — and broad warnings about its severity — EternalBlue has been widely used in attacks since 2017 largely because of how slow many organizations have been to address the issue. In fact, barely two months after Microsoft patched the flaws in March 2017, attackers abused tens of thousands of vulnerable SMB servers to distribute WannaCry and NotPetya malware. Since then, EternalBlue has been used in numerous ransomware and other malware campaigns.

Many Systems Remain Unpatched
Guardicore says a Shodan search shows more than 1.2 million Internet-facing SMB servers today. But it's unclear how many of them remain vulnerable to EternalBlue, says Liad Mordekoviz, a security researcher at Guardicore. One reason why many systems likely remain unpatched is because organizations have simply been too intimidated to upgrade to new infrastructure.

"[That] could also be driven by lack of expertise or bandwidth to take on the project, leaving them exposed for quite some time," he says.

Guardicore's threat detection sensors have so far recorded more than 2,000 attacks from over 1,300 different IP addresses located mostly in the US, India, and Vietnam. The actors behind the campaign have been using the same highly protected and secure server in South Korea for command-and-control purposes for the past four years. Since the attackers are mining coins to a private pool, it has not been possible to determine how much cryptocurrency they have mined so far through compromised systems, the security vendor said.

"We do not have an estimate of the number of infected machines, but if more than 1,000 machines scanned our limited number of sensors, then there are most likely thousands — or even tens of thousands — of infected machines worldwide," Harpaz notes.

Guardicore has published a Github repository with all indicators of compromise (IOCs) for the campaign. It has also published a detection tool in PowerShell for organizations to know whether they have been compromised.

Mordekoviz says the main takeaway for organizations is the need for them to update servers and segment networks.

"Updating your servers will help with breaches, while segmenting your network will prevent lateral movement, ensuring that post-breach only a single machine will be compromised as opposed to the entire network," Mordekoviz says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/1/2021 | 2:29:09 PM
Disable SMBv1 Functions
# Disable obsolete SMB 1.0 protocol - Disabled by default since 1709
Function DisableSMB1 {
Write-Host "Disabling SMB 1.0 protocol..."
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

This can be used to disable the SMB1 protocol from the system, this can be run from PowerShell or enabled using GroupPolicy, not sure why individuals don't utilize this capability because it is relatively simple to disable.

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows |  Microsoft Docs

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file