EternalRocks worm combines seven leaked NSA attack tools

Hard on the heels of the WannaCry ransomware attacks, a researcher has found a worm that combines four NSA exploits and associated attack tools, including EternalBlue, which was used by WannaCry.

EternalRocks is a worm that uses four server message block (SMB) exploits and three other attack tools developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers hacking group.

Although it has yet to be weaponised, security experts are concerned that EternalRocks, also known as MicroBotMassiveNet, could have a much greater impact than WannaCry once it is.

The biggest concern is that attacks such as EternalRocks can spread even more quickly in the cloud, where many organisations have no visibility into their workloads or network traffic.

EternalRocks was discovered and named by Miroslav Stampar, a security researcher and member of the Croatian government’s computer emergency response team (Cert), who captured a sample of the worm in a Windows 7 honeypot he runs.

The discovery of the worm confirms speculation that WannaCry was likely to be the first of many other attacks to emerge based on the leaked NSA exploits.

The attack is believed to have been live since 3 May 2017, which pre-dates the spread of the WannaCry ransomware that uses the EternalBlue NSA exploit.

According to Stampar’s GitHub post, EternalRocks spreads through the NSA SMB exploits EternalBlue, EternalChampion, EternalRomance and EternalSynergy, along with related attack tools DoublePulsar, ArchiTouch and SMBTouch.

Stampar said EternalRocks currently has no payload or malicious component, but is simply spreading itself using a two-stage process that takes place over a 24-hour period.

The first stage infects vulnerable computers running the Windows operating system that have not been patched to fix the MS17-010 vulnerability, which is also exploited by WannaCry.

This stage also downloads some .NET components and drops an executable file that is used to download and run the Tor anonymous web browser and for command and control (C2) communications.

In the second stage, the Tor browser is used to download another executable file from a .onion domain after 24 hours, which, in turn, downloads the NSA exploits.

Security commentators say the 24-hour pause may be aimed at evading analysis and defeating sandboxing technology designed to isolate any activity that appears to be malicious or anomalous.

The worm then starts randomly scanning the internet for open SMB ports (445), running the exploits it contains and pushing the first-stage malware through payloads.
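In flow logs, the random port 445 scanning described above appears as one internal host contacting many distinct external addresses over SMB within a short time. The following detection sketch is an added example, not code from the article or from Stampar's analysis; the log format, window and threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(seconds=60)  # assumed tuning value, not from the article
THRESHOLD = 20                  # assumed: distinct external SMB destinations per window

def is_internal(addr):
    return any(addr in net for net in INTERNAL)  # RFC 1918 = inside, all else = internet

def parse(lines):
    """Yield (time, src, dst, dport) from 'ISO8601 src dst dport' lines; skip malformed ones."""
    for line in lines:
        try:
            ts, src, dst, dport = line.split()
            yield (datetime.fromisoformat(ts), ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(dport))
        except ValueError:
            continue

def smb_scanners(lines):
    """Return {src: peak distinct external port-445 destinations within WINDOW} for flagged hosts."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        if dport == 445 and is_internal(src) and not is_internal(dst):
            per_src[str(src)].append((ts, str(dst)))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        seen, start, peak = Counter(), 0, 0
        for ts, dst in events:
            seen[dst] += 1
            while ts - events[start][0] > WINDOW:    # slide the window forward
                seen -= Counter([events[start][1]])  # in-place subtraction drops zero counts
                start += 1
            peak = max(peak, len(seen))
        if peak >= THRESHOLD:
            flagged[src] = peak
    return flagged

def constructed_sample():
    """Constructed records, not real telemetry: one sweeping host and one normal SMB client."""
    stamp = lambda i: (datetime(2017, 5, 22, 10) + timedelta(seconds=i)).isoformat()
    sweep = [f"{stamp(i)} 10.0.5.23 198.51.100.{i + 1} 445" for i in range(30)]
    normal = [f"{stamp(i)} 10.0.5.40 10.0.1.10 445" for i in range(30)]
    return sweep + normal + ["truncated record"]

if __name__ == "__main__":
    print(smb_scanners(constructed_sample()))
```

A sweep spread thinly over hours stays under a short-window threshold, so this check is best paired with a longer-window count of the same metric.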

Security commentators say that although EternalRocks has not yet exhibited any malicious activity, it appears to be designed to establish a launchpad for future attacks using the NSA exploits.

Varun Badhwar, CEO and co-founder of security firm RedLock, said only organisations with strong network visibility and monitoring tools will be able to automatically detect and block network traffic on non-standard ports such as 445 and 8333, which have been used to launch attacks such as WannaCry, EternalRocks and others. 

“The EternalRocks attack is being launched from the internet, whereby the culprits are scanning for machines open on these ports, which are non-standard,” said Badhwar. 

“With more and more businesses moving their IT infrastructure to the cloud, securing that infrastructure is critical, and the reality is that traditional security solutions just don’t cut it.”

According to Badhwar, organisations need to look to cloud-native approaches that can keep up with the cloud’s rate of change, and enable them to rapidly investigate, contain and respond to security incidents within hours, not months or years, as is the case today.

“Everyone must operate under the assumption that they will get breached some day, and prepare for those scenarios in advance,” he said. “Emerging technologies today are enabling companies to gain this holistic visibility and security controls into their cloud environments.”

The best advice to guard against malware exploiting Microsoft vulnerabilities is to stay on top of all patch releases and apply them quickly, and, if at all possible, replace older Windows systems with the latest versions, according to a Sophos Naked Security blog post.
