igor - Fotolia
NSA cyberweapons continue to be repackaged by malicious actors, but it is as yet unclear what the ultimate aim of EternalRocks might be aside from infecting as many systems as possible.
The WannaCry ransomware worm spread to more than 300,000 systems in less than one week by using the EternalBlue and DoublePulsar NSA cyberweapons to gain access and propagate, respectively. However, the EternalRocks malware incorporates a total of seven NSA cyberweapons.
EternalRocks was discovered by Miroslav Stampar, IT security advisor and expert for the Croatian Government CERT, who caught the infection in an SMB honeypot. After analyzing the malware, Stampar found it used four SMB exploits developed by the NSA -- EternalBlue, EternalChampion, EternalRomance and EternalSynergy -- to gain access; two NSA tools were used for SMB reconnaissance operations -- SMBTouch and ArchiTouch -- and DoublePulsar was used to propagate the infection.
According to Stampar, EternalRocks runs a multistage process starting with EternalBlue to infect a system, contact a command and control server (C&C) via Tor and install additional components.
"After initial run it drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on [the] internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/)," Stampar wrote in a GitHub post. "Also, it expects running Tor process from first stage to get further instructions from C&C."
Stampar said the exploit pack includes the other NSA cyberweapons and DoublePulsar to spread the infection.
Somebody actually used complete Shadowbrokers dump (SMB part) and made a worm out of it. Uses WannaCry names (taskhost/svchost) to distract— Miroslav Stampar (@stamparm) May 18, 2017
However, EternalRocks appears to be setting up persistent access to systems and propagating with no ransomware or data exfiltration happening yet.
Brian Vecci, technical evangelist at Varonis, said all of this is "potentially indicative of a much more sophisticated attacker."
"Adylkuzz was around for a while using the same exploits as WannaCry, but nobody noticed because it wasn't making any noise. That's even more dangerous than ransomware since it doesn't call out the problems -- the glaring security holes -- that were being taken advantage of," Vecci told SearchSecurity. "By not delivering any actual malware, EternalRocks may be even more successful in spreading and setting up a more damaging attack later."
Jonathan Sander, CTO at STEALTHbits Technologies, said whatever the next step may be for EternalRocks, it could be very dangerous.
Jonathan SanderCTO, STEALTHbits Technologies
"Having a backdoor into one place with good data is useful," Sander told SearchSecurity. "Having backdoors into thousands of places where you can do many things is a botnet in waiting."
Michael Patterson, CEO of Plixer, said because of the stealthiness of EternalRocks, enterprises that are remediating SMB flaws need to remember that "once a device is infected, applying a subsequent patch does not remove the malware."
"The most effective way for security teams to monitor for any infected devices is to leverage network traffic analytics to look for any historical Tor connections leaving the organization," Patterson told SearchSecurity. "Organizations must constantly monitor their environments for anomalous behaviors, maintain a historical forensic database, and have a well-defined storage backup and recovery process for all critical data."
John Bambenek, threat research manager at Fidelis Cybersecurity, said remediating the SMB flaws exploited by the NSA cyberweapons is only step one.
"Enterprises should disable SMBv1, prohibit all SMB across network boundaries, and run fully patched and supported operating systems. That said, what concerns me now isn't a resurgence of WannaCry (or worse) using the last NSA exploits," Bambenek told SearchSecurity. "The window of opportunity for those exploits is closing. What concerns me is what exploits Shadow Brokers are sitting on and what comes next."
Concern for unknown NSA cyberweapons
Microsoft and others have criticized the NSA for not disclosing in a timely manner the vulnerabilities it was using to build its exploits and now experts are concerned with any other NSA cyberweapons might still be unreleased by the Shadow Brokers.
Owen Connolly, vice president of services at IOActive, said knowing how to mitigate the SMB threats is an advantage.
"It's much easier to defend against an enemy you know. We now know what's coming and we have the capabilities to defend against it, but we need to ensure that we put those defenses in place," Connolly told SearchSecurity. "I'm much more concerned about what's going to come out of the next set to be dropped."
Paul Calatayud, CTO at FireMon, said with or without the dump of NSA cyberweapons, IT pros need to be ready for attacks.
"Any great cybersecurity expert and leader is operating as normal when it comes to these new attacks. Zero-day exploits such as the ones developed by NSA are being developed on a daily basis," Calatayud told SearchSecurity. "The difference here is the mass consumption of this exploit causing far greater frequency of attacks, but the bigger point is these attacks have and will continue, and good network defenders have already been planning for these attacks long before they became commonplace."
Sander also said he wasn't too concerned whether the next threat arises from NSA tools or not.
"NSA cyberweapons are just one brand among many," Sander said. "When there's a gun to my head I'm not worried about if it's a Colt versus a Beretta, I'm just worried about getting shot."
Learn about the security features driving Windows 10 adoption.
Find out how to create an ideal Windows 10 security setup.
Get info on 10 control areas to mitigate malware attacks.