2017-05-30

Another cyber worm, built from the tools stolen from NSA, is loose on the Internet

WannaCry was just one of the many exploit platforms stolen from NSA that are now roaming on the Internet. The EternalRocks worm uses the same SMB vulnerabilities as WannaCry, plus three other attack vectors. It has not been weaponized yet, meaning that no malicious payload has been added to it, but it has apparently been infecting Internet-connected computers since 3 May.

The EternalRocks worm is an ideal platform that cyber attackers can use to prepare a target for more malicious effects. The behaviour of the worm is as follows:

  • In the first stage, the worm uses an SMB vulnerability to install itself on the computer. It also downloads .NET components and the TOR browser, together with a C2 (command-and-control) communications node.
  • Then it remains passive for 24 hours to avoid detection or analysis by sandboxing (sandboxing is typically used as a virtual isolation layer between the Internet and closed networks, to monitor a downloaded program for malevolent behaviour).
  • In the second stage, the worm uses the TOR browser to download more executable files. It then starts a random scan for open SMB ports on the network it is connected to. Once it detects a vulnerable target, it pushes the first-stage exploitation to it.

EternalRocks is such a clandestine worm that its traffic will only be detected with strong network visibility and monitoring tools.
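As an added illustration (not from the original post), the following Python script shows the kind of network-visibility check the scanning stage above calls for: it parses connection records and flags any internal host that reaches an unusually large number of distinct destinations on TCP/445 within a short window. The log format, addresses and thresholds are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records (timestamp src dst dport), invented for this example,
# not EternalRocks telemetry: 10.0.1.25 fans out on TCP/445 like a scanner; 10.0.1.40 does not.
SAMPLE_LOG = """\
2017-05-05T10:00:01 10.0.1.25 10.0.2.11 445
2017-05-05T10:00:01 10.0.1.25 10.0.7.93 445
2017-05-05T10:00:02 10.0.1.25 10.0.9.4 445
2017-05-05T10:00:02 10.0.1.25 10.0.5.120 445
2017-05-05T10:00:03 10.0.1.25 10.0.6.200 445
2017-05-05T10:00:04 10.0.1.25 172.16.0.9 445
2017-05-05T10:00:05 10.0.1.25 10.0.8.31 445
2017-05-05T10:00:09 10.0.1.25 10.0.3.14 445
2017-05-05T10:00:20 10.0.1.40 10.0.2.11 445
2017-05-05T10:07:00 10.0.1.40 10.0.2.13 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed record: skip rather than crash the detector
    ts, src, dst, dport = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def find_smb_scanners(log_text, window_seconds=60, min_targets=8):
    """Return {src: peak distinct TCP/445 destinations in any sliding window} for sources reaching min_targets."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == 445:
            by_src[rec[1]].append((rec[0], rec[2]))
    window, flagged = timedelta(seconds=window_seconds), {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past events that are too old
            peak = max(peak, len({d for _, d in events[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB targets within 60s")
```

The thresholds should be tuned to the network's normal file-sharing fan-out; a legitimate file server client rarely touches many distinct hosts on port 445 within seconds.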

The military should be careful to ensure that their Internet-connected Microsoft operating systems are kept updated, and that a strong monitoring and analysis function is in place.
