SecurityBrief Asia logo
Story image

Here's why WannaCry might be the tip of the iceberg

07 Jun 2017

The attack on 200,000 plus computers across more than 120 countries around the world by the WannaCry ransomware certainly got the attention of governments, media, consumers and law enforcement. But the actual impact could have been so much worse.

Much ink is still being expended trying to determine who was responsible and what their motives were and many believe this might have been the act of inexperienced hackers who lost control of their creation. Certainly, at the time of writing, none of the ransom has been collected from the bitcoin accounts victims were encouraged to send their money too.

But while WannaCry could have been so much worse in impact, what is clear is that the base exploit code it uses was part of a batch stolen by Shadow Brokers in April 2017 from the US National Security Agency’s (NSA) Equation Group and potentially last month’s attack could be just the tip of the iceberg.

Earlier in May 2017 CERT EU (The EU’s Computer Emergency Response Team) reported on a worm identified in the wild which has reportedly spread using exploit code leaked by Shadow Brokers in a similar fashion to WannaCry. CERT EU referred to this malware as "BlueDoom", but its internal name was reportedly "EternalRocks".

In addition to the EternalBlue Server Message Block (SMB) exploit used by WannaCry, EnternalRocks has reportedly also employed at least three additional exploits leaked by the Shadow Brokers: EternalChampion, EternalRomance and EternalSynergy as part of its propagation process.

All three of these exploits were developed to target SMB remote code execution vulnerabilities in Windows XP, all of which were patched in Microsoft's Apr 2017 MS17-010 release. However, unlike WannaCry, following a successful exploitation and subsequent deployment of the DOUBLEPULSAR backdoor on an infected machine the malware has reportedly not deployed any additional payload.

Why no payload is being deployed is unclear but we can speculate that EternalRocks was likely intended to be used to establish a presence on a large number of machines in order to facilitate the deployment of second-stage payloads sometime later. What that payload might be and what its function is are not clear and it remains to be seen how the actors responsible for developing this worm will exploit their access to infected machines.

What is clear is that this development highlights that the Eternal suite of Equation Group exploits and other technical assets leaked by the Shadow Brokers will almost certainly continue to pose a threat beyond WannaCry. Users and organisations which have not already implemented the relevant Microsoft patches and mitigations on the back of EternalBlue are advised to do so quickly.

Article by Rick Holland, vice president, Strategy, Digital Shadows.

Story image
Why a more secure organisation is a collective responsibility
With vast volumes of data moving to the cloud, many IT professionals are frequently challenged to protect their enterprise environment, and there is a greater focus being placed on advancing cybersecurity strategies.More
Story image
Cohesity appoints its very first CISO
In the newly created role, new appointee Brian Spanswick will focus on advancing and optimising IT and security for Cohesity and its customers, the company says.More
Story image
WatchGuard uncovers top cyber threat trends of Q4 2020
“The rise in sophisticated, evasive threat tactics last quarter and throughout 2020 showcases how vital it is to implement layered, end-to-end security protections."More
Story image
AvePoint brings Salesforce Cloud Backup to channel partners
The product adds to the AvePoint suite of trusted Cloud Backup for Microsoft 365 and Dynamics 365 to provide managed service providers with backup and restore capabilities across multiple, popular SaaS providers.More
Story image
COVID-19-themed threats, Powershell malware continue surge
“The world—and enterprises—adjusted amidst pandemic restrictions and sustained remote work challenges, while security threats continued to evolve in complexity and increase in volume."More
Story image
97% of organisations experienced a mobile threat in 2020 — report
93% of these attacks originated in a device network, which includes attempts to trick users into installing a malicious payload via infected websites or URLs, or to steal users’ credentials.More