BoogyMan
05-23-2017, 07:49 PM
The NSA has some explaining to do. The latest SMB-based threat uses 7 of the tools leaked from the NSA, unlike WannaCry, which leveraged only 2. With The Shadow Broker group planning to release a new tool each month starting next month, this is likely to be an ugly year for folks in my line of work. (https://www.infosecurity-magazine.com/news/eternalrocks-worm-uses-7-nsa-tools/)
A Croatian researcher has uncovered a new worm that employs seven leaked NSA hacking tools to do its thing. It presents a potential threat that could have far worse consequences than WannaCry, even though it shares characteristics with the now-infamous ransomware.
It is, so far, not weaponized—but it could be at any moment, according to Miroslav Stampar, who is a member of the Croatian Government CERT. For now, it’s just code that propagates itself, but the C&C servers can send infected machines whatever command they choose at any time, including commands to download additional malware.
"The worm is racing with administrators to infect machines before they patch," Stampar told Bleeping Computer. "Once infected, he can weaponize any time he wants, no matter the late patch."
EternalRocks targets computers that have exposed, unpatched SMB ports (of which there are many), and infects them using six unique NSA tools: EternalBlue, EternalChampion, EternalRomance and EternalSynergy for initial compromise; and SMBTouch and ArchiTouch for SMB reconnaissance. The seventh tool, DoublePulsar, is used to spread to new machines and remains on infected ones as an implant. It is open by default, meaning that other bad actors can use DoublePulsar as a backdoor for any of the machines it has infected....