Satisnet Ltd, Basepoint Innovation Centre, 110 Butterfield Great Marlings, Luton, Bedfordshire, LU2 8DL enquiry@satisnet.co.uk
+44 (0) 1582 434320

Eternal Rocks To Use Seven Exploits in Comparison to WannaCry's Two

Eternal Rocks To Use Seven Exploits in Comparison to WannaCry's Two

Eternal Rocks To Use Seven Exploits in Comparison to WannaCry's Two

Cybersecurity researchers have discovered a new exploit which uses seven of the NSA’s leaked exploits. “EternalRocks”, a new malware, uses the exploits first discovered by the National security agency, experts are describing this malware as “doomsday” which can strike anytime.

Forget Wannacry

A popular ransomware attack launched earlier this month “WannaCry” afflicted organisations, schools and hospitals across the world, spreading over to the 300, 000 computers. This ransomware used two of the NSA exploits leaked by Shadow Brokers- a hacker group which first appeared in 2016 publishing several leaks containing hacking tools from NSA. Wannacry used the exploit EternalBlue (exploits vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol) and DoublePulsar (a Trojan which opens the backdoor on the compromised computer).

The EternalRocks, uses EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch, these are all the exploits leaked by the ShadowBrokers group. Miroslva Stamper, a cybersecurity expert from Croatia Cert, said he found this hack after it infected its honeypot.

Documents

Figure 1 Content of ShadowBrokers.zip

These tools exploit vulnerabilities with standard file sharing technology called Microsoft Windows Server Message Block, used by PC’s. Microsoft patched these vulnerabilities in March however the machines not patched and outdated were at risk.

Researchers have identified that EternalRocks will stay hidden, once it is in a computer, it will download the Tor’s private browser and send a signal to its hidden servers. This is unlike wannacry which locked the computer and alerted victims they have been infected by ransomware.

For first 24 hours, this exploit does nothing, after a day the hidden server responds and starts downloading and self-replicating. This means the security researchers who want more information and analyse the malware will be delayed by a day, hence making this even stealthier.

Due to this exploits quiet nature, it is not yet clear how many computers have been infected and it is also unclear what this can be weaponised into. A security firm Plixer said that this worm could easily be turned into ransomware or Trojan for banking.