What we know so far
The WannaCry ransomware worm outbreak from last Friday week used just one of the leaked NSA exploit tools, ETERNALBLUE, which exploits vulnerabilities in the SMBv1 file sharing protocol.
On Wednesday security researcher Miroslav Stampar, member of the Croatian Government CERT, who created infamous sqlmap (SQL injection pentesting tool), detected a new self-replicating worm which also spreads via several SMB vulnerabilities. This worm, dubbed EternalRocks uses seven leaked NSA hacking tools to infect a computer via SMB ports exposed online.
Unlike WannaCry, EternalRocks has no kill switch to stop the code from executing. It uses some files with the same names as WannaCry to try to fool security researchers into thinking it is WannaCry.
Get a Free Data Risk Assessment
EternalRocks analysis
- Spreads via SMB ports exposed online
- SMB reconnaissance tools SMBTOUCH and/or ARCHITOUCH are used to scan for open SMB ports on the public internet
- If open ports are found then one of 4 SMB exploit tools, which target different vulnerabilities in the Microsoft SMB file sharing protocol, are used to get inside the network:
- ETERNALBLUE (SMBv1 exploit tool)
- ETERNALCHAMPION (SMBv2 exploit tool)
- ETERNALROMANCE (SMBv1 exploit tool)
- ETERNALSYNERGY (SMBv3 exploit tool)
- Once inside EternalRocks downloads the Tor web browser, which supposedly*allows you to browse the web anonymously and access sites hosted on the Dark Web which cannot be accessed from normal web browsers like Chrome, IE, or Firefox.
- Downloads .net components which will be used later
- Tor connects to a C&C server on the Dark Web
- After a delay, currently set to 24 hours, the C&C server responds and an archive containing the 7 SMB exploits are downloaded. This delay is likely to avoid sandboxing techniques
- Next the worm scans the internet for open SMB ports – to spread the infection to other organizations.
*It is questionable just how anonymous Tor really is considering that almost everyone involved in developing Tor was funded by the US Government.
The Good News
EternalRocks does not appear to have been weaponized (yet). No malicious payload – like ransomware – is unleashed after infecting a computer.
The Bad News
Even if SMB patches are retroactively applied machines infected by the EternalRocks worm are left remotely accessible via the DOUBLEPULSAR backdoor trojan. The DOUBLEPULSAR (backdoor trojan) installation left behind by EternalRocks is wide open. Whether on purpose or not the result is that other hackers could use DOUBLEPULSAR to access machines infected by EternalRocks.
What you should do
Block external access to SMB ports on the public internet\
- Patch all SMB vulnerabilities
- Block access to C&C servers (ubgdgno5eswkhmpy.onion) and block access to Torproject.org while you are at it
- Monitor for any newly added scheduled tasks
- A DOUBLEPULSAR detection script is available on Github
- Make sure DatAlert Analytics is up to date monitoring your organization for insider threats
For detailed information on EternalRocks check out the repository setup by Stampar a few days ago on GitHub.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.