The EternalBlue vulnerabilities, which were stolen from the NSA and used in the recent WannaCry ransomware campaign, are being leveraged to distribute a wide range of other malware, including cryptocurrency miners and Remote Access Trojans.
On May 12, the date of the WannaCry ransomware attack, Cyphort Labs researchers uncovered a separate attack leveraging EternalBlue, which dates back at least to May 3.
"We initially thought this is WannaCry, but upon further investigation, we discovered a stealthier Remote Access Trojan," Cyphort's Paul Kimayong wrote in a blog post. "Unlike WannaCry, this threat infects only once and does not spread. It is not a worm."
According to Cyphort, while the malware may not appear as destructive as WannaCry, it has the potentially to be even more dangerous. "The main payload is a RAT, and we all know what can happen once a malicious hacker gets inside your enterprise," Kimayong wrote.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
The researchers believe the group behind the RAT is the same one responsible for the Mirai botnet.
WannaCry may have been a gift in one sense, Kimayong suggested -- its high profile forced companies to become aware of the risks from the EternalBlue exploit, and to take action. "What will hurt you the most are those things that you did not see coming," he wrote.
"Like other cryptocurrencies, Monero increases market capitalization through the process of mining," the researchers wrote. "This process is computationally intensive but rewards miners with funds in the mined currency, currently 7.58 Moneros or roughly $205 at current exchange rates."
"Initial statistics suggest that this attack may be larger in scale than WannaCry: because this attack shuts down SMB networking to prevent further infections with other malware (including the WannaCry worm) via that same vulnerability, it may have in fact limited the spread of [the] WannaCry infection," the researchers wrote.
According to Proofpoint, the Adylkuzz campaign dates back at least to May 2 and possibly to April 24. "This attack is ongoing and, while less flashy than WannaCry, is nonetheless quite large and potentially quite disruptive," the researchers wrote.
China's National Computer Virus Emergency Response Center (CVERC) and software company AsiaInfo are separately warning of the UIWIX ransomware, which also exploits the EternalBlue vulnerabilities to infect systems and spread within networks, Xinhua reports.
Trend Micro researchers reported that UIWIX appears to be fileless. "Fileless infections don't entail writing actual files/components to the computer's disks, which greatly reduces its footprint and in turn makes detection trickier," the researchers wrote.
"UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox," the researchers added. "Based on UIWIX's code strings, it appears to have routines capable of gathering the infected system's browser login, File Transfer Protocol (FTP), email and messenger credentials."
To protect against WannaCry, UIWIX and other threats leveraging EternalBlue, Trend Micro advises users to take the following steps:
- Patch and update your systems, and consider using virtual patching
- Enable your firewalls as well as intrusion detection and prevention systems
- Proactively monitor and validate traffic going in and out of the network
- Implement security mechanisms for other points of entry attackers can use, such as email and websites
- Deploy application control to prevent suspicious files from executing on top behavior monitoring that can thwart unwanted modifications to the system
- Employ data categorization and network segmentation to mitigate further exposure and damage to data