Security researcher Miroslav Stampar has found a new malware variant that uses all seven leaked US National Security Agency hacking tools and is capable of spreading by exploiting vulnerabilities in the Windows SMB file-sharing protocol.
The WannaCry strain that caused global disruption on 12 May used only two of the leaked NSA exploits and included a kill-switch that a researcher activated, bringing to a stop a spread that had caused the shutdown of 20 per cent of the UK National Health Service.
But Stampar, who is part of the Croatian Government CERT, discovered the network worm EternalRocks, which is much more impactful than WannaCry and has no kill-switch. And unlike WannaCry, the new variant hides its function to ensure it remains undetected after it is deployed on a victim's computer.
EternalBlue uses two SMBv1 exploit tools, an SMBv2 exploit tool, an SMBv3 exploit tool, two SMB reconnaissance tools and a backdoor Trojan. The reconnaissance tools are designed to scan for all open SMB ports on the public internet. The other exploits compromise the individual Windows computer.
The backdoor Trojan spreads the worm from the infected computer to other unpatched computers on the same network.
The new strain masks itself as WannaCry to fool security experts, but gains control of the affected computer instead of launching an initial ransomware attack. Stampar said that once the hacker gains control of the command-and-control server, the malware waits 24 hours to avoid sandboxing techniques.
Sandboxing is a technique security teams use to isolate running programs, so that untested programs, websites, code and the like can be executed and killed without risking harm to the host computer or network. But Stampar said that EternalBlue sidesteps sandboxing, which makes the worm undetectable.
All healthcare providers running on outdated Windows systems need to deploy the patches released by Microsoft in March to prevent a successful EternalBlue attack. Microsoft has also warned users to consider blocking legacy protocols on their networks, in response to the WannaCry attack.
As EternalBlue leverages a greater number of exploits, these warnings apply to this newest strain.
“Some of the observed attacks use common phishing tactics, including malicious attachments,” officials said.
“Customers should use vigilance when opening documents from untrusted or unknown sources.”