
WannaCry might be the tip of the iceberg

Comment Article by Rick Holland, Vice President, Strategy, Digital Shadows


PR-Inside.com: 2017-06-06 09:58:28
The WannaCry ransomware attack, which hit more than 200,000 computers in over 120 countries, certainly got the attention of governments, media, consumers and law enforcement. But the actual impact could have been far worse.

Much ink is still being expended trying to determine who was responsible and what their motives were, and many believe this may have been the work of inexperienced attackers who lost control of their creation. Certainly, at the time of writing, none of the ransom has been withdrawn from the bitcoin wallets victims were told to pay into.

But while WannaCry's impact could have been far worse, what is clear is that the exploit it spreads with came from the batch of tooling, attributed to the US National Security Agency's (NSA) Equation Group, that the Shadow Brokers published in April 2017, and last month's attack could be just the tip of the iceberg.

In May 2017 CERT-EU (the EU's Computer Emergency Response Team) reported on a worm found in the wild that spreads using exploit code leaked by the Shadow Brokers, in a similar fashion to WannaCry. CERT-EU referred to this malware as "BlueDoom"; the name it carries internally is reportedly "EternalRocks".

In addition to the EternalBlue Server Message Block (SMB) exploit used by WannaCry, EternalRocks has reportedly also employed at least three further exploits leaked by the Shadow Brokers, EternalChampion, EternalRomance and EternalSynergy, as part of its propagation process.

All three of these exploits target remote code execution vulnerabilities in Microsoft's SMBv1 implementation, and all were addressed by the MS17-010 security update Microsoft released in March 2017 (Microsoft later issued out-of-band MS17-010 packages for unsupported systems such as Windows XP after WannaCry). However, unlike WannaCry, after successful exploitation and deployment of the DOUBLEPULSAR backdoor on an infected machine, the malware has reportedly not installed any additional payload.

Why no payload is being deployed is unclear, but we can speculate that EternalRocks was intended to establish a presence on a large number of machines in order to facilitate the deployment of second-stage payloads at some later time. What that payload might be and what it would do are not clear, and it remains to be seen how the actors behind this worm will use their access to infected machines.

What is clear is that this development highlights that the Eternal suite of Equation Group exploits, and the other technical assets leaked by the Shadow Brokers, will almost certainly continue to pose a threat beyond WannaCry. Users and organizations that have not already applied the MS17-010 update and the related mitigations (disabling the SMBv1 server and blocking inbound TCP port 445 at the perimeter) are advised to do so quickly.
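The check a Windows administrator would run to act on that advice, as an added example that is not part of the article or of Digital Shadows' tooling: it reports whether an MS17-010 KB is installed, the version of the SMB server driver (the file MS17-010 replaces), whether the SMBv1 server is enabled, and whether the host firewall allows inbound TCP/445, and with -Remediate it disables the SMBv1 server. The KB IDs are the ones published in the MS17-010 bulletin and the May 2017 out-of-band package and should be verified against the bulletin for your OS; later cumulative rollups supersede them, so "not found" means "verify", not "vulnerable". The script assumes the Get-SmbServerConfiguration and Get-NetFirewall* cmdlets, present on Windows 8 / Server 2012 and later, and falls back to the LanmanServer registry value on Windows 7 / Server 2008 R2.

```powershell
<#
  Added example (not from the article): MS17-010 exposure check for one host.
  Run from an elevated PowerShell prompt. Read-only unless -Remediate is given.
#>
[CmdletBinding()]
param([switch]$Remediate)

# KB IDs from the MS17-010 bulletin (March 2017) and the May 2017 out-of-band
# package for out-of-support systems (assumption: verify against the bulletin).
$Ms17010Kbs = @(
    'KB4012598',                            # Vista / Server 2008; out-of-band XP / 2003 / 8
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)
$Smb1RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Kb {
    # Later rollups supersede these KBs, so "not found" is "verify", not "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    $result = if ($found.Count) { $found -join ', ' } else { 'not found (compare srv.sys with the bulletin)' }
    [pscustomobject]@{ Check = 'MS17-010 KB installed'; Result = $result }
}

function Get-SmbServerDriverVersion {
    # srv.sys is the SMBv1 server driver that MS17-010 replaces; its version is the
    # authoritative signal once KB numbers have been superseded by rollups.
    $srv = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $ver = if (Test-Path $srv) { (Get-Item $srv).VersionInfo.FileVersion } else { 'srv.sys not present (SMBv1 removed)' }
    [pscustomobject]@{ Check = 'srv.sys version'; Result = $ver }
}

function Test-Smb1ServerEnabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2: SMBv1 is on unless the SMB1 value exists and is 0.
        $v = (Get-ItemProperty -Path $Smb1RegKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $v) -or ($v -ne 0)
    }
    [pscustomobject]@{ Check = 'SMBv1 server enabled'; Result = $enabled }
}

function Test-Inbound445Allowed {
    # A disabled firewall profile, or any enabled inbound Allow rule covering TCP/445
    # (or all ports), means the SMB path the Eternal* exploits use is reachable.
    $profileOff = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue | Where-Object { -not $_.Enabled }).Count -gt 0
    $rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -eq 'Any' -or $_.LocalPort -contains '445') }
    # Port ranges such as '440-450' are not parsed here; review those rules by hand.
    [pscustomobject]@{ Check = 'Inbound TCP/445 allowed'; Result = ($profileOff -or (@($rules).Count -gt 0)) }
}

$report = @(
    (Test-Ms17010Kb),
    (Get-SmbServerDriverVersion),
    (Test-Smb1ServerEnabled),
    (Test-Inbound445Allowed)
)
$report | Format-Table -AutoSize

if ($Remediate) {
    # Disabling the SMBv1 server removes the attack surface of EternalBlue, EternalChampion,
    # EternalRomance and EternalSynergy, but is not a substitute for installing MS17-010.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $Smb1RegKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Warning 'SMBv1 server disabled; reboot to complete. Apply MS17-010 regardless.'
}
```

Run it as `.\Check-Ms17010.ps1` for the report and `.\Check-Ms17010.ps1 -Remediate` to disable the SMBv1 server. Disabling SMBv1 breaks clients that cannot speak SMBv2, such as very old printers and NAS firmware, so test before rolling it out fleet-wide; blocking TCP/445 at the network perimeter does not depend on any host change and should be done in parallel.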

Press Information
Digital Shadows
Conrad Offices, 19th Floor
Sheikh Zayed Road, Dubai

Sharon Divan
PR
+97143827880
www.digitalshadows.com
