11.5.18

One year later: EternalBlue exploit more popular now than during WannaCryptor outbreak

The infamous outbreak may no longer be causing mayhem worldwide, but the exploit that enabled it is still very much alive and poses a major threat to unpatched and unprotected systems.
It’s been a year since the WannaCryptor.D ransomware (aka WannaCry and WCrypt) caused one of the largest cyber-disruptions the world has ever seen. And while the threat itself is no longer wreaking havoc around the world, the exploit that enabled the outbreak, known as EternalBlue, is still threatening unpatched and unprotected systems. And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017.
The EternalBlue exploit targets a vulnerability (addressed in Microsoft Security Bulletin MS17-010) in an obsolete version of Microsoft’s implementation of the Server Message Block (SMB) protocol, reachable via port 445. In an attack, black hats scan the internet for exposed SMB ports and, when they find one, launch the exploit code. If the target is vulnerable, the attacker can then run a payload of their choice on it. This was the mechanism behind the effective distribution of WannaCryptor.D ransomware across networks.
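The scanning described above leaves a trace long before any exploit code runs: inbound connection attempts to TCP/445 from internet addresses. The following added example (not ESET's code or telemetry) parses a constructed firewall log in a simple key=value format and lists which external sources touched SMB on which internal hosts, so a defender can see where port 445 is exposed at all. The log format, the `INTERNAL_NETS` ranges and all addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample firewall log (not real telemetry): one inbound attempt per line.
SAMPLE_LOG = """\
2018-04-17T02:03:11Z fw01 ACCEPT src=203.0.113.45 dst=10.0.0.12 proto=tcp dport=445
2018-04-17T02:03:12Z fw01 ACCEPT src=203.0.113.45 dst=10.0.0.13 proto=tcp dport=445
2018-04-17T02:03:12Z fw01 ACCEPT src=203.0.113.45 dst=10.0.0.14 proto=tcp dport=445
2018-04-17T02:03:14Z fw01 ACCEPT src=10.0.0.50 dst=10.0.0.12 proto=tcp dport=445
2018-04-17T02:04:01Z fw01 ACCEPT src=198.51.100.7 dst=10.0.0.12 proto=tcp dport=443
2018-04-17T02:05:30Z fw01 DROP src=198.51.100.9 dst=10.0.0.12 proto=tcp dport=445
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)
# Ranges treated as "inside" the network (assumed); any other source is internet-facing.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def external_smb_sources(log_text, min_targets=1):
    """Map each internet source that touched TCP/445 on >= `min_targets` internal
    hosts to hosts reached and attempts accepted (the exposure EternalBlue needs)."""
    targets = defaultdict(set)
    accepted = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec is None or rec["proto"] != "tcp" or rec["dport"] != 445
                or not is_external(rec["src"])):
            continue
        targets[rec["src"]].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            accepted[rec["src"]] += 1
    return {src: {"targets": len(hosts), "accepted": accepted[src]}
            for src, hosts in targets.items() if len(hosts) >= min_targets}
```

Raising `min_targets` separates a source sweeping many hosts from a single stray connection; any non-zero `accepted` count for an internet source is a host on which the MS17-010 patch status needs checking.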
Interestingly, according to ESET’s telemetry, EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily. Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.
One possible explanation for the latest peak is the Satan ransomware campaign seen around those dates, but it could be connected to other malicious activities as well.
We must stress that the infiltration method used by EternalBlue is not successful on devices protected by ESET. One of the multiple protection layers – ESET’s Network Attack Protection module – blocks this threat at the point of entry. This can be compared to someone silently knocking on the door at 2 a.m. to test whether anyone is still up. As such activity is most likely driven by malicious intent, the entrance is securely sealed off to keep the intruder out.
This was true during the WannaCryptor outbreak on May 12, 2017 as well as all previous and subsequent attacks by malicious actors and groups.
EternalBlue has enabled many high-profile cyberattacks. Apart from WannaCryptor, it also powered the destructive Diskcoder.C (aka Petya, NotPetya and ExPetya) attack in June 2017 as well as the BadRabbit ransomware campaign in Q4 2017. It was also used by the Sednit (aka APT28, Fancy Bear and Sofacy) cyberespionage group to attack Wi-Fi networks in European hotels.
The exploit has also been identified as one of the spreading mechanisms for malicious cryptominers. More recently, it was deployed to distribute the Satan ransomware campaign, described only a few days after ESET’s telemetry detected the mid-April 2018 EternalBlue peak.
The EternalBlue exploit was allegedly stolen from the National Security Agency (NSA) probably in 2016 and leaked online on April 14, 2017 by a group dubbed Shadow Brokers. Microsoft issued updates that fixed the SMB vulnerability on March 14, 2017, but to this day, there are many unpatched machines in the wild.
This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool.


6.5.18

Google rolls out .app domains with built-in HTTPS

The move is part of the company’s HTTPS-everywhere vision for the internet

Google has rolled out .app, a new top-level domain (TLD) that is the first to require encrypted HTTPS connections for all .app websites, according to an announcement by the search giant’s CIO Ben Fried.
The company opened up .app domains for registration as part of the Early Access Program on Google Registry on May 1. The domains will be up for grabs for the general public through other registrars from May 8.
“A key benefit of the .app domain is that security is built in—for you and your users. The big difference is that HTTPS is required to connect to all .app websites, helping protect against ad malware and tracking injection by ISPs, in addition to safeguarding against spying on open WiFi networks,” reads the press release.
The domain is geared towards app developers in particular, although Domain Name Wire quoted a Google representative in March as saying that it is not reserved exclusively for them. Some of the early adopters of .app domains are featured on get.app.
“Even if you spend your days working in the world of mobile apps, you can still benefit from a home on the web. With a memorable .app domain name, it’s easy for people to find and learn more about your app. You can use your new domain as a landing page to share trustworthy download links, keep users up to date, and deep link to in-app content,” according to the announcement.
Google, which paid $25 million for .app in 2015, controls a total of 45 TLDs, including .how, .dad, .eat, .soy and .google. According to the global domain name authority ICANN, the internet has 1,543 TLDs as of May 4.
The move is part of Google’s HTTPS-everywhere vision for the internet. In February, for example, the company announced that Chrome 68, due in July of this year, will mark all HTTP websites as “not secure”.
Finally, a quick note: HTTPS, or Hypertext Transfer Protocol Secure, encrypts web traffic, making sure that submitted data is safe from prying eyes while in transmission. It is, therefore, important to check for the presence of HTTPS in the browser’s address bar whenever we submit sensitive data to a website. However, the protocol’s presence alone does not automatically guarantee safety from a number of other threats. Even a site that has HTTPS can be malicious: phishing sites, for example, have been increasingly embracing HTTPS.
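The "HTTPS is required" property of .app quoted above is enforced on the client side: the whole TLD is on the browsers' HSTS preload list (a known fact about .app, not stated in the article), so a browser rewrites any http:// link under it to https:// before a single plaintext request is sent. The following added example (not Google's code) shows that upgrade logic, with `HTTPS_ONLY_TLDS`, `enforce_https` and the example.app URLs being names and values constructed for the illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# TLDs whose every hostname must be reached over HTTPS. The whole .app TLD is on
# the browsers' HSTS preload list (a known fact about .app, not stated on the page).
HTTPS_ONLY_TLDS = {"app"}

def tld_of(host):
    """Return the last DNS label of a hostname, ignoring case and a trailing dot."""
    return host.rstrip(".").lower().rsplit(".", 1)[-1]

def requires_https(host):
    return tld_of(host) in HTTPS_ONLY_TLDS

def enforce_https(url):
    """Upgrade an http:// URL under an HTTPS-only TLD the way a preloaded HSTS
    entry does before any request leaves the browser (RFC 6797, section 8.3):
    the scheme becomes https, an explicit port 80 becomes the default 443, and
    any other explicit port is kept. Every other URL is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return url
    if not requires_https(parts.hostname):
        return url
    netloc = parts.netloc
    if parts.port == 80:
        netloc = netloc.rsplit(":", 1)[0]   # drop ":80"; https defaults to 443
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

As the note above says, the upgrade only guarantees that the connection is encrypted; it says nothing about whether the .app site behind it is benign.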