While WannaCry exploited two of the NSA’s leaked hacking tools, EternalBlue uses all seven and has no kill-switch.

Ransomware worse than WannaCry discovered, also leverages NSA tools

By Jessica Davis
01:15 PM
leaked NSA tools WannaCry ransomware

Security researcher Miroslav Stampar has found a new malware variant capable of spreading by exploiting vulnerabilities in Windows SMB file sharing protocols that use all seven leaked U.S. National Security Agency hacking tools.

For comparison: the WannaCry strain that hit Europe, China and Russia on May 12 only used two of the leaked NSA exploits.

While multiple hacking groups created copycat versions of WannaCry and continue to exploit two of the leaked NSA tools, a researcher found a kill-switch that stopped the spread soon after the virus shutdown 20 percent of the U.K. National Health Service and pummeled other industries.

[Also: Wannacry timeline: How it happened and the industry response to ransomware attack]

But Stampar, who is part of the Croatian Government CERT, discovered the network worm EternalRocks that is much more impactful than WannaCry and has no kill-switch. And unlike WannaCry, the new variant hides its function to ensure it remains undetected after it’s deployed on the victim’s computer.

[Also: Here's what it was like to host a security forum when WannaCry hit the globe]

EternalBlue uses two SMBv1 exploit tools, an SMBv2 exploit tool, an SMBv3 exploit tool, two SMB reconnaissance tools and a backdoor Trojan. The reconnaissance tools are designed to scan for all open SMB ports on the public internet. The other exploits compromise the individual Windows computer.

The backdoor Trojan spreads the worm from the infected computer to other unpatched computers on the same network.

[Also: WannaCry highlights worst nightmare in medical device security]

The new strain masks itself as WannaCry to fool security experts, but gains control of the affected computer instead of launching an initial ransomware attack. Stampar said that once the hacker gains control of the command-and-control server, it waits 24 hours to avoid sandboxing techniques.

Sandboxing is a technique used by security teams to separate running programs, which will kill untested programs, websites, code and the like without risking harm to the host computer or network. But Stampar said that EternalBlue sidesteps sandboxing, which makes the worm undetectable.

All healthcare providers running on outdated Windows systems need to deploy the patches released by Microsoft in March to prevent a successful EternalBlue attack. Microsoft has also warned users to consider blocking legacy protocols on their networks, in response to the WannaCry attack.

As EternalBlue leverages a greater number of exploits, these warnings apply to this newest strain.

“Some of the observed attacks use common phishing tactics, including malicious attachments,” officials said. “Customers should use vigilance when opening documents from untrusted or unknown sources.”

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn