Secdo recently discovered evidence that sophisticated actors leveraged the National Security Agency’s (NSA) ETERNALBLUE exploit several weeks before the outbreak of WannaCry to attack organizations, install backdoors, and exfiltrate user credentials in networks around the world. The WannaCry ransomware was just one use of the exploit.
Secdo made the discovery in the wake of reports during April from multiple customers, including publicly traded companies, that ransomware their existing tools had not detected was running on their endpoints. Having recorded every action on those endpoints and servers at the thread level allowed Secdo to play back, analyze, and identify these attacks. The company believes many organizations may remain vulnerable to thread-level attacks that install backdoors, exfiltrate data, and steal credentials.
Jake Williams, the founder of Rendition Infosec and a SANS Institute instructor, scanned the internet for weeks looking for active infections of DoublePulsar, the backdoor implant tool used alongside ETERNALBLUE in the WannaCry ransomware attack. “Finding a machine with DoublePulsar running indicates that the same vulnerability used in the WannaCry malware was used to compromise Windows machines much earlier,” said Williams. “Although the numbers have varied widely, ranging from 25,000-150,000 active infections, it is clear that attackers have been exploiting this vulnerability almost since the day it was released by Shadow Brokers.”
After gaining entry to Windows-based machines through ETERNALBLUE, the attackers used the NSA’s DoublePulsar implant to spawn a thread within a legitimate system process. Because most detection systems do not collect activity at the thread level, the injected code is attributed to its trusted host process and goes unnoticed.
“WannaCry is merely a visible symptom and not the underlying cause,” said Secdo’s CTO, Gil Barak. “Multiple threat actors were exploiting ETERNALBLUE to infect endpoints weeks prior to the WannaCry outbreak. Even if your organization successfully blocked or was not attacked by WannaCry, you may still be compromised.”
Barak continued, “The attackers had more than a month to breach organizations, install backdoors, steal information and cause other damage, which most organizations may still not be able to discover – until it’s too late. Installing the Microsoft patch is critical for protection from future attacks exploiting Windows SMB, but it does not remediate machines that have already been compromised.”
To discover whether a breach is still present, organizations should look for thread-based behavioral IOCs that indicate compromise dating back to at least early April. In addition, organizations need to maintain continuous visibility at the thread level into every endpoint in the network in order to hunt for and respond to thread-based attacks effectively in the future.
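One concrete thread-level check a hunter can run over endpoint telemetry is to flag threads whose start address is not backed by any image loaded in the process: a thread that began executing in private, non-image memory was not created from on-disk code, which is the classic footprint of code injected into a legitimate process like the one described above (the heuristic behind tools such as Get-InjectedThread and Volatility's malfind). The example below is added here and is not Secdo's code nor any DoublePulsar-specific signature; the page does not describe how DoublePulsar places its thread, so the heuristic is a general one. The PIDs, addresses, module paths and thread list are constructed for illustration, in the shape an EDR agent or memory-forensics tool would collect them.

```python
"""Flag threads whose start address lies outside every image mapped in their process.

Added example, not code from Secdo or the original article. The snapshot data
below (PIDs, base addresses, sizes, thread start addresses) is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """One image mapped into a process, as reported by a loaded-module listing."""
    pid: int
    base: int
    size: int
    path: str


@dataclass(frozen=True)
class Thread:
    """One thread and its Win32 start address (ThreadQuerySetWin32StartAddress)."""
    pid: int
    tid: int
    start_address: int


def backing_module(thread, modules):
    """Return the Module whose mapped range contains the thread's start address, or None."""
    for m in modules:
        if m.pid == thread.pid and m.base <= thread.start_address < m.base + m.size:
            return m
    return None


def find_unbacked_threads(threads, modules):
    """Threads that started in memory not backed by any loaded image.

    Such threads are the usual sign of injected code. Legitimate exceptions exist
    (JIT-compiled code, some security products' hooks), so hits are leads to
    investigate, not verdicts.
    """
    return [t for t in threads if backing_module(t, modules) is None]


def report(threads, modules):
    """Summarize hits with the host process name, for a triage queue."""
    exe_by_pid = {m.pid: m.path for m in modules if m.path.lower().endswith(".exe")}
    return [
        {
            "pid": t.pid,
            "process": exe_by_pid.get(t.pid, "?"),
            "tid": t.tid,
            "start": f"0x{t.start_address:016X}",
        }
        for t in find_unbacked_threads(threads, modules)
    ]


# Constructed snapshot: lsass.exe (PID 620) and a svchost.exe (PID 1448).
SAMPLE_MODULES = [
    Module(620, 0x7FF6_A0F0_0000, 0x1A000, r"C:\Windows\System32\lsass.exe"),
    Module(620, 0x7FFC_2A10_0000, 0x1F0000, r"C:\Windows\System32\ntdll.dll"),
    Module(620, 0x7FFC_2930_0000, 0xB4000, r"C:\Windows\System32\kernel32.dll"),
    Module(1448, 0x7FF7_1C00_0000, 0xF000, r"C:\Windows\System32\svchost.exe"),
    Module(1448, 0x7FFC_2A10_0000, 0x1F0000, r"C:\Windows\System32\ntdll.dll"),
]

SAMPLE_THREADS = [
    Thread(620, 624, 0x7FF6_A0F0_4C10),        # main thread, inside lsass.exe
    Thread(620, 2100, 0x7FFC_2A18_8E40),       # thread-pool worker, inside ntdll.dll
    Thread(620, 3312, 0x0000_0218_4F30_0000),  # starts in private memory: no image backs it
    Thread(1448, 1452, 0x7FF7_1C00_2A00),      # main thread, inside svchost.exe
]


if __name__ == "__main__":
    for hit in report(SAMPLE_THREADS, SAMPLE_MODULES):
        print(f"unbacked thread {hit['tid']} in {hit['process']} (pid {hit['pid']}) at {hit['start']}")
```

In a real deployment the module and thread tables come from the endpoint agent or from a memory image; the point of keeping both tables per process is that the same DLL (ntdll.dll above) is mapped at the same base in every process, so a thread must be matched against its own process's mappings, never a global list.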