
Hackers Exploited NSA's ETERNALBLUE Weeks Before WannaCry Outbreak to Steal Login Credentials


Organizations are potentially exposed to future thread-level attacks that install backdoors, exfiltrate data, and steal credentials.


Secdo recently discovered evidence that sophisticated actors leveraged the National Security Agency’s (NSA) ETERNALBLUE exploit several weeks before the WannaCry outbreak to attack organizations in networks around the world, installing backdoors and exfiltrating user credentials. The WannaCry ransomware was just one variant.

Secdo made the discovery after multiple customers, including publicly traded companies, reported during April that their endpoints had been attacked by ransomware that went undetected. Because it had recorded every action on those endpoints and servers at the thread level, Secdo was able to play back, analyze, and identify the attacks. The company believes many organizations may still be vulnerable to thread-level attacks that install backdoors, exfiltrate data, and steal credentials.

Jake Williams, the founder of Rendition Infosec and a SANS Institute instructor, scanned the internet for weeks looking for active infections of DoublePulsar, the backdoor implant tool used alongside ETERNALBLUE in the WannaCry ransomware attack. “Finding a machine with DoublePulsar running indicates that the same vulnerability used in the WannaCry malware was used to compromise Windows machines much earlier,” said Williams. “Although the numbers have varied widely, ranging from 25,000-150,000 active infections, it is clear that attackers have been exploiting this vulnerability almost since the day it was released by Shadow Brokers.”

Upon gaining entry to a Windows machine, the attack used the NSA’s DoublePulsar implant to spawn a thread inside a legitimate system process, allowing it to remain undetected by most detection systems, which do not collect activity at the thread level.

“WannaCry is merely a visible symptom and not the underlying cause,” said Secdo’s CTO, Gil Barak. “Multiple threat actors were exploiting ETERNALBLUE to infect endpoints weeks prior to the WannaCry outbreak. Even if your organization successfully blocked or was not attacked by WannaCry, you may still be compromised.”

Barak continued, “The attackers had more than a month to breach organizations, install backdoors, steal information and cause other damage, which most organizations may still not be able to discover – until it’s too late. Installing the Microsoft patch is critical for protection from future attacks exploiting Windows SMB, but it does not remediate machines that have already been compromised.”

To determine whether such a breach is still present, organizations should look for thread-based behavioral IOCs indicating compromise from at least early April onward. In addition, organizations need continuous thread-level visibility into every endpoint in the network to hunt for and respond effectively to thread-based attacks in the future.
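The two preceding points, an implant hiding a thread inside a legitimate system process and a hunt for thread-based IOCs, can be illustrated with a small record-level hunt. The following is an added example, not Secdo's tooling or anything from the article: it assumes that remote-thread creations have been exported from Sysmon Event ID 8 (CreateRemoteThread) as `key=value` pairs joined by `|` (a constructed export format; real Sysmon emits XML), and it flags threads whose start address is not backed by any loaded module, or which an unexpected source process created inside a core system process. The process allow-lists are assumptions to be tuned per environment, and the four events are constructed sample data.

```python
"""Hunt Sysmon Event ID 8 (CreateRemoteThread) records for thread-injection IOCs.

Added example; the export format, allow-lists and sample events are constructed
assumptions, not data from the article or from any vendor's product.
"""
from __future__ import annotations

from dataclasses import dataclass

# Core Windows processes an implant would typically hide a thread in (assumption).
SYSTEM_PROCESSES = {"lsass.exe", "spoolsv.exe", "svchost.exe", "services.exe", "winlogon.exe"}

# Sources that legitimately create threads in other processes on most hosts (assumption; tune per estate).
BENIGN_SOURCES = {"csrss.exe", "services.exe", "wininit.exe", "smss.exe"}


@dataclass
class RemoteThreadEvent:
    utc_time: str
    source_image: str
    target_image: str
    start_module: str    # empty when the thread start address is not inside any loaded module
    start_function: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path ('System' stays 'system')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> RemoteThreadEvent:
    """Parse one 'Key=Value|Key=Value' record (constructed export format) into an event."""
    fields = dict(kv.split("=", 1) for kv in line.split("|"))
    return RemoteThreadEvent(
        utc_time=fields["UtcTime"],
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        start_module=fields.get("StartModule", ""),
        start_function=fields.get("StartFunction", ""),
    )


def reasons_for(ev: RemoteThreadEvent) -> list[str]:
    """Return the reasons an event looks like thread injection; empty list means benign."""
    reasons: list[str] = []
    target = basename(ev.target_image)
    source = basename(ev.source_image)
    # A remote thread starting in memory no module backs is the classic injected-code signature.
    if not ev.start_module:
        reasons.append("thread start address not backed by a loaded module")
    # A thread created inside a core system process by a non-allow-listed source is worth a look
    # even when the start address is module-backed (e.g. a LoadLibrary-style trampoline).
    if target in SYSTEM_PROCESSES and source not in BENIGN_SOURCES:
        reasons.append(f"unexpected source {source} created a thread in {target}")
    return reasons


def hunt(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Return (UtcTime, target process, reasons) for every record that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = reasons_for(ev)
        if reasons:
            hits.append((ev.utc_time, basename(ev.target_image), reasons))
    return hits


# Constructed sample records: one benign, two suspicious, one benign.
SAMPLE_EVENTS = [
    "UtcTime=2017-04-20 03:12:44.101|SourceImage=C:\\Windows\\System32\\csrss.exe"
    "|TargetImage=C:\\Windows\\System32\\svchost.exe|StartModule=C:\\Windows\\System32\\ntdll.dll"
    "|StartFunction=RtlUserThreadStart",
    "UtcTime=2017-04-20 03:13:02.557|SourceImage=System"
    "|TargetImage=C:\\Windows\\System32\\lsass.exe|StartModule=|StartFunction=",
    "UtcTime=2017-04-20 03:15:19.004|SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|TargetImage=C:\\Windows\\System32\\spoolsv.exe|StartModule=C:\\Windows\\System32\\kernel32.dll"
    "|StartFunction=LoadLibraryA",
    "UtcTime=2017-04-20 03:16:40.880|SourceImage=C:\\Windows\\explorer.exe"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|StartModule=C:\\Windows\\System32\\ntdll.dll"
    "|StartFunction=RtlUserThreadStart",
]


if __name__ == "__main__":
    for when, target, why in hunt(SAMPLE_EVENTS):
        print(f"{when}  {target}")
        for r in why:
            print(f"    - {r}")
```

Run against the constructed records, the hunt surfaces the thread in lsass.exe (unbacked start address, created from the System process) and the thread powershell.exe created in spoolsv.exe, while the two csrss.exe/explorer.exe records pass. The rule that matters most here is the unbacked start address, since that is the property process-level telemetry never sees; the source/target rule is a noisier second signal that needs an allow-list fitted to the estate.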
