A new cyber attack worm uses seven leaked tools from the National Security Agency (NSA), according to a report.
The last major worm “WannaCry” used just two leaked NSA tools and became a global problem, affecting both private and government agencies and organizations, including the British National Health Service (NHS).
“The worm’s existence first came to light on Wednesday, after it infected the SMB honeypot of Miroslav Stampar, a member of the Croatian Government CERT, and creator of the sqlmap tool used for detecting and exploiting SQL injection flaws,” reported Bleeping Computer on Friday. “The worm, which Stampar named EternalRocks based on worm executable properties found in one sample, works by using six SMB-centric NSA tools to infect a computer with SMB ports exposed online. These are ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, and ETERNALSYNERGY, which are SMB exploits used to compromise vulnerable computers, while SMBTOUCH and ARCHITOUCH are two NSA tools used for SMB reconnaissance operations. Once the worm has obtained this initial foothold, it then uses another NSA tool, DOUBLEPULSAR, to propagate to new vulnerable machines.”
WannaCry also used ETERNALBLUE and DOUBLEPULSAR in its attack, which affected over 240,000 victims this month.
Despite the worm's greater complexity, Bleeping Computer claims that the new EternalRocks worm is currently less dangerous than WannaCry.
“For starters, EternalRocks is far more sneaky than WannaCry’s SMB worm component. Once it infects a victim, the worm uses a two-stage installation process, with a delayed second stage,” explained Bleeping Computer in their report. “During the first stage, EternalRocks gains a foothold on an infected host, downloads the Tor client, and beacons its C&C server, located on a .onion domain, the Dark Web.”
“Only after a predefined period of time — currently 24 hours — does the C&C server respond,” they continued, adding that “The role of this long delay is most probably to bypass sandbox security testing environments and security researchers analyzing the worm, as very few will wait a full day for a response from the C&C server.”
Unlike WannaCry, EternalRocks doesn’t have a kill switch, and though it is currently relatively harmless, Bleeping Computer claims that it could “be weaponized in an instant.”
“EternalRocks could pose a serious threat to computers with vulnerable SMB ports exposed to the Internet, if its author would ever decide to weaponize the worm with ransomware, a banking trojan, RATs, or anything else,” they explained. “At first glance, the worm seems to be an experiment, or a malware author performing tests and fine-tuning a future threat.”
“This, however, does not mean EternalRocks is harmless. Computers infected with this worm are controllable via C&C server commands and the worm’s owner could leverage this hidden communications channel to send new malware to the computers previously infected by EternalRocks,” the report concluded. “Furthermore, DOUBLEPULSAR, an NSA implant with backdoor features, remains running on PCs infected with EternalRocks. Unfortunately, the worm’s author has not taken any measures to protect the DOUBLEPULSAR implant, which runs in a default unprotected state, meaning other threat actors could use it as a backdoor to machines infected by EternalRocks, by sending their own malware to those PCs.”
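The exposure EternalRocks and WannaCry both depend on is SMBv1 reachable on port 445 from the Internet, which the March 14 update closed on patched hosts. Added here as an example (not code from the report or from Bleeping Computer): a PowerShell audit-and-harden snippet that reports the current SMBv1 state and listeners, disables SMBv1, and blocks inbound 445 on the Public firewall profile. It assumes Windows 8/Server 2012 or later, an elevated prompt, and that a third-party tool is used to confirm whether 445 is actually reachable from outside.

```powershell
# Added example: audit and harden the SMBv1 exposure described above.
# Assumes an elevated prompt on Windows 8 / Server 2012 or later.

# 1. Weak state: is SMBv1 still enabled on the server side?
$smb = Get-SmbServerConfiguration
Write-Host "SMB1 enabled: $($smb.EnableSMB1Protocol)"

# 2. Is anything listening on 445 (it usually is; the point is who can reach it)?
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Coarse patch heuristic: any update installed on or after the March 14 release?
#    Compare against the MS17-010 KB for your exact build; this only flags a gap.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2017-03-14' }
if (-not $recent) { Write-Warning "No updates since 2017-03-14; verify MS17-010 manually." }

# 4. Corrected state: turn SMBv1 off (server component) ...
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# ... and block inbound 445 on the Public profile so an exposed host cannot be
#     reached by the SMB exploits regardless of patch level.
if (-not (Get-NetFirewallRule -DisplayName "Block inbound SMB 445 (Public)" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "Block inbound SMB 445 (Public)" `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -Profile Public -Action Block | Out-Null
}

# 5. Re-read the setting to confirm the change took effect.
(Get-SmbServerConfiguration).EnableSMB1Protocol
```

Domain and Private profiles are left alone here because file sharing on an internal network may still need 445; scope those rules to the subnets that actually require it.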
Following the WannaCry attack, Microsoft criticized the U.S. government for failing to safeguard its cyberweapons, which have leaked from numerous government agencies, including the NSA and the Central Intelligence Agency (CIA).
“The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States,” Microsoft explained in a statement. “That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers.”
“While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected,” they claimed.
Citing the recent WikiLeaks releases that included leaked code for CIA programs, Microsoft added that “this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” calling it “an emerging pattern in 2017.”
“The governments of the world should treat this attack as a wake-up call,” the company said, adding that government agencies “need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”
Several journalists, however, claimed in articles that Microsoft was just as responsible for the attack as the U.S. government.
“By failing to support older versions of its operating system, the IT company provided the hackers that stole the NSA’s IT Tomahawk Missile the opportunity they needed,” wrote one writer for the Independent, while the Inquirer voiced similar concerns in an article titled “Microsoft, it’s not just the NSA. If you want to kill WannaCry, fix broken Windows.”
The company was also heavily criticized for withholding a free security patch from customers still using older operating systems, instead opting to charge the users for a fix.