EternalRocks network worm uses 7 NSA hacking tools

At least one person is leveraging seven ShadowBrokers-leaked NSA hacking tools for a new EternalRocks network worm.

While you won’t be forgetting the WannaCry ransomware attack, it is likely you will be hearing a lot more about the alleged NSA-linked EternalBlue exploit and DoublePulsar backdoor as it seems a wide range of bad guys have them in their toyboxes. At least one person is leveraging seven leaked NSA hacking tools for a new EternalRocks network worm.

EternalBlue and DoublePulsar

Malwarebytes believes WannaCry did not spread by a malicious spam email campaign, but by an scanning operation that searched for vulnerable public facing SMB ports, then used EternalBlue to get on the network and DoublePulsar to install the ransomware.

 EternalBlue was part of the Shadow Brokers’ April 14 dump of NSA hacking tools. Almost immediately, since late April, sophisticated attackers started repackaging the EternalBlue exploit. Security firm Secdo reported that three weeks before the WannaCry attack, at least three different actors were “leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the US.”

The attack leaves no trace; by spawning threads inside legitimate apps, to impersonate those apps, the attack can evade advanced next-gen antivirus solutions. The attacks, according to Secdo, “might pose a much bigger risk than WannaCry” as “many endpoints may still be compromised despite having installed the latest security patch.”

The security firm suggested one threat actor was stealing credentials using a Russian-based IP and another threat actor seemed to be using EternalBlue in  opportunistic attacks to create a Chinese botnet.

Read full news article on Network World