The cybersecurity landscape has been shaken following the April leak of zero-day vulnerabilities and hacking tools by the Shadow Brokers, reportedly associated with the NSA’s Equation Group. This disclosure has led to numerous hacking groups and individual cybercriminals taking initiative to exploit these vulnerabilities for various malicious purposes.
The release is considered one of the most damaging thus far, exposing a significant trove of Windows hacking tools, including a critical exploit for Windows SMB, known as EternalBlue. This vulnerability has played a pivotal role in a series of attacks that have already affected hundreds of thousands of computers globally.
Following the recent WannaCry ransomware outbreak, security researchers have linked several active cyber campaigns to the exploitation of the Windows SMB vulnerability (CVE-2017-0143). Known as EternalBlue, this exploit has allowed attackers to significantly compromise systems across various industries.
Multiple credible sources within the cyber intelligence community have confirmed that a wide array of groups, as well as individual hackers, are actively using EternalBlue to further their aims. The exploit, which targets one of the flaws covered by Microsoft Security Bulletin MS17-010, is now integrated into Metasploit, a popular penetration-testing framework, which makes it easy for both security professionals and malicious actors to exploit this vulnerability.
Recent findings by cybersecurity startup Secdo highlight two notable hacking campaigns utilizing EternalBlue weeks before the WannaCry attacks launched globally. The campaigns exhibited advanced techniques, indicating that many cyber actors continue to evolve their strategies and methodologies.
One of the campaigns, traced back to Russia, focused on credential theft. Attackers utilized EternalBlue to create a malicious thread within the lsass.exe process, enabling them to retrieve saved login credentials from the Firefox browser. The stolen information was subsequently sent to a command-and-control server via the encrypted Tor network, obscuring the attackers’ true location.
In a parallel campaign originating from China, hackers employed EternalBlue to establish a rootkit and DDoS botnet. They, too, leveraged similar methods to gain persistent access to infected systems, subsequently deploying additional malware designed to facilitate DDoS attacks.
These campaigns underscore a much greater risk than WannaCry, as they focus on maintaining access over extended periods. Even if companies implement strategies to block WannaCry and patch the identified vulnerabilities, attackers could still reestablish access through backdoors or compromised credentials.
The ramifications of these attacks reveal a concerning trend: a significant number of systems may remain compromised, regardless of the security measures in place. This points to a critical need for businesses to employ solutions capable of monitoring activities at a thread level, thus enabling quicker detection and mitigation.
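The credential-theft campaign described above created a thread inside lsass.exe, and the point of thread-level monitoring is that such a creation is visible as an event before any credentials leave the host. The following is an added example, not code from the page, from Secdo or from any vendor: it parses constructed records whose field names follow Sysmon Event ID 8 (CreateRemoteThread) and flags threads created in lsass.exe by a process outside an assumed allow-list, or whose start address is not backed by a loaded module. The allow-list, the sample records and the timestamps are all assumptions made for this example and would be replaced by a baseline taken from the real fleet.

```python
import re
from dataclasses import dataclass

# Allow-list of processes that legitimately create threads in lsass.exe.
# This is an assumption for the example; build it from a baseline of the real environment.
KNOWN_LSASS_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed sample records using Sysmon Event ID 8 (CreateRemoteThread) field names.
# Not real telemetry: the hosts, times and addresses are made up for this example.
SAMPLE_EVENTS = [
    r'EventID="1" UtcTime="2017-05-01 10:11:58.004" Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    r'EventID="8" UtcTime="2017-05-01 10:12:03.221" SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Windows\System32\lsass.exe" StartAddress="0x00007FFB2E4C1F40" StartModule="C:\Windows\System32\ntdll.dll" StartFunction="RtlUserThreadStart"',
    r'EventID="8" UtcTime="2017-05-01 10:12:04.870" SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" StartAddress="0x000001F3C9A40000" StartModule="" StartFunction=""',
    r'EventID="8" UtcTime="2017-05-01 10:12:05.102" SourceImage="C:\Windows\System32\wininit.exe" TargetImage="C:\Windows\System32\lsass.exe" StartAddress="0x000002A7D1B30000" StartModule="" StartFunction=""',
    r'EventID="8" UtcTime="2017-05-01 10:12:07.339" SourceImage="C:\Windows\explorer.exe" TargetImage="C:\Windows\System32\notepad.exe" StartAddress="0x00007FFB2E4C1F40" StartModule="C:\Windows\System32\ntdll.dll" StartFunction="RtlUserThreadStart"',
]

# Matches Key="value" pairs; values may be empty.
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class RemoteThreadEvent:
    utc_time: str
    source_image: str
    target_image: str
    start_address: str
    start_module: str
    start_function: str


def parse_remote_thread(line: str):
    """Return a RemoteThreadEvent for an Event ID 8 record, or None for any other event."""
    fields = dict(_FIELD_RE.findall(line))
    if fields.get("EventID") != "8":
        return None
    return RemoteThreadEvent(
        utc_time=fields.get("UtcTime", ""),
        source_image=fields.get("SourceImage", ""),
        target_image=fields.get("TargetImage", ""),
        start_address=fields.get("StartAddress", ""),
        start_module=fields.get("StartModule", ""),
        start_function=fields.get("StartFunction", ""),
    )


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(ev: RemoteThreadEvent):
    """Return the reasons this event is suspicious; an empty list means benign or out of scope."""
    if _basename(ev.target_image) != "lsass.exe":
        return []
    reasons = []
    if ev.source_image.lower() not in KNOWN_LSASS_SOURCES:
        reasons.append("source process not in lsass.exe allow-list")
    if not ev.start_module:
        # A thread whose start address maps to no loaded module points at injected code.
        reasons.append("thread start address not backed by a loaded module")
    return reasons


def detect(lines):
    """Run the two checks over raw event lines and return one alert dict per suspicious event."""
    alerts = []
    for line in lines:
        ev = parse_remote_thread(line)
        if ev is None:
            continue
        reasons = assess(ev)
        if reasons:
            alerts.append({
                "utc_time": ev.utc_time,
                "source_image": ev.source_image,
                "start_address": ev.start_address,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['utc_time']} {alert['source_image']} -> lsass.exe @ "
              f"{alert['start_address']}: {'; '.join(alert['reasons'])}")
```

On the constructed input the csrss.exe thread passes both checks, the svchost.exe thread trips both (unknown source and unbacked start address), and the wininit.exe thread trips only the module check, which is the case an allow-list alone would miss. Because a remote thread into lsass.exe is rare and a thread starting in unbacked memory is rarer still, both rules can be alerted on directly rather than scored; a real deployment would also record the source process's parent and network context so the alert can be tied back to the SMB session that delivered the exploit.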
The ongoing cyber threats exemplified by campaigns leveraging SMB vulnerabilities show that the landscape is becoming more complex. As cybercriminals watch closely for opportunities to exploit newly disclosed vulnerabilities, business owners must take proactive measures to safeguard their operations against potential breaches by staying informed and implementing robust cybersecurity practices.
The tactics and techniques used in these attacks map onto the MITRE ATT&CK framework, chiefly in the areas of initial access, persistence, and credential access. With adversaries growing more sophisticated, the onus is on organizations to bolster their defenses to counter the evolving cyber threat landscape.