News broke yesterday that a new worm, EternalRocks, has been discovered. Following on from the WannaCry malware that caused such global devastation over last weekend, it uses seven of the Windows SMB exploits leaked by the ShadowBrokers and has been spreading through networks since at least the first week of May. IT security experts from Alert Logic, Imperva and Lastline commented below.
Paul Fletcher, Cybersecurity Evangelist at Alert Logic:
“It isn’t surprising that the NSA-leaked exploits are being leveraged to introduce new malicious software and cause headaches for cyber security teams. The hacking community will continue to sift through the NSA tools and create more sophisticated malware based on what fits their skill set and desired impact. The fact that EternalRocks doesn’t have ‘any malicious elements’ and EternalBlue leaves computers vulnerable to remote command execution demonstrates a higher level of sophistication, and it’s possible that this new threat is more of a ‘template’ – providing a simple ‘plug and play’ attack vector for more sophisticated cyber attacks in the near future. Administrators need to be extra vigilant to patch systems, beef up ‘host-based’ security tools and update their blacklists to protect their systems.”
Itsik Mantin, Director of Security Research at Imperva:
“One thing about ransomware like WannaCry is that you know when it is on your system. The scary thing about the leak of NSA tools like EternalBlue is that they can be used to create a variety of malware, some of which may lurk on systems undetected for months or years, as we discovered in 2016 with the uncovering of mega breaches such as the one at Yahoo. It’s more important than ever that businesses maintain and evolve their security practices to make sure their data is protected. An enterprise with a good security strategy will make cyber criminals’ lives harder and make them look somewhere else to achieve their agenda.”
Marco Cova, Senior Security Researcher at Lastline:
“What we find particularly interesting about the EternalRocks worm is how quickly criminals were able to replicate the effective elements of WannaCry, such as using the same vulnerability that is just as exposed today as it was when WannaCry hit on May 12, while addressing the shortcomings, such as avoiding a kill switch and increasing the sophistication with the addition of 5 more of the NSA tools. Also, the overall speed with which such a sophisticated attack was developed demonstrates crime rings’ skill and resources. As we’ve commented before, vulnerabilities will continue to be exploited, so simply applying the available patch will still leave enterprises vulnerable. Effective, layered security strategies include advanced malware protection that can detect the suspicious network traffic that is generated by an EternalRocks attack as it spreads, communicates with the C&C server, and executes other aspects of however the attack may be designed, all without a malware file to analyze.”
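The network-level signal the Lastline comment refers to is the fan-out a worm produces as it hunts for other SMB hosts: one internal machine opening connections to many distinct peers on TCP 445 in a short window, which ordinary file-share use does not look like. The following is an added illustration, not code from the original page or from any of the vendors quoted above. It runs a simple sliding-window fan-out detector over a few constructed connection records in a simplified firewall/conn-log layout (timestamp, source, destination, destination port); the log lines, the 60-second window and the threshold of five distinct destinations are all assumptions chosen for the example, and a real deployment would tune them to the network.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified conn-log layout:
#   <ISO timestamp> <src ip> <dst ip> <dst port>
# 10.0.0.5 sweeps six neighbours on 445 within ten seconds (worm-like fan-out),
# 10.0.0.20 repeatedly talks to a single file server (normal SMB use),
# 10.0.0.30 touches three hosts spread over several minutes (below threshold),
# and some port-80 traffic is present to show non-SMB records are ignored.
SAMPLE_LOG = """\
# ts src dst dport
2017-05-18T10:00:01 10.0.0.5  10.0.0.7  445
2017-05-18T10:00:02 10.0.0.5  10.0.0.8  445
2017-05-18T10:00:02 10.0.0.5  10.0.0.9  445
2017-05-18T10:00:03 10.0.0.20 10.0.0.2  445
2017-05-18T10:00:04 10.0.0.5  10.0.0.10 445
2017-05-18T10:00:05 10.0.0.5  203.0.113.9 80
2017-05-18T10:00:06 10.0.0.5  10.0.0.11 445
2017-05-18T10:00:09 10.0.0.5  10.0.0.12 445
2017-05-18T10:00:30 10.0.0.20 10.0.0.2  445
2017-05-18T10:01:00 10.0.0.30 10.0.0.40 445
2017-05-18T10:02:30 10.0.0.20 10.0.0.2  445
2017-05-18T10:03:00 10.0.0.30 10.0.0.41 445
2017-05-18T10:05:00 10.0.0.30 10.0.0.42 445
"""

SMB_PORT = 445


def parse_log(text):
    """Parse the simplified log into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_smb_fanout(records, window=timedelta(seconds=60), threshold=5):
    """Return {src: max_distinct_dsts} for sources that contacted at least
    `threshold` distinct hosts on TCP 445 inside any `window`-long span.

    Only SMB records are considered; for each source the events are sorted
    and a sliding window counts distinct destinations, so a host that hits
    the same file server many times is not flagged, while a host sweeping
    many different peers is."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        lo = 0
        for hi in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in events[lo:hi + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, count in find_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT: {src} reached {count} distinct hosts on 445 within 60s")
```

Run on the constructed sample, only 10.0.0.5 is reported (six distinct peers in under ten seconds); the file-server client and the slow three-host source stay quiet. The check needs no malware sample, only connection metadata, which is the point the comment above makes about catching the spread rather than the file.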