News broke yesterday that security researchers have found a new hacking campaign that used NSA exploits to install cryptocurrency miners on victims’ systems and networks. The researchers said that the campaign was a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits. IT security experts commented below.
Nadav Avital, Security Research Team Leader at Imperva:
“In order to defend against this attack, organisations should make sure their applications and any third-party code they use are not vulnerable to remote code execution attacks. In addition, they should separate their corporate network from any external/public-facing applications in order to minimize the damage if the application server is compromised. Lastly, it is recommended to disable the old, vulnerable SMBv1 on any machine in the organization.
Although it is not clear who is behind the attack, it is common to see attackers join efforts and use different techniques in order to increase attack sophistication and optimize their income. In this case we witness a combination of two separate vulnerabilities in order to create a much stronger attack.
If the appropriate security controls are in place, this attack is fairly simple to identify. First, any decent web application firewall should pick up the initial attack vector that tries to exploit vulnerable applications to run remote code. Then, network monitoring tools should easily detect massive internal scans. And finally, if a server is starting to mine cryptocurrencies, system performance monitoring tools will quickly alert on high CPU/memory consumption.”
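The internal-scan detection Avital describes can be expressed as a simple heuristic over connection records: an internal host that contacts many distinct internal hosts on the SMB ports (139/445) within a short window. The code below is an added example, not from the article or from Imperva; the flow records, the 20-target threshold and the 5-minute window are constructed assumptions.

```python
"""Flag internal hosts fanning out SMB connections (lateral-scan heuristic).

Added example, not from the article. Input is a constructed list of
connection records (src, dst, dport, timestamp) such as a firewall or
NetFlow exporter would provide; thresholds are assumptions, not vendor defaults.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from datetime import datetime, timedelta

# RFC 1918 ranges: only east-west (internal-to-internal) traffic is of interest.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # the ports the commenters mention

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def detect_smb_fanout(records, max_targets=20, window=timedelta(minutes=5)):
    """Return {src: distinct_target_count} for sources that contacted more than
    `max_targets` distinct internal hosts on SMB ports within `window`.
    records: iterable of (src, dst, dport, timestamp) tuples."""
    per_src = defaultdict(list)
    for src, dst, dport, ts in records:
        if dport in SMB_PORTS and is_internal(src) and is_internal(dst):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        recent = []  # sliding window of (ts, dst) within `window` of the newest event
        for ts, dst in events:
            recent.append((ts, dst))
            while recent and ts - recent[0][0] > window:
                recent.pop(0)
            distinct = len({d for _, d in recent})
            if distinct > max_targets:
                alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts

def sample_records():
    """Constructed flow records: one host sweeping 10.0.1.1-10.0.1.40 on 445
    in two minutes, plus benign repeated file-server traffic from another host."""
    t0 = datetime(2017, 12, 18, 9, 0, 0)
    recs = [("10.0.0.5", f"10.0.1.{i}", 445, t0 + timedelta(seconds=3 * i))
            for i in range(1, 41)]
    recs += [("10.0.0.9", "10.0.2.10", 445, t0 + timedelta(minutes=m))
             for m in range(30)]                    # same file server, repeatedly
    recs += [("10.0.0.9", "203.0.113.7", 443, t0)]  # outbound HTTPS, ignored
    return recs

if __name__ == "__main__":
    print(detect_smb_fanout(sample_records()))  # {'10.0.0.5': 40}
```

The benign host is not flagged because it repeatedly talks to one file server; the threshold counts distinct destinations, not connection volume.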
Bob Rudis, Chief Data Scientist at Rapid7:
“Rapid7 is seeing increased scanning activity for port 443 (web, including Struts) and a spike in 139 (Windows). The counts reflect unique sources, so this means more unique botnet nodes or other appropriated compute nodes were used to recently probe for the Struts weakness (and other web weaknesses).
To protect themselves, organisations should have a solid knowledge of the technologies they’ve deployed internally and externally and monitor for patches for their software and appliances. They should apply patches as quickly as possible or use network and system access controls to isolate systems that cannot be patched. In this case, organisations should scan for systems that are vulnerable to CVE-2017-5638 and CVE-2017-9822 and patch them immediately.
Rapid7 has no additional information on the originator of these attacks.
There is a 100% guarantee that attackers will be crafting similar exploits and performing these types of campaigns in the future. Attackers know that organisations are not able to patch systems quickly and have a large cache of exploits like these at their disposal. It is imperative that organisations use network- and system-level mitigations for vulnerable systems that cannot be patched quickly in order to avoid succumbing to similar-style attacks in the future.”
Josh Mayfield, Director at FireMon:
“Zealot begins its exploit with an HTTP request. There’s the first point… Organisations can prevent the initial request with tighter network security policies that prohibit the HTTP protocol between vulnerable servers. To discover which servers are vulnerable to attack, the organisation can use attack path simulation to see just which policies are leaving a vulnerable server accessible to the attacker.
This kind of simulation is usually performed during a penetration test; however, many organisations are beginning to have ongoing pen-tests with software that determines the probable weak spots and their susceptibility to exploit. Organisations with this kind of ambition and discipline can take faster, stronger action to improve security policies that could allow a vulnerability to be exploited by Zealot.
So, I see two steps organisations can take to defend against this:
- Regular attack simulation based on security policies that allow access to vulnerable servers
- Change security policies once attacks are simulated and understood
Be honest with yourself. What would an attacker do? Where could they go? Attack path simulation will show you this.
Who is behind these attacks?
With the widespread use of EternalBlue, it can be difficult to determine who is behind Zealot. But the larger concern is the ongoing security dilemma of cryptocurrency mining. Ransomware would not have the extraordinary frequency if it wasn’t for the demand and valuation of cryptocurrencies. Zealot is another emanation of this trend.
Now that attackers have a currency that is untraceable and outside the jurisdiction of any government, the stage is set for these kinds of attacks. Never before has there been such an alluring economic incentive. Attackers no longer consist of intelligent computer kids with too much time on their hands. These are well-organised, well-funded strategic groups looking to make a score financially.
This motive cannot be overlooked or dismissed. With financial incentives in place, we find ourselves in a world that will draw the worst of the worst into collusion with one another. There’s much more to gain than notoriety or fame. You can now get rich doing harmful things.
Will we see more of this style of attack in the future?
Yes. We may not see this precise Apache exploit, but the goal is one that will become increasingly common: mining cryptocurrency. Willie Sutton, infamous US bank robber, was asked, “Why do you rob banks?” His response: “Because that’s where the money is”.
These are not sadistic attackers motivated to see the world suffer in chaos, nor mischievous college students looking for ways to fill their downtime. These are human beings, directed by goals and using their skills to achieve those goals. The goal is money. The source is your computers. Organisms seeking a goal will take the environment as they find it and will use it to their own ends.
Pieces of the environment will be seen as a rock, a water stream or a piece of food. Something that can be used or get in the way. Your network is their potential slave. The very definition of exploit, using something or someone against their will to achieve some other end.
Why do attackers break into networks and launch malicious payloads to enslave computers? Because that’s where the money is.
Organizations can halt the spread with a close eye on these processes, even without an alert from their intrusion detection systems. Then, shut down east-west traffic.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.