WannaCry: Multiple malware families using the EternalBlue exploit
A week on from the WannaCry outbreak, a huge number of articles have been written on the topic. These have covered everything from in-depth analyses of WannaCry itself to discussion pieces about the EternalBlue and DoublePulsar exploits and, latterly, warnings about other pieces of malware using the same propagation techniques as WannaCry.
A week on from the WannaCry outbreak, a huge number of articles have been written on the topic. These have covered everything from in-depth analyses of WannaCry itself to discussion pieces about the EternalBlue and DoublePulsar exploits and, latterly, warnings about other pieces of malware using the same propagation techniques as WannaCry.
Forcepoint™ customers are protected against the underlying EternalBlue exploit via NGFW at the following stages of attack:
Stage Four (Exploit Kit) - The EternalBlue exploit attempts are blocked.
For threats where communication or distribution is performed via malicious email or URLs in combination with the EternalBlue exploit, customers with Forcepoint Web and Email Security products are additionally protected via TRITON Advanced Classification Engine.
What else is out there?
UIWIX - The UIWIX ransomware was first identified this week. Unlike WannaCry, UIWIX is not currently believed to be a worm (i.e. self-propagating): while it uses the EternalBlue exploit to gain access to systems, the scanning and exploitation appears to be conducted using a more traditional command and control (C2) infrastructure.
Adylkuzz - Adylkuzz was one of the first pieces of malware to be identified as a direct result of the attention generated by WannaCry. It is distributed in a similar fashion to UIWIX, using centralised C2 infrastructure to sweep the Internet for machines vulnerable to the EternalBlue exploit. When installed, Adylkuzz enrols the machine in a botnet used to mine the Monero cryptocurrency. Forcepoint Security Labs have identified campaigns with similar intent but different distribution methods in the past.
RATs - A number of Remote Access Tools have been identified using the EternalBlue exploit to spread. While the use of EternalBlue is common to all of the samples identified, the way the exploit is used varies with some samples (e.g. EternalRocks) taking the form of aggressively self-propagating worms, and others using a centralised scanning and distribution infrastructure similar to UIWIX and Adylkuzz.
Conclusion & recommendations
As noted at the start of this article, Forcepoint customers are protected against the EternalBlue exploit which underlies all of these campaigns by NGFW. Where applicable, customers with Forcepoint Web and Email Security products have additional protection against malicious email and/or URLs is in place to protect against other distribution methods and C2 communications.
Ultimately, as the exploitation technique at the root of these attacks is unchanged, the recommendations for all organisations remain the same as initially communicated during the WannaCry outbreak:
- Ensure that the MS17-010 security update is installed on all Windows machines within the organisation.
- Ensure that you have email and web security solutions that can block malicious emails, block intermediate payload download stages in real-time, and can provide URL Sandboxing features for additional protection at point-of-click.
- In line with Microsoft's guidance from 2016 [1], customers should consider disabling SMBv1 and other legacy protocols on all Windows systems [2] where this will not negatively impact the function of legacy systems within the environment. If you are a Forcepoint customer please consult the following Knowledge Base Article to identify what course of action may be suitable for your product: https://support.forcepoint.com/KBArticle?id=000012832
References
[1] https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/
