Secdo Blog

Multiple Groups Have Been Exploiting ETERNALBLUE Weeks Before WannaCry


Secdo has uncovered a new evasive attack that leaves no trace on disk and has been infecting organizations with the NSA exploits since mid-April.

Overview

We have found evidence of considerably more sophisticated actors leveraging the NSA ETERNALBLUE exploit to install backdoors and exfiltrate user credentials in networks around the world, including the US, three weeks prior to the WannaCry attack.

These attacks may pose a much bigger risk than WannaCry. Even if an organization blocked WannaCry and patched the SMB vulnerability, a backdoor may still be present and the stolen credentials may be used to regain access.

In late April some of our customers reported being hit by ransomware that none of their tools detected and that was considerably more advanced than WannaCry. One of those customers had deployed several different AV, NG-AV and anti-exploit agents, all of which had no trouble blocking WannaCry; none of them prevented these attacks or even detected them.

The ransomware is only the most visible payload. Underneath it, a more sophisticated attack took place that would otherwise have gone unnoticed. Because Secdo was already present on the targeted endpoints, our customers could record the attacks in real time and establish the full scope of the damage.

These actors use the NSA framework to spawn threads inside legitimate processes, effectively impersonating them, in order to evade even advanced Next Generation AVs. The idea is not new, but until now the technique has mostly been used by state-grade actors to bypass security products.


Technical Overview

We were able to record almost everything the attackers did because the customers had deployed Secdo beforehand. Secdo is a preemptive incident response solution that records every action on endpoints and servers at the thread level, which let us play back and analyze this attack even though it remained purely in memory.


Attack Flow:

The attack consists of 3 phases:

1. Initial compromise: a single endpoint is infected, either through a classic phishing attack or, if the endpoint exposes SMB to the internet, directly with ETERNALBLUE.


2. Lateral movement: once inside the network, ETERNALBLUE is used to infect other devices and spawn a malicious thread inside a legitimate process on each of them.


3. Persistence: the malicious thread inside the legitimate process is then used to achieve persistence, either by deploying a backdoor or by exfiltrating login credentials.

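The defining trait of phase 2 and 3 is a thread that runs inside a trusted process but did not come from any module that process loaded from disk. The following is an added example (written for this edit; it is not Secdo code and not output from the incidents) of the decision logic a thread-level hunt applies to that: every thread whose Win32 start address does not fall inside a MEM_IMAGE region is flagged, and a hit inside lsass.exe is ranked high. The process, thread and memory-region records are constructed; on a live Windows host the same fields would come from NtQueryInformationThread (ThreadQuerySetWin32StartAddress) and VirtualQueryEx, or from a memory image.

```python
"""Injected-thread hunting heuristic over constructed thread/region records.

A legitimate thread starts inside a module mapped from disk (MEM_IMAGE). A
thread started by ETERNALBLUE inside lsass.exe begins in anonymous memory
(MEM_PRIVATE), because the attacker's code was never a file on disk.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

MEM_IMAGE = "MEM_IMAGE"      # region backed by a DLL/EXE mapped from disk
MEM_PRIVATE = "MEM_PRIVATE"  # anonymous memory: heap, VirtualAlloc, shellcode


@dataclass
class Region:
    base: int
    size: int
    kind: str                   # MEM_IMAGE or MEM_PRIVATE
    protect: str                # Windows page protection, e.g. PAGE_EXECUTE_READ
    path: Optional[str] = None  # backing file; only meaningful for MEM_IMAGE


@dataclass
class Thread:
    pid: int
    tid: int
    image: str                  # owning process image name
    start_address: int          # Win32 start address of the thread


def region_for(addr: int, regions: List[Region]) -> Optional[Region]:
    """Return the committed region containing addr, or None."""
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None


def find_injected_threads(threads: List[Thread],
                          regions_by_pid: Dict[int, List[Region]]) -> List[dict]:
    """Flag threads whose start address is not inside a MEM_IMAGE region.

    lsass.exe hits are ranked high: it is the process targeted in both
    intrusions, and JIT engines (.NET, Java, browsers), which legitimately
    create threads in private memory, never run inside it. Expect those
    engines to produce medium-severity noise in other processes.
    """
    findings = []
    for t in threads:
        r = region_for(t.start_address, regions_by_pid.get(t.pid, []))
        if r is None:
            reason = "start address is not in any committed region"
        elif r.kind != MEM_IMAGE:
            reason = f"start address is in {r.kind} {r.protect} memory with no backing file"
        else:
            continue  # backed by a module on disk: normal thread
        findings.append({
            "pid": t.pid, "tid": t.tid, "image": t.image,
            "start": hex(t.start_address), "reason": reason,
            "severity": "high" if t.image.lower() == "lsass.exe" else "medium",
        })
    return findings


# Constructed sample (not real telemetry): lsass.exe (pid 612) with ntdll.dll
# and lsasrv.dll mapped plus one private RWX region, and explorer.exe (pid 2180).
SAMPLE_REGIONS = {
    612: [
        Region(0x7FFB1A0A0000, 0x1D1000, MEM_IMAGE, "PAGE_EXECUTE_READ",
               r"C:\Windows\System32\ntdll.dll"),
        Region(0x7FFB15A40000, 0x13B000, MEM_IMAGE, "PAGE_EXECUTE_READ",
               r"C:\Windows\System32\lsasrv.dll"),
        Region(0x1C3F5C20000, 0x21000, MEM_PRIVATE, "PAGE_EXECUTE_READWRITE"),
    ],
    2180: [
        Region(0x7FF6C1E10000, 0x4C0000, MEM_IMAGE, "PAGE_EXECUTE_READ",
               r"C:\Windows\explorer.exe"),
    ],
}
SAMPLE_THREADS = [
    Thread(612, 620, "lsass.exe", 0x7FFB1A0F3D40),       # starts inside ntdll.dll
    Thread(612, 3104, "lsass.exe", 0x1C3F5C21000),       # starts in private RWX memory
    Thread(2180, 2196, "explorer.exe", 0x7FF6C1E2A8C0),  # starts inside explorer.exe
]

if __name__ == "__main__":
    for finding in find_injected_threads(SAMPLE_THREADS, SAMPLE_REGIONS):
        print(finding)
```

Only thread 3104 is reported: its start address sits in a PAGE_EXECUTE_READWRITE private region of lsass.exe, which is exactly the shape of the thread spawned in the attacks above. On a real host, run the check across all processes, then whitelist the JIT noise by process rather than loosening the rule for lsass.exe.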

Threat Actor #1 - Stealing credentials

The attack originated from a Russia-based IP address (77.72.84.11), which at the time of writing has not been tagged by VirusTotal. The earliest activity we traced dates to late April, three weeks before the WannaCry outbreak.

Using ETERNALBLUE, a thread was spawned inside lsass.exe, and within a minute it began downloading multiple modules, including an SQLite DLL from SourceForge, which it used to open Firefox's profile databases and retrieve the saved login credentials.

The credentials were then exfiltrated over the Tor network, so we cannot say for certain where the C2 server is located.

After the credentials were exfiltrated, a variant of the CRY128 ransomware, running purely in memory, encrypted all the documents on the system. As mentioned above, at least five of the most popular NG-AV and anti-malware products were running on the endpoints and were unable to detect or stop this attack, most likely because it consisted of a thread running inside a trusted process rather than a new process or executable that could be scanned.

Threat Actor #2 - Chinese botnet

In what appears to be an opportunistic attack, a Chinese backdoor was installed using ETERNALBLUE. This too was seen in late April, three weeks before the WannaCry outbreak.

It started, like the credential-theft attack, by spawning a thread inside lsass.exe. Instead of remaining purely in memory, however, the initial payload connected back to a Chinese C2 server (117.21.191.69) on port 998 and downloaded a known rootkit backdoor (based on Agony).

The file was dropped in %programdata% under the name 666.exe. The NG-AV products present blocked 666.exe from running, but remained oblivious to the malicious thread inside lsass.exe.

The sample is described in detail here: https://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/
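Both intrusions share one observable that does not depend on catching the thread itself: lsass.exe initiating network connections it has no reason to make. The credential-theft thread fetched modules from SourceForge and exfiltrated over Tor, and the botnet thread called 117.21.191.69:998, all from inside lsass.exe, whereas on a domain-joined host lsass.exe only talks to domain controllers (Kerberos, LDAP, SMB, RPC). The following is an added example, written for this edit and not Secdo code or output, that turns this into a hunting rule over connection events. The event lines are constructed, shaped after Sysmon Event ID 3 fields; the internal ranges, the expected-port list and the addresses 203.0.113.10 and 198.51.100.7 are assumptions, while 117.21.191.69:998 is the C2 named above.

```python
"""Hunt for outbound connections initiated by lsass.exe.

Rule: lsass.exe connecting to an address outside the organisation's own
ranges is high severity regardless of port (this covers the SourceForge
download, the Tor circuit and the port-998 C2); lsass.exe connecting to an
internal host on a port it does not use for authentication is medium.
Event lines are constructed in a 'Key: value|Key: value' layout modelled on
Sysmon Event ID 3 fields; they are not logs from the described incidents.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption: the organisation's own address space. Replace with your ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
# Ports lsass.exe legitimately uses towards domain controllers:
# Kerberos (88), kpasswd (464), LDAP/LDAPS (389/636), GC (3268/3269), SMB (445), RPC EPM (135).
LSASS_EXPECTED_PORTS = {88, 464, 389, 636, 3268, 3269, 445, 135}
EPHEMERAL_START = 49152  # dynamic RPC endpoints answered by the DC


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key: value|Key: value' event line."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious lsass.exe connection, else None."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    if image != "lsass.exe" or ev.get("Initiated", "true").lower() != "true":
        return None
    dst = ipaddress.ip_address(ev["DestinationIp"])
    port = int(ev["DestinationPort"])
    if not is_internal(dst):
        return ("high", f"lsass.exe initiated a connection to external address {dst}:{port}")
    if port not in LSASS_EXPECTED_PORTS and port < EPHEMERAL_START:
        return ("medium", f"lsass.exe used unexpected port {port} towards internal host {dst}")
    return None


def hunt(lines: List[str]) -> List[dict]:
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            findings.append({"severity": verdict[0], "reason": verdict[1],
                             "dst": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'})
    return findings


SAMPLE_EVENTS = [
    # normal: Kerberos and a dynamic RPC endpoint on a domain controller
    r"Image: C:\Windows\System32\lsass.exe|DestinationIp: 10.0.0.5|DestinationPort: 88|Initiated: true",
    r"Image: C:\Windows\System32\lsass.exe|DestinationIp: 10.0.0.5|DestinationPort: 49672|Initiated: true",
    # module download over HTTPS (constructed external address)
    r"Image: C:\Windows\System32\lsass.exe|DestinationIp: 203.0.113.10|DestinationPort: 443|Initiated: true",
    # the backdoor C2 named in the post
    r"Image: C:\Windows\System32\lsass.exe|DestinationIp: 117.21.191.69|DestinationPort: 998|Initiated: true",
    # a Tor relay on its default OR port (constructed address)
    r"Image: C:\Windows\System32\lsass.exe|DestinationIp: 198.51.100.7|DestinationPort: 9001|Initiated: true",
    # a browser talking to the same external host is unremarkable
    r"Image: C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp: 203.0.113.10|DestinationPort: 443|Initiated: true",
    # lsass.exe to an internal host on a port it has no business using
    r"Image: C:\Windows\System32\lsass.exe|DestinationIp: 10.0.0.23|DestinationPort: 8080|Initiated: true",
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["reason"])
```

On the sample the rule yields three high findings (the download, the C2 and the Tor relay) and one medium (port 8080 internally), and stays silent on the Kerberos and RPC traffic to the domain controller and on the browser's own connection. The rule is deliberately blunt: because the attacks above kept their code in a thread rather than a file, the process identity plus destination is often the only thing that is left to alert on, and it survives the MS patch that closes the initial exploit.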

The ETERNALBLUE attack exploiting SMB and spawning a thread inside lsass.exe [Secdo].

Conclusion

Based on these findings, we suspect that the scope of the damage is much greater than previously thought, and that at least three different groups have been leveraging the NSA exploit to infect enterprise networks since late April.

These attacks show that endpoints may still be compromised even after the latest security patch has been installed. We strongly recommend using a solution that records events at the thread level, so that this kind of activity can be hunted, mitigated and its damage assessed as early as possible.

Secdo enables automated thread level visibility, hunting, analysis and response for organizations of all sizes.

DISCLAIMER: This post includes preliminary results and is subject to further updates.
