Additional threat actors are expanding the use of the EternalBlue exploit, the NSA hacking tool that was initially used by the WannaCry ransomware and Adylkuzz cryptocurrency miner.
This week, the exploit for the vulnerability (which exists in Microsoft's Server Message Block (SMB) protocol) has been observed being used to distribute Backdoor.Nitol and Trojan Gh0st RAT.
“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” wrote FireEye researchers, in a report.
Gh0st RAT is generally used in state-sponsored APT attacks against government agencies, other political targets and activists. Backdoor.Nitol, meanwhile, has been linked to campaigns involving remote code execution.
It is likely that we will see additional payloads for the tool. “The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” FireEye researchers said.
The discovery follows reports in May of other follow-on RAT distribution via EternalBlue, and of a seven-tool worm making use of it. EternalBlue, along with other NSA tools, is part of the cache released by the Shadow Brokers.
“EternalBlue is a particularly reliable exploit that gives access to execute code at the very highest privilege level so I would expect that hackers and penetration testers will get a lot of use out of it for years to come,” said Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposures Research Team (VERT). “Systems which cannot be upgraded should be discarded as safety hazards. Operating unsupported software is very much like driving a car without airbags. Patching alone however is insufficient since there is always going to be some window of opportunity for attackers before appropriate patches are installed.”
“The broad success of the WannaCry incident demonstrates that this vulnerability is prevalent, and that’s an advantage for attackers,” said Tim Erlin, vice president of product management and strategy for Tripwire. “They will continue exploiting this vulnerability for as long as it’s productive.”
To combat the issue, patching is the ideal way to protect systems. However, there are cases where a patch isn’t possible or may be delayed. In these cases, organizations should take other mitigation steps, such as blocking network ports, disabling unnecessary services and monitoring for exploit activity.
“Users should start by identifying all their vulnerable systems and prioritizing them for remediation,” Erlin said. “Systems that can be patched, should be patched. Those systems that can’t be patched should be evaluated for other mitigation options.”
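The steps described above (identify systems, disable the unnecessary SMBv1 dialect that EternalBlue targets, block the SMB port, monitor) as an added PowerShell example; it is not from the article or the researchers quoted. It assumes an elevated session on Windows 10 / Server 2016 or later, where the SmbShare and NetSecurity modules and the AuditSmb1Access setting are available; the firewall rule name is a constructed label.

```powershell
# Added example: inventory and harden SMB on one Windows host (report-only unless -Enforce).
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later.
param([switch]$Enforce)

$RuleName = 'Block inbound SMB from non-local networks (constructed label)'

# 1. Identify: is SMBv1 still enabled and is the server listening on TCP 445?
$smb = Get-SmbServerConfiguration
$listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    SMB1Enabled = $smb.EnableSMB1Protocol
    SMB2Enabled = $smb.EnableSMB2Protocol
    Port445Open = ($null -ne $listening)
} | Format-List

if ($Enforce) {
    # 2. Disable the unnecessary service: turn the SMBv1 dialect off on the server side.
    #    (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol removes it entirely,
    #    client side included, but requires a reboot.)
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 3. Monitor: log every SMB1 access attempt so legacy clients that still need it show up
    #    in the Microsoft-Windows-SMBServer/Audit event log before they break.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force

    # 4. Block the port: refuse inbound SMB from addresses outside the local subnet.
    #    Local file sharing keeps working; remote exploitation attempts are dropped.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block | Out-Null
    }
}

# 5. Review: list the most recent SMB1 access audit events (empty until auditing is on).
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it first without -Enforce on a representative host to see what it reports, then with -Enforce once the audit log shows no SMB1 clients that still need the dialect.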