Larger than WannaCry: EternalRocks Worm Spreads Using 7 Leaked NSA Exploits
EternalRocks uses seven tools leaked by the Shadow Brokers: four SMB exploits (EternalBlue, EternalChampion, EternalRomance and EternalSynergy), two reconnaissance tools (ArchiTouch and SMBTouch), and the DoublePulsar backdoor.
EternalRocks gives users no indication that they have been infected; it runs silently. Once on a computer, it downloads the Tor client and beacons to a command-and-control (C&C) server hosted on the Dark Web as a Tor hidden service. The worm then waits 24 hours before the C&C server responds; only after that delay does it download the seven SMB tools and begin self-replicating, scanning the internet for hosts with SMB (TCP port 445) exposed and spreading into other organizations. Because of this stealth and the activation delay, the number of infected computers is unknown. The worm currently carries no malicious payload.
Infected computers are nevertheless left open to remote commands that could weaponize the infection at any time, for example by dropping banking Trojans or Remote Access Trojans. Applying the SMB patches to a machine already infected by EternalRocks closes the entry vector but does not remove the attacker's access: the DoublePulsar backdoor it installed still accepts commands remotely, so an infected host must be cleaned, not merely patched.
Microsoft patched these SMB vulnerabilities in March 2017 with security bulletin MS17-010, but many computers remain unpatched, leaving them exploitable by EternalRocks.
What can you do
- Scan your network for unpatched systems and for hosts that still expose SMB
- Apply all patches for the SMB vulnerabilities (MS17-010) immediately, and block inbound SMB (TCP 445) from the internet at the perimeter
- Block access to the C&C server and to Torproject.org
- Monitor for any newly created scheduled tasks
- Ensure your critical systems are backed up to a separate drive or machine
- Update your incident response plan
To stay protected over time, keep your operating systems current by promptly applying the patches recommended by the OS vendor, run up-to-date antivirus software on all systems, and have a program in place that scans email attachments and files downloaded from the Internet. Your web filter should also be reviewed to ensure that additional malicious websites are blocked.