EternalBlue is Back, with New Tricks

November 6th 2017
A blended threat combining email and Server Message Block (SMB) has been uncovered. It uses the compromised machine as a stepping stone to propagate laterally via the EternalBlue exploit.

Netskope Threat Research Labs said that the inclusion of the EternalBlue exploit is insidious because it is launched internally from the newly infected machine, giving direct access to hosts reachable over SMB such as file shares and backup systems. This puts core data stores at risk in a way that may be impossible to anticipate. SMB, a file sharing protocol that provides shared access to files across a network, is also very widely deployed, so the vulnerability has a considerable impact.

“We have observed that the presence of embedded document files in cloud storage and collaboration services poses a more significant threat to an enterprise environment since it arrives from a trusted source,” said Netskope researcher Ashwin Vamshi. “Once an endpoint is compromised with the second-stage payload like EternalBlue, it creates a wormed infection, leading all neighboring internal computers to be attacked via SMB from the newly compromised internal stepping-stone system.”

Earlier this year, The Shadow Brokers group disclosed a series of exploits, backdoors and attack tools affiliated with nation-state activity. One of the exploits, EternalBlue, targets exposed SMB ports to achieve remote code execution, and has been widely used in attacks such as WannaCry, NotPetya and, more recently, Bad Rabbit.

In this case, the initial attack begins with a Swiss regional email containing a Word document with an embedded .lnk object, which is actually a backdoor that downloads the EternalBlue payload. From there, the threat moves from a cross-perimeter attack to an internal one, with EternalBlue spreading itself across an organization’s network without any user intervention, leading to internal attacks that organizations may not be prepared for.

“The use of cloud services by enterprises, along with the implicit trust, has led to an increase in malware attacks and is thus posing a new challenge for organizations,” said Vamshi, adding that organizations should enforce policy on the use of unsanctioned services as well as unsanctioned instances of sanctioned cloud services.
