Multiple Groups Have Been Exploiting ETERNALBLUE Weeks Before WannaCry

We have found evidence of much more sophisticated actors leveraging the NSA ETERNALBLUE exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the US, three weeks prior to the WannaCry attack.

These attacks might pose a much bigger risk than WannaCry. Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

In late April some of our customers reported being attacked by an undetectable ransomware, much more advanced than WannaCry. In fact, one of the customers had deployed several different AV, NG-AV and Anti-Exploit agents, all of which had no trouble blocking WannaCry, yet none of them were able to prevent these attacks or even detect them.

The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed. Having Secdo present on the targeted endpoints allowed our customers to record the attacks in real-time and unveil the full scope of the damage.

These actors are leveraging the NSA framework to spawn threads inside legitimate applications, essentially impersonating them, to evade even the most advanced Next Generation AVs. While this is not a completely new idea, this technique has been mostly used by state-grade actors in the past to bypass security vendors.

Technical Overview

We were able to record almost everything the attackers did because customers had deployed Secdo beforehand. Secdo is a preemptive incident response solution that records every action on endpoints and servers at the thread level, which allowed us to play back and analyze this attack even though it remained purely in-memory.

Attack Flow:

The attack consists of 3 phases:

1. Initial compromise: A single endpoint is infected either through a classic phishing attack or, if the endpoint exposes SMB to the internet, through ETERNALBLUE.

2. Once inside the network, ETERNALBLUE is used to infect other devices and spawn a stealthy thread inside legitimate applications.

3. The malicious thread inside the legitimate process is then used to achieve persistence by either deploying a backdoor or exfiltrating login credentials.

Threat Actor #1 – Stealing credentials

The attack, which has been traced back to late April, three weeks prior to the WannaCry outbreak, originated from a Russia-based IP address (77.72.84.11) that has not yet been tagged by VirusTotal.

Using ETERNALBLUE, a thread was spawned inside lsass.exe, and within a minute it began downloading multiple modules, including a SQLite DLL from SourceForge, which was then used to open and retrieve login credentials from Firefox.

The credentials were then exfiltrated through the TOR network, so we cannot say for certain where the C2 server is located.

After the credentials are exfiltrated, a ransomware variant of CRY128 that runs purely in-memory encrypts all the documents on the system. As mentioned before, at least 5 of the most popular Next Gen AV vendors and Anti-Malware vendors were running on the endpoints and were unable to detect and stop this attack. This is most likely due to the thread-only nature of the attack.

Threat Actor #2 – Chinese botnet

In what seems to be an opportunistic attack, a Chinese backdoor is installed using ETERNALBLUE. This was also seen in late April, 3 weeks before the WannaCry outbreak.

It begins by spawning a thread inside lsass.exe, similar to the credential theft attack, but instead of remaining purely in-memory, the initial payload connects back to a Chinese C2 server (117.21.191.69) on port 998 and downloads a known rootkit backdoor (based on Agony).

The file is dropped in %programdata% under the name 666.exe. Existing NG-AV vendors that were present were able to block 666.exe from running, but remained oblivious to the malicious thread running inside of lsass.exe.

The sample is described in detail here: https://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/

The ETERNALBLUE attack exploiting SMB and spawning a thread inside of lsass.exe [Secdo].

The malicious thread (TID 828) inside of lsass.exe downloading 666.exe [Secdo].
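
The two lsass.exe behaviours described above (an outbound connection to an internet address and an executable written to disk) can be hunted for in endpoint telemetry. The following Python is an added example, not Secdo's tooling or code from the original post; the event records are constructed, use Sysmon field names (Event ID 3 for a network connection, Event ID 11 for a file create), and the function names and extension list are assumptions. It assumes lsass.exe legitimately talks only to internal hosts such as domain controllers.

```python
import ipaddress
from pathlib import PureWindowsPath

LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed sample events (not real telemetry), Sysmon-style field names.
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": LSASS, "DestinationIp": "10.0.0.5", "DestinationPort": 88},
    {"EventID": 3, "Image": LSASS, "DestinationIp": "117.21.191.69", "DestinationPort": 998},
    {"EventID": 11, "Image": LSASS, "TargetFilename": r"C:\ProgramData\666.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\cache.dat"},
]

# Assumed list of file types that lsass.exe has no reason to write.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr"}


def is_lsass(image):
    """True when the event's process image is lsass.exe (matched by file name)."""
    return PureWindowsPath(image).name.lower() == "lsass.exe"


def is_external(ip):
    """True for globally routable addresses; private, loopback, etc. are internal."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False  # not an IP literal; leave to other rules


def hunt(events):
    """Return (index, rule, detail) for each suspicious lsass.exe event."""
    findings = []
    for i, ev in enumerate(events):
        if not is_lsass(ev.get("Image", "")):
            continue
        if ev["EventID"] == 3 and is_external(ev["DestinationIp"]):
            detail = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            findings.append((i, "lsass-external-connection", detail))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if PureWindowsPath(target).suffix.lower() in EXECUTABLE_EXTENSIONS:
                findings.append((i, "lsass-dropped-executable", target))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on the process rather than on a file hash, so they still fire when the dropped file is blocked but the injected thread keeps running.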


Conclusion

Based on these findings, we suspect that the scope of the damage is much greater than previously thought, and that there are at least 3 different groups that have been leveraging the NSA exploit to infect enterprise networks since late April.

These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch. We highly recommend using a solution that has the ability to record events at the thread level in order to hunt, mitigate and assess potential damage as soon as possible.

Source: https://blog.secdo.com/multiple-groups-exploiting-eternalblue-weeks-before-wannacry