WannaCry Lingers, Cyber Analyst Warns
One week after a ransomware attack cut a swathe across Europe and China, a range of after-action analyses have emerged as to how the exploit unfolded and how the perpetrators leveraged recently hacked National Security Agency tools.
The latest assessment of the so-called WannaCry ransomware outbreak comes from digital forensic specialist Secdo, which posits that hackers leveraged NSA's "EternalBlue" exploit several weeks before the actual cyber attack. The New York-based incident response vendor asserted Friday (May 19) that hackers installed backdoors and stole user credentials weeks before the actual attack, which unfolded beginning on May 12 and quickly spread from the U.K. to China and beyond.
The upshot, the cyber-security analyst found, is that WannaCry is just one variant of the lingering attack, and organizations ranging from hospitals to manufacturers remain vulnerable to "thread-level attacks" in which backdoors continue to be installed while network credentials are stolen and user data encrypted.
The NSA framework was used to spawn threads inside legitimate Windows applications, essentially impersonating them, the company said. "While this is not a completely new idea, this technique has been mostly used by state-grade actors in the past to bypass security vendors."
"WannaCry is merely a visible symptom and not the underlying cause," explained Secdo CTO Gil Barak. "Multiple threat actors were exploiting EternalBlue to infect endpoints weeks prior to the WannaCry outbreak. Even if your organization successfully blocked or was not attacked by WannaCry, you may still be compromised."
Once inside Windows-based machines, the ransomware attack launched another leaked NSA tool, DoublePulsar, the backdoor implant used alongside EternalBlue in the WannaCry ransomware attack. That step spawned a thread within a program, "allowing it to remain undetected by most detection systems that are unable to collect activities at the thread level," the company said.
"Finding a machine with DoublePulsar running indicates that the same vulnerability used in the WannaCry malware was used to compromise Windows machines much earlier," said Jake Williams, who scanned the Internet looking for active infections of DoublePulsar.
While the number of active infections varies from 25,000 to as many as 150,000, "it is clear that attackers have been exploiting this vulnerability almost since the day it was released by Shadow Brokers," added Williams, referring to the hacker group that leaked several NSA hacking tools beginning in April.
Along with installing a Microsoft patch issued May 12, Secdo recommends that organizations scan for thread-based intrusions going back to at least early April, when Shadow Brokers began leaking the NSA exploits.
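The look-back hunt the article recommends can be approximated with endpoint telemetry that does record thread activity. The following is an added example, not Secdo's tooling or code from the article: it triages constructed Sysmon Event ID 8 (CreateRemoteThread) records for threads started in a different process by a source outside an assumed allowlist, restricted to the early-April-onward window the text describes. The sample records, PIDs and allowlist are all assumptions.

```python
"""Triage constructed Sysmon Event ID 8 (CreateRemoteThread) records for
cross-process thread creation inside the recommended look-back window.
The records and the allowlist below are assumptions, not real telemetry."""
from datetime import datetime, timezone

# The text recommends scanning back to at least early April 2017, when the leak began.
WINDOW_START = datetime(2017, 4, 1, tzinfo=timezone.utc)

# Assumed allowlist of source images that routinely start threads in other processes.
EXPECTED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample records using Sysmon Event ID 8 field names (not real data).
SAMPLE_EVENTS = [
    {"UtcTime": "2017-03-30 22:10:01", "SourceProcessId": 4120, "TargetProcessId": 612,
     "SourceImage": r"C:\Tools\debug.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"UtcTime": "2017-04-18 03:14:07", "SourceProcessId": 504, "TargetProcessId": 3380,
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"UtcTime": "2017-04-21 11:02:45", "SourceProcessId": 1288, "TargetProcessId": 1460,
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\spoolsv.exe"},
    {"UtcTime": "2017-05-12 09:30:12", "SourceProcessId": 1288, "TargetProcessId": 2044,
     "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\svchost.exe"},
]


def parse_utc(stamp):
    """Sysmon writes UtcTime as 'YYYY-MM-DD HH:MM:SS[.fff]'; attach the UTC zone."""
    return datetime.strptime(stamp[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def find_suspicious_threads(events, window_start=WINDOW_START, allow=EXPECTED_SOURCES):
    """Return records where a non-allowlisted process created a thread in a
    different process (by PID) at or after window_start, oldest first."""
    hits = []
    for ev in events:
        when = parse_utc(ev["UtcTime"])
        if when < window_start:
            continue  # outside the look-back window
        if ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue  # thread created in the process's own address space
        if ev["SourceImage"].lower() in allow:
            continue  # an expected cross-process thread creator
        hits.append({"when": when.isoformat(), "source": ev["SourceImage"],
                     "target": ev["TargetImage"]})
    return sorted(hits, key=lambda h: h["when"])


if __name__ == "__main__":
    for hit in find_suspicious_threads(SAMPLE_EVENTS):
        print(hit)
```

Same-image but different-PID thread creation (the last sample) is deliberately still flagged, since the point of the technique is to hide inside a legitimate image.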
Details on Secdo's analysis are available here.