More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry

Since the Shadow Brokers released the zero-day software vulnerabilities and hacking tools – allegedly belonged to the NSA’s elite hacking team Equation Group – several hacking groups and individual hackers have started using them in their own way.

The April’s data dump was believed to be the most damaging release by the Shadow Brokers till the date, as it publicly leaked lots of Windows hacking tools, including dangerous Windows SMB exploit.

After the outbreak of WannaCry last week, security researchers have identified multiple different campaigns exploiting Windows SMB vulnerability (CVE-2017-0143), called Eternalblue, which has already compromised hundreds of thousands of computers worldwide.

I have been even confirmed by multiple sources in hacking and intelligence community that there are lots of groups and individuals who are actively exploiting Eternalblue for different motives.

Moreover, the Eternalblue SMB exploit (MS17-010) has now been ported to Metasploit, a penetration testing framework that enables researchers as well as hackers to exploit this vulnerability easily.

Cybersecurity startup Secdo, an incident response platform, has recently discovered two separate hacking campaigns using the same Eternalblue SMB exploit at least three weeks before the outbreak of WannaCry global ransomware attacks.

So, it would not be surprised to find more hacking groups, state-sponsored attackers, financially motivated organized criminal gangs and gray hat hackers exploiting Eternalblue to target large organizations and individuals.

The two newly discovered hacking campaigns, one traced back to Russia and another to China, are much more advanced than WannaCry, as sophisticated hackers are leveraging Eternalblue to install backdoors, Botnet malware and exfiltrate user credentials.

According to Secdo, these attacks might pose a much bigger risk than WannaCry, because even if companies block WannaCry and patch the SMB Windows flaw, “a backdoor may persist and compromised credentials may be used to regain access” to the affected systems.

Both campaigns are using a similar attack flow, wherein attackers initially infect the target machine with malware via different attack vectors, then uses Eternalblue to infect other devices in the same network and finally inject a stealthy thread inside legitimate applications, which is then used to achieve persistence by either deploying a backdoor or exfiltrating login credentials.

Read more…