Incident Response Case Study: New worms exploiting the NSA toolkit
by Noah Dunker
Last week, RA Labs noticed MS17-010 exploit attempts against production networks we’re monitoring, seemingly unrelated to the massive WannaCry outbreak two weeks ago. On Monday, May 22, we observed an active worm at one customer site. We immediately alerted their staff to the incident, then filtered SMBv1 traffic through the ThreatSweep™ to limit the spread of the worm. Within minutes, the customer’s IT staff had identified and isolated the system in question and, working with RA Labs, tied together several host-based Indicators of Compromise (IOCs) consistent with the EternalRocks worm. The culprit was a Windows 2003 server that hadn’t been manually patched yet. Within a few hours, the system was patched, cleaned and restored to service.
ThreatSweep acts on security threats around the clock, but this is just one example of how RiskAnalytics provides meaningful, actionable visibility to our customers’ IT staff every day. EternalRocks is one of several worms recently observed in the wild, exploiting 0-day vulnerabilities that had been stockpiled by the US Government’s spy agencies and leaked by ShadowBrokers. Some samples of this worm feature a 24-hour delay from initial infection to any malicious activity such as scanning for vulnerable hosts. The worm appears to be mostly dormant, but the command-and-control infrastructure could be used to deploy any number of malicious payloads at a moment’s notice.
ThreatSweep detects the techniques used by these worms. It can block attack attempts, and will issue a HOTAlert™ to your staff instantly when this activity is observed inside your network.
Our advice for dealing with these new worms is similar to our advice for WannaCry:
- Ensure all software patches are applied to all systems in your organization.
- Identify unsupported operating systems, and come up with a migration plan to decommission unsupported software that can’t be patched.
- Reduce the exposure of unnecessary network services to the Internet.