New Microsoft MS17-010 Vulnerability Ransomware 'EternalRocks' Discovered
The Microsoft MS17-010 vulnerability recently resulted in a ransomware attack called WannaCry, but it looks like another one is making waves online.
Dubbed EternalRocks and first uncovered by security researcher Miroslav Stampar from Croatia's Computer Emergency Readiness Team, the ransomware is apparently a combination of many National Security Agency breaches. EternalRocks, which has the original name MicroBotMassiveNet, is the doing of Shadow Brokers, the hacking group that was also responsible for EternalBlue. EternalBlue was the exploit used to spread WannaCry.
In his Twitter post, Stampar linked to his GitHub account, which described the spread of EternalRocks. Stampar also accompanied the explanation with images.
There are apparently two stages to the process. The first stage involves certain .NET components being downloaded onto the host computer. Only Windows computers that do not have the MS17-010 patch are affected. Svchost.exe and taskhost.exe are launched, while the Tor browser is also downloaded.
The next stage, which takes place after 24 hours, downloads a different taskhost.exe onto the computer. The first run will unleash shadowbrokers.zip, which is an exploit pack that releases "contained directories payloads/, configs/ and bins/."
A random scan then follows, which looks across the internet for open 445 (SMB) ports. This happens while the previously outlined contained exploits run. The Tor browser will also be up at this point in order to pull in instructions from the command-and-control (C&C) server.
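A defender-side illustration of the port 445 scanning behaviour described above, added here as an example and not taken from Stampar's write-up or from this article: it flags internal hosts that contact many distinct internet addresses on TCP 445 within a short window. The log format, the internal address ranges, the thresholds and every sample record are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445  # the port the article says is scanned
# Assumption: these RFC 1918 ranges are the organisation's internal networks.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def parse_flow(line):
    """Parse 'ISO-timestamp src dst dport' (hypothetical flow-log format)."""
    ts, src, dst, dport = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport))


def find_smb_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {src: peak count of distinct external 445 targets in any window}
    for internal hosts whose peak reaches min_targets."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, dport in sorted(map(parse_flow, lines), key=lambda f: f[0]):
        # Only internal -> internet SMB attempts matter; LAN file sharing is skipped.
        if dport != SMB_PORT or not is_internal(src) or is_internal(dst):
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {str(s): n for s, n in peak.items() if n >= min_targets}


def sample_flows():
    """Constructed records, not real traffic (documentation address ranges)."""
    base = datetime(2017, 5, 22, 12, 0, 0)
    stamp = lambda **kw: (base + timedelta(**kw)).isoformat()
    # 10.0.0.5: 25 distinct external hosts on 445 within 25 seconds
    flows = [f"{stamp(seconds=i)} 10.0.0.5 203.0.113.{i + 1} 445" for i in range(25)]
    # 10.0.0.9: repeated use of an internal file server
    flows += [f"{stamp(seconds=i)} 10.0.0.9 10.0.0.2 445" for i in range(30)]
    # 10.0.0.7: a few external SMB attempts, ten minutes apart
    flows += [f"{stamp(minutes=10 * i)} 10.0.0.7 198.51.100.{i + 1} 445" for i in range(5)]
    return flows


if __name__ == "__main__":
    print(find_smb_scanners(sample_flows()))
```

Outbound TCP 445 to the internet is rarely legitimate, so in practice the threshold can be set low, and blocking that traffic at the perimeter removes the need to count at all.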
Stampar posted many samples on his GitHub account, including file paths and mutexes. And while EternalRocks currently does not take any malicious actions, it is clear that this attack is also spreading like WannaCry. EternalRocks has been live since earlier this month, even though it was only discovered rather recently.
Users are advised to update their systems with the patch from Microsoft, as EternalRocks is a more serious threat than WannaCry. According to CNET, WannaCry made use of two NSA exploits, but EternalRocks is utilizing seven.