Newly Found Malware Uses 7 NSA Hacking Tools, Where WannaCry Uses 2

A security researcher has identified a new strain of malware that also spreads itself by exploiting flaws in the Windows SMB file-sharing protocol, but unlike the WannaCry ransomware, which uses only two of the leaked NSA hacking tools, it exploits all seven.

Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but almost all of them were making use of only two tools: EternalBlue and DoublePulsar.

Now Miroslav Stampar, a security researcher who created the famous 'sqlmap' tool and is now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill-switch.

Unlike WannaCry, EternalRocks seems to be designed to function secretly in order to remain undetected on the affected system. However, Stampar learned of EternalRocks after it infected his SMB honeypot.

The NSA exploits used by EternalRocks, which Stampar called DoomsDayWorm on Twitter, include:

- EternalBlue: SMBv1 exploit tool
- EternalRomance: SMBv1 exploit tool
- EternalChampion: SMBv2 exploit tool
- EternalSynergy: SMBv3 exploit tool
- SMBTouch: SMB reconnaissance tool
- ArchTouch: SMB reconnaissance tool
- DoublePulsar: backdoor Trojan

As we have mentioned in our previous articles, SMBTouch and ArchTouch are SMB reconnaissance tools, designed to scan for open SMB ports on the public internet, whereas EternalBlue, EternalChampion, EternalSynergy and EternalRomance are SMB exploits, designed to compromise vulnerable Windows computers. DoublePulsar is then used to spread the worm from one affected computer to the other vulnerable machines across the same network.

Stampar found that EternalRocks disguises itself as WannaCry to fool security researchers, but instead of dropping ransomware, it gains unauthorized control of the affected computer to launch future cyber attacks.
Here's How the EternalRocks Attack Works:

EternalRocks installation takes place in a two-stage process. During the first stage, EternalRocks downloads the Tor web browser onto the affected computer, which is then used to connect to its command-and-control (C&C) server located on the Tor network on the Dark Web.

"First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from the Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample)," Stampar says.

According to Stampar, the second stage comes with a delay of 24 hours in an attempt to avoid sandboxing techniques, making the worm infection harder to detect. After 24 hours, EternalRocks responds to the C&C server with an archive containing the seven Windows SMB exploits mentioned above.

"Component svchost.exe is used for downloading, unpacking and running Tor from along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components)," Stampar adds.

All seven SMB exploits are then downloaded to the infected computer. EternalRocks then scans the internet for open SMB ports to spread itself to other vulnerable systems as well.

If you are following The Hacker News coverage of the WannaCry ransomware and the Shadow Brokers leaks, you must be aware of the hacking collective's new announcement that it will release new zero-days and exploits for web browsers, smartphones, routers, and the Windows operating system, including Windows 10, from next month. Exclusive access to the upcoming leaks of zero-days and exploits would be given to those buying a subscription to its 'Wine of Month Club.' However, the Shadow Brokers has not yet announced the price of the subscription.
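The two behaviours described above, worm-style sweeping of SMB peers and dropped components that borrow Windows system binary names, are both observable from ordinary connection and process-creation logs. The following is an added example, not code from the article or from Stampar's analysis: it flags a host contacting an unusual number of distinct peers on TCP 445 within a short window, and flags svchost.exe or taskhost.exe launched from outside the system directories, as well as the first-stage name UpdateInstaller.exe. The log layouts, the threshold values, the drop paths and all sample records are constructed assumptions for the example.

```python
"""Detection logic for two EternalRocks behaviours the article describes:
SMB scanning of many hosts (worm propagation) and dropped binaries that borrow
Windows system names (svchost.exe, taskhost.exe) plus the first-stage dropper
UpdateInstaller.exe. Log formats, paths, thresholds and the sample records are
constructed for this example and are not taken from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
SCAN_WINDOW = timedelta(minutes=5)      # assumed: look for sweeps within 5 min
DISTINCT_DST_THRESHOLD = 10             # assumed: 10+ distinct SMB peers is abnormal
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
MASQUERADED_NAMES = {"svchost.exe", "taskhost.exe"}   # names the worm drops
DROPPER_NAMES = {"updateinstaller.exe"}               # first-stage component


def find_smb_scanners(conn_log, window=SCAN_WINDOW, threshold=DISTINCT_DST_THRESHOLD):
    """conn_log rows: (iso_timestamp, src_ip, dst_ip, dst_port).
    Returns {src_ip: max_distinct_smb_peers_in_window} for sources at or over threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in conn_log:
        if port == SMB_PORT:
            per_src[src].append((datetime.fromisoformat(ts), dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            # sliding window anchored at each event; events are time-ordered
            peers = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(peers))
        if best >= threshold:
            scanners[src] = best
    return scanners


def find_suspicious_processes(proc_log):
    """proc_log rows: (iso_timestamp, host, image_name, full_path).
    Returns (host, image_name, full_path, reason) for each suspicious start."""
    hits = []
    for _ts, host, name, path in proc_log:
        lname, lpath = name.lower(), path.lower()
        if lname in DROPPER_NAMES:
            hits.append((host, name, path, "first-stage dropper name"))
        elif lname in MASQUERADED_NAMES and not lpath.startswith(SYSTEM_DIRS):
            hits.append((host, name, path, "system binary name outside system dir"))
    return hits


def constructed_conn_log():
    """Constructed sample: one host sweeping 12 peers on 445, one ordinary host."""
    base = datetime(2017, 5, 18, 10, 0, 0)
    rows = []
    for i in range(12):   # worm-like sweep, a new peer every 10 s
        rows.append(((base + timedelta(seconds=10 * i)).isoformat(),
                     "10.0.0.5", f"10.0.1.{i + 1}", SMB_PORT))
    for i in range(12):   # normal client alternating between two file servers
        rows.append(((base + timedelta(seconds=15 * i)).isoformat(),
                     "10.0.0.9", f"10.0.2.{(i % 2) + 1}", SMB_PORT))
    rows.append(((base + timedelta(seconds=5)).isoformat(),
                 "10.0.0.9", "203.0.113.10", 443))   # unrelated HTTPS traffic
    return rows


# Constructed process-creation records; the non-system paths are assumptions.
CONSTRUCTED_PROC_LOG = [
    ("2017-05-18T10:05:00", "WS01", "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("2017-05-18T10:05:10", "WS01", "svchost.exe", r"C:\Users\Public\svchost.exe"),
    ("2017-05-18T10:05:12", "WS01", "taskhost.exe", r"C:\ProgramData\taskhost.exe"),
    ("2017-05-18T10:05:15", "WS01", "UpdateInstaller.exe", r"C:\Users\Public\UpdateInstaller.exe"),
    ("2017-05-18T10:06:00", "WS02", "taskhost.exe", r"C:\Windows\System32\taskhost.exe"),
]


if __name__ == "__main__":
    for src, n in find_smb_scanners(constructed_conn_log()).items():
        print(f"possible SMB worm sweep from {src}: {n} distinct peers on 445")
    for host, name, path, reason in find_suspicious_processes(CONSTRUCTED_PROC_LOG):
        print(f"{host}: {name} at {path} ({reason})")
```

The scanning rule deliberately counts distinct peers rather than raw connection volume, so a busy client that hammers the same two file servers stays under the threshold while a sweep across fresh addresses does not; the 24-hour staging delay the article mentions means the process signal may appear a day before any propagation traffic, so both checks are worth running independently.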
Since hackers and state-sponsored attackers are currently waiting for new zero-days to exploit, there is very little you can do to protect yourself from the upcoming cyber attacks.

*********************************************************************************

During the past few years, SSDs have slowly replaced classic disk-based HDDs as the prime storage medium for the world's data, taking over not only in data centers, but in our phones, tablets, laptops, and desktop PCs.

At their heart, SSDs are a collection of smaller components named NAND flash memory chips, all clustered together in rows, similar to classic RAM memory chips. Unlike classic RAM memory chips, NAND memory chips are non-volatile, meaning they don't lose their electrical charge (aka the user's data) after the computer is shut off.

The first generation of SSD storage drives used a technology called single-level cell (SLC), which used one NAND flash memory cell to store one bit of information, with electrically charged standing for a binary one and not electrically charged standing for a binary zero.

As with all technology, things evolved over the years, and scientists and SSD vendors realized they could integrate a floating gate transistor into the NAND flash memory chip, which gave them the ability to store two bits of information in the form of a range of charge voltage values representing the binary numbers 00, 01, 10, and 11. This new technology is called multi-level cell (MLC), and has become prevalent in all SSDs since around 2015.

According to research published earlier this year, the programming logic powering MLCs is vulnerable to at least two types of attacks.
First Attack: Program Interference

The first of these attacks, which the researchers named program interference, takes place when an attacker manages to write data with a certain pattern to a target's SSD. The exploit's data pattern causes the MLC's programming logic to produce 4.9 more errors than usual, which comes with the side-effect of triggering interference in neighboring NAND flash memory cells.

The consequence is that an attacker can corrupt local data, or even shorten an SSD's lifetime, if they can cause repeated interference. This is because an SSD's lifetime is defined by the finite number of read-write operations it can perform on its flash memory chips before they lose their ability to remain charged between reboots.

This type of interference attack is similar to the Rowhammer attack on classic RAM memory chips, where an attacker bombards a row of RAM memory cells with repeated read-write operations, causing electrical interference that flips the bits of nearby cells. While the attack is somewhat similar, it is not the same thing, and the researchers have not gone on record calling this a Rowhammer attack.

Second Attack: Read Disturb

The second vulnerability the researchers discovered in the programming logic of NAND flash memory chips is what they called read disturb. In this attack scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon known as read disturb errors. The researchers say these read disturb errors will corrupt both pages already written to partially-programmed wordlines and pages that have yet to be written, ruining the SSD's ability to store data reliably in the future.