Leaked NSA Exploit ‘EternalBlue’ Being Used in New Trojan Attacks

A recently leaked NSA exploit that was discovered in the biggest ransomware attack (WannaCry) ever is now powering Trojan malware. The EternalBlue exploit was leaked by the hacking group known as The Shadow Brokers and it was known for using the Server Message Block Protocol SMB vulnerability in Windows to hijack computers.

Before it was discovered and got patched, this flaw was supposedly known and used by the US intelligence. There are allegations that the NSA used this flaw for the surveillance purposes, before the leak that made it public. That’s why Microsoft slammed NSA and the CIA for hiding critical security flaws from vendors and manufacturers.

When it comes to EternalBlue, the exploit itself possesses worm-like capabilities and it is able to move across the network it infects by using Windows’ Server Message Block Protocol.

Since the exploit went public, its first spread was via WannaCry ransomware that happened several weeks ago in May. For the most part, the spread has been stopped and it was believed that the threat has ended. Now, however, there’s evidence that hackers have been using the same exploit to carry out other forms of attack, this time much more discreetly.

According tresearchers at FireEye, this attack includes the distribution of Backdoor Nitol, a Trojan which allows access to an infected device via the backdoor that it opens upon getting on it. Another form of attack that uses the same exploit is a Ghost RAT, which is a malware, and it has the ability to take complete control over the infected device. It can also be used for stealing data and conducting espionage in general.

Leaked NSA Exploit 'EternalBlue' Used Again in a Trojan Attack
Network traffic displaying EternalBlue attack attempt (Credit: FireEye).

This malware has proved to be dangerous and a threat to industries, companies and even to the governments itself. And that was even before it got powered up by using EternalBlue exploit stolen from the NSA. Now, this malware is attacking Singapore, while the Trojan Nitol terrorizes the bigger area of South Asia.

Researchers have warned that there are still devices vulnerable to SMB exploit, despite the ransomware which proves how important it is to patch the machines. Now, the hackers are using EternalBlue to get access to these devices.

The first exploit that was used at the SMB level reminded the researchers of what WannaCry used to act like, but this time, the attack wasn’t used for spreading ransomware. This time, the malware would get on the device and execute code that would help install a backdoor on the device. Both Ghost RAT and Nitol are being used in order to achieve this.

Both of these attacks have been known to researchers for years. Despite the fact that they’re being used in combination with such a serious exploit, there’s no indication that they’ll get as big as WannaCry managed to get. Also, this exploit is now public, and for a while too, which can only mean that we’ll see more and more of it as the time passes.

That’s why it’s extremely important for as many Windows users as possible to download the patch for the exploit as soon as they possibly can. The situation is serious, and the seriousness is outlined in a recent report. Such a report states that WannaCry was extremely damaging, and yet, it wasn’t nearly as damaging as it could have been. Apparently, quick and sloppy coding has crippled it, and despite that, it still managed to bring half the world down.

If Ghost RAT and Nitol decided to try and pull off a similar attack, they would probably be much stealthier about it. Meaning, the attack would have been much more damaging than what even WannaCry has put us through.

DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Related Posts