
WannaCry 2.0: Detect and Patch EternalRocks Vulnerabilities Now

A new network worm dubbed EternalRocks is making the news this week as the successor to the WannaCry ransomware. EternalRocks leverages some of the same vulnerabilities and exploit tools as WannaCry, but it is potentially more dangerous because it spreads using seven of the NSA tools released in the Shadow Brokers dump, where WannaCry used two. EternalRocks therefore has the potential to spread faster and infect more systems. EternalRocks is currently dormant and isn’t doing anything nefarious such as encrypting hard drives, but it could be weaponized in an instant, which makes preventive action urgent.

Why EternalRocks may be bigger than WannaCry

WannaCry used only two of the SMB exploit tools: ETERNALBLUE and DOUBLEPULSAR. EternalRocks leverages seven NSA SMB exploit tools to locate vulnerable systems:

  • ETERNALBLUE
  • DOUBLEPULSAR
  • ETERNALCHAMPION
  • ETERNALROMANCE
  • ETERNALSYNERGY
  • SMBTOUCH
  • ARCHITOUCH

EternalRocks has no kill-switch; it was the kill-switch in WannaCry that helped curtail that worm and mitigate the ransomware damage.

The clock is ticking with EternalRocks; take advantage of the Tenable detection tools now before any damage is inflicted on your systems.

Tenable solutions

Nessus plugins for SMBv1 and MS17-010

All of the vulnerabilities exploited by the EternalRocks worm were patched by Microsoft earlier this year as part of MS17-010. Tenable released several Nessus plugins to look for unpatched systems or systems that could be vulnerable by having SMBv1 running.

Plugin ID | Nessus Plugin | Description
--------- | ------------- | -----------
96982 | Server Message Block (SMB) Protocol Version 1 Enabled (uncredentialed check) | The system has been found to be vulnerable to SMBv1 attacks using uncredentialed checks. The Shadow Brokers group reportedly has an exploit that affects SMB, and the current WannaCry ransomware is using this exploit.
97086 | Server Message Block (SMB) Protocol Version 1 Enabled | This plugin is similar to 96982, but the vulnerability is detected using credentials. The system has been confirmed vulnerable to SMBv1 attacks used by WannaCry and vulnerabilities described by Shadow Brokers. Credentialed checks are more accurate and provide more details.
97737 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) | Credentialed plugin to detect MS17-010 (detects that the patch is missing).
97833 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) (ETERNALBLUE) (ETERNALCHAMPION) (ETERNALROMANCE) (ETERNALSYNERGY) (uncredentialed check) | Remote plugin to detect the MS17-010 vulnerability.
99439 | SMB Server DOUBLEPULSAR Backdoor / Implant Detection | This uncredentialed plugin detects whether the DOUBLEPULSAR implant exists on the remote Windows host.

Malware detection plugin

Tenable can also detect whether the remote host is infected by the EternalRocks worm through its malware detection plugin.

Here’s an example of an EternalRocks hash detected with the Malicious Process Detection plugin ID 59275:

EternalRocks hash detected with plugin #59275
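To turn the plugin hits above into a prioritized work list, the following added example (not Tenable code) parses a Nessus v2 export and classifies each host as compromised (59275, 99439), unpatched (97737, 97833) or merely exposed (96982, 97086). The plugin IDs are the ones listed in this post; the XML layout assumed is the standard NessusClientData_v2 / Report / ReportHost / ReportItem structure, and the sample report is constructed.

```python
"""Triage a .nessus export for the EternalRocks-related plugins named in the post."""
import xml.etree.ElementTree as ET

# Plugin IDs from the post, mapped to a short label and what a hit means.
PLUGINS = {
    "96982": ("SMBv1 enabled (uncredentialed)", "exposure"),
    "97086": ("SMBv1 enabled (credentialed)", "exposure"),
    "97737": ("MS17-010 missing (credentialed)", "unpatched"),
    "97833": ("MS17-010 missing (uncredentialed)", "unpatched"),
    "99439": ("DOUBLEPULSAR implant present", "compromised"),
    "59275": ("Malicious process detected", "compromised"),
}
# Lower number = handle first: implants before missing patches before SMBv1 exposure.
PRIORITY = {"compromised": 0, "unpatched": 1, "exposure": 2}

# Constructed sample export (hosts and findings are made up; layout follows Nessus v2).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2><Report name="smb-scan">
 <ReportHost name="10.0.0.5">
  <ReportItem port="445" protocol="tcp" pluginID="96982" pluginName="SMBv1" severity="2"/>
  <ReportItem port="445" protocol="tcp" pluginID="97833" pluginName="MS17-010" severity="4"/>
 </ReportHost>
 <ReportHost name="10.0.0.9">
  <ReportItem port="445" protocol="tcp" pluginID="99439" pluginName="DOUBLEPULSAR" severity="4"/>
  <ReportItem port="0" protocol="tcp" pluginID="59275" pluginName="Malicious Process" severity="4"/>
 </ReportHost>
 <ReportHost name="10.0.0.12">
  <ReportItem port="445" protocol="tcp" pluginID="96982" pluginName="SMBv1" severity="2"/>
  <ReportItem port="22" protocol="tcp" pluginID="10267" pluginName="SSH Banner" severity="0"/>
 </ReportHost>
</Report></NessusClientData_v2>"""

def triage(nessus_xml: str) -> dict:
    """Return {host: {"status": ..., "findings": [...]}} for hosts hitting any listed plugin."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        hits = [i.get("pluginID") for i in host.iter("ReportItem") if i.get("pluginID") in PLUGINS]
        if not hits:
            continue  # unrelated findings only (e.g. the SSH banner plugin above)
        worst = min((PLUGINS[p][1] for p in hits), key=PRIORITY.get)
        results[host.get("name")] = {"status": worst, "findings": sorted(PLUGINS[p][0] for p in hits)}
    return results

def ordered_hosts(results: dict) -> list:
    """Hosts sorted by remediation priority, then by name."""
    return sorted(results, key=lambda h: (PRIORITY[results[h]["status"]], h))

if __name__ == "__main__":
    report = triage(SAMPLE_NESSUS)
    for h in ordered_hosts(report):
        print(f"{h:12} {report[h]['status']:12} {'; '.join(report[h]['findings'])}")
```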

Yara Detection

Tenable customers can also use YARA rules to identify infected systems through the Malicious File Detection Using Yara Nessus plugin.

Here’s a sample rule which can be used with Nessus to detect the EternalRocks worm:

Sample YARA rule for EternalRocks

SecurityCenter dashboard

The WannaCry Vulnerability Detection dashboard has been updated to include information about EternalRocks. The filters did not require updating, so if you have the WannaCry Vulnerability Detection dashboard, you are all set. If you have not installed the previous dashboard, you can now download the Detecting WannaCry and EternalRocks dashboard.

Detecting WannaCry and EternalRocks dashboard

Patch, don’t panic

We are fortunate to have some time to detect and patch EternalRocks vulnerabilities before they are exploited. There’s no need for a panic attack, but take time today to protect your systems.

If you don’t patch soon, there might be reason to panic later. EternalRocks also leaves the DOUBLEPULSAR implant unprotected, so other threat actors could use EternalRocks-infected machines for their own intents and purposes.

Make it a habit to patch regularly and often. The single best thing you can do to protect your networks against malware attacks, worms and ransomware is to patch the known vulnerabilities; this is low-hanging fruit with a big return.

For more information

Many thanks to Tyler Coumbes, Cody Dumont and the Tenable research team for their contributions to this blog.
