Netskope Threat Research Labs has observed an email-server message block (SMB) blended threat which uses the compromised machine as a stepping stone to propagate laterally via the EternalBlue exploit. The attack is a refinement of the attack highlighted in our earlier ongoing data theft attacks blog. This inclusion of the EternalBlue exploit is insidious because it will be launched internally from the newly infected machine, likely permitting direct access to shared SMB machines such as file shares and backup systems. This puts core data stores at risk in a fashion that may be impossible to anticipate.
Earlier this year, “The Shadow Brokers” group disclosed a series of exploits, backdoors, and several attack tools affiliated with an Advanced Persistent Threat (APT) actor dubbed “The Equation Group.” In the archive dump, one of the exploits, EternalBlue, targeted open SMB ports to leverage remote code execution by specifying malformed values during the Microsoft SMB NT Trans2 Request.
Exploits from the Shadow Brokers archive have been widely used in attacks such as WannaCry, NotPetya, and more recently BadRabbit.
Perimeter breach and internal wormed propagation
The initial attack begins with a Swiss regional email which contains a Word Document with an embedded .lnk object, detected as Backdoor.Agent.CNKZ. In the case below, the attachment looks like a preview image which would entice the user to click on it executing the payload.
Figure 1: Embedded .lnk file in a Swiss regional attack email
On execution, the .lnk file downloads the EternalBlue payload as well as Retefe using PowerShell as shown in Figure 2. At the time of this writing, the payload at this URL has been taken down.
Figure 2: The .lnk file containing the EternalBlue payload URL
At this point, the threat moves from a cross-perimeter attack to an internal attack. The EternalBlue SMB exploit will be launched from the newly compromised stepping stone spreading itself across an organization’s network. The visual depiction of the SMB wormed attack against neighboring internal computers is shown in Figure 3.
Figure 3: Depiction of the EternalBlue attack spreading internally
An additional aspect of the attack in collaborative environments is that the attachment itself can become the start of a CloudPhishing fanout whereby the initial recipient shares the attack attachment. Their peers then see the attachment and open it, assuming the initial recipient has created it.
See Figure 4 for the visual depiction of the protection using Netskope threat protection from the EternalBlue wormed infection.
Figure 4: Early Killchain Protection using Netskope Threat Protection
Overview of the EternalBlue SMB Exploit
The EternalBlue SMB exploit was used by Wannacry, and is part of a toolkit dump release said to originate from “The Equation Group”. The exploit released by “The Shadow Brokers” earlier this year targets open SMB ports to leverage remote code execution by specifying malformed values during the Microsoft SMB NT Trans2 Request.
SMB is a file sharing protocol that provides shared access to files in a network. Since this is a widely adapted program, the vulnerability has a considerable impact. The vulnerability uses port 445 for exploit connection.
An excerpt of the configuration file of the EternalBlue SMB exploit from the dump is shown in Figure 5
Figure 5: Configuration file of the EternalBlue SMB exploit
DoublePulsar is a Backdoor payload used by the EternalBlue exploit to download and install malware on the infected hosts.
The configuration file of the DoublePulsar payload is shown in Figure 6.
Figure 6: Configurati