Just as organizations and institutions are recovering from the rush to update software after the WannaCry panic, the “doomsday” worm EternalRocks has been spotted in the wild. While the WannaCry malware uses two of the leaked NSA hacking tools, EternalRocks exploits seven of them, and it has no “kill switch”, which means it cannot be shut down by activating a kill-switch URL.
Although there is (sort of) good news for now, namely that EternalRocks is still dormant, it is time for security defences to be updated again so that this new menace is detected before it explodes.
Check Point Software, an Israeli multinational provider of software and IT security, believes that preventing the infection is the best way to fight back. It advocates a multi-layer defence that limits damage at every stage of the attack: if you block the initial infection, you are safe; if the initial infection does make it in, you block the outbound communication using anti-bot technology.
A silent lamb or a deadly snake?
Unlike WannaCry, which alerts victims after infecting their systems, EternalRocks remains hidden and quiet on the computers it infects. Once in the system, it downloads the Tor private browser and sends a signal to the worm’s hidden servers. Then it does nothing for the next 24 hours.
After a day, the server responds and the worm starts downloading and self-replicating. This is done to frustrate efforts to study it and to delay security experts by a day. It also uses some of the same file names as WannaCry in an effort to confuse security efforts.
“Delaying execution is an evasive tactic making it harder to link the attack to the source of the infection. Many detection technologies won’t be able to correlate the infection and the callback due to the delay,” said Evan Dumas, Head of Emerging Technologies, Check Point Software Technologies, APAC, Middle East and Africa.
Hence, by delaying activation, the bad actors gain more stealth. Because of the discreet nature of the worm, it is difficult to determine how many computers have been affected so far, so the eventual explosion could be big.
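To make the detection gap Dumas describes concrete, here is an added example (not from the article or from Check Point) of a small correlation check run over constructed host telemetry. The log lines, host names and event kinds (`tor_installed`, `outbound_tor_connect`, `outbound_download`, `outbound_smb_scan`) are all assumptions invented for the example, not EternalRocks indicators. The point it shows is that a correlation window measured in minutes or a few hours never links the initial Tor beacon to the follow-up activity a day later, while a window that spans the 24-hour dormancy does.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry for the example (not real EternalRocks IoCs).
# Each line is "timestamp host event". Host wks-01 follows the pattern the
# article describes: Tor install and beacon, a gap of just over 24 hours, then
# a download and lateral SMB scanning. Host wks-02 is ordinary traffic.
SAMPLE_LOG = """\
2017-05-20T09:00:00 wks-01 tor_installed
2017-05-20T09:00:30 wks-01 outbound_tor_connect
2017-05-20T09:05:00 wks-02 outbound_https
2017-05-21T10:12:00 wks-01 outbound_download
2017-05-21T10:13:00 wks-01 outbound_smb_scan
2017-05-21T10:20:00 wks-02 outbound_https
"""

# Assumed event categories: what marks the initial foothold, and what marks
# the delayed second stage (server responds, payload downloads, worm spreads).
INITIAL_INDICATORS = {"tor_installed", "outbound_tor_connect"}
FOLLOWUP_INDICATORS = {"outbound_download", "outbound_smb_scan"}


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed 'timestamp host event' lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), host, kind))
    return events


def correlate(events: List[Event], window: timedelta) -> Dict[str, timedelta]:
    """Return hosts whose first initial indicator is followed by a follow-up
    indicator within `window`, mapped to the delay actually observed.

    A short window models a detection engine that only links events a few
    hours apart; a long window models one that keeps per-host state long
    enough to bridge a deliberate 24-hour sleep.
    """
    first_initial: Dict[str, datetime] = {}
    hits: Dict[str, timedelta] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in INITIAL_INDICATORS:
            # Remember only the earliest foothold event per host.
            first_initial.setdefault(ev.host, ev.ts)
        elif (ev.kind in FOLLOWUP_INDICATORS
              and ev.host in first_initial
              and ev.host not in hits):
            delay = ev.ts - first_initial[ev.host]
            if delay <= window:
                hits[ev.host] = delay
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for hours in (1, 6, 48):
        hits = correlate(events, timedelta(hours=hours))
        print(f"window={hours:>2}h -> correlated hosts: {hits or 'none'}")
```

With a one-hour or six-hour window the script reports no correlated hosts, because the beacon and the second stage are 25 hours apart; with a 48-hour window it flags wks-01 and reports the delay. In practice this means per-host state (first Tor-related event, first unexplained outbound download) has to be retained for well over a day, or the initial beacon has to be blocked outright, which is the outbound-communication layer Check Point refers to above.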
Is public money in danger?
A big question that has now surfaced is whether EternalRocks poses a serious threat to financial institutions. As mentioned above, EternalRocks uses seven NSA tools, including EternalBlue, which it uses to spread from one computer to the next through Windows. As of now, the malware has no malicious payload: it does not lock or corrupt files, nor does it use compromised machines to build a botnet.
But given that it has already paved its way into your personal device (with your personal data), that is not particularly reassuring. You remain vulnerable to remote commands that could ‘weaponize’ the infection at any time.
“There is speculation that it can be used to deliver a banking trojan although that isn’t confirmed. Financial institutions and governments face the same threats as any organization although they can be targeted more frequently due to the sensitive nature of the information they hold,” notes Dumas.
Even though institutions are relieved that this new malware has not hijacked their systems yet, one cannot ignore that it is a ticking time bomb. On the current dormancy of the malware, Dumas explains that malware becomes dormant for many reasons: the authors may be building it up for a larger campaign, they may have found vulnerabilities in it and be perfecting it, or they may simply have discovered a new vulnerability and moved on to the new exploit.
The bottom line is that organizations and individuals need to stay cautious about cyber threats in general. For enterprises especially, adopting a prevention-instead-of-detection mentality and a multi-layer security strategy would be ideal. Losing valuable data and information may be significant, but the ripple effect on productivity, and even on the viability of a company, may be catastrophic.