
EternalRocks


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Security researchers have identified a new strain of malware that targets the same vulnerability that helped WannaCry to spread. Researchers have named it EternalRocks.

Affected platforms

The following platforms are known to be affected:

Threat details

Like the WannaCry ransomware, EternalRocks uses an NSA tool known as EternalBlue to spread itself from one computer to the next through Windows. But it also uses 7 other NSA tools, such as EternalChampion, EternalRomance, and DoublePulsar.

EternalRocks doesn’t have any malicious elements: it doesn’t lock or corrupt files, or use compromised machines to build a botnet. But EternalBlue leaves infected computers vulnerable to remote commands that could weaponize the infection at any time.

Unlike WannaCry, it does not include the kill switch that was used to contain the ransomware. EternalRocks also uses a 24-hour activation delay to try to frustrate efforts to study it, and uses some of the same file names as WannaCry in an apparent effort to confuse security efforts.


Remediation steps

  • Consider blocking SMB-related ports (UDP 137, 138 and TCP 137, 139, 445) at your organisation's external firewall: https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment
  • Ensure all affected platforms are updated in line with the Microsoft security bulletin MS17-010. Microsoft has additionally recommended updating with all security patches released within the last 60 days; internet-facing and N3-facing systems should be prioritised. Because of the high severity of this vulnerability, Microsoft has taken the highly unusual step of releasing a patch for out-of-support operating systems including Windows XP, Windows 8, and Windows Server 2003. For further information, see Microsoft Customer guidance for WannaCry attacks.
  • Use a vulnerability scanner (such as Nessus, OpenVAS or Microsoft Baseline Security Analyzer) to identify any unpatched systems.
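
One way to check the first step against an exported perimeter rule set is sketched below. This is an added example, not part of the original alert: the `action,protocol,direction,ports` export format, the first-match-wins evaluation with a default deny, and the sample rules are all assumptions made for illustration.

```python
import csv

# SMB-related ports named in the advisory's first remediation step.
SMB_PORTS = {("udp", 137), ("udp", 138), ("tcp", 137), ("tcp", 139), ("tcp", 445)}

def parse_ports(spec):
    """Turn 'any', '445', '135-139' or '80;443' into a list of (lo, hi) ranges."""
    if spec == "any":
        return [(0, 65535)]
    bounds = (part.strip().partition("-") for part in spec.split(";"))
    return [(int(lo), int(hi or lo)) for lo, _, hi in bounds]

def parse_rules(text):
    """Parse ordered 'action,protocol,direction,ports' lines (hypothetical format)."""
    rules = []
    for row in csv.reader(text.splitlines()):
        if row and not row[0].lstrip().startswith("#"):
            action, proto, direction, ports = (f.strip().lower() for f in row)
            rules.append((action, proto, direction, parse_ports(ports)))
    return rules

def decide(rules, proto, direction, port, default="deny"):
    """First matching rule wins; unmatched traffic gets the default action."""
    for action, r_proto, r_dir, ranges in rules:
        if (r_proto in (proto, "any") and r_dir in (direction, "any")
                and any(lo <= port <= hi for lo, hi in ranges)):
            return action
    return default

def exposed_smb(rules):
    """Return sorted (direction, proto, port) tuples the rule set still allows."""
    return sorted((d, p, n) for d in ("in", "out") for p, n in SMB_PORTS
                  if decide(rules, p, d, n) == "allow")

# Constructed sample perimeter rule set, not taken from any real device.
SAMPLE_RULES = """\
# action,protocol,direction,ports
deny,tcp,in,445
deny,udp,any,137-138
allow,tcp,in,80;443
allow,tcp,out,any
allow,tcp,in,1-1024
"""

if __name__ == "__main__":
    for direction, proto, port in exposed_smb(parse_rules(SAMPLE_RULES)):
        print(f"SMB still allowed: {direction} {proto}/{port}")
```

In the sample, the explicit deny on inbound TCP 445 does not cover TCP 137 and 139, which a later broad range rule still admits, and the outbound allow-any rule lets all three TCP ports leave the network.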

Last edited: 17 February 2020 11:30 am