Welcome!

News Feed Item

Secdo discovers WannaCry attackers exploited NSA's ETERNALBLUE weeks earlier to steal login credentials

Organizations potentially exposed to future thread-level attacks that install backdoors, exfiltrate data and steal credentials

NEW YORK, NY--(Marketwired - May 19, 2017) - Secdo, provider of automated incident response solutions, this week discovered evidence that sophisticated actors leveraged the National Security Agency's (NSA) ETERNALBLUE several weeks before the outbreak of WannaCry to attack organizations, installing backdoors and exfiltrating user credentials in networks around the world. The WannaCry ransomware was just one variant.

Secdo made the discovery in the wake of reports during April by multiple customers, including publicly traded companies, that reported being attacked by an undetectable ransomware on their endpoints. Having recorded every action on those endpoints and servers at the thread level allowed Secdo to play-back, analyze and identify these attacks. The company believes many organizations may continue to be vulnerable to thread-level attacks that install backdoors, exfiltrate data and steal credentials.

  • Read the full Secdo blog explaining the discovery and evidence here

Jake Williams, founder of Rendition Infosec and a SANS Institute instructor, scanned the internet for weeks looking for active infections of DoublePulsar, the backdoor implant tool used alongside ETERNALBLUE in the WannaCry ransomware attack. "Finding a machine with DoublePulsar running indicates that the same vulnerability used in the WannaCry malware was used to compromise Windows machines much earlier," said Williams. "Although the numbers have varied widely, ranging from 25,000-150,000 active infections, it is clear that attackers have been exploiting this vulnerability almost since the day it was released by Shadow Brokers."

Upon gaining entry to Windows-based machines, the attack utilized the NSA's DoublePulsar to spawn a thread within a legitimate system process, allowing it to remain undetected by most detection systems that are unable to collect activities at the thread level.

"WannaCry is merely a visible symptom and not the underlying cause," said Secdo's CTO, Gil Barak. "Multiple threat actors were exploiting ETERNALBLUE to infect endpoints weeks prior to the WannaCry outbreak. Even if your organization successfully blocked or was not attacked by WannaCry, you may still be compromised."

Barak continued, "The attackers had more than a month to breach organizations, install backdoors, steal information and cause other damage, which most organizations may still not be able to discover -- until it's too late. Installing the Microsoft patch is critical for protection from future attacks exploiting Windows SMB, but it does not remediate machines that have already been compromised."

To discover if the breach is still present, organizations should look for thread-based behavioral IOCs that indicate compromise from at least early April. In addition, organizations need to attain continuous visibility at the thread level into every endpoint in the network to hunt and respond effectively to thread-based attacks in the future.

ABOUT SECDO

Secdo is the first and only preemptive incident response solution, automating the IR process and slashing incident response time to seconds. Gain unmatched historical thread-level endpoint visibility, automatically investigate any alert and visualize the forensic timeline and attack chain back to the root cause. Then, rapidly and surgically respond and remediate on any endpoint or server without impacting business productivity. Follow us on Twitter at @secdocyber, and on LinkedIn.

Image Available: http://www.marketwire.com/library/MwGo/2017/5/19/11G139294/Images/1_Initial_ETERNALBLUE_compromise-9a25547c44d1afdcbb72a556624dba6a.jpg
Image Available: http://www.marketwire.com/library/MwGo/2017/5/19/11G139294/Images/2_ETERNALBLUE_infects_other_devices_spawns_stealth-ccb0946813999afbb340b387fb496f7d.jpg
Image Available: http://www.marketwire.com/library/MwGo/2017/5/19/11G139294/Images/3_Malicious_thread_inside_legitimate_process-59ee6dd7f0c592b39456517cee7fec11.jpg

Media Contacts
Michelle Allard McMahon
Rainier Communications
[email protected]
+1 781.718.3248

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

Latest Stories
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, will discuss how data centers of the future will be managed, how th...
There is huge complexity in implementing a successful digital business that requires efficient on-premise and cloud back-end infrastructure, IT and Internet of Things (IoT) data, analytics, Machine Learning, Artificial Intelligence (AI) and Digital Applications. In the data center alone, there are physical and virtual infrastructures, multiple operating systems, multiple applications and new and emerging business and technological paradigms such as cloud computing and XaaS. And then there are pe...
Why Federal cloud? What is in Federal Clouds and integrations? This session will identify the process and the FedRAMP initiative. But is it sufficient? What is the remedy for keeping abreast of cutting-edge technology? In his session at 21st Cloud Expo, Rasananda Behera will examine the proposed solutions: Private or public or hybrid cloud Responsible governing bodies How can we accomplish?
SYS-CON Events announced today that MIRAI Inc. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MIRAI Inc. are IT consultants from the public sector whose mission is to solve social issues by technology and innovation and to create a meaningful future for people.
SYS-CON Events announced today that Keisoku Research Consultant Co. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Keisoku Research Consultant, Co. offers research and consulting in a wide range of civil engineering-related fields from information construction to preservation of cultural properties. For more information, vi...
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...
Most of the time there is a lot of work involved to move to the cloud, and most of that isn't really related to AWS or Azure or Google Cloud. Before we talk about public cloud vendors and DevOps tools, there are usually several technical and non-technical challenges that are connected to it and that every company needs to solve to move to the cloud. In his session at 21st Cloud Expo, Stefano Bellasio, CEO and founder of Cloud Academy Inc., will discuss what the tools, disciplines, and cultural...
SYS-CON Events announced today that Enroute Lab will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enroute Lab is an industrial design, research and development company of unmanned robotic vehicle system. For more information, please visit http://elab.co.jp/.
SYS-CON Events announced today that Cedexis will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Cedexis is the leader in data-driven enterprise global traffic management. Whether optimizing traffic through datacenters, clouds, CDNs, or any combination, Cedexis solutions drive quality and cost-effectiveness.
SYS-CON Events announced today that Ryobi Systems will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Ryobi Systems Co., Ltd., as an information service company, specialized in business support for local governments and medical industry. We are challenging to achive the precision farming with AI. For more information, visit http:...
Today traditional IT approaches leverage well-architected compute/networking domains to control what applications can access what data, and how. DevOps includes rapid application development/deployment leveraging concepts like containerization, third-party sourced applications and databases. Such applications need access to production data for its test and iteration cycles. Data Security? That sounds like a roadblock to DevOps vs. protecting the crown jewels to those in IT.
What is the best strategy for selecting the right offshore company for your business? In his session at 21st Cloud Expo, Alan Winters, U.S. Head of Business Development at MobiDev, will discuss the things to look for - positive and negative - in evaluating your options. He will also discuss how to maximize productivity with your offshore developers. Before you start your search, clearly understand your business needs and how that impacts software choices.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
Real IoT production deployments running at scale are collecting sensor data from hundreds / thousands / millions of devices. The goal is to take business-critical actions on the real-time data and find insights from stored datasets. In his session at @ThingsExpo, John Walicki, Watson IoT Developer Advocate at IBM Cloud, will provide a fast-paced developer journey that follows the IoT sensor data from generation, to edge gateway, to edge analytics, to encryption, to the IBM Bluemix cloud, to Wa...