Bad Rabbit Used NSA “EternalRomance” Exploit to Spread, Researchers Say

posted by Fnord666 on Wednesday November 01, @09:19PM
from the the-gift-that-keeps-on-giving dept.
Security

MrPlow writes:

Submitted via IRC for SoyCow1

Despite early reports that there was no use of National Security Agency-developed exploits in this week's crypto-ransomware outbreak, research released by Cisco Talos suggests that the ransomware worm known as "Bad Rabbit" did in fact use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims' networks. The attackers used EternalRomance, an exploit that bypasses security over Server Message Block (SMB) file-sharing connections, enabling remote execution of instructions on Windows clients and servers. The code closely follows an open source Python implementation of a Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadowbrokers code release. NotPetya also leveraged this exploit.

Source: https://arstechnica.com/information-technology/2017/10/bad-rabbit-used-nsa-eternalromance-exploit-to-spread-researchers-say/



  • (Score: 2) by Zinho on Wednesday November 01, @09:47PM

    I've been seeing a related attack at work for the last three days; I came into the office on Monday, and was greeted by an unending stream of alerts from my antivirus:
    * OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
    * Audit: Unimplemented Trans2 Subcommand
    * Attack: SMB Double Pulsar Ping

    This repeated every 10 minutes or so all day Monday and Tuesday. Only 2 sets today, though, so I guess corporate IT has found the troublemakers and fixed them (traceroute tells me most of the attacks were coming from inside the firewall).

    Moral of the story, I guess, is keep your OS patched and antivirus up to date. According to TFA, Microsoft patched this in March, so it is only a threat to unpatched systems.
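Taking the three alert names quoted in the comment above as input, here is an added example (not code from the story, Cisco Talos, or the commenter) of the triage a defender might script over such an alert stream: it parses a constructed, assumed "timestamp src= sig=" log format, counts scan bursts per source, and flags RFC 1918 sources that keep rescanning, which is how the hosts "coming from inside the firewall" would be surfaced for isolation and patching. The sample IPs, the log layout, and the function names are all assumptions for this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample lines; the "ts src= sig=" layout is assumed, not a real AV log format.
SAMPLE_ALERTS = """\
2017-10-30 08:02:11 src=10.12.4.57 sig="OS Attack: Microsoft SMB MS17-010 Disclosure Attempt"
2017-10-30 08:02:12 src=10.12.4.57 sig="Audit: Unimplemented Trans2 Subcommand"
2017-10-30 08:02:12 src=10.12.4.57 sig="Attack: SMB Double Pulsar Ping"
2017-10-30 08:12:40 src=10.12.4.57 sig="OS Attack: Microsoft SMB MS17-010 Disclosure Attempt"
2017-10-30 09:30:00 src=203.0.113.9 sig="OS Attack: Microsoft SMB MS17-010 Disclosure Attempt"
2017-10-30 09:31:00 src=10.12.4.58 sig="Audit: Some Unrelated Event"
"""
SMB_SIGS = {  # the three signatures quoted in the comment above, all tied to MS17-010 SMB abuse
    "OS Attack: Microsoft SMB MS17-010 Disclosure Attempt",
    "Audit: Unimplemented Trans2 Subcommand",
    "Attack: SMB Double Pulsar Ping",
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r'^(\S+ \S+) src=(\S+) sig="([^"]+)"$')

def parse_alerts(text):
    """Return (timestamp, source_ip, signature) tuples for well-formed lines; skip the rest."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)))
    return events

def count_bursts(times, gap=timedelta(seconds=60)):
    """Count alert clusters separated by more than `gap`; one scan pass = one burst."""
    bursts, last = 0, None
    for t in sorted(times):
        if last is None or t - last > gap:
            bursts += 1
        last = t
    return bursts

def triage(events):
    """Per source: number of MS17-010 scan bursts and whether it is an RFC 1918 (internal) address."""
    by_src = defaultdict(list)
    for ts, src, sig in events:
        if sig in SMB_SIGS:
            by_src[src].append(ts)
    return {src: {"bursts": count_bursts(times),
                  "internal": any(ipaddress.ip_address(src) in n for n in RFC1918)}
            for src, times in by_src.items()}

def likely_infected_internal_hosts(events):
    """Internal sources that keep rescanning: the hosts to isolate and patch first."""
    return sorted(s for s, r in triage(events).items() if r["internal"] and r["bursts"] >= 2)
```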

