Stories
Slash Boxes
Comments

SoylentNews is people

Bad Rabbit Used NSA “EternalRomance” Exploit to Spread, Researchers Say

posted by Fnord666 on Wednesday November 01 2017, @09:19PM   Printer-friendly
from the the-gift-that-keeps-on-giving dept.

MrPlow writes:

Submitted via IRC for SoyCow1

Despite early reports that there was no use of National Security Agency-developed exploits in this week's crypto-ransomware outbreak, research released by Cisco Talos suggests that the ransomware worm known as "Bad Rabbit" did in fact use a stolen Equation Group exploit revealed by Shadowbrokers to spread across victims' networks. The attackers used EternalRomance, an exploit that bypasses security over Server Message Block (SMB) file-sharing connections, enabling remote execution of instructions on Windows clients and servers. The code closely follows an open source Python implementation of a Windows exploit that used EternalRomance (and another Equation Group tool, EternalSynergy), leveraging the same methods revealed in the Shadowbrokers code release. NotPetya also leveraged this exploit.

Source: https://arstechnica.com/information-technology/2017/10/bad-rabbit-used-nsa-eternalromance-exploit-to-spread-researchers-say/

Original Submission

 
This discussion has been archived. No new comments can be posted.
Bad Rabbit Used NSA “EternalRomance” Exploit to Spread, Researchers Say | Log In/Create an Account | Top | 8 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)

  • (Score: 4, Interesting) by Zinho on Wednesday November 01 2017, @09:47PM

    by Zinho (759) on Wednesday November 01 2017, @09:47PM (#590780)

    I've been seeing a related attack at work for the last three days; I came into the office on Monday, and was greeted by an unending stream of alerts from my antivirus:
    * OS Attack: Microsoft SMB MS17-010 Disclosure Attempt
    * Audit: Unimplemented Trans2 Subcommand
    * Attack: SMB Double Pulsar Ping

    This repeated every 10 minutes or so all day Monday and Tuesday. Only 2 sets today, though, so I guess corporate IT has found the troublemakers and fixed them (traceroute tells me most of the attacks were coming from inside the firewall).

    Moral of the story, I guess, is keep your OS patched and antivirus up to date. According to TFA, Microsoft patched this in March, so it is only a threat to unpatched systems.

    --
    "Space Exploration is not endless circles in low earth orbit." -Buzz Aldrin

  • (Score: 2) by Snotnose on Wednesday November 01 2017, @11:29PM (1 child)

    by Snotnose (1623) Subscriber Badge on Wednesday November 01 2017, @11:29PM (#590805)

    But while I love Python, it isn't exactly a low level programming language like C/C++. If Python can break your security, your security is seriously broken.

    --
    Trump has decided to rename California's San Andreas fault. He's calling it Biden's fault.

    • (Score: 5, Interesting) by Virindi on Wednesday November 01 2017, @11:55PM

      by Virindi (3484) on Wednesday November 01 2017, @11:55PM (#590807)

      Huh? Even high level languages tend to be capable of assembling buffers of arbitrary bytes (aka packets). We're not talking about complex manipulation of memory and opcodes here, this is a REMOTE exploit. As in, if you send the right packet (or packet sequence) to the target, it has an unintended effect.

      If the effect generated on the target is a stack overflow, the ROP/shellcode payload will not start by executing in Python. But you could still send it from a Python script on the attacking PC.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday November 02 2017, @02:15AM

    by Anonymous Coward on Thursday November 02 2017, @02:15AM (#590839)

    Glad I always disable SMB and block the ports on my windows boxes!

  • (Score: 3, Funny) by aristarchus on Thursday November 02 2017, @03:04AM

    by aristarchus (2645) on Thursday November 02 2017, @03:04AM (#590855) Journal

    I have a bad feeling about this. Malware, that breeds like rabbits? At least it is not Tribbles, yet.

  • (Score: 0) by Anonymous Coward on Thursday November 02 2017, @01:50PM (2 children)

    by Anonymous Coward on Thursday November 02 2017, @01:50PM (#591010)

    soooo .. excuse me, WHAT is the secret to sending files over the network then?

    FTP is not encrypted, has "troubles" without extra firewall modules (babysitting).
    SMB is flawed because it was born and raised in m$ house.
    NFS works perfect, if you got an computer engineering degree from some uni that guarantees a house, car and wife.
    what the F...k. can normal people use to innocently send files from one computer to the other then?

    this is crazy. the most basic problem is ... made difficult, for what?
    it looks like a conspiracy :}

    • (Score: 2) by Freeman on Thursday November 02 2017, @04:23PM

      by Freeman (732) on Thursday November 02 2017, @04:23PM (#591122) Journal

      I use Dropbox. Though, good old fashioned Sneaker Net is very reliable and not likely to be intercepted between the two computers.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"

    • (Score: 0) by Anonymous Coward on Thursday November 02 2017, @07:34PM

      by Anonymous Coward on Thursday November 02 2017, @07:34PM (#591276)

      What? NFS is pretty damn easy to set up, the only drawback is it only works with nixes. I've got no degree, no car, no house, no wife, a couple F's, and I can figure it out...

(1)