Doomsday predictions intrigue us, but we should be wary of taking them at face value. After all, the world hasn’t ended yet, Y2K did not kill our computers, and the internet survived Kim Kardashian’s nudes.
Still, a single tweet by Miroslav Stampar, a cybersecurity expert working for the Croatian government, piqued my interest. It’s a “matter of time” before bad guys start tying together several hacking techniques following the WannaCry ransomware attack, he wrote.
And when they do, “we die.” What did he mean by that?
Stampar was featured in several news articles in the past few days; he was the first to explain, in detail, a new threat called EternalRocks, which takes advantage of seven different exploits that have recently been stolen from the NSA’s trove of security vulnerabilities (for comparison, WannaCry only uses two of the exploits).
But this malware is very different from WannaCry — when it infects a computer, it does nothing for 24 hours. Then, it downloads more malware from the Tor-protected dark web. And then, it waits for further instructions.
This technique makes the malware harder to detect, and unlike WannaCry, EternalRocks does not contain a “kill switch” that makes it easily disabled. And though this malware is currently barely worthy of its mal- prefix, as it does no real harm to the infected computer, it could easily be turned into something much more dangerous.
FFS. Somebody is spreading THIS with delayed download/start. People, this is going to be huge. Prepare yourself in a day or two! pic.twitter.com/WqJE9QKRSV
— Miroslav Stampar (@stamparm) May 18, 2017
At first, Stampar’s claims seem hyperbolic. Though EternalRocks uses a lot of different exploits, all of them have been patched on newer versions of Windows. And the technique of waiting for a predetermined period before acting isn’t unheard of. But Stampar claims things are not as simple as they seem.
“EternalRocks is, by my assessment, still in development. It does nothing, except propagate. However, I don’t think its author has actually fully released it,” Stampar told Mashable via a message. “EternalRocks is not even near WannaCry, but it has potential (to become dangerous),” he said.
Matter of time when common malware through phishing bad guys will incorporate SMB exploits for synergistic attack. Then, we die
— Miroslav Stampar (@stamparm) May 20, 2017
Stampar believes that NSA’s cache of exploits, released in April by a group of hackers called the Shadow Brokers, has triggered several new dangerous hacking tactics. “Someone took the Shadow Brokers exploit kit and used it in a worm,” he said. “This hasn’t been done before.”
And even though these exploits only affect older, unpatched machines, that doesn’t mean they’re not dangerous. According to Stampar, once hackers start using them together with a simple mass phishing attack, the real trouble begins.
“Once hackers start breaking in from the inside, countermeasures that corporations have taken mean nothing.”
“A lot of corporations simply closed the 445 port from the outside and patched the machines on the internet. The problem is that a lot of machines in corporations, for various reasons, simply cannot be patched. Once hackers start breaking in from the inside — for example, through phishing e-mails, if only one employee opens such an e-mail, then those countermeasures that corporations have taken mean nothing.”
“The Pony botnet can send 10 million phishing emails per day.”
The phishing part isn’t very hard to do. “The Pony botnet can send 10 million phishing emails per day,” Stampar said. Connect that with the Shadow Brokers exploits, and it’s WannaCry all over again — only on a larger scale.
The problem is made worse by the fact that the Shadow Brokers have promised to keep releasing new exploits, and have even set up a sort of a subscription service for exploits. We don’t know what this new trove of exploits might contain, but if they’re anything close to the first batch, they might result in new, more sophisticated attacks.
Microsoft President and Chief Legal Officer Brad Smith recently warned against governments piling up software exploits, likening the Shadow Brokers’ release to the U.S. military having some of its Tomahawk missiles stolen. Meanwhile, besides the WannaCry ransomware, new attacks based on these exploits are popping up in the wild, with one example being Adylkuzz, a malware that mines digital money using infected machines’ resources.