An email-server message block (SMB) blended threat has been uncovered, which uses the compromised machine as a stepping stone to propagate laterally via the EternalBlue exploit.
Netskope Threat Research Labs said that the inclusion of the EternalBlue exploit is insidious because it will be launched internally from the newly infected machine, permitting direct access to shared SMB machines such as file shares and backup systems. This puts core data stores at risk in a fashion that may be impossible to anticipate. Also, SMB, a file sharing protocol that provides shared access to files in a network, is a widely adapted program, meaning the vulnerability has a considerable impact.
“We have observed that the presence of embedded document files in a cloud storage and collaboration services possesses a more significant threat to an enterprise environment since it arrives from a trusted source,” said Netskope researcher Ashwin Vamshi. “Once an endpoint is compromised with the second-stage payload like EternalBlue, it creates a wormed infection, leading all neighboring internal computers to be attacked via SMB from the newly compromised internal stepping-stone system.”
Earlier this year, The Shadow Brokers group disclosed a series of exploits, backdoors and several attack tools affiliated with nation-state activity. One of the exploits, EternalBlue, targets open SMB ports to leverage remote code execution, and has been widely used in attacks such as WannaCry, NotPetya and more recently Bad Rabbit.
In this case, the initial attack begins with a Swiss regional email which contains a Word Document with an embedded .lnk object, which is actually a backdoor that downloads the EternalBlue payload. From there, the threat moves from a cross-perimeter attack to an internal attack, with EternalBlue spreading itself across an organization’s network, without any user intervention, leading to internal attacks that organizations may not be prepared for.
“The use of cloud services by enterprises, along with the implicit trust, has led to an increase in malware attacks and thus posing a new challenge for organizations,” said Vamshi, adding that organizations should enforce policy on usage of unsanctioned services as well as unsanctioned instances of sanctioned cloud services.