{"id":7515,"date":"2022-09-03T19:58:34","date_gmt":"2022-09-04T02:58:34","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7515"},"modified":"2023-04-11T10:11:19","modified_gmt":"2023-04-11T17:11:19","slug":"indexsinas-smb-worm-exploits-eternalblue-vulnerabilities","status":"publish","type":"post","link":"https:\/\/10.42.32.162\/articles\/indexsinas-smb-worm-exploits-eternalblue-vulnerabilities\/","title":{"rendered":"Indexsinas SMB Worm Exploits EternalBlue Vulnerabilities"},"content":{"rendered":"

Indexsinas or NSABuffMiner has been actively exploiting the SMB vulnerabilities, also known as the EternalBlue exploit (MS17-010<\/a>), since 2019. Indexsinas is an SMB worm malware that affects the Server Message Block protocol in Microsoft Windows operating systems. The Indexsinas worm is self-propagating, targeting healthcare, education, telecommunications and hospitality industries with an ultimate goal<\/a> of using the machines for mining cryptocurrency.\u00a0<\/strong>
\nThe Indexsinas campaign targeted Guardicore Global Sensors Network (GGSN) in 2019 and have continued carrying out persistent attacks<\/a> ever since. In March 2020, the Indexsinas campaign hit a cafe in Hunan, China where they introduced the new NSABuffMiner worm.
\nA total of 2000 different breaches have been recorded so far,\u00a0 emanating from 1300 different sources from around the world. All the attacks have been traced back to the same command-and-control server in South Korea<\/a>.<\/p>\n

 <\/p>\n

Did CSW warn of these vulnerabilities?\u00a0<\/strong><\/h2>\n

Yes, the vulnerabilities were called out by CyberSecurityWorks in the Ransomware Spotlight 2021<\/a> report, enumerating the seven CVEs as being used by WannaCry ransomware, of which five are related to the EternalBlue exploit kit.<\/p>\n

\"Ransomware<\/b><\/p>\n

Microsoft released patches<\/a> for all the vulnerabilities in 2017, covering existing versions of Windows as well as those not supported anymore. In spite of the existing patches, several thousands of devices still remain unpatched, making them prime targets for attackers.<\/p>\n

 <\/p>\n

\n

A total of six vulnerabilities, CVE-2017-0143 through to CVE-2017-0148, were involved in the NSABuffMiner worm attack. All the CVEs belong to the EternalBlue exploit, which ranks among the top 5 exploits used by ransomware groups, as reported in the Ransomware Spotlight Report<\/a>.<\/strong><\/p>\n<\/blockquote>\n

\"Ransomware<\/p>\n

Some mentionable ransomware groups that have made use of the EternalBlue exploit include Conti, REvil, WannaCry, Satan and Katyusha, amongst several others.<\/p>\n

Here is an in-depth analysis of the vulnerabilities:<\/strong><\/p>\n

\"Eternalblue<\/p>\n

All CVEs, barring CVE-2017-0147, are Windows SMB Remote Code Execution vulnerabilities and allow remote attackers to execute arbitrary code via crafted packets, to take control of the SMB servers.<\/strong><\/p>\n

Indexsinas Attack Methodology<\/strong><\/h2>\n

An interesting characteristic of the Indexsinas campaign is how residual files, processes and stop services created by other attack campaigns are terminated as the attack progresses. The campaign also evades detection successfully by killing process monitoring and analysis programs; once all files are executed, its own files are also removed.<\/p>\n

The Indexsinas SMB worm attack methodology generally consists of four different stages.<\/strong><\/p>\n

    \n
  1. \n

    Initial Access and Execution<\/strong><\/p>\n<\/li>\n<\/ol>\n

    After the NSA EternalBlue exploit tools are used to breach the SMB server, code is run in the victim\u2019s kernel to inject one of two offensive tools–EternalBlue.dll for 32-bit or DoublePulsar.dll for 64-bit–to download three executable files to gain a foothold on Windows systems.<\/p>\n

      \n
    1. \n

      Persistence and Remote Access<\/strong><\/p>\n<\/li>\n<\/ol>\n

      A version of the Gh0stCringe<\/a> remote access trojan (RAT) is dropped and loaded into the memory of the victim\u2019s machine. The RAT creates a registry key under svchost and deploys executables that have the capability to download, upload and install new modules.<\/p>\n

        \n
      1. \n

        Injecting Cryptominer Modules<\/strong><\/p>\n<\/li>\n<\/ol>\n

        The tool svchost <\/em>installs services that install a cryptominer in the victim\u2019s computer and run it constantly to mine Monero cryptocurrency.<\/p>\n

          \n
        1. \n

          Propagation<\/strong><\/p>\n<\/li>\n<\/ol>\n

          A payload uploaded in the first stage scans the SMB server in order to move laterally within and across the organization\u2019s network. Once lateral movement is possible, batch scripts are installed to scan IP addresses associated with the victim\u2019s machine. Upon successful exploitation, the attack flow starts all over again on a newly-infected machine.<\/p>\n

           <\/p>\n

          \"Indexsinas<\/p>\n

           <\/p>\n\n\n\n\n
          IoCs<\/strong><\/td>\n<\/tr>\n
          \n

          MD5 hashes:<\/strong><\/p>\n

            \n
          • |86.exe|0cd9d734ab88225b4af96c9edf15bbdf<\/span><\/li>\n
          • |86.exe|3b37396d0c15670d0b02856b6f3c1cec<\/span><\/li>\n
          • |86.exe|92b81afb69efbe857c74d07e464b4097<\/span><\/li>\n
          • |86.exe|f63038f93396c1c9fe023e777bdd1b99<\/span><\/li>\n
          • |Doublepulsar.dll|f84a4c44b9ebcd34a443ed2cb663743f<\/span><\/li>\n
          • |Doublepulsar2.dll|f84a4c44b9ebcd34a443ed2cb663743f<\/span><\/li>\n
          • |Eter.exe|8c80dd97c37525927c1e549cb59bcbf3<\/span><\/li>\n
          • |Eternalblue.dll|07e9f5f392d379981b7937e8da73512d<\/span><\/li>\n
          • |Eternalblue2.dll|07e9f5f392d379981b7937e8da73512d<\/span><\/li>\n
          • |bat.bat|10b1afc216476e4600cbaa07a265159c<\/span><\/li>\n
          • |c64.exe|d071887d9e9af01d3ee009dffe1be16d<\/span><\/li>\n
          • |cmd.bat|66b66dc0eb2437b233a8256b9a02902f<\/span><\/li>\n
          • |ctfmon.exe|762ed51daa67d2a6a4ea641ec5a5b6f3<\/span><\/li>\n
          • |iexplore.exe|07eb2ff68044f7d3795f3eea7f25b6af<\/span><\/li>\n
          • |iexplore.exe|2e3e26582f8daea2df6600ee7ab653d7<\/span><\/li>\n
          • |loab.bat|01b103a1531d23c0f0a431b07fa2bb8b<\/span><\/li>\n
          • |load.bat|338f6ff5e687d1eec9b539057d6ab5a7<\/span><\/li>\n
          • |mance.exe|4420f8917dc320a78d2ef14136032f69<\/span><\/li>\n
          • |nei.bat|4c42cb692e83bb6fac57054686ba2b88<\/span><\/li>\n
          • |poab.bat|ab234159a8bc206d06203086944b72c4<\/span><\/li>\n
          • |poad.bat|36a90b771d5eb1fc06d29377816f643e<\/span><\/li>\n
          • |puls.exe|c24315b0585b852110977dacafe6c8c1<\/span><\/li>\n
          • |same.bat|07986ecd5f759e85db37302bd0493ea4<\/span><\/li>\n
          • |svchost.exe|7afcf45907f225e3e3cfeece3bbcd410<\/span><\/li>\n
          • |taskhost.exe|c097fd043d3cbabcada0878505c7afa5<\/span><\/li>\n
          • |wai.bat|cd6fd2959b8ec762511f6c36adfb35bb<\/span><\/li>\n
          • |wget.exe|bd126a7b59d5d1f97ba89a3e71425731<\/span><\/li>\n
          • |xsfxdel~.exe|a48b642733b4ed0b2f63c726bea5710f<\/span><\/li>\n<\/ul>\n<\/td>\n
          		\n

          Domains<\/strong><\/p>\n