Indexsinas or NSABuffMiner has been actively exploiting the SMB vulnerabilities, also known as the EternalBlue exploit (MS17-010), since 2019. Indexsinas is an SMB worm malware that affects the Server Message Block protocol in Microsoft Windows operating systems. The Indexsinas worm is self-propagating, targeting healthcare, education, telecommunications and hospitality industries with an ultimate goal of using the machines for mining cryptocurrency.
The Indexsinas campaign targeted Guardicore Global Sensors Network (GGSN) in 2019 and have continued carrying out persistent attacks ever since. In March 2020, the Indexsinas campaign hit a cafe in Hunan, China where they introduced the new NSABuffMiner worm.
A total of 2000 different breaches have been recorded so far, emanating from 1300 different sources from around the world. All the attacks have been traced back to the same command-and-control server in South Korea.
Did CSW warn of these vulnerabilities?
Yes, the vulnerabilities were called out by CyberSecurityWorks in the Ransomware Spotlight 2021 report, enumerating the seven CVEs as being used by WannaCry ransomware, of which five are related to the EternalBlue exploit kit.
Microsoft released patches for all the vulnerabilities in 2017, covering existing versions of Windows as well as those not supported anymore. In spite of the existing patches, several thousands of devices still remain unpatched, making them prime targets for attackers.
A total of six vulnerabilities, CVE-2017-0143 through to CVE-2017-0148, were involved in the NSABuffMiner worm attack. All the CVEs belong to the EternalBlue exploit, which ranks among the top 5 exploits used by ransomware groups, as reported in the Ransomware Spotlight Report.
Some mentionable ransomware groups that have made use of the EternalBlue exploit include Conti, REvil, WannaCry, Satan and Katyusha, amongst several others.
Here is an in-depth analysis of the vulnerabilities:
All CVEs, barring CVE-2017-0147, are Windows SMB Remote Code Execution vulnerabilities and allow remote attackers to execute arbitrary code via crafted packets, to take control of the SMB servers.
Indexsinas Attack Methodology
An interesting characteristic of the Indexsinas campaign is how residual files, processes and stop services created by other attack campaigns are terminated as the attack progresses. The campaign also evades detection successfully by killing process monitoring and analysis programs; once all files are executed, its own files are also removed.
The Indexsinas SMB worm attack methodology generally consists of four different stages.
-
Initial Access and Execution
After the NSA EternalBlue exploit tools are used to breach the SMB server, code is run in the victim’s kernel to inject one of two offensive tools–EternalBlue.dll for 32-bit or DoublePulsar.dll for 64-bit–to download three executable files to gain a foothold on Windows systems.
-
Persistence and Remote Access
A version of the Gh0stCringe remote access trojan (RAT) is dropped and loaded into the memory of the victim’s machine. The RAT creates a registry key under svchost and deploys executables that have the capability to download, upload and install new modules.
-
Injecting Cryptominer Modules
The tool svchost installs services that install a cryptominer in the victim’s computer and run it constantly to mine Monero cryptocurrency.
-
Propagation
A payload uploaded in the first stage scans the SMB server in order to move laterally within and across the organization’s network. Once lateral movement is possible, batch scripts are installed to scan IP addresses associated with the victim’s machine. Upon successful exploitation, the attack flow starts all over again on a newly-infected machine.
IoCs | |
MD5 hashes:
|
Domains
Mutexes
Service Names
|
Indexsinas Exposure Analysis
Our exposure analysis using Shodan indicates 8601 devices that are extremely vulnerable to EternalBlue exploits and the Indexsinas SMB worm, if they are not patched immediately. The exposure analyses for open port 445, the SMB v1 servers and Windows operating systems enumerate approximately 830,000 Internet-facing assets at risk.
Devices Vulnerable to Eternalblue (MS17-010) |
Exposures for Open Port 445, SMB v.1 and Windows Operating Systems |
How do we mitigate the SMB vulnerabilities?
Despite repeated warnings and workarounds to patch the EternalBlue exploit vulnerabilities existing since 2017, Internet-facing assets of several million organizations remain vulnerable to attacks.
We urge all organizations to immediately update their servers and carry out network segmentation so as to strengthen their network in the event of an attack and compromise. Segmenting the network will ensure no lateral movement will be possible.
Attackers scour attack surfaces looking for one vulnerability that they can exploit in order to take down an organization. Organizations, therefore, need to update their servers more regularly and adopt a risk-based approach to boost their security posture.
To know more about CSW’s Vulnerability Management as a Service (VMaaS), please visit https://cybersecurityworks.com/services/vulnerability-management-as-a-service.