As the world sifts through the ashes left from the cybersecurity firestorm brought down on it over the weekend by a ransomware strain known as WannaCry, a new menace is growing from its shadows. This new ransomware comes from similar origins, an NSA exploit dump by Shadow Brokers. While WannaCry used a weaponized exploit called EternalBlue, cybercriminals are currently developing weapons based upon an NSA exploit called “EsteemAudit.” Similar to WannaCry, EsteemAudit targets yet another vulnerability found in Microsoft operating systems (MS17-010). This is the first of the many weaponized zero-day exploits from those dumps that we predicted would follow WannaCry.
EsteemAudit has been adapted and is now available for criminal use, but the threat doesn’t end with encrypted computers. According to recent Pentagon equipment watchdog reports, many critical infrastructure systems are vulnerable due to significant cybersecurity deficiencies, including – terrifyingly – US-originating Apache helicopters purchased by the British Army, amongst millions of other devices.
EsteemAudit exploits a vulnerability in Microsoft’s Windows Remote Desktop Protocol and allows the attacker to install and run malicious code. “This can cause extreme devastation on a multitude of levels. Not just the potential exposure of intellectual property but complete loss of data for companies, obstructions to many nations’ critical infrastructure, and even loss of lives,” said Paul Caiazzo, Co-Founder, CEO and Chief Security Architect at TruShield Security Solutions.
US intelligence services, including the National Security Agency (NSA), typically try to balance disclosing discovered software flaws against preserving them for cyber warfare and espionage purposes. The broad and devastating impact of these tools in the wrong hands is raising significant questions as to whether such cyber weapons should be controlled like conventional weapons. Microsoft itself suggests the adoption of a Digital Geneva Convention.
Take Steps for Prevention
If you haven’t read our last post on WannaCry, make sure you take those steps first. As with WannaCry, the best things you can do here are to keep your systems patched and to block inbound traffic to the vulnerable service EsteemAudit exploits (Microsoft Remote Desktop Protocol). Here are some additional steps you should be taking:
- Patch ALL Windows machines in your environment immediately. The EternalBlue vulnerability was patched by Microsoft back in March as part of MS17-010 (KB4012215). CRITICAL – all Windows systems MUST be patched to address this issue. Microsoft has also released patches for out-of-support operating systems XP and 2003.
- Immediately disable inbound Remote Desktop Protocol (RDP) from the Internet (Port 3389).
- Maintain up-to-date backups of files and regularly verify that the backups can be restored.
- Using the domain list below, update your firewalls, proxies, and IPS to block traffic to/from the listed domains.
- Ensure your AV signatures are up to date as major vendors are all working to deliver updated signatures to detect/prevent this.
- If you discover any machine on your network compromised by this attack, remove that machine from the network immediately and report the incident to your CISO or CTO.
- Inform your users to be EXTREMELY cautious with email over the next several days and instruct clients to forward suspicious emails to their CTO or CISO for analysis (but please don’t click any of the links, folks).
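The host-level checks behind the patch and RDP steps above, as an added example that is neither TruShield's scanning tool nor code from the original post. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets are not available on XP or 2003), and it takes the KB number from this post as a placeholder that you must verify against the update that applies to your OS.

```powershell
# Added audit script (not TruShield's tool). Assumes Windows 8 / Server 2012+.
function Get-RdpExposureAudit {
    [CmdletBinding()]
    param(
        [string]$PatchKb = 'KB4012215'   # KB named in the post; verify for your OS
    )
    $audit = [ordered]@{}

    # 1. Is the patch installed?
    $audit.PatchInstalled = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    # 2. Is RDP enabled on this host? fDenyTSConnections = 1 means RDP is disabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $audit.RdpEnabled = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)

    # 3. Is anything actually listening on TCP/3389?
    $audit.Port3389Listening = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)

    # 4. Is there already an enabled inbound block rule covering TCP/3389?
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_ | Get-NetFirewallPortFilter |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' } }
    $audit.InboundRdpBlocked = [bool]$blockRules

    [pscustomobject]$audit
}

function Add-InboundRdpBlockRule {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$RuleName = 'Block inbound RDP from Internet (EsteemAudit mitigation)')
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    # 'Internet' is the built-in firewall address keyword for non-local addresses.
    # This host rule is defence in depth; the edge firewall should block 3389 as well.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "create firewall rule '$RuleName'")) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 3389 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

$audit = Get-RdpExposureAudit
$audit | Format-List
# Dry run first; drop -WhatIf once the audit output matches what you expect.
if ($audit.RdpEnabled -and -not $audit.InboundRdpBlocked) { Add-InboundRdpBlockRule -WhatIf }
```

Run it elevated on each host (or via your remoting of choice) and keep the audit objects; a host reporting RdpEnabled and Port3389Listening with neither the patch nor a block rule is the one to fix first.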
IT Systems Administrators can also use this free scanning tool to determine if your systems are vulnerable to the EsteemAudit attack.
Find out how TruShield can give you the leverage you need with threat intelligence for early detection of threats like EsteemAudit.