It is believed EternalBlue was originally the work of the Equation Group of the US National Security Agency (NSA). More than a year after the world first saw the Eternal Blue exploit in action in 2017, unpatched machines in Asia are still being infected with NRSMiner through the exploit. The malware is designed to steal computing resources in order to mine for cryptocurrency.
An F-Secure report says that in Asia, Iran is the second hardest hit country by the cyber attack after Vietnam. After the report was published Iran Computer Emergency Response Team Coordination Center (Iran CERTCC) issued an alert on its website certcc.ir, calling on local computer users to take security measures more seriously.
Finnish cybersecurity and privacy company F-Secure Corporation based in Helsinki, reports that Iran is the second hardest hit country in Asia and 16.6% of infections have been reported in the country, Financial Tribune reported.
Vietnam with 54.6% of cases being detected there has been the most affected country in the continent, while Malaysia with 12.1% is the third most hit. The latest wave of the attack is also actively spreading across countries including China, Japan, and Ecuador.
How It Works
The new version of the malware relies on the EternalBlue exploit to spread through local networks.
EternalBlue is an SMBv1 (Server Message Block 1.0) exploit which is able to trigger remote code execution (RCE) attacks via vulnerable Windows Server Message Block (SMB) file-sharing services. The security flaw responsible for the attack, CVE-2017-0144, was patched by Microsoft in March 2017 and yet many systems have still not been updated and remain vulnerable to attack.
It was over a year ago that EternalBlue first hit the headlines as the world was gripped by the spread of WannaCry, a form of ransomware which struck organizations worldwide including the UK's National Health Service (NHS), FedEx, Renault, and global banks. WannaCry, linked to North Korean hackers and the Lazarus group, used EternalBlue as an infection vector in order to spread.
NRSMiner makes use of the XMRig Monero miner to hijack an infected system's CPU to mine for the Monero (XMR) cryptocurrency. NRSMiner is also able to download update modules, refresh older versions of the malware present on a machine, and delete files and services installed by previous installs.
Precautions
To mitigate the exploitation of the vulnerability targeted by EternalBlue and prevent infection from spreading further, there are a number of measures to be implemented.
F-Secure has advised computer users to employ Software Updater or any other available tool to identify endpoints without the Microsoft-issued security fix and patch them immediately.
Users are also recommended to apply relevant security patches for any Windows systems. The center has also cautioned users to install an antivirus software tool on their devices.
Previous Cases
This is not the first time Iran is hit by cryptojacking attacks. In May 2018, Iran CERTCC issued an alert saying that a piece of cryptojacking malicious software had gone viral in the country. CoinHive, crypto jacking malware used for mining Monero, was the malicious software used by hackers at the time.
In February 2018, the center reported that some local popular websites were “borrowing” visitors’ central computer processors to mine virtual coins without the visitors’ consent. Again CoinHive was used by the culprits.
Later in October 2018 and following a global cyber attack, over 11,000 routers were infected with CoinHive in Iran. According to CERTCC, Iran was the fourth hardest hit country by the cyber attack after Brazil with 81,848 cases reported, India 29,265, and Indonesia 23,143.
The vulnerability of Iranian computer users against such cyber attacks is mostly rooted in outdated and unprotected servers and operating systems.