Barely a week since the WannaCry outbreak, security researchers have identified a new strain of malware that exploits flaws in the Windows SMB file-sharing protocol. WannaCry targeted the same protocol by exploiting two flaws; the new strain targets seven.
Malware built on the EternalBlue and DoublePulsar exploits, along with other pieces of malware, is using the same propagation techniques as WannaCry. Unlike WannaCry, however, this new strain tries to stay hidden, making detection harder.
UIWIX - The UIWIX ransomware was first identified this week. Unlike WannaCry, UIWIX is not currently believed to be a worm (i.e. self-propagating): while it uses the EternalBlue exploit to gain access to systems, the scanning and exploitation appears to be conducted using a more traditional command and control (C2) infrastructure.
Adylkuzz - Adylkuzz was one of the first pieces of malware to be identified as a direct result of the attention generated by WannaCry. It is distributed in a similar fashion to UIWIX, using centralised C2 infrastructure to sweep the Internet for machines vulnerable to the EternalBlue exploit. When installed, Adylkuzz enrols the machine in a botnet used to mine the Monero cryptocurrency. Forcepoint Security Labs have identified campaigns with similar intent but different distribution methods in the past (https://blogs.forcepoint.com/security-labs/21st-century-49ers-small-time-cryptocurrency-mining).
RATs - A number of Remote Access Tools have been identified using the EternalBlue exploit to spread. While the use of EternalBlue is common to all of the samples identified, the way the exploit is used varies with some samples (e.g. EternalRocks) taking the form of aggressively self-propagating worms, and others using a centralised scanning and distribution infrastructure similar to UIWIX and Adylkuzz.
Ultimately, as the exploitation technique at the root of these attacks is unchanged, the recommendations for all organisations remain the same as initially communicated during the WannaCry outbreak:
- Ensure that the MS17-010 security update is installed on all Windows machines within the organisation.
- Ensure that you have email and web security solutions that can block malicious emails, block intermediate payload download stages in real-time, and can provide URL Sandboxing features for additional protection at point-of-click.
- In line with Microsoft's guidance from 2016, customers should consider disabling SMBv1 and other legacy protocols on all Windows systems where this will not negatively impact the function of legacy systems within the environment. If you are a Forcepoint customer please consult the following Knowledge Base Article to identify what course of action may be suitable for your product: https://support.forcepoint.com/KBArticle?id=000012832
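As an added example (not part of the original post or of any Forcepoint product), the following PowerShell script audits a single Windows host against the first and third recommendations above: it looks for an MS17-010 package by KB id, reports whether the SMBv1 server and client are enabled, and disables them only when run with a `-Remediate` switch. The KB ids listed, the `-Remediate` switch and the two code paths (SMB cmdlets on Windows 8/2012 and later, the LanmanServer registry value on Windows 7/2008 R2) are assumptions of this example; confirm the KB ids against the MS17-010 bulletin for your OS versions.

```powershell
# Added example (not from the original post): audit a Windows host against the
# MS17-010 and SMBv1 recommendations. Run in an elevated PowerShell session.
# $Ms17010Kbs holds the March 2017 MS17-010 packages for Windows 7 / Server 2008 R2
# and Windows 8.1 / Server 2012 R2 (assumption: extend from the bulletin for other OSes).
param([switch]$Remediate)   # without -Remediate the script only reports

$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216')

# 1. MS17-010: Get-HotFix lists only packages installed directly. A later monthly
#    rollup that supersedes them will not appear here, so "not found" is a prompt to
#    check the cumulative update level, not proof that the host is unpatched.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 package present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 package found by KB id; verify the cumulative update level manually"
}

# 2. SMBv1 server. Windows 8 / Server 2012 and later expose the SMB cmdlets.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    Write-Output "SMBv1 server enabled: $smb1"
    if ($smb1 -and $Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server protocol disabled (applies to new sessions)"
    }
} else {
    # Windows 7 / Server 2008 R2: the setting lives under the LanmanServer key.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $enabled = ($null -eq $val) -or ($val -ne 0)   # an absent value means SMBv1 is on
    Write-Output "SMBv1 server enabled: $enabled"
    if ($enabled -and $Remediate) {
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Output "SMB1=0 written; a reboot is required for it to take effect"
    }
}

# 3. SMBv1 client, exposed as an optional feature on Windows 8.1 / 10 and Server 2012 R2+.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) {
    Write-Output "SMB1Protocol optional feature: $($feature.State)"
    if ($feature.State -eq 'Enabled' -and $Remediate) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output "SMB1Protocol feature disabled; a reboot completes the removal"
    }
}
```

Run it once without `-Remediate` to collect the report across hosts, and test the SMBv1 change on legacy systems first, since older devices that only speak SMBv1 will lose access to shares on the host.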