Indexsinas SMB worm is targeting Windows servers vulnerable to EternalBlue

The self-propagating vulnerability remains a threat despite being patched years ago

Security researchers have warned of a new campaign dubbed Indexsinas that breaches networks through SMB servers and makes aggressive use of lateral movement to propagate. 

The worm, also known as NSABuffMiner, has been around since 2019 and targets Windows servers vulnerable to EternalBlue (MS17-010).

“Propagation is achieved through the combination of an open source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar and EternalRomance,” said Guardicore researchers in a blog post.

“These exploits are used to breach new victim machines, obtain privileged access and install backdoors.”

To date, there have been over 2,000 separate attacks detected by researchers. However, it has been difficult for investigators to pinpoint cyber criminals behind the campaign.

“The Indexsinas attackers are careful and calculated,” said researchers. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The C2 [command-and-control] server is highly protected, patched and exposes no redundant ports to the internet.

"The attackers use a private mining pool for their cryptomining operations, which prevents anyone from accessing their wallets’ statistics.”

The attacks start with the NSA tools being used to breach a system.

“These exploits run code in the victim’s kernel and are capable of injecting payloads to user-mode processes using asynchronous procedure calls (APCs),” researchers said. “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe.”

The worm propagates using another payload called c64.exe. This drops two other files, one of which is called ctfmon.exe – the propagation tool.

“ctfmon.exe is responsible for finding potential victims and exploiting them using Equation Group’s tools – and it does that extremely thoroughly,” said researchers.

Natalie Page, a threat intelligence analyst at Talion, told IT Pro that Indexsinas’ use of lateral movement is troublesome and highlights the importance of segmenting a network to prevent an attacker from reaching its ‘crown jewels’.

Lateral movement can be utilized to drop any type of payload the attacker desires, whether that be ransomware, remote access tools, backdoors, or crypto miners.

“In the current final stage of the Indexsinas attack chain, there are several standard best practices that can help organizations avoid an infection of this type. The patching of vulnerable SMB servers, identifying vulnerable entry points, achieving environmental visibility, and using network segmentation are all crucial mitigation tactics proven to prevent lateral movement on your network,” she said.

Page added that it should be easy for administrators to identify internet-facing servers, including SMB servers, and to limit access from and to different assets as well as the network services they expose.

“Corporate business functions and manufacturing/production operations should be separated. Policy rules such as disallowing access from the internet over SMB or allowing only certain IP addresses to access internet-facing file servers are also effective contributors towards the protection of your organization's SMB servers."
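The two network-level controls Page describes (no SMB reachable from the internet, and no single host fanning out over SMB to many internal machines, which is what a port-scanning worm looks like on the wire) can be checked against flow logs. The following is an added example, not code from Guardicore, Talion or IT Pro; the log format, the internal address ranges and the fan-out threshold are assumptions made up for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Assumed: the organisation's internal ranges (RFC 1918 here; adjust to your own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {445, 139}

# Constructed flow log lines in an assumed "key=value" format.
SAMPLE_LOG = """\
src=203.0.113.7 dst=10.0.1.5 dport=445
src=10.0.1.5 dst=10.0.2.10 dport=445
src=10.0.1.5 dst=10.0.2.11 dport=445
src=10.0.1.5 dst=10.0.2.12 dport=445
src=10.0.1.5 dst=10.0.2.13 dport=445
src=10.0.1.5 dst=10.0.2.14 dport=445
src=10.0.3.9 dst=10.0.2.10 dport=445
src=10.0.3.9 dst=10.0.2.10 dport=443
"""

def parse_flow(line):
    """Turn 'src=A dst=B dport=N' into (src, dst, port); ignores unknown keys."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def analyze_smb_flows(log_text, fanout_threshold=5):
    """Return (internet_inbound, fanout).

    internet_inbound: SMB flows whose source is outside INTERNAL_NETS and whose
                      destination is inside (policy says these should not exist).
    fanout: internal hosts that touched >= fanout_threshold distinct internal
            SMB targets, the signature of scan-driven lateral movement.
    """
    internet_inbound = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        src, dst, port = parse_flow(line)
        if port not in SMB_PORTS:
            continue  # only SMB matters for these two checks
        if is_internal(dst) and not is_internal(src):
            internet_inbound.append((src, dst, port))
        elif is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    fanout = {s: len(d) for s, d in targets.items() if len(d) >= fanout_threshold}
    return internet_inbound, fanout
```

Run on the constructed log, the first check flags the public source 203.0.113.7 reaching port 445, and the fan-out check flags 10.0.1.5 for touching five internal SMB targets while the ordinary file-server client 10.0.3.9 is left alone.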
