Seqrite: ‘EternalBlue’ continues to be a popular threat actor among cybercriminals in 2018

In its research report titled, ‘EternalBlue – A Popular Threat Actor of 2017-2018’, Seqrite revealed that it has detected more than 18 million hits of the exploit in advanced cyberattacks like ransomware and distributed cryptomining campaigns.

Almost a year after the infamous WannaCry ransomware attack, leaked NSA Exploit ‘EternalBlue’ continues to be a popular threat actor for cybercriminals to infiltrate into systems and make financial gains. The report highlights data sourced from Quick Heal Security Labs and gives insights into the exploit’s timeline, analysis and recent observations made around its existence till date

‘EternalBlue’ is the deadliest exploit leaked by hacking group known as Shadow Brokers in April last year. Seqrite observed the first impression of EternalBlue in May 2017 with the outbreak of WannaCry ransomware. The detection count gradually started increasing as WannaCry started spreading to other systems making it the biggest ransomware attack in history that affected more than 150 countries.

After the success of WannaCry, several new Proof of Concept or POC exploit were discovered on the internet for ‘EternalBlue. With this easy availability of ‘EternalBlue’, hackers were observed using the exploit in the ensuing attacks like EternalRocks worm, Petya a.k.a NotPetya ransomware and BadRabbit Ransomware.

Following a detailed investigation, Seqrite further discovered that ‘EternalBlue’ which was mostly utilized in ransomware attacks is now also being increasingly deployed by hackers to distribute cryptomining campaigns like Adylkuzz, Zealot and WannaMine.

According to the report, there has been a healthy increase in detection statistics from December with March recording the highest detection count of over 70 lakh hits. This is largely due to the rapid rise in the valuation of cryptocurrencies and the fact that cryptomining allows attackers to illegally and discreetly mine cryptocurrencies on infected endpoints.

Sanjay Katkar, Joint Managing Director and Chief Technology Officer, Quick Heal Technologies Limited, “Exploits leaked by Shadowbrokers especially EternalBlue have helped hackers to launch some of the biggest cyberattacks in the form of WannaCry, Petya a.k.a. NotPetya and BadRabbit. While hackers using EternalBlue to launch ransomware attacks is widely known, it is interesting to note that cybercriminals are now leveraging this tool to distribute cryptomining campaigns. What is worrisome is that a large number of endpoints continue to be unprotected and vulnerabilities remain unpatched. It’s about time we realize that prevention is an important remedy that can help businesses to stay a step ahead of the attackers.”