Remember WannaCry? The huge ransomware attack, which caused chaos last month, mainly affected Windows 7 PCs, with the latest Windows release being immune thanks to its beefier security – but that has now changed, as security researchers have ported the malware over to Windows 10.
Well, to be precise, the folks at RiskSense have adapted the central exploit which WannaCry was based on, called EternalBlue, so it can successfully compromise Windows 10 systems.
The ethical hackers (white hats, as they’re known) further honed the exploit, streamlining the code and reducing its footprint, and also doing away with the DoublePulsar backdoor, instead creating what they described as a “stealthier payload mechanism” to deliver a custom payload to the target machine.
As Bleeping Computer reports, the researchers said that this was all in an effort to “[substantiate] the premise that the original exploit’s DoublePulsar payload is a red herring for defenders to focus on”.
In other words, security firms should not be searching for this backdoor in their detection efforts, but rather the core exploit itself. And porting the malware across to Windows 10 in this manner is RiskSense’s way of highlighting what security software should be focusing on, and of reminding users of Microsoft’s latest OS that they aren’t immune to the ravages of WannaCry-style attacks.
However, there are a couple of things to note here. Firstly, in their report on this matter, the white hats left out key details of their revamped exploit so as not to give malicious types out there a new weapon.
And secondly, the exploit they crafted only works against older versions of Windows 10 (pre-Anniversary Update), but that isn’t really the point. It’s about showing the lines along which this sort of exploit can evolve, and reminding folks not to sit back smugly even when the OS they’re running appears to be bulletproof against a new threat.
As ever, ensuring your software and operating system are always kept fully up-to-date with the latest patches is a critical concern.
That’s particularly true when you consider that the follow-up exploit, EternalRocks, which has already been spotted in the wild (albeit not weaponized), is considerably more dangerous than EternalBlue, which itself is highly sophisticated to begin with.
Plus, there’s the fact that Shadow Brokers, the group which leaked NSA exploits such as EternalBlue, has promised more chaos with the release of similar tools this month.