Researchers have warned that the Indexsinas SMB worm is scanning for vulnerable environments in which to spread, with a particular focus on the healthcare, hospitality, education and telecommunications sectors. The attackers' ultimate goal is to drop cryptocurrency miners on the compromised machines. Indexsinas, also known as NSABuffMiner, uses the leaked Equation Group arsenal: the EternalBlue and EternalRomance exploits to break into Windows hosts over SMB, and the DoublePulsar backdoor to run its payload.

Propagation combines an open source port scanner with three Equation Group tools: the EternalBlue and EternalRomance exploits and the DoublePulsar backdoor. The scanner finds hosts exposing SMB, the exploits compromise them and gain privileged (kernel-level) access, and DoublePulsar is installed as the back door through which the miner is delivered. These tools continue to succeed even though they were made public in 2017 by the Shadow Brokers leak and were used weeks later in the WannaCry and NotPetya attacks; the fix, MS17-010, has been available since March 2017. Indexsinas shows that many networks remain vulnerable even to undirected, opportunistic campaigns.
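Both exploits depend on the target still speaking SMBv1, so the first check a defender wants is an inventory of hosts that negotiate it. The following probe is an added example (not code from the original post or from any researcher's tooling): it sends an SMBv1-only NEGOTIATE request to TCP 445 and classifies the reply. A host that selects the dialect is one the worm can attempt; a host with SMBv1 disabled closes the connection, answers with an error, or refuses the dialect. Host names are assumptions, and the sample reply used for offline testing is constructed, not captured.

```python
"""Probe hosts for SMBv1 support, the precondition EternalBlue / EternalRomance need.

Added example; protocol layout follows MS-CIFS 2.2.3.1 / 2.2.4.52 (NEGOTIATE).
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_STATUS_SUCCESS = 0
NT_STATUS_NOT_SUPPORTED = 0xC00000BB

# Format of the 32-byte SMB1 header: magic, command, NT status, flags, flags2,
# pid_high, security features, reserved, tid, pid, uid, mid (all little-endian).
_SMB1_HEADER = "<4sBIBHH8sHHHHH"


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """Build an SMB_COM_NEGOTIATE request offering only SMBv1 dialects,
    wrapped in a NetBIOS session header (type 0x00 + 3-byte length)."""
    header = struct.pack(
        _SMB1_HEADER,
        SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
        0x18,        # Flags: case-insensitive and canonicalised pathnames
        0x2801,      # Flags2: long names, extended security, NT status codes
        0, b"\x00" * 8, 0,
        0, 0x1234, 0, 0x0001,   # TID, PID (arbitrary), UID, MID
    )
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    dialect_data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_data)) + dialect_data  # WordCount=0, ByteCount
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


def classify_negotiate_response(data):
    """Classify the server's answer to the SMBv1-only negotiate above."""
    if len(data) < 4 + 32:
        return "no-smb"
    smb = data[4:]                      # strip the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2-only"              # server refused SMB1 and answered in SMB2
    if smb[:4] != SMB1_MAGIC:
        return "no-smb"
    command, status = struct.unpack_from("<BI", smb, 4)
    if command != SMB_COM_NEGOTIATE:
        return "no-smb"
    if status != NT_STATUS_SUCCESS:
        return "smb1-rejected"          # e.g. STATUS_NOT_SUPPORTED
    word_count = smb[32]
    if word_count == 0:
        return "smb1-rejected"
    dialect_index, = struct.unpack_from("<H", smb, 33)
    if dialect_index == 0xFFFF:
        return "smb1-rejected"          # server selected none of our dialects
    return "smb1-enabled"               # SMBv1 negotiated: exploitable surface present


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the negotiate, and classify the reply.
    Hosts with SMBv1 disabled commonly just reset the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            data = sock.recv(4096)
    except OSError:
        return "closed-or-reset"
    return classify_negotiate_response(data)


def constructed_reply(status=NT_STATUS_SUCCESS, dialect_index=0):
    """Constructed (not captured) SMBv1 NEGOTIATE reply for offline testing:
    17 parameter words as a Windows host sends for NT LM 0.12, rest zeroed."""
    header = struct.pack(_SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, status,
                         0x98, 0xC801, 0, b"\x00" * 8, 0, 0, 0x1234, 0, 0x0001)
    if status == NT_STATUS_SUCCESS:
        params = struct.pack("<BH", 17, dialect_index) + b"\x00" * 32
    else:
        params = struct.pack("<B", 0)
    smb = header + params + struct.pack("<H", 0)   # ByteCount = 0
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    import sys
    # Hypothetical hosts; pass your own on the command line.
    for target in sys.argv[1:] or ["fileserver01.corp.example", "10.0.5.20"]:
        print(target, probe_smb1(target))
```

Run it only against hosts you own. A result of `smb1-enabled` means the exploits' prerequisite is present, not that the host is unpatched: a machine with MS17-010 applied still negotiates SMBv1 if the protocol is enabled. The remediation is the same either way, disable SMBv1 on the host and do not allow TCP 445 between segments that have no need for it.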

The attacks originated from more than 1,300 different source addresses, each responsible for only a handful of attack attempts. Because the worm attacks from every host it infects, these source IPs are most likely earlier victims rather than attacker-controlled infrastructure; they are located primarily in the US, Vietnam and India.

This is why network segmentation matters: it stops an attacker who has compromised one host from moving laterally to reach strategic assets and crown jewels, and it limits the damage (reduces the blast radius) by creating boundaries between servers and restricting the traffic allowed between them. For an SMB worm like Indexsinas that means, concretely, not allowing TCP port 445 between segments that have no business need for SMB.

Further reading:
Sasser Worm – The virus that restarted the computer
ZLoader – A dangerous malware distributor
