Cybereason catches WannaCry’s remote infection using DOUBLEPULSAR exploit

The WannaCry ransomware attack leveraged two vulnerabilities — EternalBlue and DoublePulsar — to infect more than 200,000 Windows computers in 150 countries in the span of a few days. The Cybereason Endpoint Detection and Response platform detected and stopped the WannaCry attack using its built-in ransomware detection modules. In this post, we’ll share how Cybereason spotted the behavior of the DoublePulsar exploit in a few customer environments in Asia.

DoublePulsar, which was leaked by The Shadow Brokers, is a persistent backdoor that exploits the Windows SMB protocol and functions as a malware downloader. It allows remote attackers to load and execute malware on an endpoint without the victim’s knowledge. It is currently propagating by using a very small piece of code that generates two sets of random IP addresses: one set within the private network space, the other in the public network space. This lets the worm both spread internally once it gains a foothold in a network and increase its infection rate by scanning the internet for other vulnerable hosts.

Below is a description of how Cybereason detected the initial intrusion attempt of WannaCry in one of our customer environments, followed by how it identified the internal network scan that would allow the worm to move laterally throughout the network. Here’s how this situation played out:

  1. A victim machine randomly generated the IP address of our customer.
  2. The victim machine attempted to connect to the generated IP on the Internet.
  3. Once the host was found to have port 445 open, an exploitation attempt was made into our client’s network using the SMB vulnerability.
  4. The WannaCry ransomware payload was detected and flagged as a Malop.


Cybereason observed a suspicious incoming external connection on port 445 right before the WannaCry infection:

[Screenshot: details of the listening connection on port 445]

The “owner process” shown as System refers to the Windows System process (PID 4).

When checking the connections made to this listening socket, the only external connection observed was the WannaCry intrusion.

[Screenshot: listening connection with owner process System]

Connection used for lateral movement 17:12 – 17:14

Beginning of WannaCry payload execution at 17:14

[Screenshot: connection timeline, customer details censored]

Detection of the WannaCry ransomware by Cybereason:

[Screenshot: Cybereason Malop for the WannaCry ransomware]

Following the infection, the new victim machine initiated multiple internal connections to port 445 on other machines within the network, attempting further lateral movement.

[Screenshot: outbound internal connections to port 445]

The Cybereason platform made it very easy to hunt for such exploits based on their behaviors. The ability to query the system in a way that yields clear results, and to detect exploits based on behavioral patterns, makes it very useful for detecting and responding to new threats such as the WannaCry campaign.
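As an added illustration of the behavioral pattern described above (this is not Cybereason’s code or query language), the following script flags a host that accepts an inbound port 445 connection from a public address into the System process (PID 4) and then, within a few minutes, fans out to port 445 on several distinct internal hosts; the hostnames, event records, PIDs and IP addresses are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of endpoint connection events (not real customer data).
# Fields: timestamp, host, direction, remote_ip, remote_port, owner_pid
EVENTS = [
    ("2017-05-12 17:12:10", "ws-17", "in",  "198.51.100.23", 445, 4),     # external SMB into System
    ("2017-05-12 17:13:02", "ws-17", "in",  "10.0.0.5",      445, 4),     # internal SMB client, benign
    ("2017-05-12 17:14:05", "ws-17", "out", "10.0.0.21",     445, 1337),  # fan-out begins
    ("2017-05-12 17:14:06", "ws-17", "out", "10.0.0.22",     445, 1337),
    ("2017-05-12 17:14:07", "ws-17", "out", "10.0.0.23",     445, 1337),
    ("2017-05-12 17:14:08", "ws-17", "out", "10.0.0.24",     445, 1337),
    ("2017-05-12 17:14:09", "ws-17", "out", "10.0.0.25",     445, 1337),
    ("2017-05-12 17:14:11", "ws-17", "out", "10.0.0.25",     445, 1337),  # repeat target, counted once
    ("2017-05-12 16:30:00", "ws-42", "in",  "198.51.100.77", 445, 4),     # inbound only, no fan-out
    ("2017-05-12 16:31:00", "ws-42", "out", "10.0.0.9",      445, 900),
]

# RFC 1918 ranges count as "internal"; anything else is treated as public.
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip in net for net in PRIVATE_NETS)

def find_smb_intrusion_fanout(events, window=timedelta(minutes=5), min_targets=5):
    """Alert when a host accepts an inbound port-445 connection from a public
    address into the System process (PID 4) and, within `window`, opens outbound
    port-445 connections to at least `min_targets` distinct internal hosts."""
    by_host = defaultdict(list)
    for ts, host, direction, rip, rport, pid in events:
        by_host[host].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                              direction, ip_address(rip), rport, pid))
    alerts = []
    for host, evs in by_host.items():
        for t0, direction, rip, rport, pid in evs:
            if not (direction == "in" and rport == 445 and pid == 4 and not is_internal(rip)):
                continue
            targets = {e[2] for e in evs
                       if e[1] == "out" and e[3] == 445 and is_internal(e[2])
                       and t0 <= e[0] <= t0 + window}
            if len(targets) >= min_targets:
                alerts.append({"host": host, "source": str(rip),
                               "at": t0.isoformat(), "internal_targets": len(targets)})
    return alerts

if __name__ == "__main__":
    for alert in find_smb_intrusion_fanout(EVENTS):
        print(alert)
```

The 5-minute window and 5-target threshold are tunable assumptions; the 17:12 inbound connection followed by the 17:14 fan-out in the sample mirrors the timeline in the screenshots above.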

About the Author

Assaf Dahan

Assaf has over 15 years in the InfoSec industry. He started his career in the Israeli Military 8200 Cybersecurity unit where he developed extensive experience in offensive security. Later in his career he led Red Teams, developed penetration testing methodologies, and specialized in malware analysis and reverse engineering.