Indexsinas SMB Worm Campaign Infests Whole Enterprises
Quote: The Indexsinas SMB worm is on the hunt for vulnerable environments to self-propagate into, researchers warned – with a particular focus on the healthcare, hospitality, education and telecommunications sectors. Its end goal is to drop cryptominers on compromised machines.
 
Indexsinas, aka NSABuffMiner, has been lurking since 2019. It makes use of the old Equation Group weapons arsenal, including the infamous EternalBlue and EternalRomance exploits for invading Windows SMB shares, as well as the DoublePulsar backdoor. Indexsinas’ hallmark is making aggressive use of lateral movement to fully consume targeted environments. Lately, the activity has resurged.
 
“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar and EternalRomance,” according to a Guardicore Labs analysis published Wednesday. “These exploits are used to breach new victim machines, obtain privileged access and install backdoors.”
 
EternalBlue and EternalRomance, the NSA-developed exploits that gained notoriety for their key roles in the WannaCry and NotPetya cyberattacks four years ago, remain effective, researchers noted. According to Shodan, there are more than 1.2 million internet-facing SMB servers out there today.
 
Since 2019, Indexsinas has used a large infrastructure made up of more than 1,300 devices acting as attack sources (most likely compromised machines, Guardicore noted, mainly in India, the U.S. and Vietnam), with each device responsible for only a few attack incidents each. There have been around 2,000 separate attacks in Guardicore’s telemetry to date, it said.
 
It remains difficult to pierce the veil of the attacks to discover more about the cyberattackers behind Indexsinas.
“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched and exposes no redundant ports to the internet. The attackers use a private mining pool for their cryptomining operations, which prevents anyone from accessing their wallets’ statistics.”

Read more: Indexsinas SMB Worm Campaign Infests Whole Enterprises | Threatpost