A new security report from Microsoft says a new variant of the malicious code that infected at least 20,000 computers worldwide could be used to take over a network or even install ransomware.
The report, published on Wednesday by the security firm Kaspersky Lab, says the new version of the code, known as the EternalBlue, can run on most Windows and Linux machines, but only the ones running Microsoft’s latest operating system, Windows 10.
It can also be used remotely to infect computers.
Kaspersky found the EternalBlue variant, dubbed EternalBlue 2.0, could exploit a bug in Microsoft’s Windows Defender service, which protects against a variety of exploits.
“In addition to exploiting an existing vulnerability in Windows Defender, the EternalBlack 2.x variant can also exploit the previously released EternalBlue exploit, which was released in March 2018 and was patched in March 2019,” Kaspersky wrote.
“The new EternalBlack 1.x exploit is also included in the EternalBlue 2.1 variant.”
Kaspersky says EternalBlue’s attack could be carried out by exploiting the EternalRed exploit, a flaw in the Windows Defender software.
Microsoft patched EternalRed in March 2020.
“In the case that an EternalBlue or EternalBlack variant exploits a vulnerability in the WDFS security feature, it may execute a shell script that, in addition to the standard vulnerability injection and remote code execution vulnerabilities, may cause the victim to execute arbitrary code on the victim’s system, including the ability to perform various types of malicious activities such as stealing sensitive information,” the Kaspersky report said.
Microsoft patched the WDFS security service in March 2021.
Kaspersky said EternalBlue and EternalBlack variants of EternalBlue had previously been detected in the wild by researchers in 2017.
Earlier this year, Kaspersky discovered the EternalRed variant had already been used by malicious actors to infect more than 1,000 machines across the world, according to Kaspersky’s report.
As of Wednesday, the company’s researchers had identified over 5,700 instances of EternalRed on the web, with the EternalBlack variant still lurking online.
Microsoft said the new variant is being distributed through malicious websites and downloads.
Security researchers at Kaspersky said they were alerted by Microsoft to the issue by a third party, who contacted Kaspersky.
But Kaspersky said it did not receive the notification until it was notified by the same third party that it had detected the EternalRed exploit.
A Microsoft representative declined to comment on the report.
The EternalBlue exploits can be installed on many machines and are used to infect users.
According to the report, EternalBlue can run in memory, and it’s also possible to exploit the EternalWhite exploit to run code in memory.
Windows Defender patched EternalWhite in May 2018.
“The EternalBlue variant can even run code remotely to execute code on victims’ machines,” the report said, adding that the EternalBlack exploit was only found in one of the three EternalBlue variants that Kaspersky was tracking.
“Windows Defender can also bypass EternalBlue by exploiting EternalWhite, which is not a known vulnerability in any previous versions of Windows Defender,” Kaspersky wrote.
Microsoft has been working with the Windows and Mac security teams to investigate the vulnerability and has patched EternalBlue in May 2019.
The new attack could potentially make a lot of machines vulnerable to ransomware, but it could also affect customers who do not run a Windows or Mac operating system.