Indexsinas SMB Worm Campaign Infests Whole Enterprises
Quote: The Indexsinas SMB worm is on the hunt for vulnerable environments to self-propagate into, researchers warned – with a particular focus on the healthcare, hospitality, education and telecommunications sectors. Its end goal is to drop cryptominers on compromised machines.
 
Indexsinas, aka NSABuffMiner, has been lurking since 2019. It makes use of the old Equation Group weapons arsenal, including the infamous EternalBlue and EternalRomance exploits for invading Windows SMB shares, as well as the DoublePulsar backdoor. Indexsinas’ hallmark is making aggressive use of lateral movement to fully consume targeted environments. Lately, the activity has resurged.
 
“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar and EternalRomance,” according to a Guardicore Labs analysis published Wednesday. “These exploits are used to breach new victim machines, obtain privileged access and install backdoors.”
 
EternalBlue and EternalRomance, the NSA-developed exploits that gained notoriety for their key roles in the WannaCry and NotPetya cyberattacks four years ago, remain effective, researchers noted. According to Shodan, there are more than 1.2 million internet-facing SMB servers out there today.
 
Since 2019, Indexsinas has used a large infrastructure made up of more than 1,300 devices acting as attack sources (most likely compromised machines, Guardicore noted, mainly in India, the U.S. and Vietnam), with each device responsible for only a few attack incidents each. There have been around 2,000 separate attacks in Guardicore’s telemetry to date, it said.
 
It remains difficult to pierce the veil of the attacks to discover more about the cyberattackers behind Indexsinas.
“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched and exposes no redundant ports to the internet. The attackers use a private mining pool for their cryptomining operations, which prevents anyone from accessing their wallets’ statistics.”

Read more: Indexsinas SMB Worm Campaign Infests Whole Enterprises | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096