While no cybersecurity company can offer 100% protection, Cylance has confirmed that numerous forms of this campaign are actually detected and prevented by Cylance.
Shadow Brokers’ release of suspected NSA-developed exploits has caused yet another stir in the security industry following the disclosure that IDT was hit with a diversionary ransomware attack while also suffering a stealthy credential stealing breach.
In a New York Times article, Cylance and several other vendors were identified as missing the attack. The article alludes to EternalBlue (CVE-2017-0144) and DoublePulsar being used to deliver a different form of ransomware from WannaCry.
Bad actors are taking advantage of the EternalBlue SMB exploit and DoublePulsar backdoor for a number of purposes beyond the already well-documented WannaCry ransomware campaign.
The article is devoid of specifics, including the exact vector and payload of the attack and what type of ransomware was used; however, Cylance recently posted a blog discussing another observed method in which EternalBlue was used to deliver malware dubbed EternalRocks.
After reviewing the CylancePROTECT® configurations, we strongly recommend that IDT and all Cylance customers enable our memory protection capabilities and configure the technology to prevent malicious in-memory exploitation attempts, including selecting "Terminate" for running processes it catches as malicious.
The good news is that, according to a recent report, the number of systems infected with DoublePulsar is down dramatically (about 84% from last month), suggesting that the Microsoft patches are being widely applied.