EternalBlue

Last updated
Eternal Exploit
Common nameEternal
Technical nameL** Trojan:Win32/EternalBlue (Microsoft) [1]
  • Rocks Variant
  • Synergy Variant
    • Win32/Exploit.Equation.EternalSynergy (ESET) [4]
Type Exploit
Author(s) Equation Group
Operating system(s) affected Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, Windows Server 2003 R2, Windows Server 2012, Windows Server 2016

EternalBlue [5] is a computer exploit developed by the U.S. National Security Agency (NSA). [6] It was based on a vulnerability in Microsoft networking software that the NSA had known about for several years but had not disclosed to Microsoft. When the NSA discovered in 2017 that the exploit was stolen, Microsoft was informed and released security patches in March 2017. The Shadow Brokers hacker group publicly released EternalBlue on April 14, 2017.

Contents

On May 12, 2017, the worldwide WannaCry ransomware used this exploit to attack unpatched computers. [5] [7] [8] [9] [10] [11] :1 On June 27, 2017, the exploit was again used to help carry out the 2017 NotPetya cyberattack on more unpatched computers. [12]

The exploit was also reported to have been used since March 2016 by the Chinese hacking group Buckeye (APT3), after they likely found and re-purposed the tool, [11] :1 as well as reported to have been used as part of the Retefe banking trojan since at least September 5, 2017. [13]

Details

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE - 2017-0144 [14] [15] in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer. [16]

The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017, [17] after delaying its regular release of security patches in February 2017. [18] On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010, [19] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016. [20] [21]

The Shadow Brokers publicly released the EternalBlue exploit code on April 14, 2017, along with several other hacking tools from the NSA.

Many Windows users had not installed the Microsoft patches when, on May 12, 2017, the WannaCry ransomware attack started to use the EternalBlue vulnerability to spread itself. [22] [23] The next day (May 13, 2017), Microsoft released emergency security patches for the unsupported Windows XP, Windows 8, and Windows Server 2003. [24] [25]

In February 2018, EternalBlue was ported to all Windows operating systems since Windows 2000 by RiskSense security researcher Sean Dillon. EternalChampion and EternalRomance, two other exploits originally developed by the NSA and leaked by The Shadow Brokers, were also ported at the same event. They were made available as open sourced Metasploit modules. [26]

At the end of 2018, millions of systems were still vulnerable to EternalBlue. This has led to millions of dollars in damages due primarily to ransomware worms. Following the massive impact of WannaCry, both NotPetya and BadRabbit caused over $1 billion worth of damages in over 65 countries, using EternalBlue as either an initial compromise vector or as a method of lateral movement. [27]

City of Baltimore cyberattack

In May 2019, the city of Baltimore struggled with a cyberattack by digital extortionists; the attack froze thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. Nicole Perlroth, writing for the New York Times, initially attributed this attack to EternalBlue; [28] in a memoir published in February 2021, Perlroth clarified that EternalBlue had not been responsible for the Baltimore cyberattack, while criticizing others for pointing out "the technical detail that in this particular case, the ransomware attack had not spread with EternalBlue". [29]

Since 2012, four Baltimore City chief information officers have been fired or have resigned; two left while under investigation. [30] Some security researchers said that the responsibility for the Baltimore breach lay with the city for not updating their computers. Security consultant Rob Graham wrote in a tweet: "If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that’s squarely the fault of the organization, not EternalBlue." [31]

Responsibility

According to Microsoft, it was the United States's NSA that was responsible because of its controversial strategy of not disclosing but stockpiling vulnerabilities. The strategy prevented Microsoft from knowing of (and subsequently patching) this bug, and presumably other hidden bugs. [32] [33] However several commentators, including Alex Abdo of Columbia University's Knight First Amendment Institute, have criticised Microsoft for shifting the blame to the NSA, arguing that it should be held responsible for releasing a defective product in the same way a car manufacturer might be. [34] The company was faulted for initially restricting the release of its EternalBlue patch to recent Windows users and customers of its $1,000 per device Extended Support contracts, a move that left organisations such the UK's NHS vulnerable to the WannaCry attack. A month after the patch was first released, Microsoft took the rare step of making it available for free to users of all vulnerable Windows editions dating back to Windows XP. [35]

EternalRocks

EternalRocks or MicroBotMassiveNet is a computer worm that infects Microsoft Windows. It uses seven exploits developed by the NSA. [36] Comparatively, the WannaCry ransomware program that infected 230,000 computers in May 2017 only uses two NSA exploits, making researchers believe EternalRocks to be significantly more dangerous. [37] The worm was discovered via a honeypot. [38]

Infection

EternalRocks first installs Tor, a private network that conceals Internet activity, to access its hidden servers. After a brief 24 hour "incubation period", [36] the server then responds to the malware request by downloading and self-replicating on the "host" machine.

The malware even names itself WannaCry to avoid detection from security researchers. Unlike WannaCry, EternalRocks does not possess a kill switch and is not ransomware. [36]

See also

Related Research Articles

Samba is a free software re-implementation of the SMB networking protocol, and was originally developed by Andrew Tridgell. Samba provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Ransomware is a type of cryptovirological malware that permanently block access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Trellix is a privately held cybersecurity company that was founded in 2022. It has been involved in the detection and prevention of major cybersecurity attacks. It provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.

Cyberweapons are commonly defined as malware agents employed for military, paramilitary, or intelligence objectives as part of a cyberattack. This includes computer viruses, trojans, spyware, and worms that can introduce malicious code into existing software, causing a computer to perform actions or processes unintended by its operator.

JASBUG is a security bug disclosed in February 2015 and affecting core components of the Microsoft Windows Operating System. The vulnerability dated back to 2000 and affected all supported editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1.

Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.

The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

<span class="mw-page-title-main">WannaCry ransomware attack</span> 2017 worldwide ransomware cyberattack

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.

DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a few weeks, and was used alongside EternalBlue in the May 2017 WannaCry ransomware attack. A variant of DoublePulsar was first seen in the wild in March 2016, as discovered by Symantec.

Marcus Hutchins, also known online as MalwareTech, is a British computer security researcher known for stopping the WannaCry ransomware attack. He is employed by cybersecurity firm Kryptos Logic. Hutchins is from Ilfracombe in Devon.

<span class="mw-page-title-main">Petya (malware family)</span> Family of encrypting ransomware discovered in 2016

Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.

<span class="mw-page-title-main">2017 Ukraine ransomware attacks</span> Series of powerful cyberattacks using the Petya malware

A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.

The Zealot Campaign is a cryptocurrency mining malware collected from a series of stolen National Security Agency (NSA) exploits, released by the Shadow Brokers group on both Windows and Linux machines to mine cryptocurrency, specifically Monero. Discovered in December 2017, these exploits appeared in the Zealot suite include EternalBlue, EternalSynergy, and Apache Struts Jakarta Multipart Parser attack exploit, or CVE-2017-5638. The other notable exploit within the Zealot vulnerabilities includes vulnerability CVE-2017-9822, known as DotNetNuke (DNN) which exploits a content management system so that the user can install a Monero miner software. An estimated USD $8,500 of Monero having been mined on a single targeted computer. The campaign was discovered and studied extensively by F5 Networks in December 2017.

During the Baltimore ransomware attack of May 2019, the American city of Baltimore, Maryland had its servers largely compromised by a variant of ransomware called RobbinHood. Baltimore became the second U.S. city to fall victim to this new variant of ransomware after Greenville, North Carolina and was the second major US city with a population of over 500,000 people to be hacked by ransomware in two years, after Atlanta was attacked the previous year.

<span class="mw-page-title-main">BlueKeep</span> Windows security hole

BlueKeep is a security vulnerability that was discovered in Microsoft's Remote Desktop Protocol (RDP) implementation, which allows for the possibility of remote code execution.

SMBGhost is a type of security vulnerability, with wormlike features, that affects Windows 10 computers and was first reported publicly on 10 March 2020. A Proof-of-Concept (PoC) exploit code was published 1 June 2020 on GitHub by a security researcher. The code could possibly spread to millions of unpatched computers, resulting in as much as tens of billions of dollars in losses.

A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Attackers typically install a backdoor that allows the attacker full access to impacted servers even if the server is later updated to no longer be vulnerable to the original exploits. As of 9 March 2021, it was estimated that 250,000 servers fell victim to the attacks, including servers belonging to around 30,000 organizations in the United States, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

References

  1. "Trojan:Win32/EternalBlue threat description - Microsoft Security Intelligence". www.microsoft.com.
  2. "TrojanDownloader:Win32/Eterock.A threat description - Microsoft Security Intelligence". www.microsoft.com.
  3. "TROJ_ETEROCK.A - Threat Encyclopedia - Trend Micro USA". www.trendmicro.com.
  4. "Win32/Exploit.Equation.EternalSynergy.A | ESET Virusradar". www.virusradar.com.
  5. 1 2 Goodin, Dan (April 14, 2017). "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Ars Technica . p. 1. Retrieved May 13, 2017.
  6. Nakashima, Ellen; Timberg, Craig (May 16, 2017). "NSA officials worried about the day its potent hacking tool would get loose. Then it did". Washington Post. ISSN   0190-8286 . Retrieved December 19, 2017.
  7. Fox-Brewster, Thomas (May 12, 2017). "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes . p. 1. Retrieved May 13, 2017.
  8. Goodin, Dan (May 12, 2017). "An NSA-derived ransomware worm is shutting down computers worldwide". Ars Technica . p. 1. Retrieved May 13, 2017.
  9. Ghosh, Agamoni (April 9, 2017). "'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools". International Business Times UK . Retrieved April 10, 2017.
  10. "'NSA malware' released by Shadow Brokers hacker group". BBC News . April 10, 2017. Retrieved April 10, 2017.
  11. 1 2 Greenberg, Andy (May 7, 2019). "The Strange Journey of an NSA Zero-Day—Into Multiple Enemies' Hands". Wired . Archived from the original on May 12, 2019. Retrieved August 19, 2019.
  12. Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (June 27, 2017). "Cyberattack Hits Ukraine Then Spreads Internationally". The New York Times . p. 1. Retrieved June 27, 2017.
  13. "EternalBlue Exploit Used in Retefe Banking Trojan Campaign". Threatpost. Retrieved September 26, 2017.
  14. "CVE-2017-0144". CVE - Common Vulnerabilities and Exposures . The MITRE Corporation. September 9, 2016. p. 1. Retrieved June 28, 2017.
  15. "Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability". SecurityFocus . Symantec. March 14, 2017. p. 1. Retrieved June 28, 2017.
  16. "Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN". ESET North America. Archived from the original on May 16, 2017. Retrieved May 16, 2017.
  17. "NSA officials worried about the day its potent hacking tool would get loose. Then it did". The Washington Post . Retrieved September 25, 2017.
  18. Warren, Tom (April 15, 2017). "Microsoft has already patched the NSA's leaked Windows hacks". The Verge . Vox Media. p. 1. Retrieved April 25, 2019.
  19. "Microsoft Security Bulletin MS17-010 – Critical". technet.microsoft.com. Retrieved May 13, 2017.
  20. Cimpanu, Catalin (May 13, 2017). "Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decrypt0r". Bleeping Computer . Retrieved May 13, 2017.
  21. "Windows Vista Lifecycle Policy". Microsoft . Retrieved May 13, 2017.
  22. Newman, Lily Hay (March 12, 2017). "The Ransomware Meltdown Experts Warned About Is Here". wired.com . p. 1. Retrieved May 13, 2017.
  23. Goodin, Dan (May 15, 2017). "Wanna Decryptor: The NSA-derived ransomware worm shutting down computers worldwide". Ars Technica UK . p. 1. Retrieved May 15, 2017.
  24. Surur (May 13, 2017). "Microsoft release Wannacrypt patch for unsupported Windows XP, Windows 8 and Windows Server 2003" . Retrieved May 13, 2017.
  25. MSRC Team. "Customer Guidance for WannaCrypt attacks". microsoft.com. Retrieved May 13, 2017.
  26. "NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000". www.bleepingcomputer.com. Retrieved February 5, 2018.
  27. "One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever". www.bleepingcomputer.com. Retrieved February 20, 2019.
  28. Perlroth, Nicole; Shane, Scott (May 25, 2019). "In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc". The New York Times.
  29. Perlroth, Nicole (February 9, 2021). This Is How They Tell Me the World Ends: The Cyberweapons Arms Race. Bloomsbury.
  30. Gallagher, Sean (May 28, 2019). "Eternally Blue: Baltimore City leaders blame NSA for ransomware attack". Ars Technica.
  31. Rector, Ian Duncan, Kevin. "Baltimore political leaders seek briefings after report that NSA tool was used in ransomware attack". baltimoresun.com.{{cite web}}: CS1 maint: multiple names: authors list (link)
  32. "The need for urgent collective action to keep people safe online: Lessons from last week's cyberattack - Microsoft on the Issues". Microsoft on the Issues. May 14, 2017. Retrieved June 28, 2017.
  33. Titcomb, James (May 15, 2017). "Microsoft slams US government over global cyber attack". The Telegraph . p. 1. Retrieved June 28, 2017.
  34. Bass, Dina (May 16, 2017). "Microsoft faulted over ransomware while shifting blame to NSA". Bloomberg News. Retrieved March 11, 2022.
  35. Waters, Richard; Kuchler, Hannah (May 17, 2017). "Microsoft held back free patch that could have slowed WannaCry". Financial Times. Retrieved March 11, 2022.
  36. 1 2 3 "New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two".
  37. "Newly identified ransomware 'EternalRocks' is more dangerous than 'WannaCry' - Tech2". Tech2. May 22, 2017. Retrieved May 25, 2017.
  38. "Miroslav Stampar on Twitter". Twitter. Retrieved May 30, 2017.

Further reading

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.