What is EternalBlue?
EternalBlue is the name of an exploit developed by the NSA as a cyber attack tool, and by extension of the Microsoft SMBv1 vulnerability it abuses. Microsoft fixed that vulnerability in Security Bulletin MS17-010. The exploit itself only works against Windows, but any network that still allows SMBv1 (Server Message Block version 1) file-sharing traffic gives EternalBlue-based ransomware and other worms a path to every unpatched Windows host on it.
How was EternalBlue developed?
You might be wondering who created EternalBlue in the first place. The origins of the SMB exploit are the stuff of spy stories: dangerous NSA hacking tools leaked, a notorious group called the Shadow Brokers doing the leaking, and a hugely popular operating system used by individuals, governments, and companies around the world.
According to Microsoft's own statements condemning the practice, EternalBlue was developed by the United States National Security Agency as part of its controversial program of stockpiling and weaponizing software vulnerabilities rather than reporting them to the vendor.
First leakage and fallout
This is where things get interesting: the NSA itself was hacked, and the eternal threat of EternalBlue was unwittingly unleashed on the world. How the NSA was breached has never been officially explained, but we do know how EternalBlue was leaked.
The Shadow Brokers, a hacking group now notorious for exactly this, obtained the NSA tools and published them via a link on its Twitter account on April 14, 2017. This was not the first time the Shadow Brokers had leaked NSA tools and exploits online, but the fifth. This particular release, titled "Lost in Translation," included the EternalBlue exploit targeting Windows.
The NSA discovered a Windows vulnerability and built the EternalBlue exploit for it; the exploit was later stolen and leaked by the Shadow Brokers.
On March 14, 2017, exactly one month before the Shadow Brokers leak, Microsoft released Security Bulletin MS17-010. The timing suggests Microsoft had been warned that the exploit was about to become public and was hurrying to protect millions of vulnerable Windows systems before it did.
The MS17-010 update corrects the SMBv1 flaws in every Windows version that was still supported at the time, including Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016. Separately, Microsoft stopped installing SMBv1 by default in later releases: Windows 10 version 1709 and later, and Windows Server version 1709 and later (including Windows Server 2019) ship without it unless an administrator adds it back.
Also, in an unprecedented move that showed how seriously it took the EternalBlue exploit, Microsoft released a second emergency patch for operating systems it no longer supported once WannaCry broke out in May 2017. That second release covered Windows XP, Windows 8, and Windows Server 2003.
How does EternalBlue work?
The EternalBlue exploit abuses flaws in the SMBv1 implementation found in older Microsoft operating systems. SMB was first designed in 1983 as a network protocol for shared access to files, printers, and serial ports; in practice it is how Windows machines talk to each other and to other devices that offer such services.
EternalBlue exploits SMBv1 flaws to run code on the target from a handful of crafted packets, which is what lets malware spread across a network on its own.
The bug lies in how the Windows kernel-mode SMBv1 server (srv.sys) handles specially crafted requests. An attacker who can reach TCP port 445 on an unpatched host sends the crafted SMB packets, needs no credentials, and gets code execution inside the kernel. A worm uses that foothold to install its payload and then scans for the next reachable host, which is why one infected machine is enough to take down an entire network.
The vulnerability EternalBlue exploits is recorded in the National Vulnerability Database as CVE-2017-0144.
Microsoft's patch closes the vulnerability, and with it every attempt to deliver ransomware, cryptominers, or worm-like malware through EternalBlue. The catch is that a patch only protects the machines on which it has actually been installed.
It is this that gives EternalBlue such a long shelf life: many individuals and even businesses do not update their software regularly, leaving their systems open to EternalBlue and other attacks. To date, the number of Windows systems still missing the patch remains in the millions.
How is EternalBlue used in cyber attacks?
EternalBlue is best known for spreading the WannaCry and NotPetya ransomware, but it can deliver any payload, including cryptocurrency miners and worm-like malware. The leak opened the door for any attacker to send a malicious packet to a reachable server that has not patched CVE-2017-0144.
The name says it all. WannaCry was a worldwide ransomware attack made possible by the EternalBlue exploit. Even attackers have a sense of humour.
The WannaCry attack began on May 12, 2017, and its impact was immediate and global. The ransomware spread at a rate of about 10,000 devices per hour and infected more than 230,000 Windows PCs in 150 countries in a single day.
No particular target was evident, but some big names were hit, including FedEx, the University of Montreal, LATAM Airlines, Deutsche Bahn, and, most visibly, the UK's National Health Service (NHS). The NHS reported that thousands of appointments and operations had been cancelled and that patients had to travel further to accident and emergency departments because affected hospitals could not take them.
Petya is another ransomware family that used the EternalBlue exploit to wreak havoc.
Petya was actually released in early 2016, before WannaCry, with little fanfare and limited damage. The first version spread through a malicious email attachment and was a fairly conventional piece of ransomware: your computer is infected, your files are encrypted (held to ransom), and you are asked to pay $300 worth of Bitcoin for the decryption key.
Petya encrypts the victim's files and demands a Bitcoin ransom to release them.
Thanks to the unfortunate success of EternalBlue and WannaCry, Petya got a second chance at destruction. In June 2017, NotPetya was distributed using the EternalBlue exploit, and this time people noticed.
The main difference between the two was that NotPetya (Petya v2) set out to disable a system completely. Whether the ransom was paid or not, there was no way to recover: it encrypted the disk's master file table (MFT) and overwrote the master boot record (MBR), with no usable key held anywhere.
How much property damage has EternalBlue caused?
What is EternalBlue's bill, and who pays it? The answer starts with a B, as in billions, and the people paying range from individuals like you to multinational corporations, both directly and through taxes.
Some big names took very hard blows. Maersk, the world's largest shipping company, lost $300 million; the delivery company FedEx lost $400 million; and Merck Pharmaceuticals (known as MSD outside North America) lost $870 million after 15,000 Windows machines succumbed to NotPetya in just 90 seconds.
A deeper loss, not measurable in dollars, was the loss of data and access suffered by hospitals and healthcare organizations.
When a hospital's network goes down, doctors cannot see the information they need for potentially life-saving surgery, and cannot record or look up medication changes. Hospitals can even lose the GPS tracking they use to locate ambulances, as happened in Ukraine during the NotPetya attack.
It is this type of non-monetary loss that makes cyber attacks so dangerous for society.
Is EternalBlue still out there?
The short answer is yes, EternalBlue is alive and well. WannaCry and NotPetya did most of their damage in 2017, but the other attacks built on EternalBlue are still going strong. As of May 2019, there were hundreds of thousands of EternalBlue attack attempts every day.
In fact, as of June 2020, Avast still blocks nearly 20 million EternalBlue attack attempts every month.
Almost a million Internet-facing machines still expose the vulnerable SMBv1 protocol. That fact alone keeps EternalBlue alive: a computer stays exposed for as long as it stays unpatched and online.
The deeper threat, however, may lie in the other exploits from the Shadow Brokers leak that attackers have yet to use at scale. EternalBlue was just one of many.
The most dangerous of these to surface so far is a worm dubbed EternalRocks, found in May 2017, which at the time carried no payload and appeared to be still under development. Unlike WannaCry, which used only two items from the leak (EternalBlue and the DoublePulsar backdoor), EternalRocks is said to use seven: the EternalBlue, EternalRomance, EternalSynergy, and EternalChampion exploits, the ArchiTouch and SMBTouch reconnaissance tools, and DoublePulsar, the kernel backdoor the Eternal exploits implant and then use to load further code.
Is my system under threat?
The good news is that there are effective tools to protect yourself. The EternalBlue threat persists, but you can counter it by installing the MS17-010 security update and running antivirus software.
We recommend that all Windows users install the MS17-010 update from Microsoft; keeping Windows fully updated includes it, and Microsoft also issued it for Windows XP, Windows 8, and Windows Server 2003. Without it you are facing today's threats with yesterday's defences. SMBv1 itself is obsolete, so besides patching, disable or remove SMBv1 wherever nothing on the network still needs it, and block TCP port 445 at the perimeter so that an infection elsewhere cannot reach you.
Do your part by keeping your computer up to date with the latest software updates, and follow these five tips for online safety and privacy.
Want to see whether your computer is vulnerable to EternalBlue? Our Wi-Fi Inspector can check it for you right now.
Defend yourself against future abuse
Cyber attackers mean business, but so do we. That is why Avast built antivirus software to block ransomware attacks like WannaCry and Petya. We use cloud-based AI to provide six layers of protection against malware and other threats, including those that exploit the SMBv1 vulnerability, and our Wi-Fi Inspector feature will check whether you are vulnerable to EternalBlue attacks.
Senior Information Technology System Network and Cyber Security Specialist