Jump to content

EternalBlue

From Wikipedia, the free encyclopedia
Eternal - Anonymous
Technical nameL** Trojan:Win32/EternalBlue (Microsoft)[1]
  • Rocks Variant
  • Synergy Variant
    • Win32/Exploit.Equation.EternalSynergy (ESET)[4]
TypeExploit
AuthorsEquation Group
Technical details
PlatformWindows 95,Windows 98,Windows Me,Windows NT,Windows 2000,Windows XP,Windows Vista,Windows 7,Windows 8,Windows 8.1,Windows 10,Windows Server 2003,Windows Server 2003 R2,Windows Server 2012,Windows Server 2016

EternalBlue[5]is a computerexploitsoftware developed by the U.S.National Security Agency(NSA).[6]It is based on avulnerabilityinMicrosoft Windowsthat allowed users to gain access to any number of computers connected to anetwork.The NSA knew about this vulnerability but did not disclose it to Microsoft for several years, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as theShadow Brokers.Microsoft was informed of this and released security updates in March 2017patchingthe vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.[citation needed]

On May 12, 2017, acomputer wormin the form ofransomware,nicknamedWannaCry,used the EternalBlue exploit to attack computers using Windows that had not received the latest system updates removing the vulnerability.[5][7][8][9][10][11]: 1On June 27, 2017, the exploit was again used to help carry out the2017 NotPetya cyberattackon more vulnerable computers.[12]

The exploit was also reported to have been used since March 2016 by the Chinese hacking groupBuckeye (APT3),after they likely found and re-purposed the software,[11]: 1as well as reported to have been used as part of the Retefe bankingtrojansince at least September 5, 2017.[13]

Details

[edit]

EternalBlue exploits a vulnerability inMicrosoft's implementation of theServer Message Block(SMB) protocol. This vulnerability is denoted by entryCVE-2017-0144[14][15]in theCommon Vulnerabilities and Exposures(CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions ofMicrosoft Windowsmishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer.[16]

The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017,[17]after delaying its regular release of securitypatchesin February 2017.[18]OnTuesday,March 14, 2017, Microsoft issued security bulletin MS17-010,[19]which detailed the flaw and announced thatpatcheshad been released for all Windows versions that were currently supported at that time, these beingWindows Vista,Windows 7,Windows 8.1,Windows 10,Windows Server 2008,Windows Server 2012,andWindows Server 2016.[20][21]

The Shadow Brokerspublicly released the EternalBlue exploit code on April 14, 2017, along with several other hacking tools from the NSA.

Many Windows users had not installed the Microsoft patches when, on May 12, 2017, theWannaCry ransomware attackstarted to use the EternalBlue vulnerability to spread itself.[22][23]The next day (May 13, 2017), Microsoft released emergency security patches for the unsupportedWindows XP,Windows 8,andWindows Server 2003.[24][25]

In February 2018, EternalBlue was ported to all Windows operating systems sinceWindows 2000byRiskSensesecurity researcher Sean Dillon.EternalChampionandEternalRomance,two other exploits originally developed by the NSA and leaked byThe Shadow Brokers,were also ported at the same event. They were made available asopen sourcedMetasploitmodules.[26]

At the end of 2018, millions of systems were still vulnerable to EternalBlue. This has led to millions of dollars in damages due primarily to ransomware worms. Following the massive impact ofWannaCry,bothNotPetyaandBadRabbitcaused over $1 billion worth of damages in over 65 countries, using EternalBlue as either an initial compromise vector or as a method of lateral movement.[27]

City of Baltimore cyberattack

[edit]

In May 2019, the city ofBaltimorestruggled with acyberattackby digital extortionists; the attack froze thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. Nicole Perlroth, writing forThe New York Times,initially attributed this attack to EternalBlue;[28]in a memoir published in February 2021, Perlroth clarified that EternalBlue had not been responsible for the Baltimore cyberattack, while criticizing others for pointing out "the technical detail that in this particular case, the ransomware attack had not spread with EternalBlue".[29]

Since 2012, four Baltimore City chief information officers have been fired or have resigned; two left while under investigation.[30]Some security researchers said that the responsibility for the Baltimore breach lay with the city for not updating their computers. Security consultant Rob Graham wrote in a tweet: "If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that’s squarely the fault of the organization, not EternalBlue."[31]

Responsibility

[edit]

After the WannaCry attack, Microsoft took "first responsibility to address these issues", but criticized government agencies like the NSA andCIAfor stockpiling vulnerabilities rather than disclosing them, writing that "an equivalent scenario with conventional weapons would be theU.S. militaryhaving some of itsTomahawk missilesstolen ".[32]The stockpiling strategy prevented Microsoft from knowing of (and subsequently patching) this bug, and presumably other hidden bugs.[32][33]However several commentators, including Alex Abdo ofColumbia University'sKnight First Amendment Institute, have criticised Microsoft for shifting the blame to the NSA, arguing that it should be held responsible for releasing a defective product in the same way a car manufacturer might be.[34]The company was faulted for initially restricting the release of its EternalBlue patch to recent Windows users and customers of its $1,000 per device Extended Support contracts, a move that left organisations such the UK's NHS vulnerable to the WannaCry attack. A month after the patch was first released, Microsoft took the rare step of making it available for free to users of all vulnerable Windows editions dating back to Windows XP.[35]

EternalRocks

[edit]

EternalRocksorMicroBotMassiveNetis acomputer wormthat infects Microsoft Windows. It uses seven exploits developed by the NSA.[36]Comparatively, the WannaCryransomwareprogram that infected 230,000 computers in May 2017 only uses two NSA exploits, so researchers believe EternalRocks to be significantly more dangerous.[37]The worm was discovered via ahoneypot.[38]

Infection

[edit]

EternalRocks first installsTor,a private network that conceals Internet activity, to access its hidden servers. After a brief 24 hour "incubation period",[36]the server then responds to the malware request by downloading and self-replicating on the "host"machine.

The malware even names itself WannaCry to avoid detection from security researchers. Unlike WannaCry, EternalRocks does not possess akill switchand is not ransomware.[36]

See also

[edit]

References

[edit]
  1. ^"Trojan:Win32/EternalBlue threat description - Microsoft Security Intelligence".www.microsoft.com.
  2. ^"TrojanDownloader:Win32/Eterock.A threat description - Microsoft Security Intelligence".www.microsoft.com.
  3. ^"TROJ_ETEROCK.A - Threat Encyclopedia - Trend Micro USA".www.trendmicro.com.
  4. ^"Win32/Exploit.Equation.EternalSynergy.A | ESET Virusradar".www.virusradar.com.
  5. ^abGoodin, Dan (April 14, 2017)."NSA-leaking Shadow Brokers just dumped its most damaging release yet".Ars Technica.p. 1.RetrievedMay 13,2017.
  6. ^Nakashima, Ellen; Timberg, Craig (May 16, 2017)."NSA officials worried about the day its potent hacking tool would get loose. Then it did".Washington Post.ISSN0190-8286.RetrievedDecember 19,2017.
  7. ^Fox-Brewster, Thomas (May 12, 2017)."An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak".Forbes.p. 1.RetrievedMay 13,2017.
  8. ^Goodin, Dan (May 12, 2017)."An NSA-derived ransomware worm is shutting down computers worldwide".Ars Technica.p. 1.RetrievedMay 13,2017.
  9. ^Ghosh, Agamoni (April 9, 2017)."'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools ".International Business Times UK.RetrievedApril 10,2017.
  10. ^"'NSA malware' released by Shadow Brokers hacker group ".BBC News.April 10, 2017.RetrievedApril 10,2017.
  11. ^abGreenberg, Andy (May 7, 2019)."The Strange Journey of an NSA Zero-Day—Into Multiple Enemies' Hands".Wired.Archivedfrom the original on May 12, 2019.RetrievedAugust 19,2019.
  12. ^Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (June 27, 2017)."Cyberattack Hits Ukraine Then Spreads Internationally".The New York Times.p. 1.RetrievedJune 27,2017.
  13. ^"EternalBlue Exploit Used in Retefe Banking Trojan Campaign".Threatpost.RetrievedSeptember 26,2017.
  14. ^"CVE-2017-0144".CVE - Common Vulnerabilities and Exposures.The MITRE Corporation.September 9, 2016. p. 1.RetrievedJune 28,2017.
  15. ^"Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability".SecurityFocus.Symantec.March 14, 2017. p. 1.RetrievedJune 28,2017.
  16. ^"Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN".ESET North America.Archivedfrom the original on May 16, 2017.RetrievedMay 16,2017.
  17. ^"NSA officials worried about the day its potent hacking tool would get loose. Then it did".The Washington Post.RetrievedSeptember 25,2017.
  18. ^Warren, Tom (April 15, 2017)."Microsoft has already patched the NSA's leaked Windows hacks".The Verge.Vox Media.p. 1.RetrievedApril 25,2019.
  19. ^"Microsoft Security Bulletin MS17-010 – Critical".technet.microsoft.com.RetrievedMay 13,2017.
  20. ^Cimpanu, Catalin (May 13, 2017)."Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decrypt0r".Bleeping Computer.RetrievedMay 13,2017.
  21. ^"Windows Vista Lifecycle Policy".Microsoft.RetrievedMay 13,2017.
  22. ^Newman, Lily Hay (March 12, 2017)."The Ransomware Meltdown Experts Warned About Is Here".wired.com.p. 1.RetrievedMay 13,2017.
  23. ^Goodin, Dan (May 15, 2017)."Wanna Decryptor: The NSA-derived ransomware worm shutting down computers worldwide".Ars Technica UK.p. 1.RetrievedMay 15,2017.
  24. ^Surur (May 13, 2017)."Microsoft release Wannacrypt patch for unsupported Windows XP, Windows 8 and Windows Server 2003".RetrievedMay 13,2017.
  25. ^MSRC Team."Customer Guidance for WannaCrypt attacks".microsoft.com.RetrievedMay 13,2017.
  26. ^"NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000".www.bleepingcomputer.com.RetrievedFebruary 5,2018.
  27. ^"One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever".www.bleepingcomputer.com.RetrievedFebruary 20,2019.
  28. ^Perlroth, Nicole; Shane, Scott (May 25, 2019)."In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc".The New York Times.
  29. ^Perlroth, Nicole (February 9, 2021).This Is How They Tell Me the World Ends: The Cyberweapons Arms Race.Bloomsbury.
  30. ^Gallagher, Sean (May 28, 2019)."Eternally Blue: Baltimore City leaders blame NSA for ransomware attack".Ars Technica.
  31. ^Rector, Ian Duncan, Kevin (May 26, 2019)."Baltimore political leaders seek briefings after report that NSA tool was used in ransomware attack".baltimoresun.com.{{cite web}}:CS1 maint: multiple names: authors list (link)
  32. ^ab"The need for urgent collective action to keep people safe online: Lessons from last week's cyberattack - Microsoft on the Issues".Microsoft on the Issues.May 14, 2017.RetrievedJune 28,2017.
  33. ^Titcomb, James (May 15, 2017)."Microsoft slams US government over global cyber attack".The Telegraph.p. 1.RetrievedJune 28,2017.
  34. ^Bass, Dina (May 16, 2017)."Microsoft faulted over ransomware while shifting blame to NSA".Bloomberg News.RetrievedMarch 11,2022.
  35. ^Waters, Richard; Kuchler, Hannah (May 17, 2017)."Microsoft held back free patch that could have slowed WannaCry".Financial Times.RetrievedMarch 11,2022.
  36. ^abc"New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two".
  37. ^"Newly identified ransomware 'EternalRocks' is more dangerous than 'WannaCry' - Tech2".Tech2.May 22, 2017. Archived fromthe originalon June 4, 2017.RetrievedMay 25,2017.
  38. ^"Miroslav Stampar on Twitter".Twitter.RetrievedMay 30,2017.

Further reading

[edit]
[edit]
Retrieved from "https://en.wikipedia.org/w/index.php?title=EternalBlue&oldid=1245022621"