EternalBlue: The Lethal Nation-State Exploit Tool Gone Wild
There’s a good chance you’ve heard of EternalBlue, the infamous exploit behind a slew of high-profile cyber attacks since 2017. The name is also used loosely for the vulnerability it targets: CVE-2017-0144, one of six SMBv1 flaws (CVE-2017-0143 through CVE-2017-0148) in Windows that Microsoft fixed in security bulletin MS17-010. So, how much do you know about the EternalBlue exploit, the attacks it has enabled, and where it stands today? In this post, we’ll explore this menace, and why the name EternalBlue is frustratingly appropriate.
The Discovery of the EternalBlue Exploit
The EternalBlue vulnerabilities in Windows OS were discovered by the Equation Group, an advanced persistent-threat group widely considered to be the hacking arm of the NSA. The group then developed the EternalBlue exploit to abuse those vulnerabilities.
Of course, upon discovering the vulnerabilities, the Equation Group should have alerted Microsoft to their existence. Instead, they kept them to themselves until the toolkit was stolen by yet another hacking group, the Shadow Brokers, who announced the theft in August 2016. Once Microsoft was notified, it issued the necessary patches (MS17-010, released on March 14, 2017) in an effort to protect its users. But by then it was too late: on April 14, 2017, the Shadow Brokers leaked the Equation Group’s hugely damaging exploits onto the Internet, and one month had not been long enough for most organizations to patch.
According to security expert Matthew Hickey, EternalBlue “is quite possibly the most damaging thing I’ve seen in the last several years…This puts a powerful nation state-level attack tool in the hands of anyone who wants to download it to start targeting servers.”
How Does the EternalBlue Exploit Work?
EternalBlue exploits a vulnerability in SMBv1, or Server Message Block version 1, the legacy version of the file- and printer-sharing protocol that Windows machines use to talk to each other and to other devices, normally over TCP port 445 (or port 139 via NetBIOS). SMBv1 is implemented in the Windows kernel driver srv.sys, so a flaw in the way that driver handles specially crafted SMBv1 packets lets an attacker who can reach port 445, without any valid credentials, execute arbitrary code with kernel privileges. That combination of unauthenticated, remote, kernel-level code execution is what made EternalBlue so well suited to self-propagating worms.
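The precondition for every attack described on this page is a host that still speaks SMBv1 on port 445. The following Python script is an added example, not code from the original post and not the exploit itself: it builds the SMB_COM_NEGOTIATE request that every SMBv1 conversation starts with, offering only the NT LM 0.12 dialect, and classifies the server’s reply. A server that still accepts SMBv1 returns an SMB1 header with a valid dialect index; a server with SMBv1 removed answers with an SMB2 header, rejects every dialect, or drops the connection. The make_sample_smb1_response helper constructs a plausible reply for offline testing and is not a real capture; probe_smbv1 sends a single negotiate over TCP and must only be pointed at systems you are authorized to test.

```python
import socket
import struct

# Wire constants from the MS-CIFS / MS-SMB specifications.
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"          # dialect Windows SMBv1 servers select
CAP_EXTENDED_SECURITY = 0x80000000
HEADER_FMT = "<4sBIBHH8sHHHHH"     # 32-byte SMB1 header


def _netbios(msg: bytes) -> bytes:
    """NetBIOS Session Service header: type 0x00 plus 24-bit big-endian length."""
    return b"\x00" + struct.pack(">I", len(msg))[1:]


def build_negotiate_request(dialects=(NT_LM_012,), mid: int = 1) -> bytes:
    """Build the SMB_COM_NEGOTIATE request a client sends to open an SMBv1 session."""
    header = struct.pack(
        HEADER_FMT,
        SMB1_MAGIC,         # Protocol
        SMB_COM_NEGOTIATE,  # Command
        0,                  # NT Status
        0x18,               # Flags: canonical paths, case-insensitive
        0xC801,             # Flags2: Unicode, NT status codes, extended security, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0,                  # TID
        0xFEFF,             # PIDLow
        0,                  # UID
        mid,                # MID
    )
    # Each dialect is a 0x02-prefixed, NUL-terminated string.
    blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(blob)) + blob   # WordCount=0, ByteCount, dialects
    msg = header + body
    return _netbios(msg) + msg


def parse_negotiate_response(data: bytes) -> dict:
    """Classify a raw reply (NetBIOS header included) to the request above."""
    if len(data) < 4:
        return {"smbv1": False, "reason": "no reply or connection dropped"}
    body = data[4:]
    if body.startswith(SMB2_MAGIC):
        return {"smbv1": False, "reason": "server answered with SMB2/3 only"}
    if not body.startswith(SMB1_MAGIC) or len(body) < 35:
        return {"smbv1": False, "reason": "not an SMB1 negotiate response"}
    if body[4] != SMB_COM_NEGOTIATE:
        return {"smbv1": False, "reason": f"unexpected command 0x{body[4]:02x}"}
    status = struct.unpack_from("<I", body, 5)[0]
    word_count = body[32]
    if word_count == 0:
        return {"smbv1": False, "reason": f"error response, NT status 0x{status:08x}"}
    dialect_index = struct.unpack_from("<H", body, 33)[0]
    if dialect_index == 0xFFFF:
        return {"smbv1": False, "reason": "server accepted none of the offered dialects"}
    result = {"smbv1": True, "dialect_index": dialect_index}
    if word_count == 17 and len(body) >= 67:
        # NT LM 0.12 response parameters: SecurityMode, MaxMpxCount, MaxNumberVcs,
        # MaxBufferSize, MaxRawSize, SessionKey, Capabilities, SystemTime, TimeZone, ChallengeLength
        (security_mode, _, _, _, _, _, capabilities, _, _, _) = struct.unpack_from("<BHHIIIIQhB", body, 35)
        result["signing_enabled"] = bool(security_mode & 0x04)
        result["signing_required"] = bool(security_mode & 0x08)
        result["extended_security"] = bool(capabilities & CAP_EXTENDED_SECURITY)
    return result


def make_sample_smb1_response(dialect_index: int = 0, security_mode: int = 0x03,
                              capabilities: int = 0x8000F3FD) -> bytes:
    """Construct a plausible SMBv1 server reply for offline testing (constructed, not a real capture)."""
    header = struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801,
                         0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 1)
    params = struct.pack("<BHBHHIIIIQhB", 17, dialect_index, security_mode,
                         50, 1, 16644, 65536, 0, capabilities, 0, 0, 0)
    server_guid = b"\x42" * 16                        # placeholder server GUID
    msg = header + params + struct.pack("<H", len(server_guid)) + server_guid
    return _netbios(msg) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_smbv1(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Send one negotiate to host:port and classify the answer. Authorized targets only."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = _recv_exact(sock, 4)
            if len(data) == 4:
                data += _recv_exact(sock, int.from_bytes(data[1:], "big"))
    except OSError:
        pass   # refused, reset or timed out: treated as "does not speak SMBv1"
    return parse_negotiate_response(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe_smbv1(sys.argv[1]))
    else:
        print(parse_negotiate_response(make_sample_smb1_response()))
```

Run with a hostname to probe a single machine, or with no arguments to classify the constructed sample. A result of smbv1 True only tells you the legacy protocol is enabled, which is the exposure MS17-010 and the mitigations later in this post are meant to remove; it does not tell you whether the patch is installed.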
The WannaCry Attack: The Granddaddy of EternalBlue Exploits
On May 12, 2017, Windows users across the globe were hit with a ransomware attack of epic proportions. Over 200,000 still-unpatched corporations, organizations, and home users in over 150 countries fell prey to WannaCry, which used EternalBlue to spread with a virulence previously unseen. WannaCry moved through systems unaided, thanks to the worming capability EternalBlue gave it: once it found a host with SMB (TCP port 445) reachable, it exploited it, installed itself, and scanned both the Internet and the victim’s internal network for the next target. This made WannaCry the fastest spreading, and one of the most destructive, ransomware variants ever discovered.
WannaCry famously took down the U.K.’s National Health Service, halting services such as surgeries and doctor appointments. It also affected European telecom providers and gas companies, FedEx, car manufacturer Renault, units of India’s police force, universities in China, over 600 companies in Japan, and numerous hospitals in Indonesia. Clean-up costs for that initial wave of attacks topped $8 billion.
Today, over two years later, companies and individuals are still getting hit with WannaCry, and some victims continue to pay the ransom. That means people are still failing to patch against this very public vulnerability. In fact, data from the search engine Shodan shows over 1 million Internet-facing machines still using SMBv1, despite its known risks.
WannaCry also represented a turning point for ransomware usage, as in the early days of ransomware, the threat mostly focused on individuals. Even when a group of employees within a single organization got hit, the damage was mostly limited to the time that IT departments had to spend on re-imaging machines and bringing them back to production.
But, as ransomware tactics matured, attackers began to focus more heavily on organizations, with the goal of encrypting—and profiting from—critical information. Now, thanks to EternalBlue and automatic propagation, threats like WannaCry can have a huge impact with relatively little input. All it takes is one click by a well-meaning employee to infect an entire company.
Other High-Profile EternalBlue Attacks
But wait—there’s more: EternalBlue just keeps on wreaking havoc. Other incredibly damaging attacks include:
NotPetya
Just a month after WannaCry first hit, another, even more harmful, attack using EternalBlue struck organizations worldwide, from law firms to shipping conglomerates, drug companies to oil companies. NotPetya initially appeared to be a variation of the Petya ransomware. But, unlike ordinary ransomware, NotPetya encrypted files and overwrote the master boot record with no working way to recover them after payment; it was a wiper dressed up as ransomware. It also did not rely on EternalBlue alone: it combined the exploit with stolen credentials and legitimate Windows administration tools to move laterally, which is why it spread even inside networks that had applied MS17-010. Moreover, the attack heavily focused on Ukrainian businesses and was released on June 27, 2017, the eve of Constitution Day, one of the country’s public holidays. It’s clear that NotPetya was no mere ransomware; it was most likely a state-sponsored attack of Russian origin, and in 2018 the U.S. and U.K. governments publicly attributed it to the Russian military.
Retefe
Retefe is a banking trojan that has been targeting European and Japanese banks and their customers via spam email campaigns for years. Though it has never been as widespread as some other banking trojans, it has been used consistently and with considerable success. That is why its latest development is worrisome: it has been leveraging EternalBlue to spread unaided through networks. Other banking trojans, including TrickBot, have been spotted adding EternalBlue to their arsenal as well.
WannaMine
This crypto-mining malware uses EternalBlue to spread and then mines cryptocurrency on infected systems, slowing them down. WannaMine mines Monero, the cryptocurrency of choice for attackers because it can be mined profitably on ordinary CPUs and its privacy features make payouts hard to trace. As with all crypto-mining threats, WannaMine eats computing resources and, over time, can leave machines unusable. What’s notable is how it spreads: it first uses PowerShell and WMI to harvest credentials that may let it log on to other computers remotely. If that proves unsuccessful, it falls back to EternalBlue to propagate across the network.
EternalBlue Today
Typically, exploits have a short shelf life, as attackers prefer new, less detectable methods. But EternalBlue’s popularity continues to grow, even though potential victims have (or could have) already deployed the patches needed to stay safe. The unfortunate reality is that although patching seems to be a quick fix, it’s not always so simple to implement. Due to issues like reliance on hard-to-patch legacy software and applications, the sheer volume of patches released, and an understandable aversion to interrupting operations, patching doesn’t always happen when it should.
This means that there are still millions of vulnerable machines. Apparently, the Equation Group knew what they were talking about when they gave this family of SMB exploits the “Eternal” prefix. To illustrate, WannaCry was the most detected malware in 2019, with four times as many ransomware detections as all other ransomware variants combined. And, as we’ve seen, EternalBlue is now used heavily in many other types of attacks.
EternalBlue Usage by Year: 2017–2019
To get an idea of just how prevalent EternalBlue is, let’s look at the campaigns that have utilized it since it first broke out in WannaCry.
- EternalRocks: Discovered soon after WannaCry, this worm uses seven leaked Shadow Brokers tools (EternalBlue, EternalChampion, EternalRomance, EternalSynergy, DoublePulsar, ArchiTouch and SMBTouch) to replicate and move through networks. EternalRocks stays dormant for 24 hours before fetching its second stage and spreading, a delay designed to defeat sandbox analysis. Thankfully, the malware’s author called it quits before it was ever weaponized with a destructive payload. If it had been, the impact would have been truly epic in scale.
- Adylkuzz: Adylkuzz uses EternalBlue to install crypto-mining capabilities onto the computers of unsuspecting victims.
- UIWIX: Although UIWIX is similar to WannaCry in how it uses EternalBlue, it is fileless and uses two separate encryption algorithms.
- Gamefish: Attributed to APT28, or Russia’s Fancy Bear/Sofacy/Pawn Storm, Gamefish targeted the WiFi networks of European hotels, using EternalBlue to spread.
- Smominru: This rampant crypto-mining botnet uses EternalBlue to infect and enlist older devices into its massive botnet to mine for Monero.
- TrickBot: As mentioned earlier, the notorious TrickBot now uses EternalBlue to spread laterally through networks.
- Satan: Although not new, the Satan ransomware variant began to leverage EternalBlue to self-spread in 2018.
- Glupteba: This malvertising malware-turned-cryptominer uses EternalBlue to make its way through networks.
- Ludicrouz: This botnet malware uses EternalBlue to spread to as many endpoints as possible.
- Vools: This is a backdoor that uses EternalBlue to deliver other types of malware payloads.
- PCASTLE: Focused on China, this crypto-mining malware leverages EternalBlue to move on to other victims.
- Yatron: This low-cost ransomware-as-a-service is serious about spreading. It now uses EternalBlue, and by charging users only $100 to rent out, aims to reach as many people as possible—in the shortest period of time.
- BlackSquid: EternalBlue is only one of the eight exploits used by BlackSquid, a new crypto-mining malware, to spread.
The Extra Dangers of Nation-State Exploits
As we’ve shown, government-created exploits can, and do, get exposed. And these tools are more damaging than typical criminal tooling because they are built with nation-state resources: they are reliable, tested against many target versions, and often packaged so that less skilled operators can use them. That means that when criminals get hold of them, the repercussions can be huge.
Thankfully, at least where the EternalBlue exploit is concerned, the fix is relatively simple. As we mentioned, consistent patching prevents the exploit from harming systems: MS17-010 closes the hole, and disabling SMBv1 (which Microsoft has deprecated) and blocking TCP port 445 at the network perimeter remove the attack surface even on hosts that cannot yet be patched. Combined with a powerful detection and response platform like Cynet 360, you can prevent EternalBlue, and other advanced threats, from taking root in your systems. And in cases where your organization is unable to patch, for whatever reason, Cynet identifies and stops EternalBlue to keep it from causing harm. With Cynet 360, your team has the power to combat the most destructive threats that come your way.