Jump to content

EternalBlue NSA Exploit Becomes Commodity Hacking Tool, Spreads to Other Malware


CrAKeN

Recommended Posts

EternalBlue.jpg

 

ETERNALBLUE, an alleged NSA exploit targeting the SMBv1 protocol leaked by the Shadow Brokers in mid-April, has become a commodity hacking tool among malware developers.

 

The tool's notoriety comes from its successful usage as part of the WannaCry ransomware's self-spreading mechanism, where it was deployed alongside another NSA hacking tool called DOUBLEPULSAR to help WannaCry infect random computers via unprotected SMB services.

 

ETERNALBLUE - the go-to exploit for today's malware


After WannaCry has become the most infamous cyber-incident known to date, evidence has surfaced that there have been other malware families that used ETERNALBLUE even before WannaCry.

 

This included a report from Proofpoint, who discovered ETERNALBLUE deployed with the Adylkuzz cryptocurrency miner, a report from Cyphort, who found ETERNALBLUE deployed with various RATs deployed by Chinese threat actors, and a report from Secdo, who found ETERNALBLUE deployed with an infostealer originating out of Russia, and a botnet in China.

 

Things only got worse after the WannaCry outbreak. For example, Forcepoint found ETERNALBLUE deployed with various RATs, French security research Benkow found it used for the UIWIX ransomware, and Croatian security researcher Miroslav Stampar found it bundled with six other NSA hacking tools, part of the EternalRocks SMB worm.

 

To make matters worse, today, FireEye published another report, revealing it found ETERNALBLUE deployed with a version of the Gh0st RAT in Singapore, and together with the Nitol backdoor trojan across the South Asia region.

 

Adding ETERNALBLUE to Metasploit lowered the bar


All these malware campaigns use ETERNALBLUE for its ability to exploit a vulnerability (CVE-2017-0144) in Microsoft's Server Message Block (SMB) protocol.

 

ETERNALBLUE works by sending malformed packets to computers running vulnerable versions of the SMB service, allowing other malware to run code on the machine and get an initial foothold. Overall, exploit ETERNALBLUE is not difficult, but it's not hard either.

 

After the Shadow Brokers leaked ETERNALBLUE in mid-April, the exploit has been added as a module to the Metasploit framework, a tool used by sysadmins and security researchers to test their computers for vulnerabilities.

 

While developed with good intentions, the framework's exploit modules are often plundered by malware developers, who use them as the base for developing malware.

 

"The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities," said the FireEye team today, attempting to justify this flurry of malware families leveraging ETERNALBLUE.

 

Their colleague, Christopher Glyer‏, FireEye Chief Security Architect, agreed with their assessment. "Adding [ETERNALBLUE] to Metasploit lowers the bar significantly," Glyer wrote on Twitter.

 

What this means is that you can now expect that any low-skilled hacker that has basic grasp of C coding to be able to integrate ETERNALBLUE into his malware project.

 

The only way to negate this risk is by installing the security updates Microsoft released in security bulletin MS17-010.

 

Source

Link to comment
Share on other sites


  • Replies 2
  • Views 806
  • Created
  • Last Reply
straycat19
1 hour ago, CrAKeN said:

The only way to negate this risk is by installing the security updates Microsoft released in security bulletin MS17-010.

 

That is NOT the only way.  You can negate it by turning off SMB.  I posted a guide on turning off SMB and I replied to someone else's post with a long tutorial on turning off SMB using the registry or group policy, plus a few other methods.

Link to comment
Share on other sites


Fun fact: There's also a worm going around that uses EternalBlue to infect systems, install the SMB patch from MS, then delete itself. Effectively limiting the range of this other malware.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...