
EternalBlue

Posted: April 12, 2019

EternalBlue is an exploit for a vulnerability in the SMBv1 (Server Message Block version 1) implementation shipped with most versions of Windows. Threat actors typically use this weakness to introduce new threats to a system, such as a file-locking Trojan, or to compromise other systems that are reachable over a local network. Windows users should install the relevant security patches (Microsoft bulletin MS17-010) to remove the EternalBlue vulnerability, disable SMBv1 where nothing depends on it, and, if appropriate, run anti-malware scans to determine whether any threats took advantage of its presence.

EternalBlue as an Eternal Trojan Abettor

From its revelation by the notorious Shadow Brokers hacker group in April 2017 up to the present day, the EternalBlue exploit has seen productive, if hardly benevolent, use by hackers and threat actors who need a widely applicable way of circulating their Trojans. It's especially notable for its long-term abuse by file-locking Trojan campaigns, as well as at least one incident centered on Ukraine where threat actors are believed to have used a similar payload as a pretext for causing significant systemic damage rather than collecting ransoms. While EternalBlue alone is a concerning vulnerability for any unpatched Windows PC, it also appears frequently alongside Mimikatz's password-collecting capabilities.

The Shadow Brokers, who periodically leak hacking tools attributed to US NSA operations, publicized the exploit in April 2017; Microsoft had already patched the underlying flaw in March 2017 under bulletin MS17-010, and threat actors proceeded to use the exploit for distributing a file-locker Trojan on a massive scale one month after the leak. EternalBlue targets a weakness in Windows' SMBv1 implementation, referenced as CVE-2017-0144, in which the kernel-mode SMB server mishandles specially crafted packets, letting a remote, unauthenticated attacker execute code on the target. Criminals can use EternalBlue for various attacks, but, in most attack scenarios that malware experts can confirm, they use it either as an initial infection vector against a previously secure system that exposes SMB (TCP port 445) or for spreading to other systems on the local network after infecting an initial entry point.

EternalBlue's history includes assisting the spread of threats such as the password collector Mimikatz, the XMRig Monero cryptocurrency miner, the DBGer Ransomware, NRSMiner, and numerous others. Statistically, campaigns that use EternalBlue tend to focus on file-locking attacks, which encrypt the files of infected PCs and hold them for ransom. Such an attack, while not highly technical, can block access to most or even all of the contents of the system's drives, including documents, pictures or more critical work.

Changing the Color of Your Windows Security

While EternalBlue suffices for a hacker's dropping and installation of a threat such as a backdoor Trojan, RAT, spyware or miner, many attacks that use the EternalBlue exploit pair it with supplementary tactics as fallback options. Users can reduce the risk to their systems by avoiding passwords that are vulnerable to brute-force cracking, which is most effective against short, low-complexity strings that have no mixed casing, digits or symbols. A failed EternalBlue attempt doesn't necessarily mean that no payload is delivered, as the January crypto-jacking attacks against China showed: they used EternalBlue alongside other techniques, such as 'pass the hash', which reuses stolen credential hashes and therefore succeeds regardless of how strong the underlying password is.

Microsoft has provided security updates correcting the EternalBlue vulnerability on Windows systems, released in March 2017 as bulletin MS17-010 for Windows Vista, 7, 8.1, 10, Server 2008 and later, and followed in May 2017 by out-of-band patches for out-of-support editions like XP and Server 2003. Updating Windows with these patches will block EternalBlue's exploitation against the system, although, as elaborated earlier, other exploits may remain in play. Disabling SMBv1 entirely, where no legacy device on the network depends on it, removes the attack surface regardless of patch state. Anti-malware products can't directly resolve an EternalBlue vulnerability but may delete the threats that hackers install through it.
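As an added example, not code from the original article or from Microsoft, here is a PowerShell audit that checks the two conditions that matter for the CVE-2017-0144 weakness described above and the patches described in this section: whether the SMBv1 server is still enabled on the host, and whether an MS17-010 package appears among the installed hotfixes, with an optional switch that turns SMBv1 off. It assumes an elevated PowerShell 5.1 session on Windows 7 SP1 or later; the KB identifiers are the MS17-010 packages for the common editions and should be verified against Microsoft's bulletin for the exact build, because on Windows 10 later cumulative updates supersede them and `Get-HotFix` will not list the original KB.

```powershell
[CmdletBinding()]
param([switch]$DisableSmb1)

# Added example, not the article's own code. Assumptions: elevated PowerShell 5.1 on
# Windows 7 SP1 or later; the KB IDs below are the MS17-010 packages for common
# editions and should be checked against the Microsoft bulletin for your build.

$Ms17010Kbs = @(
    'KB4012598',                           # XP, Vista, Server 2003, Windows 8 RTM (May 2017 out-of-band)
    'KB4012212', 'KB4012215',              # Windows 7 SP1 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 cumulative updates
)

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the LanmanServer SMB1 value; absent or nonzero means enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value  = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Get-Ms17010Patch {
    # Returns the installed hotfix IDs that belong to the MS17-010 set (may be empty).
    Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

$smb1Enabled = Get-Smb1State
$patches     = @(Get-Ms17010Patch)
$os          = Get-CimInstance Win32_OperatingSystem

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSVersion      = $os.Version
    SMB1Enabled    = $smb1Enabled
    MS17010Patches = if ($patches) { $patches -join ',' } else { 'none found' }
} | Format-List

if ($smb1Enabled -and -not $patches) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 package was found: treat this host as exposed.'
} elseif (-not $patches) {
    Write-Warning 'No MS17-010 package listed; on Windows 10 a later cumulative update supersedes it, so confirm the build level instead.'
}

if ($DisableSmb1 -and $smb1Enabled) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # takes effect immediately
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0
        Write-Output 'Reboot required for the SMB1 registry change to take effect.'
    }
    Write-Output 'SMBv1 server support disabled.'
}
```

Save the script under any name and run it plainly to audit, or with `-DisableSmb1` to turn SMBv1 off (a reboot is needed on Windows 7 for the registry change). The hotfix check is a hint rather than proof: a missing KB on a Windows 10 machine that carries a later cumulative update is normal, whereas SMBv1 enabled on a machine with no MS17-010 package is the combination that leaves it open to this exploit.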

EternalBlue's continued role in digital plundering is near-entirely courtesy of users who aren't updating their operating systems promptly: the patch predated the public leak by a month and the first mass ransomware campaign by two. When OS vendors provide security updates, they're offering far more than fluff, and users would be wise to remember the value of preventing problems before they're in front of one's face.
