NSA LOSES ONE OF ITS OWN WEAPONS: "THE ETERNALBLUE"
By
Søren Nielsen
2019
EternalBlue is a cyberattack exploit developed by the U.S. National Security Agency (NSA), according to testimony by former NSA employees.
It was leaked by the "Shadow Brokers" hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017.
The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017, and has been reported as part of the Retefe banking trojan since at least September 5, 2017.
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. The vulnerability is tracked as CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog.
The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer. Because the SMBv1 server listens on TCP port 445 and the flaw is reachable before authentication, any unpatched host with that port exposed is a target; that is what made the bug wormable.
The NSA did not alert Microsoft about the vulnerability, and held on to it for more than five years before the breach forced its hand. The agency warned Microsoft only after learning of EternalBlue's possible theft, which allowed the company to prepare a software patch, issued in March 2017 after Microsoft had delayed its regular February 2017 release of security patches.
On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions supported at that time: Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
Many Windows users had still not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself. The next day, Microsoft released emergency security patches for the unsupported Windows XP, Windows 8, and Windows Server 2003.
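The practical question two years on is whether a given host is still exposed. The script below is an added example, not part of the original post and not Microsoft's own tooling: run from an elevated PowerShell prompt on Windows 8 / Server 2012 or later, it reports whether the SMBv1 server is still enabled, whether one of the KB numbers Microsoft published with MS17-010 is installed, and can optionally switch SMBv1 off. The KB list is the bulletin's; the build-number threshold and the `-DisableSmb1` switch name are my own assumptions.

```powershell
# Added example (not from the original post): audit a Windows host for
# EternalBlue exposure. Requires an elevated prompt and the SmbShare module
# (Windows 8 / Server 2012 and later).
# Caveat: on Windows 10 / Server 2016 later cumulative updates supersede the
# March 2017 KBs, so a missing KB there is NOT proof of exposure; the build
# check below is an assumption used to avoid a false alarm on newer builds.

param(
    [switch]$DisableSmb1   # assumed switch name: turn SMBv1 off, not just report
)

# KB numbers from security bulletin MS17-010 (security-only and monthly rollup).
$Ms17010Kbs = @(
    'KB4012598',                            # Vista, Server 2008; also the XP / Server 2003 out-of-band fix
    'KB4012212', 'KB4012215',               # Windows 7, Server 2008 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1, Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507, 1511, 1607 / Server 2016
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) build $($os.BuildNumber)"

# 1. Is the SMBv1 server component enabled? This is the attack surface itself.
$smb = Get-SmbServerConfiguration
Write-Host "SMBv1 server enabled: $($smb.EnableSMB1Protocol)"

# Registry view of the same setting: SMB1 = 0 under LanmanServer\Parameters
# disables the SMBv1 server even where the driver is still installed.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$regSmb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($null -eq $regSmb1) {
    Write-Host "Registry SMB1 value: not set (defaults to enabled on older builds)"
} else {
    Write-Host "Registry SMB1 value: $regSmb1"
}

# 2. Is one of the MS17-010 updates installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present: $($installed.HotFixID -join ', ')"
} elseif ([int]$os.BuildNumber -ge 15063) {
    # Assumption: Windows 10 1703 (build 15063) and later shipped after March
    # 2017 and carry the fix in their baseline, so no separate KB is expected.
    Write-Host "Build $($os.BuildNumber) postdates MS17-010; the fix is in the baseline."
} else {
    Write-Warning "No MS17-010 KB found. Confirm via Windows Update history before assuming the host is patched."
}

# 3. Optionally remove the attack surface entirely. Note that clients which
#    only speak SMB1 (very old printers, NAS boxes) will lose access.
if ($DisableSmb1 -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host "SMBv1 server disabled."
}
```

Disabling SMBv1 is the stronger control: a host with the patch applied is safe from this specific bug, while a host with SMBv1 turned off is no longer reachable by EternalBlue, EternalRomance or EternalChampion at all, whatever its patch level.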
In February 2018, EternalBlue was ported to every Windows operating system since Windows 2000 by RiskSense security researcher Sean Dillon. EternalChampion and EternalRomance, two other exploits originally developed by the NSA and leaked by the Shadow Brokers, were ported at the same time. All of them were made available as open source Metasploit modules.
At the end of 2018, millions of systems were still vulnerable to EternalBlue. This has led to millions of dollars in damages, primarily from ransomware worms. Following the massive impact of WannaCry, both NotPetya and BadRabbit caused over $1 billion worth of damages in more than 65 countries, using EternalBlue either as an initial compromise vector or as a method of lateral movement.
In May 2019, Baltimore struggled with a cyberattack by digital extortionists using EternalBlue. The attack froze thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services.
Since 2012, four Baltimore City chief information officers have been fired or have resigned; two left while under investigation.
The EternalBlue tool relies on a flaw in Microsoft software, but the company issued a patch before the leakers posted the tools online.
Many systems remained vulnerable two years later, and the existence of the patch prompted some security researchers to argue that responsibility for the Baltimore breach lies with the city.
Security consultant Rob Graham wrote in a tweet:
"If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that’s squarely the fault of the organization, not Eternalblue".
Responsibility.
According to Microsoft, it was the United States' NSA that was responsible: by dint of its controversial strategy of stockpiling vulnerabilities, the agency at the very least prevented Microsoft from publicly patching this, and presumably other, hidden bugs in a timely manner.
EternalRocks.
EternalRocks, or MicroBotMassiveNet, is a computer worm that infects Microsoft Windows. It uses seven exploits developed by the NSA. By comparison, the WannaCry ransomware that infected 230,000 computers in May 2017 uses only two NSA exploits, which led researchers to believe EternalRocks is significantly more dangerous.
The worm was discovered via a honeypot.
EternalBlue was among the several exploits used, in conjunction with the DoublePulsar backdoor implant tool.
Infection.
EternalRocks first installs Tor, the anonymity network that conceals Internet activity, in order to reach its command-and-control servers, which are hosted as Tor hidden services. After a 24-hour incubation period, the server answers the malware's request; the worm then downloads the remaining payload and begins self-replicating from the infected host machine.
The malware even names itself "WannaCry" to avoid detection by security researchers.
Unlike WannaCry, EternalRocks has no kill switch and is not ransomware.