EternalBlue is a vulnerability exploit created by the National Security Agency (NSA) that landed on threat actors’ hands when hacker group Shadow Brokers leaked it on 14 April 2017.
EternalBlue made huge waves because it was used in the now-infamous WannaCry and NotPetya attacks after the exploit got leaked. The two attacks have since been the most devastating ransomware campaigns to date.
EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol. SMB is a communication protocol to give users shared access to files and printers across a network.
How Does the EternalBlue Exploit Work?
In straightforward terms, when attackers send the EternalBlue exploit to a vulnerable computer, it allows them to take over the system and execute malware like WannaCry. The video below shows exactly how that happens.
Can Users Protect against the EternalBlue Exploit?
The EternalBlue leak forced the NSA to inform Microsoft about the exploit. Microsoft released a patch for the vulnerability, tracked as CVE-2017-0144 in the National Vulnerability Database, on 16 March 2017.
The only way to effectively address the vulnerability and the attacks that use it is to install the patch Microsoft created. Download and install it from Microsoft if you haven’t already.
What Attacks Used the EternalBlue Exploit?
Several attacks used EternalBlue to get to target systems; the most popular ones are detailed below.
The WannaCry ransomware outbreak occurred in May 2017, and estimates put the financial damage from the attacks at US$4 billion. The threat actors used EternalBlue to compromise vulnerable computers. Once they had taken over unpatched systems, they planted WannaCry, which locked users out of their files and even their computers. Those who wished to regain access were asked to pay a ransom of US$300 each in Bitcoin.
The NotPetya ransomware attack in June 2017 was even more devastating than its predecessor WannaCry. The estimated financial damage reached US$10 billion, making it the most destructive attack that used EternalBlue to date. Unlike WannaCry, NotPetya’s ransom note didn’t promise users they’d get access to their files back.
Sednit, also known as “APT28,” “Fancy Bear,” and “Sofacy,” carried out a targeted attack on Wi-Fi networks belonging to hotels across Europe in August 2017. Like the attackers before them, the threat actors used EternalBlue to reach their targets.
Bad Rabbit
Bad Rabbit ransomware also used EternalBlue in attacks in October 2017, leading cybersecurity researchers to believe it was created by the same group behind NotPetya. The attackers asked victims to pay US$285 in Bitcoin each in exchange for their files.
EternalBlue was also used to distribute Satan ransomware in November 2017, following the success of the WannaCry, NotPetya, and Bad Rabbit attacks. Victims were asked to pay 0.3 Bitcoin each to regain access to their files.
WannaMine, a cryptominer malware, became widespread in September 2018. Like the rest of the malware discussed in this section, it used EternalBlue to infiltrate target systems.
Like WannaMine, NRSMiner uses victims’ computers to mine Monero coins. It was believed to have been redesigned to use EternalBlue to infect systems. The revamped malware made the rounds in January 2019.
Indexsinas is an SMB worm that has used EternalBlue to infiltrate target systems since at least June 2021. It has been used to plant cryptominers (malware that mines cryptocurrency without the user’s knowledge) on infected computers.
As you’ve seen, despite the availability of a patch for EternalBlue, the exploit has continued to wreak havoc years later. Why is that?
Why Does EternalBlue Remain a Threat Despite the Patch’s Availability?
EternalBlue remains a threat to this day because users haven’t installed the patch. As mentioned earlier, the only way to stay safe from related threats is to install the update. Another reason is that some vulnerable systems can’t be patched because they run unlicensed copies of Microsoft Windows.
It doesn’t help that patching the vulnerability would cost organizations a significant sum, and the process could affect productivity if the unpatched computers are part of mission-critical operations.
Due to the continued existence of systems vulnerable to EternalBlue, hackers have begun including the exploit in kits that any cybercriminal can buy from underground markets and the Deep Web.
EternalBlue’s longevity and proven success have made it one of the most dangerous exploits to date. But users can stay safe from it and the threats it brings with the simple act of patching the Microsoft bug it targets.