ADVERTISEMENT

Unraveling EternalBlue: inside the WannaCry’s enabler

WannaCry and NotPetya, probably two most damaging cyberattacks in recent history, were both only made possible because of EternalBlue. Here is how the NSA-developed cyber monster works, and how you should defend against it.

EternalBlue Wanna Cry

Image by Cybernews.

Cybernews Team
Sep 1, 2023 Updated: 15 November 2023 5 min read

What is the EternalBlue vulnerability?

EternalBlue
By Avast/Cybernews

How would EternalBlue look in a real attack scenario?

Recon process

  • Scanning for Open Ports: The bad actor could use port scanning tools like Nmap to identify systems with open ports, such as SMB (Server Message Block) ports (e.g., port 445). By scanning a range of IP addresses, they can identify potential targets that have SMB services exposed to the internet.
Discovering EternalBlue
Cybernews screenshot
  • Exploit Frameworks: There are well-known exploit frameworks like Metasploit that contain modules specifically designed to exploit the EternalBlue vulnerability. These frameworks provide a wide range of tools and exploits for attackers to leverage, including EternalBlue. By using such frameworks, the attacker can automate the process of identifying vulnerable systems and launching attacks.
EternalBlue exploits
Cybernews screenshot
  • Shodan and Similar Tools: Shodan is a search engine that scans and indexes internet-connected devices, including vulnerable systems. By using specific search queries, an attacker can identify systems that are potentially susceptible to EternalBlue. Similar tools or databases listing vulnerable systems can also aid in identifying targets.
  • Targeted Phishing and Social Engineering: In some cases, attackers may employ targeted phishing emails or social engineering techniques to gain initial access to a system within the target network. Once they’ve compromised a user's device, they can then perform internal network reconnaissance to find vulnerable systems and exploit EternalBlue.

Exploit execution

What is Metasploit Framework?

EternalBlue exploit
Cybernews screenshot
Successful EternalBlue exploitation
Cybernews screenshot
ADVERTISEMENT
EternalBlue privilege escalation
Cybernews screenshot
EternalBlue privilege escalation 2
Cybernews screenshot
EternalBlue privilege escalation 3

The lateral movement phase

Does EternalBlue still exist?

Top 10 countries with EternalBlue vulnerability
  • Windows 7 Professional 7600
  • Windows 8.1 Pro 9600
  • Windows Server 2021 R2 Standard
Operating systems vulnerable to EternalBlue

How to defend against EternalBlue?

  • Patching and Updates: Apply security patches and updates promptly. Microsoft released patches for the EternalBlue vulnerability in March 2017. Ensure that all affected systems, including servers and workstations, have the necessary updates installed. Additionally, keep all software, operating systems, and network devices up to date with the latest security patches.
  • Disable SMBv1: Since EternalBlue targets the SMBv1 protocol, consider disabling or blocking SMBv1 across your network, especially if it is not required. SMBv2 or SMBv3 should be used as more secure alternatives.
  • Network Segmentation: Implement network segmentation to isolate critical systems and restrict access between different parts of the network. This reduces the lateral movement potential of attackers and contains the impact of any successful exploitation.
  • Firewalls and Intrusion Detection Systems: Configure firewalls to block suspicious network traffic and restrict unnecessary access to SMB services. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) can help detect and block exploit attempts targeting the EternalBlue vulnerability.
  • Access Controls and Privilege Management: Enforce strong access controls and least privilege principles. Limit user privileges to only what is necessary for their roles, and regularly review and revoke unnecessary privileges. This reduces the potential impact of an attacker who successfully exploits the vulnerability.
  • Security Awareness and User Education: Train users to recognize and report phishing emails and suspicious attachments. Promote security awareness and educate users about the risks of clicking on unknown links or opening attachments from untrusted sources, as these can be entry points for attacks.
  • Endpoint Protection: Deploy and maintain reliable antivirus and anti-malware solutions on all systems. Ensure that these security tools are regularly updated with the latest threat definitions to detect and block known malware that may utilize EternalBlue or similar vulnerabilities.
  • Network Monitoring and Incident Response: Implement robust network monitoring and logging capabilities to detect and respond to any potential exploitation attempts or suspicious activity. Have an incident response plan in place to quickly respond and mitigate the impact if an exploitation occurs.

Summary

ADVERTISEMENT