Although the name "EternalBlue" sounds almost magical, it is an extremely dangerous exploit that disrupted millions of computers around the world.
The WannaCry ransomware of 2017 is one of the most notorious pieces of malware to have used EternalBlue. WannaCry disrupted operations at government agencies, financial institutions, hospitals, and many other organizations.
This article looks at EternalBlue in detail: its origins, how the attack works, and the protective measures that keep your systems safe.
EternalBlue is an exploit designed to attack a software vulnerability in the Microsoft Windows operating system. It was originally developed by the U.S. National Security Agency (NSA) in 2017 and was stolen shortly afterwards by a hacker group.
EternalBlue became infamous through the WannaCry ransomware. A month after EternalBlue was stolen, a hacker group built WannaCry, which uses EternalBlue to take control of Windows computers.
The SMBv1 vulnerability that EternalBlue targets exists in the following Windows versions:
- Windows XP
- Windows 7
- Windows 8
- Windows Server 2008
- Windows 10
History of EternalBlue
The background of EternalBlue is unusual compared to other exploits. This section describes the timeline and details of the major events related to it.
September 2016: Microsoft discovered a vulnerability in its Server Message Block version 1 (SMBv1) implementation. An alert was issued together with an instruction to disable SMBv1. This is when the issue was categorized as a zero-day vulnerability.
September 2016 to April 2017: The U.S. NSA developed EternalBlue.
March 2017: Microsoft released the patch that fixes the SMBv1 vulnerability in Windows.
April 2017: EternalBlue was leaked to the hacker group known as the Shadow Brokers.
May 2017: The WannaCry attack, which uses the EternalBlue exploit, was reported to have locked down more than 300,000 devices across over 150 countries. The spread took only 24 hours.
Although EternalBlue exploitation peaked in 2017, the number of attacks is still high today.
How does EternalBlue Work?
EternalBlue exploits a vulnerability in Microsoft's legacy implementation of the Server Message Block (SMB) protocol, which is reachable over port 445.
An EternalBlue attack typically begins with the attacker scanning for publicly reachable SMB ports on which to run the exploit. If the vulnerable service is exposed, the attacker then uses EternalBlue to send commands and data payloads that give them remote control of the machine.
What Harms Can EternalBlue Cause?
Beyond the WannaCry incident, one of the largest cyber disruptions in history, what exactly can EternalBlue do?
- Exploit the SMBv1 protocol vulnerability
- Execute arbitrary commands for remote control of the target
- Cause a buffer overflow on the target computer
- Overwrite target files
Protection Measures for the EternalBlue Vulnerability
What approaches can we take to protect our computers from the EternalBlue exploit?
Install Antimalware with the Latest Security Patches
Since the WannaCry outbreak in 2017, EternalBlue has been publicly known and studied by security experts. As a result, most antimalware software today already includes protection against it.
To protect your Windows computer from EternalBlue, install antimalware software and keep it updated with the latest security patches. Although most antimalware products provide protection against EternalBlue, research your options and choose an appropriate product.
Perform Version Updates
An OS or software update not only adds new features but also fixes bugs and adds new protections against vulnerabilities. Microsoft released a security patch specifically for the EternalBlue vulnerability in 2017, so applying the latest updates will definitely help protect against exploit attacks.
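As an added example (not part of the original article), the following PowerShell script audits a Windows host for the three conditions discussed above: whether SMBv1 is still enabled, whether anything is listening on TCP port 445, and whether the March 2017 patch is installed; with -Disable it also turns SMBv1 off, as Microsoft's 2016 alert instructed. The $PatchKbIds parameter is a placeholder you fill with the KB numbers of that patch for your Windows version; the script assumes PowerShell 3.0 or later and an elevated session.

```powershell
# Added audit script, not from the original article. Run in an elevated
# PowerShell 3.0+ session. $PatchKbIds is a placeholder: supply the KB numbers
# of Microsoft's March 2017 SMBv1 patch for your Windows version.
[CmdletBinding()]
param(
    [string[]] $PatchKbIds = @(),
    [switch]   $Disable          # also turn SMBv1 off if it is found enabled
)

$findings = @{}
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; Windows 7 and Server 2008 expose the same switch
#    as the LanmanServer "SMB1" registry value (absent = default = enabled).
$haveSmbCmdlet = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)
if ($haveSmbCmdlet) {
    $findings['SMB1Enabled'] = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $smb1 = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $findings['SMB1Enabled'] = ($null -eq $smb1) -or ($smb1 -ne 0)
}

# 2. Is the host listening on TCP 445, the port EternalBlue is delivered over?
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
} else {
    $listen = netstat -an | Select-String ':445\s+.*LISTENING'   # older systems
}
$findings['Port445Listening'] = [bool]$listen

# 3. Which of the expected patch KBs are missing?
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$findings['MissingPatches'] = @($PatchKbIds | Where-Object { $installed -notcontains $_ })

$findings.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# 4. Optional remediation, following Microsoft's guidance to disable SMBv1.
if ($Disable -and $findings['SMB1Enabled']) {
    if ($haveSmbCmdlet) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force
    }
    Write-Warning 'SMBv1 disabled; reboot for the change to take effect.'
}
```

A host that reports SMB1Enabled = True and Port445Listening = True from an Internet-facing interface is exactly the target profile the scanning step above looks for, so those two rows are the ones to act on first.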