top of page

Windows 7 Eternal Blue

CVE-2017-0144

EternalBlue is a Windows exploit created by the US National Security Agency (NSA) and used in the 2017 WannaCry ransomware attack. 

 

EternalBlue allows arbitrary remote code execution. Attackers can gain access to a network by sending specially crafted packets. It exploits a software vulnerability in Microsoft’s Windows operating systems (OS) Server Message Block (SMB) version 1 (SMBv1) protocol, a network file sharing protocol that allows access to files on a remote server.

2-eternalblue-folder.jpg

EternalBlue screenshot from LINK

The vulnerability doesn’t just apply to Microsoft Windows. Anything that uses the Microsoft SMBv1 server protocol is potentially vulnerable.

Impact

EternalBlue was among the information spilled by a hacking group called the Shadow Brokers, who in 2017 hacked an NSA trove of cyber weapons. Shadow Brokers published EternalBlue on the internet causing chaos and embarrassment for the NSA. Microsoft was advised and took action by urgently sharing a security patch for Windows sysadmins. 

The flaws in SMBv1 protocol were patched by Microsoft in March 2017 with the MS17-010 security update. Unfortunately, despite the patch being available, there are still reportedly around a million machines connected to the internet that remain vulnerable.

Blue Smoke

SMB & EternalBlue

The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write to files and to request services from server programs in a computer network. The SMB protocol can be used on top of its TCP/IP protocol or other network protocols. 

SMB graph from LINK

The flaws in SMBv1 protocol were patched by Microsoft in March 2017 with the MS17-010 security update. Unfortunately, despite the patch being available, there are still reportedly around a million machines connected to the internet that remain vulnerable.

EternalBlue opened the door for attackers to install malware on any computer running SMB1, and it costed billions.

If you lived in 2017, your might have opened your work laptop and saw this one day:

WannaCry screenshot LINK

Estimates put the cost of NotPetya (ransomware) at over $10 billion in damages and WannaCry (ransomware) at around $4 billion in damages

The world’s largest shipping firm, Maersk, lost $300 million; the delivery company FedEx lost $400 million; and Merck Pharmaceuticals (known as MSD outside North America) lost $870 million after 15,000 of their Windows machines succumbed to NotPetya in just 90 seconds.

References

03.

EternalBlue: SMB

What Is EternalBlue and Why Is the MS17-010 Exploit Still Relevant?

bottom of page