“EternalBlue” is the name of a leaked, NSA-developed exploit for a vulnerability in SMBv1 that was present in all Windows operating systems between Windows 95 and Windows 10. Server Message Block version 1, or SMBv1, is a communication protocol used to share access to files, printers, and serial ports over a network.
Tip: The NSA was previously tracked as the “Equation Group” threat actor before this and other exploits and activity were attributed to it.
The NSA identified the vulnerability in the SMB protocol at least as early as 2011. Under its strategy of stockpiling vulnerabilities for its own use, it chose not to disclose the issue to Microsoft so that it could be patched. The NSA then developed an exploit for the issue, which it called EternalBlue. EternalBlue is capable of granting complete control over a vulnerable computer, as it provides administrator-level arbitrary code execution without requiring any user interaction.
The Shadow Brokers
At some point before August 2016, the NSA was hacked by a group calling themselves “The Shadow Brokers”, believed to be a Russian state-sponsored hacking group. The Shadow Brokers gained access to a large trove of data and hacking tools. They initially tried auctioning the tools off and selling them for money, but received little interest.
Tip: A “state-sponsored hacking group” is one or more hackers operating either with a government’s explicit consent, support, and direction, or as part of an official government offensive cyber unit. Either option indicates that the group is very well qualified, targeted, and deliberate in its actions.
After understanding that their tools were compromised, the NSA informed Microsoft of the details of the vulnerabilities so a patch could be developed. Initially scheduled for release in February 2017, the patch was pushed to March to ensure the issues were correctly fixed. On the 14th of March 2017, Microsoft published the updates, with the EternalBlue vulnerability being detailed by the security bulletin MS17-010, for Windows Vista, 7, 8.1, 10, Server 2008, Server 2012, and Server 2016.
A month later, on the 14th of April, The Shadow Brokers published the exploit, along with dozens of other exploits and details. Unfortunately, despite the patches having been available for a month before the exploits were published, many systems had not installed them and remained vulnerable.
Use of EternalBlue
Just under a month after the exploits were published, on the 12th of May 2017, the “Wannacry” ransomware worm was launched, using the EternalBlue exploit to spread itself to as many systems as possible. The next day, Microsoft released emergency security patches for the unsupported Windows versions: XP, 8, and Server 2003.
Tip: “Ransomware” is a class of malware that encrypts infected devices and then holds the decryption key to ransom, typically for Bitcoin or other cryptocurrencies. A “worm” is a class of malware that automatically propagates itself to other computers, rather than requiring each computer to be individually infected.
According to IBM X-Force, the “Wannacry” ransomware worm was responsible for more than US$8 billion in damages across 150 countries, even though the exploit only worked reliably on Windows 7 and Server 2008. In February 2018, security researchers successfully modified the exploit to work reliably on all versions of Windows since Windows 2000.
In May 2019, the US city of Baltimore was hit with a cyberattack utilising the EternalBlue exploit. A number of cybersecurity experts pointed out that this situation was entirely preventable, as patches had been available for more than two years at that point, a period during which, at a minimum, critical security patches for vulnerabilities with public exploits should have been installed.