EternalBlue is a computer

exploit Exploit means to take advantage of something (a person, situation, etc.) for one's own end, especially unethically or unjustifiably. Exploit can mean: *Exploitation of natural resources *Exploit (computer security) * Video game exploit *Exploitat ...

developed by the U.S.

National Security Agency The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...

(NSA). It was leaked by the

Shadow Brokers The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of ...

hacker group on April 14, 2017, one month after Microsoft released patches for the

vulnerability Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." A window of vulnerability (WOV) is a time frame within which defensive measures are diminished, com ...

. On May 12, 2017, the worldwide

WannaCry ransomware The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptovirology, cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom paymen ...

used this exploit to attack unpatched computers. On June 27, 2017, the exploit was again used to help carry out the 2017 NotPetya cyberattack on more unpatched computers. The exploit was also reported to have been used since March 2016 by the Chinese hacking group Buckeye (APT3), after they likely found and re-purposed the tool, as well as reported to have been used as part of the Retefe banking

trojan Trojan or Trojans may refer to: * Of or from the ancient city of Troy * Trojan language, the language of the historical Trojans Arts and entertainment Music * ''Les Troyens'' ('The Trojans'), an opera by Berlioz, premiered part 1863, part 1890 ...

since at least September 5, 2017. EternalBlue was among the several exploits used, in conjunction with the

DoublePulsar DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a few wee ...

backdoor A back door is a door in the rear of a building. Back door may also refer to: Arts and media * Back Door (jazz trio), a British group * Porta dos Fundos (literally “Back Door” in Portuguese) Brazilian comedy YouTube channel. * Works so title ...

implant tool, in executing the 2017 WannaCry attacks.

Details

EternalBlue exploits a vulnerability in

Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...

's implementation of the

Server Message Block Server Message Block (SMB) is a communication protocol originally developed in 1983 by Barry A. Feigenbaum at IBM and intended to provide shared access to files and printers across nodes on a network of systems running IBM's OS/2. It also provides ...

(SMB) protocol. This vulnerability is denoted by entry in the

Common Vulnerabilities and Exposures The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. The United States' National Cybersecurity FFRDC, operated by The MITRE Corporation, maintai ...

(CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of

Microsoft Windows Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. For example, Windows NT for consumers, Windows Server for serv ...

mishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer. The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017, after delaying its regular release of security patches in February 2017. On

Tuesday Tuesday is the day of the week between Monday and Wednesday. According to international standard ISO 8601, Monday is the first day of the week; thus, Tuesday is the second day of the week. According to some commonly used calendars, however, ...

, March 14, 2017, Microsoft issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being

Windows Vista Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years before, at the time being the longest time span between successive releases of ...

Windows 7 Windows 7 is a major release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on July 22, 2009, and became generally available on October 22, 2009. It is the successor to Windows Vista, released nearly ...

Windows 8.1 Windows 8.1 is a release of the Windows NT operating system developed by Microsoft. It was released to manufacturing on August 27, 2013, and broadly released for retail sale on October 17, 2013, about a year after the retail release of its pre ...

Windows 10 Windows 10 is a major release of Microsoft's Windows NT operating system. It is the direct successor to Windows 8.1, which was released nearly two years earlier. It was released to manufacturing on July 15, 2015, and later to retail on J ...

Windows Server 2008 Windows Server 2008 is the fourth release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on Fe ...

Windows Server 2012 Windows Server 2012, codenamed "Windows Server 8", is the sixth version of the Windows Server operating system by Microsoft, as part of the Windows NT family of operating systems. It is the server version of Windows based on Windows 8 and succe ...

, and

Windows Server 2016 Windows Server 2016 is the eighth release of the Windows Server server operating system developed by Microsoft as part of the Windows NT family of operating systems. It was developed concurrently with Windows 10 and is the successor to the Wind ...

. Many Windows users had not installed the patches when, two months later on May 12, 2017, the

WannaCry ransomware attack The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitco ...

used the EternalBlue vulnerability to spread itself. The next day (May 13, 2017), Microsoft released emergency security patches for the unsupported

Windows XP Windows XP is a major release of Microsoft's Windows NT operating system. It was released to manufacturing on August 24, 2001, and later to retail on October 25, 2001. It is a direct upgrade to its predecessors, Windows 2000 for high-end and ...

Windows 8 Windows 8 is a major release of the Windows NT operating system developed by Microsoft. It was Software release life cycle#Release to manufacturing (RTM), released to manufacturing on August 1, 2012; it was subsequently made available for downl ...

, and

Windows Server 2003 Windows Server 2003 is the sixth version of Windows Server operating system produced by Microsoft. It is part of the Windows NT family of operating systems and was released to manufacturing on March 28, 2003 and generally available on April 24, 2 ...

. In February 2018, EternalBlue was ported to all Windows operating systems since

Windows 2000 Windows 2000 is a major release of the Windows NT operating system developed by Microsoft and oriented towards businesses. It was the direct successor to Windows NT 4.0, and was Software release life cycle#Release to manufacturing (RTM), releas ...

by RiskSense security researcher Sean Dillon. EternalChampion and EternalRomance, two other exploits originally developed by the NSA and leaked by

The Shadow Brokers The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of ...

, were also ported at the same event. They were made available as open sourced

Metasploit The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. It is owned by Boston, Massachusetts-based security company Rapid7. It ...

modules. At the end of 2018, millions of systems were still vulnerable to EternalBlue. This has led to millions of dollars in damages due primarily to ransomware worms. Following the massive impact of

WannaCry The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bi ...

, both

NotPetya Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents ...

and BadRabbit caused over $1 billion worth of damages in over 65 countries, using EternalBlue as either an initial compromise vector or as a method of lateral movement. In May 2019, the city of

Baltimore Baltimore ( , locally: or ) is the List of municipalities in Maryland, most populous city in the U.S. state of Maryland, fourth most populous city in the Mid-Atlantic (United States), Mid-Atlantic, and List of United States cities by popula ...

struggled with a

cyberattack A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricted ...

by digital extortionists; the attack froze thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. Nicole Perlroth, writing for the ''New York Times'', initially attributed this attack to EternalBlue; in a memoir published in February 2021, Perlroth clarified that EternalBlue had not been responsible for the Baltimore cyberattack, while criticizing others for pointing out "the technical detail that in this particular case, the ransomware attack had not spread with EternalBlue". Since 2012, four Baltimore City chief information officers have been fired or have resigned; two left while under investigation. Some security researchers said that the responsibility for the Baltimore breach lay with the city for not updating their computers. Security consultant Rob Graham wrote in a tweet: "If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that’s squarely the fault of the organization, not EternalBlue."

Responsibility

According to

, it was the United States's

NSA The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...

that was responsible because of its controversial strategy of not disclosing but stockpiling vulnerabilities. The strategy prevented Microsoft from knowing of (and subsequently patching) this bug, and presumably other hidden bugs. However several commentators, including Alex Abdo of Columbia University's Knight First Amendment Institute, have criticised Microsoft for shifting the blame to the NSA, arguing that it should be held responsible for releasing a defective product in the same way a car manufacturer might be. The company was faulted for initially restricting the release of its EternalBlue patch to recent Windows users and customers of its $1,000 per device Extended Support contracts, a move that left organisations such the UK's NHS vulnerable to the WannaCry attack. A month after the patch was first released, Microsoft took the rare step of making it available for free to users of all vulnerable Windows editions dating back to Windows XP.

EternalRocks

EternalRocks or MicroBotMassiveNet is a

computer worm A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. It often uses a computer network to spread itself, relying on security failures on the target computer to access it. It wil ...

that infects Microsoft Windows. It uses seven exploits developed by the NSA. Comparatively, the WannaCry

ransomware Ransomware is a type of malware from cryptovirology that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid off. While some simple ransomware may lock the system without damaging any files, ...

program that infected 230,000 computers in May 2017 only uses two NSA exploits, making researchers believe EternalRocks to be significantly more dangerous. The worm was discovered via a honeypot.

Infection

EternalRocks first installs

Tor Tor, TOR or ToR may refer to: Places * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor River, Western New Guinea, Indonesia Sc ...

, a private network that conceals Internet activity, to access its hidden servers. After a brief 24 hour "

incubation period Incubation period (also known as the latent period or latency period) is the time elapsed between exposure to a pathogenic organism, a chemical, or radiation, and when symptoms and signs are first apparent. In a typical infectious disease, the i ...

", the server then responds to the malware request by downloading and self-replicating on the "

host A host is a person responsible for guests at an event or for providing hospitality during it. Host may also refer to: Places * Host, Pennsylvania, a village in Berks County People *Jim Host (born 1937), American businessman * Michel Host ...

" machine. The malware even names itself WannaCry to avoid detection from security researchers. Unlike WannaCry, EternalRocks does not possess a

kill switch A kill switch, also known as an emergency stop (E-stop), emergency off (EMO) and as an emergency power off (EPO), is a safety mechanism used to shut off machinery in an emergency, when it cannot be shut down in the usual manner. Unlike a normal ...

and is not ransomware.

References

External links

Microsoft Security Bulletin MS17-010Microsoft Update Catalog entries for EternalBlue patches
* Entry in CVE catalog {{Hacking in the 2010s, collapsed Computer security exploits National Security Agency Windows communication and services