EternalBlue: what is known about the most high-profile exploit in history

Father

Russia ranks second in the number of systems that remain vulnerable to a critical exploit. How EternalBlue works and how it can threaten Russian companies – read the Cyber Media article.

EternalBlue is an exploit for Windows that was created by the US National Security Agency (NSA) and stolen from it in 2016 by the Shadow Brokers hacker group. What followed spread all over the world: the WannaCry ransomware epidemic and ransomware attacks on the world's largest companies, financial organizations and entire cities. The NSA withheld information about EternalBlue from Microsoft for five years, and only the leak of the exploit forced it to disclose the vulnerability. Details about the theft and about EternalBlue itself were, however, never publicly disclosed.

Technically, EternalBlue has the capabilities of a worm, which allows malware to spread inside networks without user action. This feature helped attackers quickly and effectively compromise vulnerable systems.

Alexander Zubrikov
General Director ITGLOBAL.COM Security

Our clients have encountered information infrastructure components that are vulnerable to the EternalBlue exploit. These are usually machines that do not have access to the external Internet, and therefore are considered "safe" and "inaccessible" to intruders. However, as information security specialists, we often drew customers' attention to such vulnerabilities and raised their priority.

The exploit targets a vulnerability in the SMB (Server Message Block) protocol – a standard Windows service that provides file and resource sharing between participants in a corporate network. Attackers have learned to embed malware in data packets sent over SMB: Trojans, ransomware, etc.

In a large organization, the network architecture includes a huge number of interconnected systems: servers, workstations, IoT devices, and mobile gadgets. A single Windows machine on this network without the patch against EternalBlue is enough to compromise the entire infrastructure.

Sergey Bespalov
Head of the Information Security Department of IMBA IT

In our opinion, at one time almost all large organizations in Russia somehow encountered EternalBlue... Often, it was after such a virus infection that companies in 2017 began to build vulnerability management and patch management processes.

Sergey Polunin
Head of the Security Group for infrastructure IT solutions at Gazinformservis

A huge number of users are in no hurry to install updates on their own computers, and in small organizations there is simply no one to monitor this. The update process, even in a medium-sized organization, requires proper planning, and there are often no resources for this.

How does the EternalBlue attack work?

At the first stage, the attacker needs to find a target. To do this, they can use Internet scanning tools such as Nmap or Shodan, or use targeted phishing or social engineering techniques.

To automate these operations, there are large penetration testing platforms with tools for conducting attacks. For example, one of these platforms, the Metasploit Framework, is a modular system with functions for checking vulnerabilities, probing networks, performing attacks, and evading detection.

When a suitable target is found, the attacker sends a data packet with malicious code to the vulnerable system, which triggers the exploit. Technically, EternalBlue chains three different OS bugs: it first provokes an integer overflow, which in turn leads to a buffer overflow, and finally uses heap spraying to place its payload. As a result, the attacker can execute shellcode and gain control of the system.

The next stage is reconnaissance. The hacker explores the network, looking for vulnerable systems and other potential targets. At this stage, they can harvest accounts with weak or default passwords, deploy a keylogger to intercept input from users with high privileges, or launch ransomware.

The attacker acts covertly, avoiding detection and obfuscating their activities. Throughout this process, suspicious traffic is hidden using encryption and tunneling. In most cases, the company learns about the attack only when it is too late to do anything.
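The spread and reconnaissance stages described above leave one distinctive trace: a single host opening TCP/445 connections to many different machines in a short time. The script below is an added example, not part of the Cyber Media article, that flags this fan-out pattern in Windows Firewall log lines; the log lines are constructed, and the threshold and window are assumed values to tune per network.

```powershell
# Added example (not from the article): flag hosts that open TCP/445 connections to many
# distinct peers within a short window, the traffic pattern of worm-like SMB spread.
# The log lines are constructed in the field order of the Windows Firewall log (pfirewall.log).
$SampleLog = @'
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.21 49152 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.22 49153 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.23 49154 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:02 DROP TCP 10.0.0.5 10.0.0.24 49155 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.25 49156 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.26 49157 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:05 ALLOW TCP 10.0.0.9 10.0.0.10 50001 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:09 ALLOW TCP 10.0.0.9 10.0.0.10 50002 445 0 - 0 0 0 - - - SEND
2017-05-12 10:00:20 ALLOW TCP 10.0.0.9 10.0.0.80 50003 443 0 - 0 0 0 - - - SEND
'@

function Find-SmbFanOut {
    param(
        [string[]]$Lines,
        [int]$Threshold = 5,       # distinct TCP/445 peers that trigger an alert (assumed value)
        [int]$WindowSeconds = 60   # sliding window over the connection attempts (assumed value)
    )
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $events = foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        # Only TCP attempts to port 445 matter here; DROP lines count too, since scanning is the signal.
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '445') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $culture)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }
    foreach ($group in ($events | Group-Object Src)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Count distinct destinations reached within the window starting at event $i.
            $peers = @{}
            foreach ($e in $sorted[$i..($sorted.Count - 1)]) {
                if (($e.Time - $sorted[$i].Time).TotalSeconds -gt $WindowSeconds) { break }
                $peers[$e.Dst] = $true
            }
            if ($peers.Count -ge $Threshold) {
                [pscustomobject]@{ Source = $group.Name; DistinctPeers = $peers.Count; WindowStart = $sorted[$i].Time }
                break   # one alert per source is enough
            }
        }
    }
}

# With the sample above, 10.0.0.5 (6 peers in 2 seconds) is flagged; 10.0.0.9 is not.
Find-SmbFanOut -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

Vulnerability scanners, backup and management servers legitimately fan out on port 445, so allow-list those sources before turning this into an alert.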

How relevant is EternalBlue today

According to open data, there are more than 4,300 systems with the EternalBlue vulnerability reachable from the Internet. The top 10 countries look like this:
  1. Taiwan – 651
  2. Russia – 488
  3. US – 470
  4. India – 308
  5. Japan – 179
  6. France – 153
  7. Germany – 130
  8. Netherlands – 125
  9. Mexico – 113
  10. Brazil – 99

Experts note that these figures alone do not necessarily indicate a real threat. "It is very likely that the list of these 'vulnerable' machines also includes false positives and so-called honeypots," said Alexander Zubrikov, General Director of ITGLOBAL.COM Security. "These are deliberately vulnerable devices designed to confuse a potential attacker, slow them down, collect data about the attacking software, and notify the defending party of the attack."

Sergey Bespalov
Head of the Information Security Department of IMBA IT

The reasons for the fact that Russia is in second place in terms of the number of unpatched devices can be diverse. This may be due to insufficient awareness, lack of a structured update process, and outdated operating systems may be used to save money.

Alexander Zubrikov
General Director ITGLOBAL.COM Security

In our experience, this vulnerability is often found in organizations that use specific, old software that runs on older operating systems. Replacing or updating the OS under such software can be risky for the company's business, so they are in no hurry to update.

[However,] since Microsoft released patches for all vulnerable OS versions in 2017, including the then-unsupported Windows XP, Windows Server 2003, and Windows 8, patching vulnerable devices is straightforward even for very old OS versions.
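Before and after patching, a defender wants to know whether a host still exposes SMBv1, the protocol version EternalBlue targets. The script below is an added example, not from the article, for an elevated PowerShell session; it assumes Windows 8 / Server 2012 or later for the SMB cmdlets and falls back to the documented LanmanServer registry value on older systems.

```powershell
# Added example (not from the article): report whether this host still exposes SMBv1
# and optionally disable it. Run in an elevated PowerShell session.
# Assumes Get-SmbServerConfiguration / Get-NetTCPConnection (Windows 8 / Server 2012+);
# the registry value under LanmanServer\Parameters covers Windows 7 / Server 2008 R2.
function Get-Smb1Exposure {
    $result = [ordered]@{}
    $result.Smb1ServerEnabled = if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # SMB1 DWORD under LanmanServer\Parameters; a missing value means SMBv1 is enabled
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
    }
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result.Smb1FeatureState = if ($feat) { $feat.State } else { 'n/a on this OS' }
    # srv.sys carries the fix; compare this version with the MS17-010 table for your OS build.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $result.SrvSysVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'not found' }
    $result.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    [pscustomobject]$result
}

function Disable-Smb1 {
    # Server-side only: clients that can speak nothing but SMBv1 lose access afterwards,
    # so inventory them first (Set-SmbServerConfiguration -AuditSmb1Access $true logs them).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -Type DWord -Value 0 -Force
    }
}

Get-Smb1Exposure | Format-List
```

Disabling SMBv1 removes the attack surface even where the MS17-010 patch cannot be confirmed, which is the practical answer for the old software the experts describe.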

Upgrading your infrastructure will be a challenge for any organization. Small companies may not have enough resources, medium-sized companies may feel more strongly about financial costs, and large companies may have to think about the impact of vulnerabilities on business processes.

Alexander Zubrikov
General Director ITGLOBAL.COM Security

The task of updating software often has a low priority, as it is very time-consuming, and qualified people are needed who can complete the work in a short time without disrupting existing business processes. The short-term benefits, in the opinion of businesses, are not obvious or completely absent. But from the point of view of information security, the opposite is true.

Also, the use of in-house modifications of working software and "software crutches" gets in the way of regular updates. Such solutions allow you to quickly solve problems in software operation, but in the long run they can cause hard-to-locate bugs, complicate development for new employees, and, of course, conflict with new software versions. You either have to sort out a closed and forgotten problem, look for an adequate solution, or return to the vicious circle and write a new "crutch".

Experts say that updating important software is simplified by test zones, where a team of specialists can work out in advance the rollout and scaling of current versions. From the test zone, the process moves to a limited number of users, and then to all computers in the organization.

"[With this approach], considerable time can pass between testing and installation, and the probability of missing an attack on the infrastructure increases," says Sergey Polunin, head of the infrastructure IT solutions protection group at Gazinformservis. "But the risks of rushing to install updates are too high, so test zones are the right approach."

Reason to plan an infrastructure update

Even if EternalBlue doesn't pose a specific threat right now, the number of vulnerable systems that remain online now raises an important question: what other vulnerabilities from previous years remain relevant, despite long-released patches?

The growing number of attacks is a good reason to think about the security of the corporate perimeter. Since 2022, leaks, fraud, or website defacement have occurred in a wide variety of organizations. And if a company has neglected to update its software for a long time, this increases the likelihood of incidents in the infrastructure.