EternalBlue Exploit Still Popular

Uncategorized | Posted on August 28, 2018 by schap

It’s been a year since the WannaCryptor.D ransomware (aka WannaCry and WCrypt) caused one of the largest cyber-disruptions the world has ever seen. And while the threat itself is no longer wreaking havoc around the world, the exploit that enabled the outbreak, known as EternalBlue, is still threatening unpatched and unprotected systems. And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017.

The EternalBlue exploit targets a vulnerability (addressed in Microsoft Security Bulletin MS17-010) in SMBv1, an obsolete version of Microsoft’s implementation of the Server Message Block (SMB) protocol, reachable over TCP port 445. In an attack, black hats scan the internet for hosts exposing port 445 and, where one is found, launch the exploit code against it. If the target is vulnerable, the attacker can then run a payload of their choice on it. This was the mechanism behind the effective distribution of WannaCryptor.D ransomware across networks.
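The scanning step described above is the part a defender can see before any exploit code is sent: one source touching port 445 on many distinct hosts in a short time. The following is an added example, not code from the original post or from ESET, that runs that check over constructed firewall log lines (a made-up "time src dst dport action" format; the addresses, the five-minute window and the five-target threshold are all assumptions chosen for illustration). It flags both an internet scanner and an internal host sweeping its neighbours, while leaving a normal file-server client and a source that probes too slowly for the window alone.

```python
"""Flag sources that probe TCP/445 on many distinct hosts within a short window.

Added example for illustration; not ESET's code and not real telemetry.
Log format is a constructed syslog-like line: "<ISO time> <src> <dst> <dport> <action>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445

# Constructed sample log (assumed format and addresses, not captured data):
#  - 198.51.100.7: internet source sweeping 10.0.0.1-8 on 445 in four seconds
#  - 203.0.113.9:  HTTPS client, not SMB, should be ignored
#  - 10.0.0.50:    normal client talking to one file server repeatedly
#  - 192.0.2.4:    slow prober, only 2 then 3 hosts half an hour apart
#  - 10.0.0.33:    internal host sweeping 10.0.0.40-45 (lateral movement)
SAMPLE_LOG = """\
2018-04-15T02:00:01 198.51.100.7 10.0.0.1 445 DENY
2018-04-15T02:00:01 198.51.100.7 10.0.0.2 445 DENY
2018-04-15T02:00:02 198.51.100.7 10.0.0.3 445 DENY
2018-04-15T02:00:02 198.51.100.7 10.0.0.4 445 DENY
2018-04-15T02:00:02 198.51.100.7 10.0.0.5 445 ALLOW
2018-04-15T02:00:03 198.51.100.7 10.0.0.6 445 DENY
2018-04-15T02:00:03 198.51.100.7 10.0.0.7 445 DENY
2018-04-15T02:00:04 198.51.100.7 10.0.0.8 445 DENY
2018-04-15T02:00:05 203.0.113.9 10.0.0.20 443 ALLOW
2018-04-15T02:00:10 10.0.0.50 10.0.0.10 445 ALLOW
2018-04-15T02:01:10 10.0.0.50 10.0.0.10 445 ALLOW
2018-04-15T02:02:10 10.0.0.50 10.0.0.10 445 ALLOW
2018-04-15T02:00:20 192.0.2.4 10.0.0.1 445 DENY
2018-04-15T02:00:21 192.0.2.4 10.0.0.2 445 DENY
2018-04-15T02:30:20 192.0.2.4 10.0.0.3 445 DENY
2018-04-15T02:30:21 192.0.2.4 10.0.0.4 445 DENY
2018-04-15T02:30:22 192.0.2.4 10.0.0.5 445 DENY
2018-04-15T02:10:00 10.0.0.33 10.0.0.40 445 ALLOW
2018-04-15T02:10:00 10.0.0.33 10.0.0.41 445 ALLOW
2018-04-15T02:10:01 10.0.0.33 10.0.0.42 445 ALLOW
2018-04-15T02:10:01 10.0.0.33 10.0.0.43 445 ALLOW
2018-04-15T02:10:02 10.0.0.33 10.0.0.44 445 ALLOW
2018-04-15T02:10:02 10.0.0.33 10.0.0.45 445 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def find_smb_scanners(log_text, window_seconds=300, min_targets=5):
    """Return {source: peak distinct 445 targets} for sources that reach min_targets
    distinct destination hosts on TCP/445 inside any window of window_seconds.

    The action field is deliberately ignored: a DENY still shows the intent, and an
    ALLOW from an internal host is exactly the lateral-movement case to catch.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport != SMB_PORT:
            continue
        by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        # Sliding window ending at each event: count distinct hosts touched within it.
        for j, (t_end, _) in enumerate(events):
            in_window = {dst for t, dst in events[: j + 1] if t_end - t <= window}
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in sorted(find_smb_scanners(SAMPLE_LOG).items()):
        print(f"possible SMB sweep from {src}: {count} distinct hosts on tcp/445")
```

Widening the window to an hour would also catch the slow prober 192.0.2.4 (five distinct hosts across thirty minutes), which is the usual tuning trade-off: a short window suits the noisy internet-wide scanners the article describes, a long one is needed for a careful internal attacker. On real data the same logic would be pointed at firewall, NetFlow or EDR connection logs rather than the constructed sample.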

Interestingly, according to ESET’s telemetry, EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily. Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.

One possible explanation for the latest peak is the Satan ransomware campaign seen around those dates, but it could be connected to other malicious activities as well.

We must stress that the infiltration method used by EternalBlue is not successful on devices protected by ESET. One of the multiple protection layers – ESET’s Network Attack Protection module – blocks this threat at the point of entry. This can be compared to a silent knocking on the door at 2 a.m. testing if someone is still up. As such activity is most likely driven by malicious intentions, the entrance is securely sealed off to keep the intruder out.

This was true during the WannaCryptor outbreak on May 12, 2017 as well as all previous and subsequent attacks by malicious actors and groups.

EternalBlue has enabled many high-profile cyber attacks. Apart from WannaCryptor, it also powered the destructive Diskcoder.C (aka Petya, NotPetya and ExPetya) attack in June 2017 as well as the BadRabbit ransomware campaign in Q4 2017. It was also used by the Sednit (aka APT28, Fancy Bear and Sofacy) cyberespionage group to attack Wi-Fi networks in European hotels.

The exploit has also been identified as one of the spreading mechanisms for malicious crypto miners. More recently, it was deployed to distribute the Satan ransomware campaign, described only a few days after ESET’s telemetry detected the mid-April 2018 EternalBlue peak.

The EternalBlue exploit was allegedly stolen from the National Security Agency (NSA) probably in 2016 and leaked online on April 14, 2017 by a group dubbed Shadow Brokers. Microsoft issued updates that fixed the SMB vulnerability on March 14, 2017, but to this day, there are many unpatched machines in the wild.

This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool.

This article was originally published here.
