High-profile cyber attacks are infecting tens of thousands of computers every day. The success of many of these attacks is attributed to EternalBlue, which is a Microsoft Windows security vulnerability.

In 2017, WannaCry exploited EternalBlue to damage large parts of the National Health Service (NHS) in the United Kingdom; and Petya malware, which was discovered in 2016, still targets Windows operating systems worldwide. In may 2019, a ransomware attack on Baltimore used the EternalBlue vulnerability to stop many city services and shut down thousands of computers.

EternalBlue is at the center of these attacks, and many others. However, even though this vulnerability was made public in 2017, many businesses aren’t aware of its continual damaging implications, let alone know how to fix it.

What Is EternalBlue?

The U.S National Security Agency (NSA) developed the EternalBlue exploitation tool for the purpose of counterterrorism operations and intelligence gathering. EternalBlue exploits the Microsoft Server Message Block (SMB) protocol, through port 445. It works on all Windows versions prior to Windows 8.

The tool was allegedly stolen from NSA and leaked online by a group known as Shadow Brokers. The NSA agency informed Microsoft about the stolen exploitation tool. Microsoft was able to release a patch a month before EternalBlue was leaked online.

Unfortunately, the patch came in too late. Most computers remained unpatched, and cyber criminals were able to use the tool to attack systems that were not up to date.

Consequences of the EternalBlue Vulnerability

The EternalBlue vulnerability was exploited during the WannaCry ransomware attack back in 2017. The attack affected approximately 230,000 computers in over 150 countries. Since then, the popularity of this exploit has been continuously growing among attackers.

According to Shodan, there are currently about one million systems worldwide using the SMB protocol. Hackers can easily use EternalBlue to exploit these SMB systems if they are poorly secured. In fact, EternalBlue attack attempts are reaching historical peaks, with hundreds of thousands of incidents occurring every day.

Besides WannaCry, EternalBlue opened the door to many high-profile cyberattacks, like Petya. In addition, notorious cyber spies like Sednit (aka Fancy Bear) also use EternalBlue to access Wi-Fi networks in hotels. Recent trojans and crypto mining malware attacks in China also exploited the EternalBlue vulnerability.

Hackers are also promoting an EternalBlue-based Ransomware as a Service on Twitter called Yatron. According to their Tweets, this ransomware service can delete encrypted files if you don’t pay the ransom in 72 hours.

How EternalBlue Works?

EternalBlue is based on the srv!SrvOS2FeaListSizeToNt Windows function. To understand how this leads to a security attack, you first need to have a quick look at the SMB protocol.

The SMB protocol is mainly used for file and print requests from a server. The protocol allows you to retrieve information about extended file attributes like the file’s properties metadata.

EternalBlue exploits three different SMB bugs:

1. A mathematical error
This bug occurs when the protocol tries to determine how much memory an SMB request needs. A calculation error produces an integer overflow that allocates less memory than expected, which results in a buffer overflow. When you allocate more data than expected, the additional data can overwrite adjacent memory locations.

2. Sub commands
Exploits the difference between two related sub commands: SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2. Both use _SECONDARY command when there is redundant data to include in a single packet.

The central difference between them is that NT_TRANSACT requests data packet that are twice the size of TRANSACTION2. If a client sends a message using the NT_TRANSACT sub-command just before TRANSACTION2, it will result in a validation error.

In this situation, the protocol notices that it receives two different commands. As a result, it allocates memory based only on the last command type. Because the last one is always smaller, the first packet will take over more memory space than it is allocated.

3. Heap spraying
The third bug allows heap spraying, which is a technique that results in allocating a chunk of memory at a given address. From here, the attacker can take control of the system by writing and executing a shellcode.

How to Protect your Systems From EternalBlue

Make sure to follow the tips below, if you want to protect your data from this exploit.

Update your Windows Operating System
New Windows updates include patches to potential flaws that security experts have discovered. These updates may assist you to find and fix backdoor vulnerabilities in your system that attackers may try to exploit.

Your top priority should be to continuously update your Windows operating system. It doesn’t have to be a time-consuming process. You can configure your machines to download and install the updates automatically. By leveraging the latest software updates, you reduce risks.

Use Anti-Malware Software
Anti-malware tools protect you against breaches by scanning your computer and network for any security vulnerabilities. In addition, they notify you of potential security flaws.
A modern multi-layered anti-malware tool detects abnormal network activity and blocks it before it causes any damage. You can also include firewalls and EDR security solutions to improve your security.

Increase awareness among users
Since 1 in every 99 corporate emails is a phishing attack, employees must learn how to detect malicious emails. That includes checking out suspicious links and file attachments and identifying false domain names. Training your staff on how hackers deliver threats and how to react to security breaches can enhance your cybersecurity practices.

Conclusion

Microsoft is continuously releasing patches that are designed to block the EternalBlue threat. However, EternalBlue is vigorously evolving, and cyber criminals use it together with other tools to exploit vulnerabilities. To protect your organization from cyber threats you have to update your Windows systems, deploy robust anti-malware tools, and train your staff.