EternalBlue: What it is and how it works


2024-11-22


What is EternalBlue?

EternalBlue is a Microsoft exploit which was used by the NSA in intelligence gathering operations. The exploit, officially named MS17-010 by Microsoft, gave the US National Security Agency (NSA) backend access to devices running Windows operating systems like Windows XP and Windows 7.

After being aware of a weakness in Microsoft’s SMBv1 (Server Message Block version 1) file-sharing protocol for five years, the NSA finally informed Microsoft of its existence. However, by the time they did, it had been leaked by a notorious hacking collective known as Shadow Brokers.

The leak put millions of users at risk and the entire incident underlined the threats posed by the NSA’s development and maintenance of software backdoors.

How was EternalBlue developed?

EternalBlue was developed by the NSA, which had spent years searching for potential vulnerabilities in Microsoft software. When it finally found a weakness in the SMBv1 protocol, the NSA developed its exploit as a way to take advantage of that vulnerability.

Instead of alerting Microsoft to the risks its users faced, the NSA used EternalBlue to aid in antiterrorism and counterintelligence operations for half a decade. EternalBlue is just one example of the NSA’s use of exploits and software backdoors.

When the NSA finally decided to alert Microsoft, steps were taken to fix the vulnerability. Microsoft released patches for the exploit, but by then, for many, it was too late. Let’s now take a closer look at how this exploit actually works.

How does EternalBlue work?

The EternalBlue exploit worked by taking advantage of the insecure SMBv1 protocol. This protocol allowed Microsoft devices to communicate with other Microsoft systems (carrying out file and print services, for example) but was vulnerable to manipulation.

To carry out the EternalBlue exploit, attackers just needed to send a malicious SMBv1 data packet to a Windows server that had the vulnerability. The packet would contain a payload of malware, which could then be rapidly disseminated to other devices with the vulnerable Microsoft software installed.
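Because the exploit travels in SMBv1 packets, a defender's first question is which machines still speak SMBv1. The following Python is an added example, not part of the original article: it classifies raw messages captured on TCP port 445 by SMB version and lists the dialects a client offers in its Negotiate request. The function names and the sample frames are constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"    # protocol ID that opens every SMBv1 message
SMB2_MAGIC = b"\xfeSMB"    # protocol ID that opens every SMB2/SMB3 message
SMB_COM_NEGOTIATE = 0x72   # SMBv1 Negotiate command code
SMB1_HEADER_LEN = 32


def build_smb1_negotiate(dialects):
    """Construct a sample SMBv1 Negotiate request (constructed test data)."""
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + bytes(27)
    msg = header + b"\x00" + struct.pack("<H", len(data)) + data
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def classify_smb_frame(frame):
    """Return (version, dialects, smb1_only) for one message seen on TCP/445."""
    # Transport header: a zero byte, then a 3-byte big-endian message length.
    msg = frame[4:4 + int.from_bytes(frame[1:4], "big")]
    if msg[:4] == SMB2_MAGIC:
        return ("SMB2+", [], False)
    if msg[:4] != SMB1_MAGIC or len(msg) < SMB1_HEADER_LEN:
        return ("unknown", [], False)
    dialects = []
    is_request = not msg[9] & 0x80   # flags bit 0x80 marks a server reply
    if msg[4] == SMB_COM_NEGOTIATE and is_request and len(msg) >= SMB1_HEADER_LEN + 3:
        # Skip the word count byte and any parameter words to reach the byte count.
        off = SMB1_HEADER_LEN + 1 + 2 * msg[SMB1_HEADER_LEN]
        if off + 2 <= len(msg):
            (byte_count,) = struct.unpack_from("<H", msg, off)
            data = msg[off + 2:off + 2 + byte_count]
            # Each dialect entry is 0x02 followed by a NUL-terminated name.
            dialects = [e[1:].decode("ascii", "replace")
                        for e in data.split(b"\x00") if e.startswith(b"\x02")]
    # A client that offers no "SMB 2.*" dialect can only end up on SMBv1.
    smb1_only = bool(dialects) and not any(d.startswith("SMB 2") for d in dialects)
    return ("SMB1", dialects, smb1_only)


if __name__ == "__main__":
    samples = {  # constructed frames, not captured traffic
        "legacy client": build_smb1_negotiate(["NT LM 0.12"]),
        "modern client": build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
        "SMB2 message": b"\x00\x00\x00\x40" + SMB2_MAGIC + bytes(60),
    }
    for name, frame in samples.items():
        print(name, classify_smb_frame(frame))
```

Hosts that show up as `smb1_only` are the ones to patch or retire first, since they cannot move to a newer SMB version.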

Once the Shadow Brokers leaked the exploit in 2017, hackers took advantage of the vulnerability to carry out devastating attacks and spread massive amounts of malware. Two notable incidents exemplify the effects of the vulnerability.

WannaCry

On May 12, 2017, the WannaCry ransomware began to spread rapidly through the EternalBlue vulnerability, infecting 10,000 devices an hour. Within 24 hours, 230,000 Microsoft Windows machines had been infected in 150 different countries. The ransomware, which encrypts data on the infected device, ended up impacting major organizations like FedEx, Deutsche Bahn, and the UK’s NHS.

NotPetya

The Petya ransomware attack used the EternalBlue exploit to spread quickly across Microsoft devices in 2017. The malware would install itself, encrypt data on the host device, and then demand a ransom of $300 in return for a decryption key.


Is EternalBlue still out there?

The vulnerability exploited by EternalBlue was resolved with a security patch from Microsoft in 2017, after the NSA let Microsoft know it existed. As a result, Windows devices with up-to-date software are safe from this specific threat.

Although the vulnerability was patched back in 2017, EternalBlue attacks still take place regularly. The security company Avast estimates that every month it blocks around 20 million EternalBlue exploit attempts. With this in mind, you might be wondering if you should still be afraid of EternalBlue today.

Should I be afraid of EternalBlue?

If you use older Windows versions or have not updated devices since 2017, you are almost certainly still at risk from EternalBlue. If you are using an up-to-date version of Windows and install new updates regularly, you don’t need to worry about the EternalBlue exploit.

However, that doesn’t mean you are immune to malware and ransomware attacks, like WannaCry and Petya. These malicious programs can spread in other ways, so it’s important to stay vigilant, even if the EternalBlue exploit doesn’t pose a specific threat to you.

The good news is that you can take steps to protect yourself from malware and other online threats right now.

How to protect yourself

To protect yourself from online risks like ransomware, follow these simple steps:

  • Keep software up to date. If you learn one lesson from the EternalBlue situation, it is the importance of updating your software. As soon as updates become available for applications and operating systems, install them so you can benefit from the latest security patches.
  • Use anti-malware software. Make sure your device is protected with strong anti-malware software. These systems can protect your device from malicious software and other online threats, though — like all cybersecurity tools — none make you completely safe.
  • Be wary of links. Even if you’re not at risk from EternalBlue anymore, you could still download malware by clicking on a dangerous link. Phishing emails often try to trick you into visiting pages that will infect your device. To protect yourself, never click on a link in an online message unless you are absolutely certain that the sender is genuine.
  • Get NordVPN’s additional Threat Protection Pro feature. Threat Protection Pro is a powerful suite of tools to keep you safe online. As well as blocking ads and online trackers, Threat Protection Pro scans downloads for malware and prevents you from visiting sites known to install malicious software.
