How Leaked NSA Spy Tool ‘EternalBlue’ Became a Hacker Favorite

General Technology | WIRED (source link)

An elite Russian hacking team, a historic ransomware attack, an espionage group in the Middle East, and countless small-time cryptojackers all have one thing in common. Though their methods and objectives vary, they all lean on the leaked NSA hacking tool EternalBlue to infiltrate target computers and spread malware across networks.

Leaked to the public not quite a year ago, EternalBlue has joined a long line of reliable hacker favorites. The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc in 2003. EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere. If anything, security analysts only see use of the exploit diversifying as attackers develop new, clever applications, or simply discover how easy it is to deploy.

“When you take something that’s weaponized and a fully developed concept and make it publicly available you’re going to have that level of uptake,” says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. “A year later there are still organizations that are getting hit by EternalBlue—still organizations that haven’t patched it.”

The One That Got Away

EternalBlue is the name of both a software vulnerability in Microsoft’s Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers. Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA.

The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have a foothold on that initial target device, they can then fan out across a network.

‘It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors.’

Vikram Thakur, Symantec

Microsoft released its EternalBlue patches on March 14 of last year. But security update adoption is spotty, especially on corporate and institutional networks. Within two months, EternalBlue was the centerpiece of the worldwide WannaCry ransomware attacks that were ultimately traced to North Korean government hackers. As WannaCry hit, Microsoft even took the “highly unusual step” of issuing patches for the still popular, but long-unsupported Windows XP and Windows Server 2003 operating systems.

In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected.

Eternal Blues

The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue’s profile, many attackers had already realized the exploit’s potential by then.

Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. “WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them,” says Jérôme Segura, lead malware intelligence analyst at the security firm Malwarebytes. “There are definitely a lot of machines that are exposed in some capacity.”

Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. “EternalBlue will be a go-to tool for attackers for years to come,” says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. “Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed. There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms.”

At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker’s toolbox—much like the password extraction tool Mimikatz. But EternalBlue’s widespread use is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers, including those in Russia’s Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.

'EternalBlue will be a go-to tool for attackers for years to come.'

Jake Williams, Rendition Infosec

New examples of EternalBlue’s use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. “EternalBlue is ideal for many attackers because it leaves very few event logs,” or digital traces, Rendition Infosec’s Williams notes. “Third-party software is required to see the exploitation attempts.”
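As an added illustration, not code from the WIRED article or from any of the firms quoted in it, here is a network-side check for the fan-out behaviour described earlier: since the exploited host itself records few events, one signal defenders can watch in firewall or flow telemetry is a single source opening SMB (TCP/445) connections to many distinct machines within a short window. The log format, addresses and threshold are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall/flow log lines, not from any real incident.
# Format: timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2018-03-01T10:00:01,10.0.0.5,10.0.0.20,445,allow
2018-03-01T10:00:02,10.0.0.5,10.0.0.21,445,allow
2018-03-01T10:00:02,10.0.0.5,10.0.0.22,445,allow
2018-03-01T10:00:03,10.0.0.5,10.0.0.23,445,allow
2018-03-01T10:00:03,10.0.0.5,10.0.0.24,445,allow
2018-03-01T10:00:04,10.0.0.5,10.0.0.25,445,allow
2018-03-01T10:00:05,10.0.0.9,10.0.0.30,443,allow
2018-03-01T10:00:06,10.0.0.9,10.0.0.20,445,allow
2018-03-01T10:30:00,10.0.0.5,10.0.0.26,445,allow
"""

def parse_log(text):
    """Yield (timestamp, src, dst, port) for each non-empty CSV line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _action = line.split(",")
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_fanout(records, threshold=5, window=timedelta(seconds=60)):
    """Return {src: sorted distinct dsts} for every source that reached
    at least `threshold` distinct hosts on TCP/445 within `window`.
    One host touching many SMB peers this fast is the lateral-spread
    shape described in the article; ordinary clients rarely do it."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs inside the window
    flagged = {}
    for ts, src, dst, port in sorted(records):
        if port != 445:
            continue
        hist = recent[src]
        hist.append((ts, dst))
        while ts - hist[0][0] > window:  # expire entries older than window
            hist.popleft()
        distinct = {d for _, d in hist}
        # keep the largest set of peers seen inside any one window
        if len(distinct) >= threshold and len(distinct) > len(flagged.get(src, ())):
            flagged[src] = sorted(distinct)
    return flagged

if __name__ == "__main__":
    for src, hosts in find_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{src} opened SMB sessions to {len(hosts)} hosts: {hosts}")
```

The same source reappearing half an hour later is deliberately not counted, so the window must match how fast the spread you care about moves.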

And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms.

“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors,” says Vikram Thakur, technical director of Symantec’s security response. “To [a hacker] it’s just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three.”

It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.
