EternalBlue

ETERNALBLUE, an alleged NSA exploit targeting the SMBv1 protocol leaked by the Shadow Brokers in mid-April, has become a commodity hacking tool among malware developers.

The tool's notoriety comes from its successful usage as part of the WannaCry ransomware's self-spreading mechanism, where it was deployed alongside another NSA hacking tool called DOUBLEPULSAR to help WannaCry infect random computers via unprotected SMB services.

ETERNALBLUE - the go-to exploit for today's malware

After WannaCry has become the most infamous cyber-incident known to date, evidence has surfaced that there have been other malware families that used ETERNALBLUE even before WannaCry.

This included a report from Proofpoint, who discovered ETERNALBLUE deployed with the Adylkuzz cryptocurrency miner, a report from Cyphort, who found ETERNALBLUE deployed with various RATs deployed by Chinese threat actors, and a report from Secdo, who found ETERNALBLUE deployed with an infostealer originating out of Russia, and a botnet in China.

Things only got worse after the WannaCry outbreak. For example, Forcepoint found ETERNALBLUE deployed with various RATs, French security research Benkow found it used for the UIWIX ransomware, and Croatian security researcher Miroslav Stampar found it bundled with six other NSA hacking tools, part of the EternalRocks SMB worm.

To make matters worse, today, FireEye published another report, revealing it found ETERNALBLUE deployed with a version of the Gh0st RAT in Singapore, and together with the Nitol backdoor trojan across the South Asia region.

Adding ETERNALBLUE to Metasploit lowered the bar

All these malware campaigns use ETERNALBLUE for its ability to exploit a vulnerability (CVE-2017-0144) in Microsoft's Server Message Block (SMB) protocol.

ETERNALBLUE works by sending malformed packets to computers running vulnerable versions of the SMB service, allowing other malware to run code on the machine and get an initial foothold. Overall, exploit ETERNALBLUE is not difficult, but it's not hard either.

After the Shadow Brokers leaked ETERNALBLUE in mid-April, the exploit has been added as a module to the Metasploit framework, a tool used by sysadmins and security researchers to test their computers for vulnerabilities.

While developed with good intentions, the framework's exploit modules are often plundered by malware developers, who use them as the base for developing malware.

"The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities," said the FireEye team today, attempting to justify this flurry of malware families leveraging ETERNALBLUE.

Their colleague, Christopher Glyer‏, FireEye Chief Security Architect, agreed with their assessment. "Adding [ETERNALBLUE] to Metasploit lowers the bar significantly," Glyer wrote on Twitter.

What this means is that you can now expect that any low-skilled hacker that has basic grasp of C coding to be able to integrate ETERNALBLUE into his malware project.

The only way to negate this risk is by installing the security updates Microsoft released in security bulletin MS17-010.

Image credits: Bleeping Computer, Deivid Sáenz