Experts at RiskSense have ported the leaked NSA exploit named ETERNALBLUE to the Windows 10 platform. This is the same exploit that the WannaCry ransomware used as part of its SMB self-spreading worm in the mid-May WannaCry outbreak that affected millions of computers across the world.
The exploit was dumped online in mid-April by a group known as The Shadow Brokers, who claimed they stole it from the Equation Group, a codename given to the NSA.
Researchers who analyzed the exploit said ETERNALBLUE only worked against older Windows versions such as Windows XP, Windows Vista, Windows 7, Windows Server 2003, and Windows Server 2008. Nonetheless, during the WannaCry ransomware attacks, because of the way the exploit was implemented, it mainly targeted Windows 7 machines, while on Windows XP, ETERNALBLUE caused a Blue Screen of Death.
Soon after the WannaCry outbreak, researchers ported ETERNALBLUE to the Windows 8, Windows 8.1, and Windows Server 2012 platforms.
Yesterday, two RiskSense researchers, Sean Dillon and Dylan Davis, announced their own port of ETERNALBLUE for Windows 10 systems.
This ETERNALBLUE port only works against Windows 10 versions before the Redstone 1 release (April 2016). Furthermore, these older versions must have not received the MS17-010 security patch, which Microsoft released in March 2017.
In a technical write-up of their findings, the researchers say the Windows 10 Redstone 1 (April 2016) release added improvements that blocked a DEP (Data Execution Prevention) bypass contained in the ETERNALBLUE exploit. Similarly, the Windows 10 Redstone 2 release (Creators Update, April 2017) added protection against an ASLR (Address Space Layout Randomization) bypass, also used by ETERNALBLUE.
While this prevents the Windows 10 port of ETERNALBLUE from working on cutting-edge Windows 10 versions, there are still many older versions that are vulnerable to attacks.
Besides porting ETERNALBLUE to target Windows 10, the RiskSense crew also made improvements of their own, such as reducing the exploit code's size by up to 20%. Another improvement was to remove DOUBLEPULSAR from the ETERNALBLUE exploitation chain.
WannaCry and most malware that leverages the ETERNALBLUE exploit to infect vulnerable machines will use ETERNALBLUE to deliver malformed packets to a PC running an unpatched SMB service and gain an initial foothold on the host.
Almost everyone to our knowledge used the DOUBLEPULSAR implant (backdoor) as the second part of the exploitation chain, where they actually took control of the host and executed malicious code on the user's machine.
The RiskSense team has also removed the need for ETERNALBLUE to work with DOUBLEPULSAR, allowing anyone to deliver custom payloads instead.
According to Dillon, the purpose of this was to raise awareness of a bad practice that has become established in the security community after the WannaCry attacks.
Security companies and infosec experts have set up detection rules that search for the DOUBLEPULSAR backdoor as a sign of an ETERNALBLUE attack. Dillon says this is wrong, and would like to see companies search for attempts to use the exploit itself.
"The RiskSense Cyber Security Research team slowly dissected the original exploit, discovering parts of the data that were deemed unnecessary for exploitation. By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild. We also substantiated the premise that the original exploit's DOUBLEPULSAR payload is a red herring for defenders to focus on, as a stealthier payload mechanism can be crafted."
The technical report also omits many technical details that would help malware authors create their own Windows 10 port, but includes the information companies need to create detection and exploitation rules.
To put into perspective how dangerous ETERNALBLUE is, the RiskSense team says in its research that ETERNALBLUE is "one of the most complex exploits ever written."
All Windows users should make sure they've installed the updates included in Microsoft's MS17-010 security bulletin.