Sales Engineer | Technical Sales | Pre-Sales at SUSE
Vendor
2020-07-09T16:30:03Z
Jul 9, 2020
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
EternalBlue exploits officially named MS17-010 by Microsoft is a vulnerability that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is through system PATCHING, i.e. download the latest version of Windows software update and install the patch.
The best part of AI products like Sentinel one is they are monitoring for this type of exploit. It's not just anti virus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine this would alert the SOC. As soon as the hacker executes the cypto code the connection is severed with the hacker, the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.
By far the most important thing to do to prevent attacks utilizing Eternalblue is to make sure that you’ve updated any older versions of Windows to apply the security patch MS17-10.
If, for some reason, that’s not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.
Ensuring you have a capable EDR security solution should go without saying, but if your organization is still behind the curve on that one, remember that passive EDR solutions are already behind-the-times and active EDR is required.
Please contact me on cybersec@global.co.za for more information on SentinelOne and Cyber Protection Services
Find out what your peers are saying about CrowdStrike, Microsoft, SentinelOne and others in Endpoint Detection and Response (EDR). Updated: November 2024.
Attacks leveraging the EternalBlue exploit generally follow this pattern:
A vulnerable system with an open, unpatched port is identified.
EternalBlue (or another exploit) is used to achieve remote code execution.
The DoublePulsar backdoor is uploaded. This allows remote control of the infected system and the upload of an additional payload.
An arbitrary payload is injected into the target system’s memory using the DoublePulsar backdoor. In the case of WannaCry, this payload was ransomware, but it could potentially be any payload, including malware that does a much more effective job at hiding on a system.
In the case of WannaCry, the payload also contained code that attempted to spread additional infections with the EternalBlue/DoublePulsar attack chain. This effectively made WannaCry a worm, a kind of malware that could spread without any kind of user intervention.
Though Microsoft published a patch for a number of the exploits contained in the Shadow Broker’s dump, unpatched systems still remain vulnerable to this kind of attack. It is important to note that a potential attacker could use any payload in the attack chain described above.
Endpoint Detection and Response (EDR) solutions designed to monitor endpoint and network events while recording and storing this information in a centralized database. EDR solutions are especially crucial for organizations involving endpoints like desktops, laptops, and mobile devices.
You can use Palo Alto Cortex XDR networks to protect against this type of attack at the endpoint level.
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
Ref:
https://cve.mitre.org/cgi-bin/...
https://www.avast.com/c-eterna...
EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.
So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.
Microsofts Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilising the latest version.
Additionally, you should ensure that the following safeguards are in place:
PATCH PATCH PATCH - is the answer every time
EternalBlue exploits officially named MS17-010 by Microsoft is a vulnerability that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is through system PATCHING, i.e. download the latest version of Windows software update and install the patch.
The best part of AI products like Sentinel one is they are monitoring for this type of exploit. It's not just anti virus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine this would alert the SOC. As soon as the hacker executes the cypto code the connection is severed with the hacker, the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.
By far the most important thing to do to prevent attacks utilizing Eternalblue is to make sure that you’ve updated any older versions of Windows to apply the security patch MS17-10.
If, for some reason, that’s not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.
Ensuring you have a capable EDR security solution should go without saying, but if your organization is still behind the curve on that one, remember that passive EDR solutions are already behind-the-times and active EDR is required.
Please contact me on cybersec@global.co.za for more information on SentinelOne and Cyber Protection Services
“EternalBlue” exploit that targeted open server message block (SMB) ports and was used to great effect in the recent WannaCry ransomware attack.
Attacks leveraging the EternalBlue exploit generally follow this pattern:
Though Microsoft published a patch for a number of the exploits contained in the Shadow Broker’s dump, unpatched systems still remain vulnerable to this kind of attack. It is important to note that a potential attacker could use any payload in the attack chain described above.
Basic tool to protect from EternalBlue
1) Second generation AV
2) Cloud Backup
3) Cloud Second generation VPN and Firewall