Why the 'fixed' Windows EternalBlue exploit won't die

Cryptojacking, endless infection loops, and more are ensuring that the leaked NSA tool continues to disrupt the enterprise worldwide.
Written by Charlie Osborne, Contributing Writer

EternalBlue simply refuses to go away, and unpatched, unlicensed operating systems are part of the problem.

The Microsoft Windows EternalBlue exploit was released to the public in 2017 as part of a leaked cache of surveillance tools belonging to the Equation Group, the hacking team of the US National Security Agency (NSA).

Following whistleblower and former NSA contractor Edward Snowden's disclosure of the agency's mass surveillance activities, hackers calling themselves the Shadow Brokers compromised NSA systems and leaked the toolset.

Among the exploit cache were exploits and zero-day vulnerabilities which allowed the NSA to compromise Windows and Linux systems, network equipment, firewalls, and more.

Security researchers and affected vendors immediately set to work patching the leaked vulnerabilities, and while the EternalBlue flaw itself has been fixed, outdated and unpatched systems still allow the exploit to flourish in the hands of threat actors.

The EternalBlue vulnerability, CVE-2017-0144, targets the Microsoft Windows Server Message Block (SMB) protocol and allows attackers to execute arbitrary code. A fix was issued in March 2017 by Microsoft.

The bug has caused misery worldwide since its release and was used to infect systems with ransomware during the infamous WannaCry global outbreak last year. The UK's National Health Service (NHS), FedEx, Deutsche Bahn, Renault, and banks were among the targets of the campaign which compromised an estimated 230,000 PCs.

EternalBlue was also used in a ransomware campaign that followed soon after. The cyberattack spread the Petya ransomware from Ukraine to countries worldwide.

The critical flaw has been patched but its legacy lives on.

In June last year, for example, the exploit was integrated into exploit kits to make Trojans such as Nitol and Gh0st RAT more effective.

Security researchers from Avira have been tracking the vulnerability and reinfection rates across the world. In a blog post last week, the team said that unpatched PCs are a key reason EternalBlue won't die, with impacted devices "getting stuck in an endless infection cycle with new infections occurring at the kernel level as the previous ones are removed."

Avira says that the exploit is finding its way onto cracked and pirated versions of Microsoft Windows which are still running the old SMB1 protocol, the version that is vulnerable to EternalBlue.
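As an added illustration (not code from the article or from Avira), the following PowerShell audit checks a Windows host for the two conditions the article ties to EternalBlue exposure: the SMB1 protocol still enabled, and the March 2017 fix for CVE-2017-0144 (MS17-010) not installed. The cmdlets used are standard on Windows 8.1 / Server 2012 R2 and later; the list of MS17-010 KB numbers is a placeholder that must be filled in from Microsoft's bulletin for the OS build being audited.

```powershell
# Added example, not part of the original article. Run in an elevated PowerShell.
# PLACEHOLDER: fill in the per-OS KB numbers from Microsoft's MS17-010 bulletin.
$Ms17010Kbs = @('KBXXXXXXX')

function Get-EternalBlueExposure {
    $result = [ordered]@{
        Smb1ServerEnabled = $null   # SMB1 server side switched on?
        Smb1FeatureState  = $null   # SMB1 optional feature installed? (Win10/2016 naming)
        Ms17010KbFound    = @()     # any MS17-010 KB present in the hotfix list
        Exposed           = $false
    }

    # 1. Is the SMB1 server protocol still enabled? (Get-SmbServerConfiguration exists on Win8/2012+)
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol }

    # 2. Is the SMB1 optional feature installed at all?
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureState = $feat.State.ToString() }

    # 3. Has any MS17-010 update been installed? Caveat: on Windows 10 the fix ships inside
    #    cumulative updates, so a missing standalone KB on a fully updated build is
    #    inconclusive rather than proof of exposure.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $result.Ms17010KbFound = @($installed | Where-Object { $Ms17010Kbs -contains $_ })

    # Exposed when SMB1 is on and no MS17-010 KB is present. A host with SMB1 disabled is
    # not reachable over the vulnerable protocol, but it should still be patched.
    $result.Exposed = ($result.Smb1ServerEnabled -eq $true) -and ($result.Ms17010KbFound.Count -eq 0)
    [pscustomobject]$result
}

Get-EternalBlueExposure | Format-List

# Mitigation for hosts that do not need SMB1 (run after confirming no legacy clients depend on it):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```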

"We were researching the reasons behind a number of machines having repeated infections," said Mikel Echevarria-Lizarraga, senior virus analyst in the Avira Protection Lab. "We've found that many of these serially infected machines were running activation cracks which means that they cannot or do not want to update Windows and install updates. It also means that they did not receive the emergency patch from Microsoft for this vulnerability."

Avira has uncovered roughly 300,000 systems which are impacted by EternalBlue. Indonesia is the hardest hit, followed by Taiwan, Vietnam, Thailand, and Egypt, among others.

Windows machines running unlicensed software are not the only problem, however: threat actors worldwide are also using EternalBlue for covert cryptojacking operations.

Cryptojacking is the use of computational power without the consent of users for the purpose of mining cryptocurrencies including Ethereum (ETH) and Monero (XMR).

A common way to conduct cryptojacking is through the use of covert mining scripts, such as Coinhive, through browsers and web page visits. However, malware able to compromise PCs is also utilized -- and the EternalBlue exploit has become a weapon of choice.

In February, researchers discovered the Smominru miner botnet was using the exploit to mine for Monero, bending 526,000 nodes -- otherwise known as infected systems -- to its will at its peak, netting its operators an estimated $3.6m from fraudulent mining.

It was only a month later that another cryptojacking scheme, RedisWannaMine, was found to have harnessed EternalBlue to compromise Windows Servers for the same purpose.

Unfortunately, EternalBlue is still very active in the cryptojacking space. According to recent research from Cybereason, a new outbreak of Wannamine, based on EternalBlue, has shown that the attack is still highly active a year after disclosure.

"Wannamine isn't a new attack," the researchers say. "It leverages the EternalBlue vulnerabilities that were used to wreak havoc around the world almost a year and a half ago. But more than a year later, we're still seeing organizations severely impacted by attacks based on these exploits."

Wannamine is not sophisticated, and its components are made up of copy-and-paste code taken from repositories such as GitHub. A number of IPs associated with Wannamine servers are still active a year after being reported to the associated hosting providers.

Although the coding is crude, failure to patch has caused yet another outbreak -- and unless individuals and companies take responsibility for protecting themselves, EternalBlue will remain an effective tool in the hands of threat actors.

"Until organizations patch and update their computers, they'll continue to see attackers use these exploits for a simple reason: they lead to successful campaigns," Cybereason added. "There's no reason for security analysts to still be handling incidents that involve attackers leveraging EternalBlue. And there's no reason why these exploits should remain unpatched."
