Analysis of the EternalBlue Vulnerability and Mitigation Strategies

Verified

Added on 2019/09/20

AI Summary

This report provides a detailed analysis of the EternalBlue vulnerability, a critical security flaw in Microsoft Windows operating systems, identified by the security reference code MS17-010. The report discusses the technical aspects of the vulnerability, including its origins in the SMB service and the use of the FUZZBUNCH framework. It outlines the attack vector, explaining how malicious code is executed via remote sessions, often in conjunction with the DoublePulsar backdoor, and how the WannaCry ransomware exploited this vulnerability. The report then explores the exploitation scenario, detailing the process of injecting code into the LSASS process and spreading across networks. It further provides mitigation strategies, such as disabling SMBv1 and implementing firewall rules, and outlines remediation steps, including patching vulnerable systems and blocking inbound connections to SMB ports. The report concludes with a list of references used in the analysis.

Contents
Executive Summary...................................................................................................................1
Technical Description................................................................................................................1
Vulnerability Description.......................................................................................................1
Attack Vector..........................................................................................................................1
Exploitation Scenario.............................................................................................................1
Mitigation...............................................................................................................................2
Remediation............................................................................................................................2
References..................................................................................................................................2
Executive Summary
EternalBlue is the name that has been given to a vulnerability present in Microsoft’s
Windows Operating systems. The company has given a security reference code known as
MS17-010 and has also issues a security update in response to the vulnerability on March 14,
2017. The patch was issued before the WannaCry ransomware which was based on the same
vulnerability got out and has spread across the world. Those who had applied the patch would
have been protected but those who had not were exposed to the dangers of the vulnerability.
Microsoft has named the security vulnerability as Critical.
Technical Description
Vulnerability Description
On April 14, 2017, an internet group known as the Shadow Brokwers group released a
framework known as FUZZBUNCh which is an exploitation of the Windows toolkit. This
toolkit was written by another group know nas the Equation Group that is known to be among
one of the most sophisticated attackers and has been diet to the United States National
Security Agency or NSA. The framework that has been included in this vulnerability is
known as ETERNALBLUE. EternalBle is a remote kernel exploit that began with targeting
the SMB service or Server Message Block service typically being used in systems prior to
Windows 8 such as Windows 7 and Windows XP among others. This is because these

Paraphrase This Document

Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser

versions of Windows operating system contains something known as interprocess
communication share or IPC$ that if executed allows to create a null session. This in turn
means that connection that would be initiated would be an anonymous connection via a null
session by default. The vulnerability exists because Null session allows one to send a variety
of commands to the system.
Attack Vector
All the cases that has been analysed for this vulnerability showcase a same behaviour. This
behaviour is that the malicious code first gets executed on a target computer via remote
sessions through the Eternalblue exploit combined together with a modification of
DoublePulsar backdoor. With the help of this, the WannaCry manages to successfully inject
code in the LSASS process of the operating system. As mentioned previously, Eternalblue
exploit takes full advantage of the SMB vulnerability that has already been addressed by
Microsoft in their security bulletin MS17-010 that spreads across internal network and gets
connected by the Port TCP 445 of systems that have not been patched yet.
Exploitation Scenario
 After the SMB handshake, the ransomware gets connected to the IPC$ share on the
target’s host.
 Once this is done, it sends out an NT Trans request that contains a huge payload size
and is made up of a sequence of NOPs. This basically makes the SMB server
exploitable so that the full advantage of vulnerability can be had.
 The NT Trans request then leads to several secondary Trans2 requests in order to
accommodate large size. They request the data that is essentially the encrypted
payload and the shellcode which allows for full-fledged malware attack on the remote
system.
 Once the vulnerability has been triggered, the payload that contains a stager of the
malware is offloaded to the remote system. This payload launches the ‘mssecsvc’
service from lsass process and this service then further scans the entire local network
in hope of finding more machines that have SMB ports exposed.
 The service then make use of the previously mentioned vulnerability in order to gain
access to other remote machines and delivering the payload effectively completing the
cycle.

Mitigation
 Disabling the SMBv1 with the guide provided by Microsoft KB Article 2696547.
 Adding a rule on the firewall so as to block various incoming SMB related traffic on
the 445 port.
 Discovering which systems within a network could be susceptible to the attack and
then isolating them and furthermore updating them.
 There are many patterns and anomalies in NT Trans and Trans 2 requests as well as
response packets that many make use of to create a powerful network level detection.
 Carrying out an internal audit of the entire network so as to establish where the attack
began so as to secure the entry point.
Remediation
 It is essential to patch vulnerable computers to prevent the SMB vulnerability from
being exploited.
 It is essential that the Microsoft released patch for the SMB vulnerability be applied.
The security patch is available under security bulletin code MS17-010 and is available
for the following operating systems :
 Blocking of inbound connection to the SMB ports on both 139 and 445 from outside
the perimeters of the organization.
o Windows XP
o Windows 2003
o Microsoft Windows Vista SP2
o Windows Server 2008 SP2 y R2 SP1
o Windows 7
o Windows 8.1
o Windows RT 8.1
o Windows Server 2012 R2
o Windows 10
o Windows Server 2016

References
[1]F. Blogs, T. Research and S. "EternalBlue", "SMB Exploited: WannaCry Use of
"EternalBlue" « SMB Exploited: WannaCry Use of "EternalBlue"", FireEye, 2018. [Online].
Available: https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-
use-of-eternalblue.html. [Accessed: 24- Apr- 2018].
[2]#WannaCry Report. 2017.
[3]WannaCry Ransomware Campaign Exploiting SMB Vulnerability. 2017.
[4]ETERNALBLUE Exploit Analysis and Port to Microsoft Windows 10. 2017.a
[5]"WannaCry ransomware: Everything you need to know", CNET, 2018. [Online].
Available: https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-
you-need-to-know/. [Accessed: 24- Apr- 2018].