ETERNALBLUE: Windows SMBv1 Exploit (Patched)
Microsoft released a blog post outlining which patches address which vulnerability exploited by various "Shadowbroker" exploits. According to the table released by Microsoft, "ETERNALBLUE" was fixed by MS17-010 released in March. Interestingly, MS17-010 listed all vulnerabilities as "not used in exploits". Microsofts acknowledgement page does not list a source for the vulnerability disclosure.
We decided to keep our "Infocon" at Green in light fo the availability of a patch.
To protect yourself from this exploit, you can also disable SMBv1 (see this KB article by Microsoft about details), and make sure you are blocking port 445.
A snort rule for ETERNALBLUE was released by Cisco as part of the "registered" rules set. Check for SID 41978.
-----
Shadowbroker, as part of the set of exploits it collected and had offered for auction, today released a number of Windows-related exploits. One that looks in particular interesting as it promises an exploit via SMB for Windows hosts up to Windows 8 and Windows Server 2012, was published under the name "ETERNALBLUE".
Right now, I haven't been able to make it fully work yet, but I was able to collect some packets to a Windows 7 system. The exploit makes by default three attempts to attack a system. An XML file accompanying the exploit allows the attacker to configure various parameters.
In general, an SMB exploit *should* not be all that exciting these days, as blocking port 445 is standard best practice. I am attaching a link to a packet capture below to allow you to analyze it further. In the packet capture, the vulnerable hosts IP address is 10.128.0.243.
After repeated attempts, the Windows 7 host crashed.
pcap: https://isc.sans.edu/diaryimages/eternalblue.pcap
---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
STI|Twitter|
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
Anonymous
Apr 14th 2017
7 years ago
Anonymous
Apr 15th 2017
7 years ago
The Register
https://www.theregister.co.uk/2017/04/14/latest_shadow_brokers_data_dump/
Slashdot
https://it.slashdot.org/story/17/04/14/2017200/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet
Ars:
https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/
Eternalblue and Eternalchampion are in the data dumps too.. and they are forked like crazy
hxxps://github.com/misterch0c/shadowbroker/tree/master/windows/specials
current fork count is at 350+ copies and multiplying by the minute.
edit: and that's without counting the forks of the secondary forks.
/edit
edit2: or forks of separate uploads of the same file tree
/edit2
Anonymous
Apr 15th 2017
7 years ago
Anonymous
Apr 15th 2017
7 years ago
Because of the 2007-2015 (-ish) economic crisis a lot of public IT systems are still stuck in the XP era and the beancounters see no reason to dump funds into license upgrades since the systems can still be powered on and sort-of run.
Anonymous
Apr 15th 2017
7 years ago
Anonymous
Apr 15th 2017
7 years ago
No, otherwise they would have fixed it before last month. They may have been getting paid by the feds to not patch certain things, though. Wouldn't it get interesting if a Snowden or ShadowBrokers dump reveals that to be true and that a material amount of some tech company's profits are in fact coming from the feds to implement and not patch vulnerabilities? In effect the taxpayers who are the investors in the tech industry are paying twice, once to buy the stock and once to create their profits through their tax payments.
I think it was Cryptome that had a doc a few years ago that was a court filing that accidentally revealed that a federal government agency was paying a company for certain activities and the filing revealed that the company was supposed to report the income a certain way and that the IRS was not to audit it to keep from revealing the true source of the income. It's really not much different than the feds telling police agencies that they were not to reveal the true source of intelligence about criminal activities, such as Stingrays, and that they had to develop parallel evidence in order to hide the true source.
Anonymous
Apr 16th 2017
7 years ago
Anonymous
Apr 17th 2017
7 years ago
Anonymous
Apr 21st 2017
7 years ago