NSA’s EthernalBlue exploit ported to Windows 10

If you were running Windows 10, then you didn’t need to worry about your box being hit with the leaked NSA EternalBlue exploit; but things change and now researchers have ported EternalBlue to Windows 10.

After the WannaCry ransomware attack, some defenders focused on building detection rules to protect against the DoublePulsar backdoor implant; but beware as RiskSense researchers completely removed DoublePulsar. They warned that DoublePulsar is a “red herring for defenders to focus on, as stealthier payload mechanisms can be crafted.”

While they are not revealing all the details about the exploit chain so attackers can jump on them, they hope white hat security researchers benefit from the technical overview of the exploit process “so that new generic and targeted techniques can be developed to prevent attacks.”

The report reads, “By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild.”

The source code, they said, “will not be made available until a later time.”

RiskSense Cyber Security researchers Sean Dillon and Dylan Davis first identified what parts of the original exploit were unnecessary for exploitation. They tweaked it to create a leaner version of EternalBlue, with the code size about 20% smaller, which can be ported to unpatched versions of Windows 10.

They proved that even after removing the DoublePulsar backdoor, a new payload can load the malware. “In our improved payload, an Asynchronous Procedure Call (APC) is queued directly to cause normal Metasploit usermode payloads to be executed without requiring the backdoor.”

According to the report (pdf download), the exploit analysis and port targeted, “Microsoft Windows 10 x64 Version 1511, the November Update with the codename Threshold 2.” While version 1511 is currently supported by Microsoft in the Windows Current Branch for Business, it is not what Microsoft recommends. The researchers were using Windows build number 10.0.10586 and did not install the MS17-010 patch.

Porting the EternalBlue exploit to more versions of Windows is “difficult,” but “not an impossible feat.” In fact, they explained that a “port to virtually all vulnerable Microsoft Windows versions that use the NT kernel is possible, apart from the key defenses recently made available in the bleeding-edge versions of Microsoft Windows 10. Redstone 1 (August 2016) and Redstone 2 (April 2017) introduce mitigations such as the Page Table Entry and HAL Heap randomizations, which will help protect users against future exploits of this class.”

RiskSense researchers concluded:

The EternalBlue exploit is highly dangerous in that it can provide instant, remote, and unauthenticated access to almost any unpatched Microsoft Windows system, which is one of the most widely used operating systems in existence for both the home and business world. The vulnerabilities fixed in the MS17-010 patch, like the unwavering MS08-067 vulnerability before it, will continue to be exploited by black-hat criminal organizations, white-hat security researchers and penetration testers, and many nation-states for presumably a decade to come.

Gh0st RAT and Nitol backdoor

It’s of the utmost importance to keep Windows updated and patched. Last week, FireEye researchers warned the boxes vulnerable to the SMB exploit were being attacked “by a threat actor using the EternalBlue exploit to gain shell access to the machine.” The attackers were distributing Backdoor.Nitol and Trojan Gh0st RAT.

FireEye added:

The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads. It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible.