If you were running Windows 10, you didn't need to worry about your box being hit with the leaked NSA EternalBlue exploit; but things change, and now researchers have ported EternalBlue to Windows 10.

After the WannaCry ransomware attack, some defenders focused on building detection rules to protect against the DoublePulsar backdoor implant; but beware, as RiskSense researchers completely removed DoublePulsar. They warned that DoublePulsar is a "red herring for defenders to focus on, as stealthier payload mechanisms can be crafted."

While they are not revealing all the details about the exploit chain, so that attackers cannot jump on them, they hope white hat security researchers benefit from the technical overview of the exploit process "so that new generic and targeted techniques can be developed to prevent attacks."

The report reads, "By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild."

The source code, they said, "will not be made available until a later time."

RiskSense Cyber Security researchers Sean Dillon and Dylan Davis first identified which parts of the original exploit were unnecessary for exploitation. They tweaked it to create a leaner version of EternalBlue, with the code size about 20% smaller, which can be ported to unpatched versions of Windows 10. They proved that even after removing the DoublePulsar backdoor, a new payload can load the malware.
"In our improved payload, an Asynchronous Procedure Call (APC) is queued directly to cause normal Metasploit usermode payloads to be executed without requiring the backdoor."

According to the report (pdf download), the exploit analysis and port targeted "Microsoft Windows 10 x64 Version 1511, the November Update with the codename Threshold 2." While version 1511 is currently supported by Microsoft in the Windows Current Branch for Business, it is not what Microsoft recommends. The researchers were using Windows build number 10.0.10586 and did not install the MS17-010 patch.

Porting the EternalBlue exploit to more versions of Windows is "difficult," but "not an impossible feat." In fact, they explained that a "port to virtually all vulnerable Microsoft Windows versions that use the NT kernel is possible, apart from the key defenses recently made available in the bleeding-edge versions of Microsoft Windows 10. Redstone 1 (August 2016) and Redstone 2 (April 2017) introduce mitigations such as the Page Table Entry and HAL Heap randomizations, which will help protect users against future exploits of this class."

RiskSense researchers concluded:

The EternalBlue exploit is highly dangerous in that it can provide instant, remote, and unauthenticated access to almost any unpatched Microsoft Windows system, which is one of the most widely used operating systems in existence for both the home and business world. The vulnerabilities fixed in the MS17-010 patch, like the unwavering MS08-067 vulnerability before it, will continue to be exploited by black-hat criminal organizations, white-hat security researchers and penetration testers, and many nation-states for presumably a decade to come.

Gh0st RAT and Nitol backdoor

It's of the utmost importance to keep Windows updated and patched.
Last week, FireEye researchers warned that the boxes vulnerable to the SMB exploit were being attacked "by a threat actor using the EternalBlue exploit to gain shell access to the machine." The attackers were distributing Backdoor.Nitol and Trojan Gh0st RAT.

FireEye added:

The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads. It is critical that Microsoft Windows users patch their machines and update to the latest software versions as soon as possible.