EternalBlue

From Wikipedia, the free encyclopedia
Jump to: navigation, search

EternalBlue, sometimes stylized as ETERNALBLUE,[1] is an exploit generally believed to have been developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on 14 April 2017, and was used as part of the worldwide WannaCry ransomware attack on 12 May 2017.[1][2][3][4][5]

Details[edit]

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.[6]

The Windows security update on 14 March 2017 resolved the issue via security update MS17-010, for all Windows versions that were currently supported at that time, these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.[7][8]

Many Windows users had not installed MS17-010 when, two months later on 12 May 2017, the WannaCry attack used the EternalBlue vulnerability to spread itself.[9][10][11]

On 13 May 2017, a day after the attack, Microsoft took the highly unusual step of also providing a security update for Windows XP, Windows 8, and Windows Server 2003 via download from the Microsoft Update Catalog.[12][13]

See also[edit]

References[edit]

  1. ^ a b "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Retrieved 13 May 2017. 
  2. ^ Fox-Brewster, Thomas. "An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak". Forbes. Retrieved 13 May 2017. 
  3. ^ "An NSA-derived ransomware worm is shutting down computers worldwide". Ars Technica. Retrieved 13 May 2017. 
  4. ^ Ghosh, Agamoni (April 9, 2017). "'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools". International Business Times UK. Retrieved April 10, 2017. 
  5. ^ "'NSA malware' released by Shadow Brokers hacker group". BBC News. April 10, 2017. Retrieved April 10, 2017. 
  6. ^ "Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN". ESET North America. Archived from the original on 16 May 2017. Retrieved 16 May 2017. 
  7. ^ Cimpanu, Catalin (13 May 2017). "Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decrypt0r". Bleeping Computer. Retrieved 13 May 2017. 
  8. ^ "Windows Vista Lifecycle Policy". Microsoft. Retrieved 13 May 2017. 
  9. ^ "Microsoft Security Bulletin MS17-010 – Critical". technet.microsoft.com. Retrieved 13 May 2017. 
  10. ^ Newman, Lily Hay. "The Ransomware Meltdown Experts Warned About Is Here". Wired.com. Retrieved 13 May 2017. 
  11. ^ "Wanna Decryptor: The NSA-derived ransomware worm shutting down computers worldwide". Ars Technica UK. Retrieved May 13, 2017. 
  12. ^ Surur (13 May 2017). "Microsoft release Wannacrypt patch for unsupported Windows XP, Windows 8 and Windows Server 2003". Retrieved 13 May 2017. 
  13. ^ MSRC Team. "Customer Guidance for WannaCrypt attacks". microsoft.com. Retrieved 13 May 2017. 

External links[edit]