A powerful hacking tool originally used by the National Security Agency and subsequently leaked in April by the Shadow Brokers will give defenders problems for years to come as hackers continue to adopt and repurpose the malicious computer code, experts and former U.S. intelligence officials tell CyberScoop.
The tool, codenamed EternalBlue, leverages two different coding flaws in older versions of Microsoft Windows to propagate malware across a targeted computer network. In practice, the exploit abuses the network file-sharing protocol known as Server Message Block, or SMB.
Although Microsoft promptly released several software updates for affected versions of Windows in March, and then again most recently in May, millions of systems remain unpatched and therefore vulnerable to hackers using EternalBlue.
Experts believe that the high-quality exploit will be used in the coming years by both amateurish hackers and sophisticated threat actors to steal information.
“EternalBlue will exist and be viable as long as systems are not patched consistently as good cyber hygiene recommends,” explained Nehemiah Security Vice President Bob Wandell, a former Defense Department information assurance chief. “The payloads that can be loaded onto EternalBlue are boundless and uniformly malicious.”
Unnamed former U.S. intelligence officials familiar with EternalBlue told the Washington Post that they had “marveled at both its uncommon power and the widespread havoc” the tool allows for.
“We expect EternalBlue to be used for years to come by both espionage and criminal actors,” said Area 1 Security co-founder Blake Darché, a former network analyst with the NSA. “SMB vulnerabilities are key to conducting a destructive computer network attack with great efficacy.”
The masterfully engineered hacking tool had once provided U.S. spies with “unreal” intelligence, one former U.S. official told the Washington Post.
Without an update, operating systems vulnerable to EternalBlue include Windows XP, Windows Vista SP2, Windows 7, Windows Server 2008 R2 and Windows Server 2012 — each remains widely used, especially outside of the U.S.
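For defenders, the practical questions raised by the two paragraphs above are whether a given Windows host still exposes the SMB version EternalBlue reaches (SMBv1) and whether Microsoft's March and May updates are installed. The following audit script is an added example, not code from the CyberScoop article or from any vendor quoted in it. It assumes PowerShell 3.0 or later; the `Get-SmbServerConfiguration` and `Get-NetTCPConnection` cmdlets on Windows 8 / Server 2012 and newer, with a registry and `netstat` fallback on Windows 7 / Server 2008 R2; and a list of update KB numbers supplied by the operator, since the article names none, so `KB<id-for-this-OS>` is a placeholder.

```powershell
<#
  Added example (not from the article): audit a Windows host for the exposure
  EternalBlue depends on. Reports whether the SMBv1 server protocol is enabled,
  whether TCP/445 is listening, and which operator-supplied update KB numbers
  are missing. Cmdlet availability by OS version is an assumption per branch.
#>

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 (and Vista / 2008): the LanmanServer 'SMB1'
    # registry value controls the server side. A missing value means the
    # default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

function Test-Port445Listening {
    # Get-NetTCPConnection exists on Windows 8 / Server 2012 and later;
    # older hosts fall back to parsing netstat output.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        return [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    $lines = netstat -an | Select-String -Pattern ':445\s+.*LISTENING'
    return [bool]$lines
}

function Get-MissingHotfix {
    param([string[]]$RequiredKb)
    # Get-HotFix lists installed updates; anything required but absent is returned.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID }
    return @($RequiredKb | Where-Object { $installed -notcontains $_ })
}

function Invoke-EternalBlueExposureAudit {
    param(
        # KB ids of the SMB security updates for this host's OS version.
        # Placeholder: look them up per OS; the article does not list them.
        [string[]]$RequiredKb = @(),
        [switch]$DisableSmb1
    )
    $smb1    = Get-Smb1ServerState
    $port    = Test-Port445Listening
    $missing = Get-MissingHotfix -RequiredKb $RequiredKb

    # With no KB list the patch state is unverified and the host is treated as
    # exposed whenever SMBv1 is reachable.
    $patchUnknownOrMissing = ($RequiredKb.Count -eq 0) -or ($missing.Count -gt 0)

    $report = [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.VersionString
        Smb1ServerEnabled = $smb1
        Port445Listening  = $port
        MissingUpdates    = ($missing -join ', ')
        Exposed           = ($smb1 -and $port -and $patchUnknownOrMissing)
    }

    if ($DisableSmb1 -and $smb1) {
        # Turning off the server-side SMBv1 protocol removes the surface the
        # exploit reaches even before the patch lands. Needs an elevated shell.
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                -Name SMB1 -Type DWord -Value 0 -Force
            # On older hosts the registry change applies after a reboot or a
            # restart of the Server (LanmanServer) service.
        }
    }
    return $report
}

# Usage: run in an elevated PowerShell session with the KB ids for this OS.
Invoke-EternalBlueExposureAudit -RequiredKb @('KB<id-for-this-OS>') | Format-List
```

Disabling SMBv1 is a mitigation that works independently of the patch and is the safer first step on hosts that cannot be updated promptly; the `-DisableSmb1` switch is deliberately opt-in so the audit can run read-only across a fleet before any change is made.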
Craig Williams, a senior technical leader with Cisco’s elite threat intelligence collection unit, Talos, described the module as a sort of “lock pick that can open Windows machines which have not been patched.”
“Once the door has been unlocked any payload can be snuck inside,” said Williams. “This means we will continue to see threats like botnets, ransomware, DDoS kits, etc. continue to take advantage of this as long as there are vulnerable machines. It’s likely it will be years until we see the end of this threat.”
A recent global ransomware campaign known as WannaCry, which has already infected upwards of 300,000 computers in more than 150 countries, lifted code from EternalBlue — causing the virus to spread quickly to susceptible computers across the planet.
“The discovery of a near-ubiquitous remote code execution exploit in a default Windows service can be devastating,” said Eric Klonowski, a senior advanced threat research analyst at U.S. cybersecurity firm Webroot, in reference to EternalBlue.
He added, “It’s no wonder that malware authors were quick to adopt the exploit in WannaCry. Exploits as serious as this only appear once every few years, and malware authors are prepared to take full advantage.”
A number of hospitals and commercial businesses had their computers held ransom by WannaCry.
It’s likely that EternalBlue will be used in other ransomware-style attacks in the near future, predicts Brian Martin, a vice president of vulnerability intelligence for U.S. cybersecurity consultancy Risk Based Security.
“There is really no upper limit on where these types of exploits and crimeware go until they definitively cause human casualty,” said Martin. “When that happens, especially if it happens to any scale, we’ll see governments around the world belatedly step in and try to react to the issue.”
In the last week, a different malware variant dubbed EternalRocks was also discovered in the wild using code from both EternalBlue and another leaked NSA tool codenamed DoublePulsar, which functions as a backdoor implant.
EternalRocks appears to have been developed by a hacker to establish a foothold in Windows machines to then upload a myriad of different computer viruses, including other exploits from the Shadow Brokers dump, according to a blog post written by Cisco’s Talos team.
The rapid adoption of stolen computer code — in this case, a redeployment of mutated NSA weapons — underscores just how disruptive an offensive hacking tool can be when it is leaked. The FBI remains involved in an investigation into the matter.