EternalBlue is a Windows exploit created by the US National Security Agency (NSA) and used in the 2017 ransomware attack.
EternalBlue exploits a vulnerability in the Microsoft implementation of the Server Message Block (SMB) Protocol. This dupes a Windows machine that has not been patched against the vulnerability into allowing illegitimate data packets into the legitimate network. These data packets can contain malware such as a trojan, ransomware, or similar dangerous program.
The SMB Protocol is a standard, system that creates a connection between client and server by sending responses and requests. When printing a document, a person may use their computer, the client, to send a request to a colleague’s computer, the server, with a request to print the document. The client and server communicate over the SMB Protocol.
The NSA did not alert Microsoft about EternalBlue’s existence for a period of five years, until a breach of the NSA compelled the agency to do so. Microsoft blames the agency for EternalBlue’s existence and its fallout, even though EternalBlue is based on what was then a Windows vulnerability. The NSA has declined to speak in detail about the hack or EternalBlue.
Imagine a large organization with a network infrastructure comprising multiple interconnected systems, including servers, workstations, and IoT devices. Within this network, there is a vulnerable Windows system that has not been patched with the necessary security updates to protect against EternalBlue.
A bad actor, seeking to exploit the vulnerability, initiates an attack by sending a specially crafted network packet to the vulnerable system. This packet contains the exploit code that takes advantage of the EternalBlue vulnerability, allowing the attacker to gain unauthorized access and execute arbitrary code on the compromised system.
In the first stage of a cyberattack, a bad actor may employ various methods to identify systems vulnerable to the EternalBlue vulnerability. Here are a few techniques they might use:
The image below shows successful finding of EternalBlue vulnerability using nmap
The image below shows prebuilt EternalBlue exploits
It’s important to note that discovering vulnerable systems is only the first step for bad actors. Once they identify a vulnerable system, they proceed to exploit the vulnerability, gain access, and then move laterally within the network to escalate privileges and achieve their objectives
Once the target system is identified, the attacker launches an exploit against the vulnerable system. One of the most popular exploitation tools is Metasploit Framework.
The Metasploit Framework is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code. The Metasploit Framework contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. At its core, the Metasploit Framework is a collection of commonly used tools that provide a complete environment for penetration testing and exploit development.
Metasploit Framework has anEternalBlue exploit, which can be used directly to exploit vulnerable system
The image below shows successful exploitation of the EternalBlue vulnerability
EternalBlue takes advantage of three different bugs. The first is a mathematical error when the protocol tries to cast an OS/2 FileExtended Attribute (FEA) list structure to an NT FEA structure in order to determine how much memory to allocate. A miscalculation creates an integer overflow that causes less memory to be allocated than expected, which in turns leads to a buffer overflow.
With more data than expected being written, the extra data can overflow into adjacent memory space triggering the buffer overflow. This is achieved thanks to the second bug, which results from a difference in the SMB protocol’s definition of two related sub commands: SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT.
Both have a _SECONDARY command that is used when there is too much data to include in a single packet. The crucial difference between TRANSACTION2 and NT_TRANSACT is that the latter calls for a data packet twice the size of the former. This is significant because an error in validation occurs if the client sends a crafted message using the NT_TRANSACT sub-command immediately before the TRANSACTION2 one.
While the protocol recognizes that two separate sub-commands have been received, it assigns the type and size of both packets (and allocates memory accordingly) based only on the type of the last one received. Since the last one is smaller, the first packet will occupy more space than it is allocated.
Once the attackers achieve this initial overflow, they can take advantage of a third bug in SMBv1 which allows heap spraying, a technique which results in the allocation of a chunk of memory at a given address. From here, the attacker can write and execute shellcode to take control of the system.
Upon successfully compromising the initial system, the attacker begins their reconnaissance phase. They explore the network, scanning for other vulnerable systems or potential targets. Using tools like Nmap or Metasploit, the attacker identifies additional systems with unpatched vulnerabilities, possibly even finding weak or default credentials that grant further access.
The image below shows successful privilege escalation
With a growing foothold within the organization’s network, the attacker starts to escalate privileges and move laterally, traversing from one compromised system to another. They may use techniques like Pass-the-Hash or Pass-the-Ticket to escalate privileges and impersonate legitimate users, enabling them to access more sensitive resources and expand their control over the network.
During this lateral movement, the attacker may deploy various tools and malware to further their objectives. For example, they might use keyloggers or credential-stealing malware to harvest login credentials of high-privileged users, allowing them to gain even greater control over critical systems and sensitive data.
In some instances, the attacker might choose to deploy ransomware across the network, encrypting important files and bringing operations to a halt. They then demand a ransom in exchange for the decryption keys, causing financial losses and potential reputational damage to the organization.
Throughout this entire process, the attacker may operate stealthily, attempting to evade detection by leveraging anti-forensic techniques and obfuscating their activities. They might use encryption and tunneling techniques to hide their network traffic and maintain persistence within the compromised systems to ensure long-term access.
Yes, there are 4332 servers or Operating systems exposed on the internet with EternalBlue vulnerability.
The Top 10 countries that have systems with EternalBlue vulnerability:
Top Operating systems vulnerable to EternalBlue:
Give a look at the original post at
EternalBlue has been widely exploited by bad actors for various malicious activities, including ransomware attacks, botnet creation, credential theft, and lateral movement within networks. Its exploitation can have serious consequences, resulting in data breaches, financial losses, operational disruption, and reputation damage to organizations.
The flaw affects a wide range of Windows operating systems, including older versions like Windows XP and Windows Server 2003, which were still in use by many organizations at the time of its discovery. The widespread presence increased the potential attack surface and made it a critical concern for security professionals.
EternalBlue gained notable attention through its involvement in prominent cyber attacks. The WannaCry ransomware outbreak in 2017 infected hundreds of thousands of systems worldwide, causing widespread disruption in various sectors such as healthcare, government, and financial services. The NotPetya malware, another highly impactful cyber attack, also leveraged EternalBlue for propagation.
EternalBlue has a worm-like capability, allowing it to propagate within networks without user interaction. This self-spreading feature facilitated the rapid propagation of malware, enabling attackers to compromise vulnerable systems quickly and effectively.
About the author:
Follow me on Twitter: and and Mastodon
(SecurityAffairs – National Safety Council, NASA)