EternalBlue

from Wikipedia, the free encyclopedia

EternalBlue is an exploit that takes advantage of programming errors in the implementation of the SMB protocol (also known as NetBIOS or Common Internet File System) in the Windows operating system. The vulnerability is tracked as CVE-2017-0144 (SMB Remote Windows Kernel Pool Corruption).

NSA development and loss

A subdivision of the US NSA, the special unit Tailored Access Operations (TAO), had originally developed the software to exploit the weakness, according to press research. For a year, the intelligence officers had worked on software for detecting weak points in Microsoft products and had internally named their project "Eternal Blue Screen" because the attack they devised often led to unwanted crashes and thus to a blue error screen (blue screen). The finished hacking software belonged to the NSA's group of so-called NOBUS (Nobody but us) tools, which were available exclusively to the US service.

Parts of the TAO arsenal eventually fell into the hands of a group called The Shadow Brokers, which published the stolen material piece by piece from August 2016 onward. As of mid-2019 it was still unclear whether The Shadow Brokers obtained the EternalBlue software through a third-party hacker attack or from an NSA employee.

The NSA used the vulnerability for more than five years for its own intrusion (hacking) purposes before the constant revelations by The Shadow Brokers forced it to report the vulnerability to Microsoft.

Patch and spread

After the February 2017 patch day was cancelled, Microsoft was able to offer the patch MS17-010, which deactivates the SMBv1 network protocol, from March 12, 2017.
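The mitigation the article refers to, retiring SMBv1, can be verified on a Windows host with the built-in SmbShare and DISM cmdlets. The following script is an added example and is not part of the Wikipedia article or of any Microsoft documentation; the function names `Get-Smb1Status` and `Disable-Smb1` are this example's own, and it assumes Windows 8 / Windows Server 2012 or later, where the `SMB1Protocol` optional feature and the `Get-SmbServerConfiguration` cmdlet exist.

```powershell
# Added example (not from the article): report whether the SMBv1 protocol that
# MS17-010 addresses is still enabled on this host, and optionally disable it.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.

function Get-Smb1Status {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Server-side switch: does this host still accept SMBv1 connections?
    $cfg = Get-SmbServerConfiguration
    $result['ServerSmb1Enabled'] = [bool]$cfg.EnableSMB1Protocol

    # Optional Windows feature: is the SMBv1 component installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $result['Smb1FeatureState'] = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }

    # Sessions negotiated at an SMB 1.x dialect would break once SMBv1 is turned
    # off, so count them before changing anything (legacy devices, old scanners).
    $legacySessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    $result['ActiveSmb1Sessions'] = @($legacySessions).Count

    [pscustomobject]$result
}

function Disable-Smb1 {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if ($PSCmdlet.ShouldProcess('localhost', 'Disable SMBv1 on the SMB server')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage: print the current state; preview the change with -WhatIf before applying it.
Get-Smb1Status | Format-List
Disable-Smb1 -WhatIf
```

Disabling SMBv1 removes the protocol that EternalBlue targets but does not replace installing MS17-010 itself; a host can be patched yet still have SMBv1 enabled for legacy clients, which is why the script reports both the feature state and the number of live 1.x sessions before anything is changed.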

On April 14, 2017, the hacker group The Shadow Brokers published the exploit. On May 12, 2017, the vulnerability was abused for global attacks by the WannaCry ransomware trojan. On June 27, 2017, the hole was abused for attacks by a supposedly new variant of the Petya extortion trojan: NotPetya, which mainly wiped hard drives in Ukraine, spread via a software update for a Ukrainian tax software package. EternalBlue was deployed together with DoublePulsar.

By May 2019, all state and non-state powers competing with the USA had made use of EternalBlue or had even launched their own programs based on the software. The intelligence service of the People's Republic of China uses EternalBlue for espionage against countries in the Middle East, Iran is accused of attacking airlines in the Gulf region with EternalBlue, North Korea is held responsible for WannaCry, and the makers of Petya are attributed to the Russian Federation.
