2020-07-07T07:37:00Z

How does EternalBlue work?


How can businesses ensure that they are protected from EternalBlue attacks?

Guest
77 Answers

Consultant

You can use Palo Alto Cortex XDR networks to protect against this type of attack at the endpoint level.

2020-07-09T22:05:40Z
Top 5 Leaderboard, Reseller

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.


Ref:

https://cve.mitre.org/cgi-bin/...
https://www.avast.com/c-eterna...

2020-07-09T16:30:03Z
Top 10 User

EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.


So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.


Microsoft's Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilising the latest version.


Additionally, you should ensure that the following safeguards are in place:



  • Anti-virus software - an AI product like SentinelOne is needed; traditional anti-virus is just not up to the job anymore

  • Secure offsite backup with “attack-loop” prevention

  • Filter for .exe attachments in emails

  • Encrypt sensitive data


PATCH PATCH PATCH is the answer every time

2020-07-09T13:15:17Z
Top 5 Leaderboard, Reseller

EternalBlue exploits a vulnerability, officially named MS17-010 by Microsoft, that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is through system PATCHING, i.e. download the latest Windows software update and install the patch.

2020-07-09T12:02:55Z
Top 20 Real User

The best part of AI products like SentinelOne is that they are monitoring for this type of exploit. It's not just anti-virus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine; this would alert the SOC. As soon as the hacker executes the crypto code, the connection with the hacker is severed, and the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.

2020-07-09T10:01:54Z
Top 5 Leaderboard, Reseller

By far the most important thing to do to prevent attacks utilizing EternalBlue is to make sure that you've updated any older versions of Windows to apply the security patch MS17-010.


If, for some reason, that’s not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.


Ensuring you have a capable EDR security solution should go without saying, but if your organization is still behind the curve on that one, remember that passive EDR solutions are already behind-the-times and active EDR is required.


Please contact me at cybersec@global.co.za for more information on SentinelOne and Cyber Protection Services.

2020-07-10T12:50:31Z
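A host-side audit and hardening script for the two controls the answers above keep returning to: apply MS17-010 and disable SMBv1. This is an added example, not code from the thread or from any vendor named here; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, that the KB list is the March 2017 MS17-010 set (verify against the bulletin for your SKU), and that -Remediate is a switch name chosen for this script.

```powershell
# Added example: audit a Windows host for EternalBlue (MS17-010) exposure and,
# with -Remediate, switch SMBv1 off. Run elevated. -Remediate is a name chosen here.
param([switch]$Remediate)

# 1. Is the SMBv1 server protocol currently enabled?
$smb = Get-SmbServerConfiguration
"SMBv1 server enabled : $($smb.EnableSMB1Protocol)"

# 2. Is the SMB1Protocol optional feature installed? (Windows 8.1 / 10 client SKUs;
#    absent on older releases, hence SilentlyContinue)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature : $($feature.State)" }

# 3. Heuristic patch check: the March 2017 security-only / monthly-rollup KBs that
#    shipped MS17-010 (assumed list; confirm against the bulletin for your SKU).
#    Hosts patched by a later cumulative update will not list these, so treat
#    'none found' as 'verify via Windows Update', not as 'vulnerable'.
$ms17010 = 'KB4012212','KB4012215','KB4012213','KB4012216','KB4012214','KB4012217','KB4012598'
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) { "MS17-010 KB present  : $($installed.HotFixID -join ', ')" }
else            { "MS17-010 KB present  : none of the March 2017 KBs; confirm patch level via Windows Update" }

# 4. Is TCP 445 exposed by the host firewall? Show the built-in SMB inbound rules
#    and the profiles (Domain/Private/Public) they apply to.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like '*SMB-In*' } |
  Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# 5. Remediate: disable the SMBv1 server protocol and remove the feature.
#    Patching is still required; this only removes the vulnerable protocol.
if ($Remediate) {
  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
  if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
  }
  "SMBv1 disabled; reboot to complete feature removal, then apply MS17-010 / the current cumulative update."
}
```

Run it once without -Remediate to record the baseline, and check that nothing in the environment (old NAS, scanners, legacy print servers) still depends on SMBv1 before turning it off fleet-wide.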
Top 5 Leaderboard, Reseller

The "EternalBlue" exploit targeted open Server Message Block (SMB) ports and was used to great effect in the recent WannaCry ransomware attack.


Attacks leveraging the EternalBlue exploit generally follow this pattern:

  1. A vulnerable system with an open, unpatched port is identified.

  2. EternalBlue (or another exploit) is used to achieve remote code execution.

  3. The DoublePulsar backdoor is uploaded. This allows remote control of the infected system and the upload of an additional payload.

  4. An arbitrary payload is injected into the target system's memory using the DoublePulsar backdoor. In the case of WannaCry, this payload was ransomware, but it could potentially be any payload, including malware that does a much more effective job at hiding on a system.

  5. In the case of WannaCry, the payload also contained code that attempted to spread additional infections with the EternalBlue/DoublePulsar attack chain. This effectively made WannaCry a worm, a kind of malware that could spread without any kind of user intervention.

Though Microsoft published a patch for a number of the exploits contained in the Shadow Brokers' dump, unpatched systems still remain vulnerable to this kind of attack. It is important to note that a potential attacker could use any payload in the attack chain described above.


Basic tools to protect from EternalBlue:

1) Second generation AV

2) Cloud Backup

3) Cloud second generation VPN and Firewall


2020-07-10T06:46:57Z