The NSA Tool That Helps Hack the World

AN ELITE hacking team based in Russia, an infamous ransomware attack, an espionage group centered in Middle East, and endless amount of cryptojackers all have one thing in common. Though their methods and efforts may come in different forms, they all bank on a leaked NSA hacking tool, EternalBlue, to infiltrate target computers and spread malware across networks.

Leaked to the public not quite a year ago, EternalBlue in now another tool hackers have under their "utility belts".The Blaster (computer worm)wreaked havoc in 2003 on Widows XP and Windows 2000, the same modernized, Conficker Windows Worm infected millions of Windows Operating Systems in 2008. EternalBlue is certainly continuing that tradition of back door intruding on Windows—and from what we have already seen, it is not going anywhere. Security analysts only see use of EternalBlue diversifying as attackers develop newer and more clever ways to deploy its malware.

Adam Meyers, VP. of Intelligence at the security firm CrowdStrike, when speaking about EternalBlue said, "When you take something that’s weaponized and a fully developed concept and make it publicly available you’re going to have that level of uptake, a year later there are still organizations that are getting hit by EternalBlue and still organizations that haven’t patched it."

HOW IT WORKS
The tool exploits a vulnerability in the Windows Server Message Block, a protocol that allows devices on the Windows platform to communicate with one another and other devices for things such as file and print sharing. Attackers have found a way to manipulate flaws in how SMB handles certain packets to remotely execute any code of their own. Once a hacker gets access to the initial target device, they can quickly spread out across the entire network in no time.

VIKRAM THAKUR, CEO of SYMANTEC says, " It's incredible that a tool which was used by Intelligence Services is now publicly available and so widely used amongst malicious actors." Microsoft released its EternalBlue patches on March 14 of last year. But security update adoption is spotty,(always update your computer)especially on a larger scale...Corporate and Institutional Networks. You maybe even heard of an attack using EternelBlue. Within two months of its release, EternalBlue was the centerpiece of the worldwide WannaCry Ransomware Attacks. As WannaCry hit, Microsoft even took the "highly unusual step" of issuing patches for the still popular and much older but long-unsupported Windows XP and Windows Server 2003 operating systems.

In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected.

Eternal Blues
The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue's profile, many attackers had already realized the exploit's potential by then.

Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. "WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them," says Jérôme Segura, lead malware intelligence analyst at the security firm Malwarebytes. "There are definitely a lot of machines that are exposed in some capacity."

Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. "EternalBlue will be a go-to tool for attackers for years to come," says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. "Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed. There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms."

At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker's toolbox—much like the password extraction tool Mimikatz. But EternalBlue's widespread use is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people's crowbar. It is also frequently used by an array of nation state hackers, including those in Russia's Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.

'EternalBlue will be a go-to tool for attackers for years to come.'
JAKE WILLIAMS, RENDITION INFOSEC
New examples of EternalBlue's use in the wild still crop up frequently. Recently, attackers used EternalBlue to install cryptocurrency-mining software on target computers and servers, refining the techniques to make the attacks more reliable and effective.

Vikram Thakur says "It's incredible that a tool which was used by an intelligence service is now publicly available and so widely used amongst malicious actors,""To a hacker it’s just a tool to make their lives easier in spreading across a network. plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three."

Entertaining read and a reminder to always keep your devices updated. ha