2020-07-07T07:37:00Z

How does EternalBlue work?

Rony_Sklar - PeerSpot reviewer
PeerSpot user

7 Answers

it_user1146165 - PeerSpot reviewer
Real User
2020-07-09T22:05:40Z
Jul 9, 2020

You can use Palo Alto Cortex XDR networks to protect against this type of attack at the endpoint level.

DV
Vendor
Top 10
2020-07-09T16:30:03Z
Jul 9, 2020

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.


Ref:

https://cve.mitre.org/cgi-bin/...
https://www.avast.com/c-eterna...

Nikki Webb - PeerSpot reviewer
Consultant
Top 20
2020-07-09T13:15:17Z
Jul 9, 2020

EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.


So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.


Microsoft's Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilising the latest version.


Additionally, you should ensure that the following safeguards are in place:



  • Anti-virus software - an AI product like SentinelOne is needed; traditional anti-virus is just not up to the job anymore

  • Secure offsite backup with “attack-loop” prevention

  • Filter for .exe attachments in emails

  • Encrypt sensitive data


PATCH PATCH PATCH - is the answer every time 

TM
Real User
Top 10
2020-07-09T12:02:55Z
Jul 9, 2020

The EternalBlue exploit, officially named MS17-010 by Microsoft, is a vulnerability that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is through system PATCHING, i.e. download the latest version of the Windows software update and install the patch.

MV
Real User
2020-07-09T10:01:54Z
Jul 9, 2020

The best part of AI products like SentinelOne is that they are monitoring for this type of exploit. It's not just anti-virus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine; this would alert the SOC. As soon as the hacker executes the crypto code, the connection with the hacker is severed, and the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.

SP
Real User
Top 20
2020-07-10T12:50:31Z
Jul 10, 2020

By far the most important thing to do to prevent attacks utilizing EternalBlue is to make sure that you’ve updated any older versions of Windows to apply the security patch MS17-10.


If, for some reason, that’s not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.


Ensuring you have a capable EDR security solution should go without saying, but if your organization is still behind the curve on that one, remember that passive EDR solutions are already behind-the-times and active EDR is required.


Please contact me on cybersec@global.co.za for more information on SentinelOne and Cyber Protection Services

PM
Reseller
2020-07-10T06:46:57Z
Jul 10, 2020

“EternalBlue” exploit that targeted open server message block (SMB) ports and was used to great effect in the recent WannaCry ransomware attack.


Attacks leveraging the EternalBlue exploit generally follow this pattern:


  1. A vulnerable system with an open, unpatched port is identified.

  2. EternalBlue (or another exploit) is used to achieve remote code execution.

  3. The DoublePulsar backdoor is uploaded. This allows remote control of the infected system and the upload of an additional payload.

  4. An arbitrary payload is injected into the target system’s memory using the DoublePulsar backdoor. In the case of WannaCry, this payload was ransomware, but it could potentially be any payload, including malware that does a much more effective job at hiding on a system.

  5. In the case of WannaCry, the payload also contained code that attempted to spread additional infections with the EternalBlue/DoublePulsar attack chain. This effectively made WannaCry a worm, a kind of malware that could spread without any kind of user intervention.

Though Microsoft published a patch for a number of the exploits contained in the Shadow Brokers’ dump, unpatched systems still remain vulnerable to this kind of attack. It is important to note that a potential attacker could use any payload in the attack chain described above.


Basic tools to protect from EternalBlue:

1) Second generation AV

2) Cloud Backup

3) Cloud Second generation VPN and Firewall
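
A defender's view of steps 1 and 5 of the pattern above, as an added example that is not part of the original answers: it scans flow records for SMB (TCP 445) connections accepted from outside the internal ranges, and for internal hosts fanning out to many SMB targets in a short window, as a worm would. The log format, addresses, internal ranges and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "epoch_seconds src dst dst_port action"
SAMPLE_FLOWS = """\
1000 203.0.113.7 10.0.0.20 445 ALLOW
1005 10.0.0.8 10.0.0.9 445 ALLOW
1010 10.0.0.31 10.0.1.1 445 DENY
1011 10.0.0.31 10.0.1.2 445 DENY
1012 10.0.0.31 10.0.1.3 445 ALLOW
1013 10.0.0.31 10.0.1.4 445 DENY
1014 10.0.0.31 10.0.1.5 445 DENY
1020 198.51.100.4 10.0.0.21 445 DENY
1030 10.0.0.8 10.0.0.9 443 ALLOW
"""

# Assumption: the organisation's internal address space is RFC 1918 only.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)

def find_smb_risks(text, window=60, fanout=5):
    """Return (internet-exposed SMB hosts, internal hosts fanning out on SMB)."""
    exposed, by_src = set(), defaultdict(list)
    for line in text.splitlines():
        try:
            ts, src, dst, port, action = line.split()
            ts, port = int(ts), int(port)
            src_in, dst_in = is_internal(src), is_internal(dst)
        except ValueError:
            continue  # skip blank or malformed lines
        if port != SMB_PORT:
            continue
        if not src_in and dst_in and action == "ALLOW":
            exposed.add(dst)  # SMB accepted from outside the internal ranges
        if src_in:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, events in by_src.items():
        events.sort()
        # Slide a window from each event and count distinct SMB targets in it.
        if any(len({d for t, d in events[i:] if t - s <= window}) >= fanout
               for i, (s, _) in enumerate(events)):
            scanners.add(src)
    return sorted(exposed), sorted(scanners)
```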

