How can businesses ensure that they are protected from EternalBlue attacks? Is this a job for EDR software?
You can use Palo Alto Cortex XDR networks to protect against this type of attack at the endpoint level.
EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.
EternalBlue exploits a vulnerability in outdated versions of Microsoft Server Message Block.
So the only known mechanism to protect against EternalBlue is to download the latest Windows software update and install the patch.
Microsofts Support Forum has a full step-by-step guide to walk you through this process and ensure that your business is utilising the latest version.
Additionally, you should ensure that the following safeguards are in place:
PATCH PATCH PATCH - is the answer every time
EternalBlue exploits officially named MS17-010 by Microsoft is a vulnerability that affects outdated versions of Microsoft Server Message Block (SMB). The quickest mechanism to protect against EternalBlue is through system PATCHING, i.e. download the latest version of Windows software update and install the patch.
The best part of AI products like Sentinel one is they are monitoring for this type of exploit. It's not just anti virus software. There is also a SOC that reacts when a machine is compromised. The hacker would use the exploit to get onto the machine this would alert the SOC. As soon as the hacker executes the cypto code the connection is severed with the hacker, the code is frozen and reversed. The machine would be kept offline until the security is checked. You would then unfreeze the machine. All this is automatic. As support you would get 10 to 15 emails explaining what was done. You would log into the portal to verify and unfreeze the machine.
By far the most important thing to do to prevent attacks utilizing Eternalblue is to make sure that you’ve updated any older versions of Windows to apply the security patch MS17-10.
If, for some reason, that’s not possible, other mitigations include disabling SMBv1 and not exposing any vulnerable machines to internet access.
Ensuring you have a capable EDR security solution should go without saying, but if your organization is still behind the curve on that one, remember that passive EDR solutions are already behind-the-times and active EDR is required.
Please contact me on email@example.com for more information on SentinelOne and Cyber Protection Services
“EternalBlue” exploit that targeted open server message block (SMB) ports and was used to great effect in the recent WannaCry ransomware attack.
Attacks leveraging the EternalBlue exploit generally follow this pattern:
Though Microsoft published a patch for a number of the exploits contained in the Shadow Broker’s dump, unpatched systems still remain vulnerable to this kind of attack. It is important to note that a potential attacker could use any payload in the attack chain described above.
Basic tool to protect from EternalBlue
1) Second generation AV
2) Cloud Backup
3) Cloud Second generation VPN and Firewall