The EternalBlue exploit is a serious exploit leaked by the ShadowBrokers which uses a vulnerability in the popular Server Message Block (SMB) protocol version 1. SMB is mainly used for providing shared access to files, printers, and serial ports and for miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.
The EternalBlue exploit allows anyone on the Internet to attack exposed SMB servers and run arbitrary code of their choice. This compromises the complete machine and the data stored on it, and it also allows complete control over the victim's machine and network. An example of this is the WannaCry ransomware attack, which infected over 20.000 machines worldwide by spreading through vulnerable SMB servers.
We have tested some of our own services from an attacker's view. We attacked ourselves from outside. Without using any privileged information or credentials we were able to infect and completely control the machine, its programs and its communication.
As long as the vulnerable version of SMB is in use it can be abused. A patch by Microsoft has been released and now it has to be deployed. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.
CVE-2017-0144 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names maintained by MITRE.
The exploit is called EternalBlue because this is the internal name used by the National Security Agency before it was leaked by the ShadowBrokers group.
Bugs in a single piece of software or a library come and go and are fixed by new versions. However, this bug has been kept private by the National Security Agency in order to use it for surveillance. Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, this exposure should be taken seriously.
You are likely to be affected either directly or indirectly. Microsoft Windows is one of the most popular operating systems. Your computer, your company's computers, or even government computers might be running vulnerable SMB servers.
Status of different versions:
Exploitation of this bug does not leave any trace of anything abnormal in the logs of the affected machine.
Intrusion detection and prevention systems (IDS/IPS) rules to detect the use of affected ports, such as TCP port 445 for SMB, have been developed.
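Since the exploited host itself logs nothing abnormal, the network edge is where exposure shows up. The following is an added example (not part of the original page or of any IDS product): it scans constructed firewall/flow log lines for SMB connections (TCP port 445) whose source lies outside the local RFC 1918, loopback and link-local ranges, which is exactly the "open to the Internet" condition described above. The log line format and all addresses are constructed for this example; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet addresses.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (not from a real device). One connection per line:
# "<timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 203.0.113.7:51234 -> 192.168.1.20:445 tcp
2017-05-12T10:01:04Z 192.168.1.15:49152 -> 192.168.1.20:445 tcp
2017-05-12T10:01:09Z 198.51.100.23:40001 -> 192.168.1.20:445 tcp
2017-05-12T10:02:11Z 203.0.113.7:51240 -> 192.168.1.21:80 tcp
2017-05-12T10:02:30Z 198.51.100.23:40002 -> 192.168.1.22:445 tcp
2017-05-12T10:03:00Z 192.168.1.30:50000 -> 192.168.1.20:443 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

SMB_PORT = 445  # SMB over TCP, the port named in the text

# Address space treated as "inside"; anything else is considered Internet-facing.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]


def parse_line(line):
    """Return a dict for a well-formed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the INTERNAL_NETS ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(log_text):
    """Return records of TCP connections to port 445 from non-internal sources."""
    return [rec for rec in map(parse_line, log_text.splitlines())
            if rec and rec["proto"] == "tcp" and rec["dport"] == SMB_PORT
            and not is_internal(rec["src"])]


def exposed_hosts(log_text):
    """Count externally reachable SMB connections per internal destination host."""
    return Counter(rec["dst"] for rec in find_external_smb(log_text))
```

Any host that appears in `exposed_hosts()` is reachable on SMB from outside the network and is a candidate for patching, disabling SMBv1, or blocking port 445 at the perimeter.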
EternalBlue has been used in the wild by the WannaCry ransomware and the Adylkuzz malware.
While it is currently unknown who found the bug behind the EternalBlue exploit, it is certain that it has been used by the National Security Agency, according to the ShadowBrokers group.