Security Experts:

NSA's EternalBlue Exploit Fully Ported to Metasploit

The National Security Agency (NSA)-linked EternalBlue exploit that became well known after being used in a recent global ransomware campaign has been ported to the popular Metasploit penetration testing Framework.

Along with DoublePulsar, EternalBlue is one of the latest exploits publicly released by the hackers calling themselves “The Shadow Brokers” and is said to have been used by the NSA-linked Equation Group to launch cyber-attacks. When EternalBlue was made public, however, the flaw had been already addressed by Microsoft in their March security patches.

Abusing a vulnerability in Windows’ Server Message Block (SMB) on port 445, EternalBlue allowed the WannaCry ransomware to spread like a worm and hit over 200,000 machines within a few days only. Before WannaCry, however, a crypto-currency mining botnet dubbed Adylkuzz had been using the same exploit to compromise devices.

Researchers currently estimate there to be roughly one million computers Internet-acessible systems vulnerable to EternalBlue, but chances are that many more existed only a couple of days ago. Not only did Microsoft issue an emergency patch to protect older systems over the weekend, but the Adylkuzz botnet also blocks access to SMB after infection, to prevent other malware from exploiting the vulnerability.

Because malicious actors are already using EternalBlue in live attacks, researchers decided to add the exploit to the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. The framework is a sub-project of the penetration testing project Metasploit, which is a collaboration of the open source community and Rapid7.

The vulnerability exploited by EternalBlue is in SMBv1, but the exploit uses SMBv2 for the shellcode, one of the researchers behind the port, who goes by the online handle of zerosum0x0, explains. The penetration tester also notes that the code is still a little rough, but that more work will be done to it.

“The genie is already out of the bottle with EternalBlue. Let's keep in mind it's probably easier to rebundle the EternalBlue.exe than it is to pull in Ruby and Metasploit. Also, the original exploit still targets more versions. Just patch your systems people, it really isn't that hard. White hats need this exploit (instead of sketchy NSA malware) to show its impact to clients,” the researcher says.

The researchers also notes that FuzzBunch (NSA’s exploitation framework similar to Metasploit) makes the attack point and click, and that cybercriminals already have worms abusing it. The addition of EternalBlue to Metasploit should prove of great help to the infosec community, zerosum0x0 explains.

“I look at it this way, attackers and defenders are in an asymmetric war. If study is not done to the tools that are available to attackers, it is impossible to defend against them,” the researcher says.

Catalin Cosoi, Chief Security Strategist at Bitdefender, already expressed fears that EternalBlue-powered ransomware is bound to become the norm. Because many organizations failed to patch their systems in a timely manner, “it was only a matter of time until a cybercriminal group would weaponize the leaked vulnerability and strike at unpatched Windows systems,” he said.

“Computers in public institutions, hospitals and other care facilities are usually rarely updated. If they are not hit by ransomware now, these computers are vulnerable for state sponsored attacks for as long as they remain unpatched. Ransomware is the best case scenario now, because it’s visible. But complex threats can be built on it, to stay persistent and infiltrate organizations for a very long time,” Cosoi added.

One major difference between the Metasploit port of EternalBlue and the recent WannaCry and Adylkuzz attacks is the use of DoublePulsar. Instead of the NSA backdoor, the open source project stages Meterpreter userland payloads directly from the kernel through a queued APC. A shellcode that uses a similar technique as DoublePulsar's DLL injection is used, but is much smaller in size (up to 1000 bytes, depending on options enabled, compared to the 5000 bytes the NSA code has).

“This exploit also demonstrates what is important in the exploit for IDS/IPS/firewall rule makers. By finding out everything that can be nulled out, it evades many rules which were not fully considered, however those vendors can now add proper rules before an "0-day" worm version of it comes out,” zerosum0x0 points out.

Related: Industry Reactions to WannaCry Ransomware Attacks

Related: Vulnerable Services Emulator Released for Metasploit

view counter