SMB EternalBlue and DoublePulsar Exploit

The ShadowBrokers APT (Advanced Persistent Threat) group are well known for auctioning off stolen dumps of exploits, implants and tools reportedly obtained from the NSA. The most recent dump includes an exploit known as EternalBlue.

EternalBlue is an exploit designed to attack SMB (Server Message Block) file and print sharing services on the affected windows versions.

The tool can be used to exploit a publically accessible SMB service, providing a delivery mechanism for an attack using DoublePulsar – a backdoor also included in the ShadowBrokers dump.

The EternalBlue vulnerability was patched by Microsoft in March 2017 as part of MS17-010 which many believe was made possible by the NSA pre-warning Microsoft of the vulnerability.

The Attack enables the self-propagation of malware through NetBIOS and SMB. The malware targets the following specific MS17-010 vulnerabilities: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148.

We have a PowerShell script here that can check your PC for the patches it will check for all Microsoft KB patches associated to MS17-010.

Remediation

Ensure all systems are protected with the latest AV definitions

• If your network becomes infected immediately report it to your AV provider for investigation and patching
• Ensure your AV software is kept updated with the very latest security definitions, to detect current and evolving strains of malware which leverages this vulnerablity.
• Confirm with your AV provider that they have rolled out virus definitions which are supported by your organisation’s operating systems to protect you from the spread of this malware (especially if your organisation is running out of support operating systems).
• Ensure your AV software is properly configured and automatically scans all files and file operations (including file reads, writes and re-names) and manually run scans on critical areas such as servers and shared network file storage.

SMB Vulnerability Remediation

• Block SMB related ports (UDP 137, 138  and TCP 137, 139, 445) at your organisation’s external firewall https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment
• Ensure all affected platforms are updated in line with the Microsoft security bulletin MS17-010.  Microsoft has additionally recommended updating with all security patches released within the last 60 days – internet and N3 facing systems should be prioritised.  Because of the high severity of this vulnerability Microsoft has taken the highly unusual step of releasing a patch for out of support operating systems including Windows XP, Windows 8, and Windows Server 2003. For further information see Microsoft Customer guidance for WannaCry attacks
• Use a vulnerability scanner (such as Nessus, OpenVas or Microsoft Baseline Security Analyser) to identify any unpatched systems.
• If it is not possible to apply this patch then block SMB related ports (UDP 137, 138 and TCP 139, 445) across your organisation’s network or disable SMB
• Use a Port scanner to confirm UDP 137, 138  and TCP 139, 445 are locked down
• If your organisation has SMB port 445 exposed on any system then review if this is operationally necessary (including the use of NetBIOS ports UDP 137 & 138 and NetBIOS over TCP/IP TCP Ports 137 & 139) as SMB and NetBIOS are both legacy protocols that      may no longer be required within your environment.
• If  you are using SMBv1 in your environment (which is now 30 years old) and lacks security features of later version migrate to a more secure SMB version as described in the Microsoft Blog – Stop using SMB1