Putting the Eternal in EternalBlue: Mapping the Use of the Infamous Exploit

WannaCry is a familiar name to security professionals, enterprises and even regular internet users—the massive 2017 ransomware outbreak made headlines and cost several multinationals millions of dollars in repair and recovery. Two years later, enterprises are still being targeted by WannaCry. The Trend Micro™ Smart Protection Network™ shows it is still the most detected ransomware of 2019. In fact, the total detections for WannaCry total more than all other ransomware families combined.

WannaCry still accounted for the majority of ransomware detections: Monthly comparison between detections of WannaCry and combined detections of the other ransomware families in the first half of 2019

The moving force behind the spread of WannaCry is EternalBlue (patched by Microsoft in MS17-010), which is an exploit leaked by the cybercriminal group ShadowBrokers and widely reported to be stolen from the National Security Agency (NSA). EternalBlue actually involves CVE-2017-0143 to 48, a family of critical vulnerabilities related to the Microsoft SMBv1 server protocol used in certain Windows versions. It allows an attacker to execute arbitrary code on a victim system by sending tailored messages to the SMBv1 server. Because the Microsoft SMB vulnerabilities affect many different systems across industries—from healthcare machinery to office printers, storage devices and more—cybercriminals quickly adopted EternalBlue. And because many enterprises have trouble instituting patches and remain vulnerable, these criminals are still using EternalBlue.

EternalBlue has been steadily in use since 2017. Just a few weeks after the leak, there were already a variety of malware using the exploit—apart from WannaCry, there was the fileless ransomware UIWIX, mining malware Adylkuzz, and the SMB worm EternalRocks. In 2018, we saw even more ransomware adopt it; and in 2019 it is part of the toolbox of several mining malware. Some of the malware using EternalBlue are old, known threats that have adopted new tools and capabilities.

We tracked the notable malware that use EternalBlue though our Smart Protection Network and publicly available indicators of compromise to provide a clear view of how it is still used against vulnerable systems today.

EternalBlue EternalBlueMay 20172017:Aftershocks2018:A YearLater2019:Two YearsLaterEternalRocksWannaCryAdylkuzzUIWIX NotPetyaJun. 2017RetefeSept. 2017SmominruAug. 2017GamefishAug. 2017SatanAprilTrickBotMarchRedis- WannaMineMarchGluptebaJulyLudicrouzMarchYatronAprilBlackSquidJunePCASTLEJuneVoolsAugustMyKingsAugust Even more malware start using EternalBlue Despite the typically short lifespan of exploits, EternalBlue is still actively usedOlder malware take up EternalBlue One month after EternalBlue was leaked by the Shadow brokers group, multiple ransomware and mining malware using the exploit were detected within weeks of each other.

Notable malware tracked from May 2017 to September 2019

EternalBlue activity over the years

As we can see, EternalBlue is still quite active even two years after a patch was released. We looked at the activity of malware using EternalBlue from 2017 to September 2019 from our Smart Protection Network, we can see how specific samples of malware that use EternalBlue and vulnerabilities covered by MS17-010 have been active from 2017. And we also see that even in 2019, WannaCry has the most detections of the malware using EternalBlue. The numbers for WannaCry are almost quadruple the detections for all the other ransomware combined.

SPN detection numbers of specific malware samples known to use EternalBlue May 2017- September 2019

Monthly detections of specific malware using EternalBlue from January to September 2019

Top five malware using EternalBlue in 2019 based on detections from SPN

As a tool, EternalBlue helps hackers broadly compromise numerous victims, which is why ransomware and miners take on the exploit. Ransomware distributors used to prefer quantity over quality when it came to victims, although now their targeting tactics might be changing. WannaCry aside, in 2019, most of the malware using EternalBlue are cryptocurrency mining malware–more compromised devices means more computing power for mining.

The easiest step enterprises can take to protect themselves from EternalBlue is to patch their systems. Microsoft released a patch for this vulnerability in March 2017, mere weeks after the leak of the exploit. However, patching can be difficult for enterprises–there may be disruptions to operations and the process may be lengthy for large or multinational groups. But this is a necessary step, especially because EternalBlue is still very actively being utilized by cybercriminal groups.

For comprehensive protection against EternalBlue, enterprises can deploy security solutions that detect and prevent malware using the exploit. A multilayered approach to security is important — securing everything from the gateway and endpoints to networks and servers. Trend Micro solutions powered by XGenTM security, such as Trend MicroTM Security and Trend Micro Network Defense, can detect related malicious files and URLs and protect users’ systems. Trend Micro Smart Protection Suites and Trend Micro Worry-FreeTM Business Security, which have behavior monitoring capabilities, can additionally protect from these types of threats by detecting malicious files, as well as blocking all related malicious URLs.

Specifically regarding EternalBlue, Trend Micro Deep Security and Vulnerability Protection are protected by the following IPS rules:

  • IPS Rules 1008224, 1008228, 1008225, 1008227 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities

Trend Micro Deep Discovery Inspector customers are protected with the following rule:

  • DDI Rule 2383: CVE-2017-0144 - Remote Code Execution - SMB (Request)

Trend Micro TippingPoint customers with the following filters have updated protection:

  • Filters 5614, 27433, 27711, 27935, 27928 - Includes coverage for MS17-010 and some specific protection against Windows SMB remote code execution vulnerabilities and attacks
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.