NSA Malware EternalBlue Port into Microsoft Windows 10

A Malware called “EternalBlue”  Vulnerability Successfully port the exploit to Microsoft Windows 10 by the Security Researchers which has been only affected earlier with Microsoft Windows XP (Server 2003) and Microsoft Windows 7 (Server 2008 R2) Along with Wanna cry Ransomware.

EternalBlue Malware infecting Windows based  Server Message Block (SMB) protocol Developed By National Security (NSA) and believes that it has been released by Shadow Brokers hackers Group in April 2017 and it has been used for Wanna cry Cyber Attack.

SMB version 1 (SMBv1) Server in various versions of Microsoft Windows accepts specially crafted packets from remote attackers, is the Reason for This vulnerability existed with windows os which leads to perform Remoter Code Execution which was mainly targeted only Windows 7 and XP.

Also Read: Mass Scan Revealed More Than 30000 Windows Computers Infected by NSA backdoor DoublePulsar

EternalBlue Target Specific Version of Windows 10

Researchers Discovered this Exploit in Microsoft Windows 10 Redstone 1 (August 2016) and specifically Target  Microsoft Windows 10 x64 Version 1511  and The build number is Microsoft Windows 10.0.10586.

According to the technical Writeup Released by Researchers, preventPort to virtually all vulnerable Microsoft Windows versions that use the NT kernel is possible, apart from the key defenses recently made available in the bleeding-edge versions of Microsoft Windows 10.

Redstone 1 (August 2016) and Redstone 2 (April 2017) introduce mitigations such as the Page Table Entry and HAL Heap randomizations, which will help protect users against future exploits of this class.

Inbuilt Windows Firewalpreventsthe SMB port from being open by default.However, with default settings for both enterprise domain and private home networks, the firewall allows the port to be accessed. The IPC$ share also disallows anonymous logins.

Also Read: New SMB Network Worm “MicroBotMassiveNet” Using 7 NSA Hacking Tools, Wanna cry using only Two

Core area of Eternalblue Vulnerability in Win 10

According to  Researchers, Reverse Engineering determined that code paths for SMB traffic had been changed, resulting in error messages for certain invalid operations being changed.

Essentially, the patch inadvertently added an information disclosure that allows a remote, uncredentialled attacker to determine if the patch has been installed.
“One example of a new code path can be observed by connecting to the Inter-Process Communications (IPC$) tree and attempting an SMB NT Trans2 transaction on FID 0”

Prior to the patch, machines will return the STATUS_INSUFF_SERVER_RESOURCES error code. On a patched machine, additional authentication checks were added, meaning STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED will be given, depending on the version of Microsoft Windows being tested.

Metasploit Modules for Eternalblue

Rapid7 has been realized the Eternalblue Vulnerability scanning in Metasploit Exploit Module.

This will help us scan the Eternal Blue Vulnerability in Windows platform which makes to mitigate the Vulnerable version of windows.

According to Rapid 7, the module was developed to enable security professionals to test their organization’s vulnerability and susceptibility to attack via EternalBlue.

As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run.

Read the Technical Writeup HERE

Also Read: New CIA Cyberweapon Malware “Pandemic” installed in Victims Machine and Replaced Target files where remote users use SMB to Download