SMB EternalBlue and DoublePulsar Exploit

EternalBlue is an exploit designed to attack SMB (Server Message Block) file and print sharing services on the affected windows versions.

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.


Threat details

The ShadowBrokers APT (Advanced Persistent Threat) group are well known for auctioning off stolen dumps of exploits, implants and tools reportedly obtained from the NSA. The most recent dump includes an exploit known as EternalBlue.

EternalBlue is an exploit designed to attack SMB (Server Message Block) file and print sharing services on the affected Windows versions.

The tool can be used to exploit a publicly accessible SMB service, providing a delivery mechanism for an attack using DoublePulsar, a backdoor also included in the ShadowBrokers dump.

The EternalBlue vulnerability was patched by Microsoft in March 2017 as part of MS17-010, which many believe was made possible by the NSA pre-warning Microsoft of the vulnerability.

The attack enables the self-propagation of malware through NetBIOS and SMB. The malware targets the following specific MS17-010 vulnerabilities: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148.


Remediation steps

Ensure all systems are protected with the latest AV definitions

  • If your network becomes infected, immediately report it to your AV provider for investigation and patching.
  • Ensure your AV software is kept updated with the very latest security definitions, to detect current and evolving strains of malware that leverage this vulnerability.
  • Confirm with your AV provider that they have rolled out virus definitions which are supported by your organisation's operating systems, to protect you from the spread of this malware (especially if your organisation is running out-of-support operating systems).
  • Ensure your AV software is properly configured and automatically scans all files and file operations (including file reads, writes and renames), and manually run scans on critical areas such as servers and shared network file storage.

SMB Vulnerability Remediation

  • Block SMB-related ports (UDP 137, 138 and TCP 137, 139, 445) at your organisation's external firewall: https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment
  • Ensure all affected platforms are updated in line with the Microsoft security bulletin MS17-010. Microsoft has additionally recommended updating with all security patches released within the last 60 days; internet- and N3-facing systems should be prioritised. Because of the high severity of this vulnerability, Microsoft has taken the highly unusual step of releasing a patch for out-of-support operating systems including Windows XP, Windows 8, and Windows Server 2003. For further information see Microsoft Customer guidance for WannaCry attacks.
  • Use a vulnerability scanner (such as Nessus, OpenVAS or Microsoft Baseline Security Analyser) to identify any unpatched systems.
  • If it is not possible to apply this patch, then block SMB-related ports (UDP 137, 138 and TCP 139, 445) across your organisation's network or disable SMB.
  • Use a port scanner to confirm UDP 137, 138 and TCP 139, 445 are locked down.
  • If your organisation has SMB port 445 exposed on any system, then review whether this is operationally necessary (including the use of NetBIOS ports UDP 137 & 138 and NetBIOS over TCP/IP TCP ports 137 & 139), as SMB and NetBIOS are both legacy protocols that may no longer be required within your environment.
  • If you are using SMBv1 in your environment (a protocol that is now 30 years old and lacks the security features of later versions), migrate to a more secure SMB version as described in the Microsoft blog post Stop using SMB1.
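The "confirm the ports are locked down" step above, as an added example (not NHS Digital's own tooling): a small Python checker, run from a vantage point outside the firewall against hosts you administer. It connect-tests TCP 139/445 and sends a NetBIOS node-status query (the same request nbtstat -A sends) to UDP 137, because a filtered UDP port never answers and so cannot be distinguished from open by connect(). UDP 138 (NetBIOS datagram service) has no request/response exchange, so that rule is verified from the firewall configuration rather than by probing; the host list is an assumed command-line argument.

```python
import socket
import struct
import sys

TCP_PORTS = (139, 445)


def nbstat_query(txid: int = 0x1234) -> bytes:
    """Build a NetBIOS Name Service node-status request for the wildcard name '*'."""
    # Header: transaction id, flags 0 (unicast query), 1 question, 0 answers/NS/AR
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    name = b"*" + b"\x00" * 15  # 16-byte NetBIOS name, '*' is the wildcard
    # First-level encoding: each nibble becomes one letter in the range A..P
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in name)
    # Length byte 0x20 (32 chars), encoded name, terminator, type NBSTAT (0x21), class IN
    question = b"\x20" + encoded + b"\x00" + struct.pack(">HH", 0x0021, 0x0001)
    return header + question


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes (port reachable through the firewall)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:
            return False


def nbns_answers(host: str, timeout: float = 2.0) -> bool:
    """True if UDP 137 on host replies to a node-status query; timeout means closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(nbstat_query(), (host, 137))
            data, _ = s.recvfrom(1024)
            return len(data) >= 12  # any NBNS reply means the port is reachable
        except OSError:  # socket.timeout is an OSError subclass
            return False


def audit(hosts, tcp_probe=tcp_open, udp_probe=nbns_answers):
    """Map each host to the list of exposed SMB/NetBIOS ports; an empty list means locked down."""
    report = {}
    for host in hosts:
        exposed = [f"tcp/{p}" for p in TCP_PORTS if tcp_probe(host, p)]
        if udp_probe(host):
            exposed.append("udp/137")
        report[host] = exposed
    return report


if __name__ == "__main__":
    for host, exposed in audit(sys.argv[1:]).items():
        print(host, "EXPOSED: " + ", ".join(exposed) if exposed else "locked down")
```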

Advice to NHS staff

NHS staff are advised to ensure their home computers have Windows automatic updates enabled and AV software installed which is automatically updated with the latest definitions. This will help protect their personal computers and the wider internet community at large.



Last edited: 21 December 2021 12:41 pm