Cyber Security

EternalBlue – Not Just A Cool Name

 August 10, 2020

By  Anton Kiorolgo

Shadow Brokers sounds like the name of a heavy metal band or cyberpunk video game, however, it is the name of a group of cybercriminals – cybercriminals who have released multiple sets of hacks and information developed by the NSA (National Security Agency) onto the web, one of the most famous being EternalBlue.

EternalBlue is known for:

  • Extracting user password on network user accounts and websites.
  • Installing cryptocurrency mining software on target devices.

EternalBlue isn’t only an exploit, it is an entire group of vulnerabilities (accidentally) built into the Microsoft Windows operating system. (CVE-2017-0143 through CVE-2017-0148.) Some others are known as DarkPulsar and FuzzBunch, for example.

How Does EternalBlue Work?

The tool utilizes a vulnerability in the Windows SMB, Server Message Block, (Also known as Common Internet File System (CIFS)) which is a transport protocol that enables Windows machines to speak between each other for the purpose of executing remote services and sending data to printers.

EternalBlue makes it possible for these traveling packages of information to be opened, changed, and sent on their way. This makes it possible for an attacker to execute any form of code that they desire. This is attributed to EternalBlue’s ability to exploit Microsoft’s SMB v1.0. – part of the Active Directory. The advantage of this being that interprocess communication share (IPC$) allows for a null session, meaning that the connection may still execute anonymously. The issue is that null sessions are allowed by default. The combination of these two allow for commands to be sent through with no regulation.

EternalBlue, DarkPulsar, and FuzzBunch are compatible with any versions of Windows before Windows 8, which includes Windows 7 and Windows XP.

To make things worse, EternalBlue and other formats are easy-to-use carrying systems for malware such as WannaCry, Trickbot, and WannaMine.

Shadow Brokers?

EternalBlue also is compatible with other Shadow Brokers releases, such as the kernel backdoor exploit known as DarkPulsar, which tunnels itself into the target PC’s core directory where it can still undetected, collecting information, or loading in malware applications. There is also a cherry on top of the computer hacking sundae, in the form of an exploit named FuzzBunch – essentially a step-by-step one-stop-shop hacking platform, combining several Windows exploits onto one platform, with it being described as “god mode for Microsoft computers.”

Is There A Fix?

The MS17-100 security patch closed the SMB loophole. However, security experts are still concerned. The security patch has been widely applied to personal computers, however, devices such as internet-connected servers are often neglected in terms of patches, leaving them still vulnerable to eternal blue attacks.

Should the proper patches be applied – EternalBlue will not be an issue.

The programming loopholes that created EternalBlue’s foundations were originally discovered within the Windows operating system by the Equation Group, an interior hacking group within the NSA. The Equation Group held onto the secret, developing what would become EternalBlue. In August 2016, the Shadow Brokers stole it.

Only after the theft of EternalBlue did the NSA notify Microsoft.

Shadow Brokers uploaded EternalBlue onto the internet on April 14, 2017.

Security patches came too late. EternalBlue had already been released.

Security expert Matthew Hickey gave a grave quote on the existence of EternalBlue. “EternalBlue is is quite possibly the most damaging thing I’ve seen in the last several years…This puts a powerful nation state-level attack tool in the hands of anyone who wants to download it to start targeting servers.”

Want to join in the conversation? Talk with us on social media!

Facebook: https://www.facebook.com/secfirstit/

LinkedIn: https://www.linkedin.com/company/securityfirstit

Hashtags: #vacationsafety #vacation #MSPs #MSPSecurity #workingfromvacation #internetsecurity #ITSecurity

WannaCry? Predicting the Future:

May 12, 2017 marked the first worldwide WannaCry attack. Over 200,000 individuals utilizing unpatched equipment were affected, totaling to incidents in over 150 countries. EternalBlue was utilized to spread the infection without detection. EternalBlue simply located a public-facing SMB port, established a connection, and was then able to move freely.

WannaCry attacked the National Health Service in the U.K. as part of one of the most famous cyberattacks in the past decade. Services were universally halted or disrupted, including surgeries and important appointments. At the same time, WannaCry took on and damaged systems at FedEx, Renault, European service companies in the gas and telecoms industries, and additional hospital organizations in Indonesia, among others.

That first wave of WannaCry attacks cost a collective eight billion dollars to repair.

Years later, the affected organizations are still struggling with the after-effects, finding lost data or making payments on fines and lost income.

The risk search engine Shodan has indicated that there are over one million machines still running on unpatched software, making them susceptible to an EternalBlue attack.

Before, ransomware attacks were limited to single employees within a business, but the scope of ransomware attacks have grown due to EternalBlue, allowing malware to silently spread across entire networks all in one go. The scariest part being that it only takes one execution to bring down the entire network – the double click of a single wayward file can cost millions.

The Original:

  • Not Petya

Not Petya presents itself as a file encrypting ransomware virus, however, files are not decrypted after payment – leaving the victim’s files unusable. It is believed that this malware is of Russian national origin, and was used against government entities in the Ukraine, taking down the country’s digital infrastructure for a few days – including the country’s hospital, public service, and banking systems.

  • Retefe

Retefe isn’t the name of a rejected character from an animated movie about lions – it is a banking trojan targeting European and Japanese markets through spam email campaigns. The spam emails are not new; however, it is now utilizing EternalBlue to spread through networks, creating a botnet.

  • WannaMine

This mining software utilizes EternalBlue to mine for Monero, a cryptocurrency popular with black markets, as it is privacy-focused and widely adopted as a payment method. The victim’s computer will slow down as CPU power is taken up by the computations being run by the mining software – the software then spreads through the network, creating a mining botnet.

The Latest Timeline:


  • EternalRocks: EternalRocks malware was in development but dropped before first deployment – luckily. EternalRocks was designed to lie dormant for 24 hours before activating, making premature sensing by scanning software unlikely. Post deployment, it would be too late – having infected an entire network before being caught, using EternalBlue to spread.
  • Adylkuzz: This mining malware uses EternalBlue to move among networked computers.
  • UIWIX: Like WannaCry, UIWIX utilizes EternalBlue to spread through networks. UIWIX utilizes two separate encryption algorithms, making it difficult to combat.
  • Gamefish: Targeted exclusively at the WiFi networks of major hotel chains in Europe, Gamefish used EternalBlue to spread. It has tentative traces to APT28, or Russia’s Fancy Bear/Sofacy/Pawn Storm.
  • Smominru: This Monero-mining malware intelligently utilizes older hardware and devices to create a botnet, rather than newer devices which may catch it quickly.


  • TrickBot: Trickbot malware, utilizing EternalBlue, spreads through networks, infecting any machines it can reach laterally.
  • Satan: Satan malware, classified as ransomware, began spreading using the EternalBlue exploit in 2018.
  • Glupteba: Originally used as a platform for malicious advertising, this malware has been refitted for more profitable cryptocurrency mining, using EternalBlue to gain access to new computers through networks.


  • Ludicrouz: This botnet utilizes EternalBlue to spread through networks, forming a larger botnet network as it spreads.
  • Vools: Vools is a carrying system, utilizing EternalBlue to bring malware onto networks.
  • PCASTLE: This China-focused exploit mining malware uses EternalBlue to move among networked computers.
  • Yatron: Utilizing EternalBlue, this ransomware spreads amongst targeted networks designated by the software’s renter. Yes – Yatron is a rented malware service – the renter directing attacks where they wish – and Yatron does the rest.
  • BlackSquid: This mining malware uses EternalBlue to move among networked computers.

When State Secrets Aren’t Secrets Anymore

Hacking exploits have the possibility of being exposed, as they exist in the virtual space – the problem is when they leave the hands of the agents who created them. Exploits are built within state agencies to be easy to use, as a wide swath of agents will need to learn and use them.

Having trouble finding trustworthy IT support?

Please contact us to schedule a consultation.

Subscribe to our newsletter now!