The NSA’s EternalBlue exploit has been ported to Windows 10 by white hats, meaning that every unpatched version of the Microsoft operating system back to Windows XP—and likely earlier—can be affected by one of the most powerful attacks ever made public.
Researchers at RiskSense, among the first to analyze EternalBlue, its DoublePulsar backdoor payload, and the NSA’s Fuzzbunch platform (think: Metasploit), said they would not release the source code for the Windows 10 port for some time, if ever. The proof of concept has been in the works since the ShadowBrokers’ April leak of Equation Group offensive hacking tools targeting Windows XP and Windows 7, and since the development of a Metasploit module based on EternalBlue that was released two days after the WannaCry attacks. The best defense against EternalBlue, the researchers maintain, is to apply the MS17-010 update that Microsoft provided in March.
The researchers did today publish a report (PDF download) explaining what was necessary to bring the NSA exploit to Windows 10 and examining the mitigations implemented by Microsoft that can keep these attacks in check moving forward.
“We’ve omitted certain details of the exploit chain that would only be useful to attackers and not so much for building defenses,” said senior research analyst Sean Dillon. “The research is for the white-hat information security industry in order to increase the understanding and awareness of these exploits so that new techniques can be developed that prevent this and future attacks. This helps defenders better understand the exploit chain so that they can build defenses for the exploit rather than the payload.”
The available Metasploit module, which is completely separate from the new Windows 10 port, is a stripped-down version of EternalBlue that reduces the amount of network traffic involved; as a result, many of the intrusion detection system rules created since the leak and recommended by security companies and the U.S. government could be bypassed. It also removes the DoublePulsar backdoor, to which Dillon said many security companies paid too much unnecessary attention. DoublePulsar is a kernel-level exploit dropped by all of the exploits in the Fuzzbunch platform.
“The DoublePulsar backdoor is kind of a red herring for researchers and defenders to focus on,” Dillon said. “We demonstrated that by creating a new payload that can load malware directly without having to first install the DoublePulsar backdoor. So people looking to defend against these attacks in the future should not focus solely on DoublePulsar. Focus on what parts of the exploit we can detect and block.”
The new port targets Windows 10 x64 version 1511, code-named Threshold 2, which was released in November and is still supported in the Windows Current Branch for Business. The researchers had to bypass mitigations introduced in Windows 10 that are not present in Windows XP, 7 or 8, mitigations that defeat the original EternalBlue’s bypasses for DEP and ASLR.
“To port to Windows 10, we had to create a new bypass for DEP,” Dillon said. The RiskSense report goes into painstaking detail about the new attack, including a new payload that replaces DoublePulsar; Dillon said DoublePulsar is cryptographically insecure and allows anyone to load secondary malware, which is what happened with WannaCry. RiskSense’s new payload uses an Asynchronous Procedure Call (APC) that allows user-mode payloads to be executed without the backdoor.
“An APC can ‘borrow’ a process thread that is in an idle Alertable state, and while it relies on structures whose offsets change between versions of Microsoft Windows, it is one of the most reliable and easiest ways to exit kernel mode and enter user mode,” RiskSense said in its report.
The ShadowBrokers’ leaks have been snapshots of the NSA’s offensive capabilities, and rarely an image of its current arsenal. It’s likely that by now the NSA has a Windows 10 version of EternalBlue, but until today, such an option hasn’t been available to defenders. In the meantime, EternalBlue remains one of the most complex attacks made public, one that worried NSA insiders should it ever be stolen and/or leaked; the NSA is believed to have alerted Microsoft about the impending ShadowBrokers’ leak, giving the company time to build, test and deploy MS17-010 one month before the April leak.
“There are really only a handful of people who could have written the original EternalBlue exploit, but now that it’s out there and you can study the original exploit and the techniques used, it opens the door for many more amateur-type hackers to understand what’s going on,” Dillon said. “It’s really easy to use a buffer overflow to cause a crash. It’s harder to get code execution. So, whoever wrote the original exploits did a lot of experimentation to find the best path to turn that crash into code execution. They’ve done all the hard work, so now it’s about what’s changed between different versions of Windows to fix it up.”
Dillon said EternalBlue’s capability to provide attackers with an instant remote unauthenticated Windows code execution attack is the best type of exploit at a hacker’s disposal.
“They definitely broke a lot of new ground with the exploit. When we added the targets of the original exploit to Metasploit, there was a lot of code that needed to be added to Metasploit to get it up to par with being able to support a remote kernel exploit that targets x64,” Dillon said, adding that the original exploit targets x86 also, calling that feat “almost miraculous.”
“You’re talking about a heap-spray attack on the Windows kernel. Heap spray attacks are probably one of the most esoteric types of exploitation and this is for Windows, which does not have source code available,” Dillon said. “Performing a similar heap spray on Linux is difficult, but easier than this. A lot of work went into this.”