Windows 10 Mitigations Make Future EternalBlue Attacks Difficult

Now that researchers have built a port of EternalBlue to Windows 10, they’ve probably only now caught up to what the NSA has had for a long while.

The emergence of a port of the EternalBlue exploit to Windows 10 signals that white-hat researchers have likely done what the NSA accomplished long ago.

The leaked version of the powerful Windows SMB attack shared by the ShadowBrokers in April was built only to attack Windows XP and Windows 7 machines. The mysterious serial leakers of Equation Group offensive hacking tools may not have been able to get their hands on the intelligence agency’s latest wares, but it likely exists.

RiskSense senior security analyst Sean Dillon, one of the architects of the Windows 10 port (PDF download) of EternalBlue, said that the available code had undergone numerous revisions and improvements, indicating a constant development cycle. And given its effectiveness in gaining unauthenticated remote access on just about any Windows machine worldwide, this is an area where a spy agency would continue to invest.

“It’s hard to tell when the ShadowBrokers actually got what they got,” Dillon said. The publicly known version of EternalBlue came from a 2013 disk, according to the documentation from the ShadowBrokers leak, when Windows 10 was probably still on the drawing board. “I imagine that whoever made this exploit has ported it to Windows 10 at this point.”

The port, announced yesterday by researchers at RiskSense, is able to bypass some of the protections in one particular branch of Windows 10 available today, called the Current Branch for Business.

Microsoft currently supports three release branches of Windows 10, including the Windows Insider Branch, Current Branch and the Current Branch for Business. Insider is a beta version and as features graduate from there, they move into the Current Branch. The Current Branch for Business is generally four months in arrears of the Current Branch in terms of features and critical updates. There is also a Long-Term Servicing Branch that maintains support policies in effect prior to Windows 10 and is generally recommended only for special purpose machines that don’t require new features or security updates.

The most recent Windows Creators Update, codenamed Redstone 2, was released in April and includes a number of memory-based attack mitigations that stop EternalBlue in its tracks. It builds upon Redstone 1, released in August 2016, which is likely what most home versions of Windows 10 are running. No known workarounds to those mitigations exist, meaning that any researcher who develops one could be in line for a $100,000 bounty from Microsoft’s Mitigation Bypass and Bounty for Defense.

“Redstone 2 added more defenses than Redstone 1, and that’s going to make future attacks of this class much more difficult,” Dillon said.

Dillon did caution that Windows 10 enterprise machines joined to a domain are probably running on the Current Branch for Business, vulnerable to the RiskSense port.

“If you have a Windows 10 machine that’s been joined to a domain, it’s probably on the Current Branch for Business which is missing the mitigations that don’t have known workarounds,” Dillon said. “So all we’ve done is applied some workarounds that have been published in the past and fixed all of the offsets and structure changes that happened in order to exploit Windows 10,” he added. “Just to show that it was possible.”

Dillon reiterated that defenders should study EternalBlue and build detection rules for the exploit itself and not focus on the DoublePulsar kernel-level backdoor, which is cryptographically unsound and can be easily detected as a payload.

“With DoublePulsar, the industry was asleep at the wheel,” Dillon said, calling it a “red herring” for researchers. “We’re hoping this time that people look at this and have a full understanding of this exploit in order to build defenses not only for this exploit but come up with creative ideas for other generic exploits of this type.”
