Eternalblue

Vulnerability updated 10 days ago (2024-10-08T07:01:12.011Z)
EternalBlue is a software vulnerability caused by a flaw in the design and implementation of the Windows Server Message Block (SMB) protocol. Officially tracked as CVE-2017-0144, it became public after the Shadow Brokers group leaked an exploit developed by the U.S. National Security Agency. The exploit allows code execution on the affected server, which makes the vulnerability a significant security risk; EternalBlue was later infamously used as the enabler for the widespread WannaCry ransomware attack.

The CISA assessment team identified several unpatched systems vulnerable to known exploits, including instances of CVE-2019-0708 (known as "BlueKeep") and EternalBlue. Attempts to compromise systems through BlueKeep were unsuccessful, but the team did exploit the EternalBlue vulnerability on a server. Executing the EternalBlue exploit gave them a shell on the server with local SYSTEM privileges, which would have allowed them to control the server, demonstrating the severe impact of this vulnerability if left unaddressed.

In response to these findings, it is crucial for organizations to update their systems regularly and patch vulnerabilities like EternalBlue. Tools such as GoldenHowl can assist in identifying open ports and checking whether a system is vulnerable to specific malware, including EternalBlue. Other similar exploits also exist, as the naming conventions of EternalRomance, EpMo and EpMe suggest. These threats underline the importance of continuous vigilance and proactive cybersecurity measures.
Description last updated: 2024-10-08T06:15:58.154Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be of interest.

CVE-2017-0144 (5 votes): CVE-2017-0144 is a possible alias for Eternalblue.

Ms17-010 (5 votes): Ms17-010 is a possible alias for Eternalblue. MS17-010, also known as EternalBlue, EternalSynergy, or EternalRomance, is a significant remote code execution vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol. This flaw in software design and implementation was exploited by various malware strains, most notably the WannaCry r

T1210 (2 votes): T1210 is a possible alias for Eternalblue.

Stripedfly (2 votes): Stripedfly is a possible alias for Eternalblue. StripedFly is a malicious threat actor that has been active since at least April 9, 2016, as indicated by the earliest known version of StripedFly incorporating the EternalBlue exploit. The authors behind StripedFly show parallels with the EternalBlue exploit, which is notorious for its use in wides
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Exploit, Windows, Vulnerability, Exploits, Malware, Worm, Ransomware, Lateral Move..., Apt, Remote Code ..., Backdoor, Dropper, T1210, RCE (Remote ..., Payload, Reconnaissance, Botnet
Associated Malware
WannaCry (association type: Exploited; 8 votes): The WannaCry Malware is associated with Eternalblue. WannaCry, a potent malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 Remote Code Execution vulnerabilities (CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting

NotPetya (association type: Exploited; 3 votes): The NotPetya Malware is associated with Eternalblue. NotPetya is a malicious software (malware) that caused extensive damage worldwide in 2017. It was initially perceived as ransomware, similar to other notorious variants such as WannaCry, Petya, TeslaCrypt, DarkSide, and REvil. However, unlike typical ransomware, NotPetya was primarily destructive ra

Lucifer (association type: Unspecified; 2 votes): The Lucifer Malware is associated with Eternalblue. Lucifer is a powerful and relatively new malware variant that combines cryptojacking and DDoS (Distributed Denial of Service) attack capabilities. This malicious software targets Windows platforms, exploiting older vulnerabilities to spread and perform harmful activities. Lucifer is particularly not

Petya (association type: Exploited; 2 votes): The petya Malware is associated with Eternalblue. Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and Da
Associated Threat Actors
Shadow Brokers (association type: Unspecified; 5 votes): The Shadow Brokers Threat Actor is associated with Eternalblue. The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National Se

Equation Group (association type: Unspecified; 3 votes): The Equation Group Threat Actor is associated with Eternalblue. The Equation Group is a threat actor, believed to have ties to the United States, that has been involved in numerous cyber espionage operations. The group's favorite vulnerabilities include CVE-2017-0144, a Windows server message block code execution vulnerability that was leaked by another group kn

Expetr (association type: Unspecified; 2 votes): The Expetr Threat Actor is associated with Eternalblue. ExPetr, also known as PetrWrap, Petya, or NotPetya, is a threat actor that emerged in the cybersecurity landscape on April 15, 2017, with its first ransomware attack infused with EternalBlue. The code used by ExPetr was borrowed from another malicious software called Win32/Diskcoder.Petya ransomware

Wannacryptor (association type: Unspecified; 2 votes): The Wannacryptor Threat Actor is associated with Eternalblue. WannaCryptor, also known as WannaCry or Wanna Decryptor, is a threat actor that has been active since at least 2009. This group, which is aligned with North Korea, has been responsible for several high-profile cyber incidents. Notable among these are the Sony Pictures Entertainment hack in 2014, cyb
Associated Vulnerabilities
Eternalromance (association type: Unspecified; 3 votes): The Eternalromance Vulnerability is associated with Eternalblue. EternalRomance is a software vulnerability, specifically an exploit for the Server Message Block version 1 (SMBv1) protocol, which was leaked by the group known as the "ShadowBrokers." It affects Windows XP, Windows Server 2003, and Windows Vista systems. This flaw allows attackers to execute arbitr