Eternalblue

Vulnerability updated a month ago (2024-11-29T13:50:02.954Z)
Download STIX
Preview STIX
EternalBlue is a software vulnerability, specifically a flaw in the design or implementation of Microsoft's Server Message Block (SMB) protocol. This vulnerability, officially known as CVE-2017-0144, allows for the execution of arbitrary code on affected systems. It became publicly known after a group called the Shadow Brokers leaked an exploit developed by the U.S. National Security Agency (NSA). The exploit has remained relevant due to its ability to propagate via SMB and infect systems that have not been patched against it. This vulnerability was notably used as an enabler in the WannaCry ransomware attack. The Cybersecurity and Infrastructure Security Agency (CISA) assessment team identified several unpatched systems vulnerable to EternalBlue and another vulnerability known as BlueKeep (CVE-2019-0708). The team attempted to compromise these systems using both vulnerabilities. While they were unsuccessful with BlueKeep, they were able to exploit EternalBlue on a server, establishing a shell with local SYSTEM privileges. This successful exploitation demonstrates the continued risk posed by EternalBlue, especially on unpatched systems. Various malware strains, such as GoldenHowl, have incorporated the EternalBlue exploit into their arsenal. GoldenHowl can scan remote systems for open ports and determine if the target is vulnerable to the EternalBlue malware. Despite the availability of patches for this vulnerability, many systems remain unpatched and susceptible to EternalBlue-based attacks. Therefore, EternalBlue continues to be a significant cybersecurity concern, necessitating vigilant patch management and system monitoring.
Description last updated: 2024-11-21T10:47:00.343Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Ms17-010 is a possible alias for Eternalblue. MS17-010, also known as "EternalBlue," "EternalSynergy," or "Eternal Romance," is a significant vulnerability in Microsoft's Server Message Block 1.0 (SMBv1) protocol that allows for remote code execution. It was first addressed by Microsoft through the release of security bulletin MS17-010 on March
6
CVE-2017-0144 is a possible alias for Eternalblue.
5
T1210 is a possible alias for Eternalblue.
2
Stripedfly is a possible alias for Eternalblue. StripedFly is a malicious threat actor that has been active since at least April 9, 2016, as indicated by the earliest known version of StripedFly incorporating the EternalBlue exploit. The authors behind StripedFly show parallels with the EternalBlue exploit, which is notorious for its use in wides
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Vulnerability
Windows
Exploits
Malware
Worm
Ransomware
Lateral Move...
Apt
Remote Code ...
Backdoor
Dropper
T1210
RCE (Remote ...
Payload
Reconnaissance
Botnet
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The WannaCry Malware is associated with Eternalblue. WannaCry is a notorious malware that gained global attention in 2017 when it was responsible for the biggest ransomware attack to date. The malware, designed to exploit and damage computer systems, infects systems through suspicious downloads, emails, or websites. Once inside a system, WannaCry can Exploited
8
The NotPetya Malware is associated with Eternalblue. NotPetya is a destructive malware that posed as ransomware, causing significant global damage in 2017. Despite its appearance as ransomware, NotPetya was not designed to extort money but rather to destroy data and disrupt operations, particularly targeting Ukraine's infrastructure. NotPetya was attrExploited
3
The Lucifer Malware is associated with Eternalblue. Lucifer is a powerful and relatively new malware variant that combines cryptojacking and DDoS (Distributed Denial of Service) attack capabilities. This malicious software targets Windows platforms, exploiting older vulnerabilities to spread and perform harmful activities. Lucifer is particularly notUnspecified
2
The petya Malware is associated with Eternalblue. Petya is a type of malware, specifically ransomware, that infected Windows-based systems primarily through phishing emails. It was notorious for its ability to disrupt operations and hold data hostage for ransom. Petya, along with other types of ransomware like WannaCry, NotPetya, TeslaCrypt, and DaExploited
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The Shadow Brokers Threat Actor is associated with Eternalblue. The Shadow Brokers, a threat actor group, has been involved in several high-profile cybersecurity incidents. They first came into the limelight in August 2016 when they leaked tools believed to be from the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National SeUnspecified
5
The Equation Group Threat Actor is associated with Eternalblue. The Equation Group is a threat actor, believed to have ties to the United States, that has been involved in numerous cyber espionage operations. The group's favorite vulnerabilities include CVE-2017-0144, a Windows server message block code execution vulnerability that was leaked by another group knUnspecified
3
The Expetr Threat Actor is associated with Eternalblue. ExPetr, also known as PetrWrap, Petya, or NotPetya, is a threat actor that emerged in the cybersecurity landscape on April 15, 2017, with its first ransomware attack infused with EternalBlue. The code used by ExPetr was borrowed from another malicious software called Win32/Diskcoder.Petya ransomwareUnspecified
2
The Wannacryptor Threat Actor is associated with Eternalblue. WannaCryptor, also known as WannaCry or Wanna Decryptor, is a threat actor that has been active since at least 2009. This group, which is aligned with North Korea, has been responsible for several high-profile cyber incidents. Notable among these are the Sony Pictures Entertainment hack in 2014, cybUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Eternalromance Vulnerability is associated with Eternalblue. EternalRomance is a software vulnerability, specifically an exploit for the Server Message Block version 1 (SMBv1) protocol, which was leaked by the group known as the "ShadowBrokers." It affects Windows XP, Windows Server 2003, and Windows Vista systems. This flaw allows attackers to execute arbitrUnspecified
3
Source Document References
Information about the Eternalblue Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
CISA
4 months ago
DARKReading
2 months ago
ESET
3 months ago
BankInfoSecurity
3 months ago
ESET
3 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
6 months ago
Securityaffairs
7 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
Securityaffairs
8 months ago
Securityaffairs
9 months ago
Securityaffairs
9 months ago