MS17-010

Vulnerability Profile Updated 2 months ago
MS17-010 is the Microsoft security bulletin covering a set of remote code execution vulnerabilities in the server side of Microsoft's Server Message Block 1.0 (SMBv1) implementation (CVE-2017-0143 through CVE-2017-0148; EternalBlue targets CVE-2017-0144). Strictly, EternalBlue, EternalSynergy and EternalRomance are the names of exploits for these flaws that the Shadow Brokers leaked in April 2017, but threat reporting uses them interchangeably with the bulletin number. An unauthenticated attacker who can reach TCP port 445 on an unpatched host can execute arbitrary code on it and take full control of the system.

The flaws affected every Windows version of the time that exposed SMBv1. The systems most often cited as susceptible include Windows XP with Service Pack 2 and 3, 64-bit Windows 7 with Service Pack 1, and Windows Server 2008 and 2008 R2. Microsoft published MS17-010 on 14 March 2017, roughly a month before the exploits became public, yet large numbers of systems worldwide remained unpatched, which is what made the infections that followed so widespread.

The WannaCry ransomware of May 2017 used this vulnerability as its primary means of propagation. Once inside a network, the worm component attempted to connect to other hosts on TCP port 445 (on the local subnet and on random internet addresses alike) and, when a connection succeeded, sent an SMBv1 probe to test for MS17-010. If the host was vulnerable, the worm waited three seconds and then checked whether it already carried DOUBLEPULSAR. DOUBLEPULSAR is not an exploit but a kernel-mode backdoor implant from the same Shadow Brokers leak; it answers a specially crafted SMB Trans2 request with a recognisable reply. If the implant was present, the worm used it to inject its payload DLL directly; if not, it ran the EternalBlue exploit to install the implant first. In both cases an active DOUBLEPULSAR backdoor on the target was the channel through which the worm copied itself, which is why the two are almost always found together.

That a fix existed two months before the outbreak underscores the importance of timely patching. Disabling SMBv1 where it is not needed and blocking port 445 at network boundaries close the same exposure, and an SMB1-refusing host never reaches the stage at which the probe above can succeed.
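The two checks in that propagation loop ("is this host vulnerable?" and "is DOUBLEPULSAR already here?") each turn on one field of the 32-byte SMB1 header in the reply to a Trans2 request: an NT status of 0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES) marks an unpatched srv.sys, and a MultiplexID of 0x51, instead of the 0x41 a normal server echoes, marks the implant. The same tests are what defensive scanners such as the nmap and Metasploit MS17-010 and DoublePulsar checks rely on. The Python below is an added example, not code from this page or from any of those tools: it decodes reply bytes constructed inline (labelled as such) and applies the two rules, then mirrors the worm's decision. It assumes a real SMB client has already done Negotiate, a null Session Setup, a Tree Connect to IPC$ and sent the Trans2 probe; that exchange is not implemented here. The statuses noted as typical of patched hosts (STATUS_NOT_IMPLEMENTED, STATUS_INVALID_HANDLE) are what public scanners report and are an assumption about typical behaviour, not something the page documents.

```python
"""Classify SMB1 Trans2 replies for the MS17-010 and DOUBLEPULSAR checks.

Added example: not code from the page or from any scanner. It assumes a real
SMB client already did Negotiate -> Session Setup (null) -> Tree Connect IPC$
and sent the Trans2 probe; only the reply decoding is shown. All packet bytes
below are constructed for illustration, not captured from a live host.
"""
import struct

SMB1_MAGIC = b"\xffSMB"                      # SMB2/3 replies start with 0xFE 'SMB' instead
SMB_COM_TRANSACTION2 = 0x32
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # unpatched srv.sys answers the probe with this
STATUS_NOT_IMPLEMENTED = 0xC0000002          # assumption: typical answer from a patched host
DOUBLEPULSAR_MID = 0x51                      # implant's tell-tale MultiplexID in the "ping" reply
NORMAL_MID = 0x41                            # MultiplexID an unmodified server echoes back


def parse_smb1_header(packet: bytes) -> dict:
    """Return the SMB1 header fields of a NetBIOS-framed reply (4 + 32 bytes)."""
    if len(packet) < 36:
        raise ValueError("need a 4-byte NetBIOS header and a 32-byte SMB header")
    if packet[0] != 0x00:
        raise ValueError(f"NetBIOS type {packet[0]:#x} is not a session message")
    nb_length = int.from_bytes(packet[1:4], "big")
    if nb_length != len(packet) - 4:
        raise ValueError("NetBIOS length field does not match payload size")
    hdr = packet[4:36]
    if hdr[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 header (SMB2/3 replies begin with 0xFE 'SMB')")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", hdr, 4)
    # Offsets 14..21 hold the 8-byte SecurityFeatures, 22..23 are reserved.
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", hdr, 24)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "pid": (pid_high << 16) | pid_low, "tid": tid, "uid": uid, "mid": mid}


def classify_ms17_010(trans2_reply: bytes) -> str:
    """'vulnerable' only on the exact status the unpatched driver leaks."""
    h = parse_smb1_header(trans2_reply)
    if h["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"      # not a Trans2 reply; the probe was not answered as expected
    if h["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    return "not_vulnerable"      # patched hosts typically reply NOT_IMPLEMENTED / INVALID_HANDLE


def classify_doublepulsar(ping_reply: bytes) -> str:
    """The implant rewrites MultiplexID to 0x51; a clean server echoes 0x41."""
    h = parse_smb1_header(ping_reply)
    if h["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"
    return "infected" if h["mid"] == DOUBLEPULSAR_MID else "clean"


def build_smb1_reply(command: int, status: int, mid: int,
                     tid: int = 0x0800, uid: int = 0x0800, pid: int = 0xFEFF) -> bytes:
    """Construct a minimal (WordCount=0, ByteCount=0) SMB1 reply for the samples."""
    header = (SMB1_MAGIC
              + struct.pack("<BIBHH", command, status, 0x98, 0xC807, 0)  # Flags: reply; Flags2: Unicode + NT status
              + b"\x00" * 8        # SecurityFeatures (unsigned session)
              + b"\x00" * 2        # Reserved
              + struct.pack("<HHHH", tid, pid, uid, mid))
    body = b"\x00" + b"\x00\x00"   # WordCount, ByteCount
    return b"\x00" + (len(header) + len(body)).to_bytes(3, "big") + header + body


# Constructed sample replies (not captures): what each stage of the worm's loop would see.
SAMPLES = {
    "unpatched_host": build_smb1_reply(SMB_COM_TRANSACTION2, STATUS_INSUFF_SERVER_RESOURCES, NORMAL_MID),
    "patched_host": build_smb1_reply(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, NORMAL_MID),
    "already_backdoored": build_smb1_reply(SMB_COM_TRANSACTION2, STATUS_NOT_IMPLEMENTED, DOUBLEPULSAR_MID),
}


def triage(ms17_reply: bytes, ping_reply: bytes) -> str:
    """Mirror the worm's decision: move on, reuse the implant, or exploit to install it."""
    if classify_ms17_010(ms17_reply) != "vulnerable":
        return "skip"
    if classify_doublepulsar(ping_reply) == "infected":
        return "reuse_doublepulsar"
    return "exploit_then_install_doublepulsar"


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:>20}: ms17-010={classify_ms17_010(pkt):<14} doublepulsar={classify_doublepulsar(pkt)}")
    print("decision, unpatched and clean:", triage(SAMPLES["unpatched_host"], SAMPLES["unpatched_host"]))
```

The decoder deliberately rejects anything that is not an SMB1 header: a host with SMBv1 disabled negotiates SMB2/3 (0xFE 'SMB') or drops the connection, so the probe never gets this far, which is exactly why disabling SMBv1 is an effective mitigation even on hosts that cannot be patched.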
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Profile (votes): description
Eternalblue (5): EternalBlue is a significant software vulnerability that exists in the design or implementation of certain systems. This flaw has been exploited by various cyber threats, with one notable instance being its use as an enabler for the widespread WannaCry ransomware attack. The exploit allows attackers
Eternalsynergy (1): EternalSynergy is a software vulnerability from the Shadow Brokers leak, also tracked as MS17-010, ETERNALBLUE or ETERNAL ROMANCE. This flaw exists in the design and implementation of Microsoft's Server Message Block 1.0 (SMBv1) protocol and allows for remote code execution. It poses significant security risks, as
Eternal Romance (1): no description
Eternalromance (1): EternalRomance is a software vulnerability, specifically an exploit for the Server Message Block version 1 (SMBv1) protocol, which was leaked by the group known as the "ShadowBrokers." It affects Windows XP, Windows Server 2003, and Windows Vista systems. This flaw allows attackers to execute arbitr
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Exploit
Vulnerability
Worm
Remote Code ...
Exploits
Ransomware
Malware
Lateral Move...
Microsoft
Ics
RCE (Remote ...
Backdoor
Dropper
Associated Malware
Profile (type, votes): description
WannaCry (unspecified, 4): WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
NotPetya (unspecified, 1): NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
TrickBot (unspecified, 1): TrickBot is a notorious form of malware that infiltrates systems to exploit and damage them, often through suspicious downloads, emails, or websites. Once it has breached a system, TrickBot can steal personal information, disrupt operations, and even hold data hostage for ransom. It has been linked
Wcry (targets, 1): WCry, also known as WannaCry or WanaCryptor, is a self-propagating ransomware that was one of the most disruptive cyber attacks in history. This malware was a product of a North Korean cyber operation aimed at financial gain. The ransomware spreads through internal networks and over the public inter
Associated Threat Actors
Profile (type, votes): description
Wannadecryptor (unspecified, 1): no description
Wanacryptor (targets, 1): no description
Associated Vulnerabilities
Vulnerability (type, votes): description
CVE-2009-3103 (unspecified, 1): no description
CVE-2017-0143 (unspecified, 1): no description
CVE-2017-0144 (unspecified, 1): no description
Source Document References
Information about the MS17-010 vulnerability was read from the documents in the corpus below (display limited to 20 results).
Source (created): title
CERT-EU (9 months ago): StripedFly: Perennially flying under the radar
Krypos Logic (a year ago): WannaCry: Two Weeks and 16 Million Averted Ransoms Later
MITRE (a year ago): WannaCry Malware Profile | Mandiant
CERT-EU (a year ago): What Is an Exploit? Definition, Types, and Prevention Measures
BAE Systems (a year ago): WanaCrypt0r Ransomworm
MITRE (a year ago): WCry (WannaCry) Ransomware Analysis
CERT-EU (10 months ago): Qualys Top 20 Exploited Vulnerabilities | Qualys Security Blog
MITRE (a year ago): Implications of IT Ransomware for ICS Environments | Dragos
GovCERT CH (a year ago): Notes About The NotPetya Ransomware
MITRE (a year ago): Emissary Panda Attacks Middle East Government SharePoint Servers
GovCERT CH (a year ago): Severe Ransomware Attacks Against Swiss SMEs
MITRE (a year ago): Bad Rabbit: Not‑Petya is back with improved ransomware | WeLiveSecurity
MITRE (a year ago): New Ransomware Variant "Nyetya" Compromises Systems Worldwide
MITRE (a year ago): Petya Ransomware | CISA
CERT-EU (9 months ago): StripedFly: Perennially flying under the radar – GIXtools
MITRE (a year ago): A Technical Analysis of WannaCry Ransomware | LogRhythm
CERT-EU (9 months ago): NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations | CISA
MITRE (a year ago): Indicators Associated With WannaCry Ransomware | CISA
GovCERT CH (a year ago): WannaCry? It is not worth it!
SecurityIntelligence.com (a year ago): Beware of What Is Lurking in the Shadows of Your IT