Project Final Report


Cyber Security Department

Cyber Security Project

Project PLAN (407422)

Protection against ‘EternalBlue’ vulnerability

Submitted By:

Student Name

Student ID

ID1:

ID2:

ID3:

Term: Second Semester 2022

Date: April 12, 2022

Table of Contents

1. Introduction
2. Literature Review
3. EternalBlue exploit statistics
4. Problem Statement
5. Outcome
6. Requirements
7. Solutions against EternalBlue
8. Relevance and Impact
9. Advisor
10. Team and Roles
11. Timetable
References

1. Introduction

EternalBlue is an exploit for a vulnerability in Microsoft Windows that can lead to a data breach on systems and machines that have not been patched against it. A vulnerability is a flaw in a computer system that weakens the overall security of the device or system (Ding, et al., 2019). Once the vulnerability has been exploited, the attacker can steal information, leading to a data breach.

EternalBlue targets the SMBv1 protocol used by Windows computers for file and printer sharing. The exploit sends crafted SMB packets that trigger a buffer overrun in the kernel-mode SMBv1 server (srv.sys), using heap spraying to place attacker-controlled data where the overrun will land, and so gains code execution at kernel privilege without any authentication. Most notably, the exploit was used in 2017's WannaCry, a ransomware which encrypted victims' files and demanded a ransom to decrypt them. Once a host was infected, WannaCry scanned for other machines with port 445 reachable and sent them the same malformed SMBv1 requests, so the worm spread from computer to computer without any user interaction.

The EternalBlue exploit was developed by the U.S. National Security Agency (NSA). It became public in April 2017 when a group calling itself the Shadow Brokers leaked a trove of NSA hacking tools it had obtained; Microsoft had already released the fix for the underlying flaw (security bulletin MS17-010) a month earlier, in March 2017 (Warren, 2017).

2. Literature Review

Many researchers have broadly examined each contributor's role in the construction and spread of the malware that made such a destructive cyberattack possible. A wide net of blame can be cast on Microsoft's insecure protocol, Russia's use of the malware, and the business IT professionals within organizations who failed to apply the available patch to all of their vulnerable systems. When analyzing the role of the NSA, however, journalists mainly focus on what factors contributed to the data breach and what measures could be taken to prevent future leaks. They conclude that the NSA's failure to retain its secrets, including its hacking tools, is the root concern for which the organization must be held accountable.

Greenberg details the hypocrisy in how the United States redirects the blame onto previous administrations and foreign nation-state actors, as with attributing the WannaCry ransomware attack to North Korea, without looking introspectively. He calls attention to the workplace procedures that allowed two NSA staffers to carry home large collections of highly classified hacking tools. Antivirus software developed by Kaspersky, a Russian security firm, was reportedly in use on one of the staffers' personal computers, meaning the malware crafted by the NSA was uploaded to the company's servers and remained there for some unknown period of time. The reporter also mentions the vagueness in wording and the lack of transparency in the implementation of the White House's Vulnerabilities and Equities Process, a document meant to guide which vulnerabilities are reported to the associated vendors and which are kept secret to gather foreign intelligence (Greenberg, 2017).

Shane, Perlroth, and Sanger's reporting covers the NSA as a victim within this network, robbed entirely of any sense of morale, with the Shadow Brokers as the perpetrators responsible. This framing is apparent when they refer to the case as "one of the worst security debacles ever to befall American intelligence", far exceeding the damage caused by Edward Snowden. They look at how members of the NSA's internal hacking group, Tailored Access Operations (T.A.O.), have been affected by the revelations, with some members leaving the organization and others having to cancel trips abroad out of fear. The reporting then describes a hostile workplace now plagued by polygraphs and suspensions and struggling to retain talent. The journalists also cover additional victims of the Shadow Brokers' actions that led to the disruption of business internationally, including the millions of computers locked by ransomware, companies that experienced complete data loss, and hospitals in Indonesia, Britain, and even Pennsylvania that were forced to turn away patients (Shane et al., 2017).

3. EternalBlue exploit statistics

[Figure: SMBv1 ratio by address range, August 2017 statistics]
https://omerez.com/repository/images/Aug-2017-stats/SMBv1_ratio_by_range.png

4. Problem Statement

Data and information are critical assets of any organization or company, and a breach of them could easily bring a thriving company to its knees. A data breach is an incident in which an unauthorized entity gains access to information belonging to an organization, a system or an individual. It is a breach the moment the access happens, whether or not the information is subsequently misused. EternalBlue exploits a vulnerability in Microsoft Windows systems that have not been patched against it and can lead to exactly such a breach. An attacker who exploits it gains kernel-level code execution on the target and can install a remote access trojan (RAT), which gives full control of the victim's device; the same exploit can then be launched against every other unpatched host reachable over port 445 on the same network.


The project seeks to increase awareness amongst users of this exploit, EternalBlue, and to recommend measures by which they can protect their data and information from a breach through it. A detailed description of how the vulnerability is exploited will be given, together with remedies to counter it and protect devices and systems.

5. Outcome

At the end of the project, the researchers will deliver detailed documentation on the EternalBlue vulnerability. The documentation will cover what the vulnerability is, its origin, its attack vectors, and ways of protecting devices and machines. It will give readers a deeper understanding of EternalBlue and guide them on measures that prevent the vulnerability from being exploited by attackers.

6. Requirements

The vulnerability exploited by EternalBlue (CVE-2017-0144, fixed by Microsoft security bulletin MS17-010) is present in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, Windows 10 and Windows Server 2016; Microsoft also released out-of-band fixes for the unsupported Windows XP and Windows Server 2003 after WannaCry. To protect devices and systems running these operating systems against the vulnerability, one needs to:

i. Install Microsoft's MS17-010 patch on every affected device; where a system cannot be patched, disable SMBv1, which is the workaround Microsoft recommends.

ii. Install anti-virus software on devices and systems and keep it updated.

iii. Review and manage the use of privileged accounts. Best practice is to implement the principle of least privilege.

iv. Educate staff so that they scrutinize links and attachments in unsolicited emails.

v. Limit access to critical functions and files to only those who absolutely need it.

vi. Install operating system and web browser patches automatically.

vii. Test backups to ensure they restore correctly.
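The following script is an added example, not part of the original project plan, showing how steps i and vi above can be checked and enforced on a single Windows host: it looks for the MS17-010 knowledge-base articles, reports the SMBv1 server state, disables SMBv1, and adds a firewall rule denying inbound SMB on the Public profile. The KB numbers are those listed in Microsoft's MS17-010 bulletin for the original March 2017 releases and should be verified against the bulletin for the build in question; the function names are the author's own. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of the original project plan): audit one Windows host
# for the MS17-010 fix, then disable SMBv1 and block inbound SMB on the Public
# network profile. Requires an elevated (Administrator) PowerShell session.

# MS17-010 KB identifiers from the bulletin table (assumption: verify for your build).
$Ms17010Kbs = @(
    'KB4012598',               # Vista SP2, Server 2008 SP2, and the out-of-band XP/2003/8 fixes
    'KB4012212', 'KB4012215',  # Windows 7 SP1, Server 2008 R2 SP1 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1, Server 2012 R2, RT 8.1
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607, Server 2016
)

function Test-Ms17010Installed {
    # $true if any MS17-010 KB is present. Caveat: on Windows 10 / Server 2016 later
    # cumulative updates supersede these KBs without listing them, so $false means
    # "check the cumulative update level", not "definitely vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $Ms17010Kbs) {
        if ($installed -contains $kb) { return $true }
    }
    return $false
}

function Get-Smb1State {
    # Server-side SMB1 state. Get-SmbServerConfiguration exists on Windows 8 /
    # Server 2012 and later; on Windows 7 / Server 2008 R2 fall back to the
    # LanmanServer registry value that Microsoft documents for disabling SMB1.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }   # value absent: SMB1 enabled by default
    return [bool]$val.SMB1
}

function Disable-Smb1 {
    # Disable the SMB1 server; the optional-feature removal (Windows 8.1 / 10)
    # also removes the SMB1 client. The registry path needs a reboot to apply.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWORD -Value 0 -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-InboundSmb {
    # Firewall layer: deny inbound SMB (TCP 139 and 445) on the Public profile so a
    # laptop on an untrusted network cannot be reached by an SMB exploit at all.
    # Scope this to your environment; a domain file server must still accept 445
    # from its clients on the Domain profile.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 139,445) - Public profile' `
        -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Public | Out-Null
}

# Report the current state, then remediate.
$patched = Test-Ms17010Installed
$smb1    = Get-Smb1State
Write-Host ("MS17-010 KB present : {0}" -f $patched)
Write-Host ("SMB1 server enabled : {0}" -f $smb1)
if ($smb1) {
    Disable-Smb1
    Write-Host ("SMB1 server enabled after change: {0}" -f (Get-Smb1State))
}
Block-InboundSmb
if (-not $patched) {
    Write-Warning 'No MS17-010 KB found: install the patch, or confirm a superseding cumulative update is present.'
}
```

Disabling SMBv1 is a mitigation, not a replacement for the patch: the fix in MS17-010 is what removes the flaw, while turning SMBv1 off removes the exploit's reachable surface and also blocks the other SMBv1 exploits in the same leak. Hosts that still need SMBv1 for a legacy device should be identified before this is rolled out fleet-wide.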

7. Solutions against EternalBlue

Solution | Implementation
Anti-virus | Keep anti-malware software on corporate endpoints and data sources up to date so that known ransomware strains are filtered out.
Firewalls | Deploy firewalls and block access to the SMB ports (TCP 139 and 445) from the internet and between network segments that do not need file sharing, so that an exploit cannot reach the SMBv1 service.
Configure webmail server to block attachments | Block extensions such as .exe, .vbs and .scr. Filtered files can then be scanned in an isolated environment and either released or destroyed.
User training | Train staff to stay alert for suspicious attachments and download links, for example by double-checking the sending business domain and spot-checking links before opening them.
File versioning | Automatically store multiple versions of each file. This allows flexible restores in a disaster recovery scenario, including recovery from a ransomware encryption.
Upgrade OS and applications | Exploits like EternalBlue turn out-of-date Windows software into an entry point into your environment. Upgrade systems that no longer receive security updates and keep the rest current.
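The firewall and upgrade rows above are only effective if they are verified from the network side. The script below is an added example, not part of the original project plan, that probes a list of hosts on TCP 445 with an SMB1-only Negotiate Protocol request and classifies each as still speaking SMBv1, connected but not answering in SMBv1, or closed. The target list is a constructed placeholder (RFC 5737 test addresses and an invented host name) and must be replaced with systems the tester is authorised to scan; the function names are the author's own.

```powershell
# Added example (not part of the original project plan): find hosts that still
# answer an SMB1-only negotiate on TCP 445. Scan only systems you are authorised
# to test. The classification is a heuristic based on how Windows behaves.

function New-Smb1NegotiateRequest {
    # Minimal SMB1 NEGOTIATE (command 0x72) offering only the "NT LM 0.12" dialect,
    # so an SMB2-only server has nothing it can accept. Layout: 4-byte NetBIOS
    # session header, 32-byte SMB header, WordCount, ByteCount, dialect list.
    $dialect   = [byte[]](0x02) + [System.Text.Encoding]::ASCII.GetBytes("NT LM 0.12`0")
    $smbHeader = [byte[]](
        0xFF, 0x53, 0x4D, 0x42,                          # protocol id "\xFFSMB"
        0x72,                                            # SMB_COM_NEGOTIATE
        0x00, 0x00, 0x00, 0x00,                          # NT status
        0x18,                                            # flags: canonical paths, case-insensitive
        0x01, 0xC8,                                      # flags2 0xC801 LE: long names, ext. security, NT status, unicode
        0x00, 0x00,                                      # PIDHigh
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # security signature
        0x00, 0x00,                                      # reserved
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00   # TID, PID, UID, MID
    )
    $body = [byte[]](0x00) + [byte[]](0x0C, 0x00) + $dialect   # WordCount 0, ByteCount 12 (LE)
    $smb  = $smbHeader + $body
    $len  = $smb.Length                                          # 47 bytes
    $nb   = [byte[]](0x00, (($len -shr 16) -band 0xFF), (($len -shr 8) -band 0xFF), ($len -band 0xFF))
    return [byte[]]($nb + $smb)
}

function Test-Smb1Enabled {
    param([string]$ComputerName, [int]$Port = 445, [int]$TimeoutMs = 2000)
    # 'smb1'    : host replied in SMB1 framing (0xFF 'S' 'M' 'B'), so SMBv1 is on
    # 'closed'  : connect refused, timed out or unreachable (e.g. firewall rule in place)
    # 'no-smb1' : connected but gave no SMB1 reply; Windows with SMBv1 disabled
    #             resets the connection at this point
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'closed' }
        $client.EndConnect($ar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $req = New-Smb1NegotiateRequest
        $stream.Write($req, 0, $req.Length)
        $buf = New-Object byte[] 512
        $n = $stream.Read($buf, 0, $buf.Length)
        if ($n -ge 8 -and $buf[4] -eq 0xFF -and $buf[5] -eq 0x53 -and $buf[6] -eq 0x4D -and $buf[7] -eq 0x42) {
            return 'smb1'
        }
        return 'no-smb1'
    } catch [System.Net.Sockets.SocketException] {
        return 'closed'
    } catch {
        return 'no-smb1'    # read reset or timeout after a successful connect
    } finally {
        $client.Close()
    }
}

# Constructed placeholder scope (assumption): replace with hosts you are authorised to scan.
$Targets = @('192.0.2.10', '192.0.2.11', 'fileserver01')
$results = foreach ($t in $Targets) {
    [pscustomobject]@{ Host = $t; Smb1 = Test-Smb1Enabled -ComputerName $t }
}
$results | Format-Table -AutoSize
```

A host reported as 'smb1' is one that the MS17-010 patch protects only if the patch is actually installed, so the two checks should be read together: the probe finds the exposed SMBv1 surface across the network, and the per-host KB check confirms whether that surface is patched. Hosts reported as 'closed' from a segment that has no business reaching them are the firewall row working as intended.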

8. Relevance and Impact

Upon successful completion of the project, readers will have a good understanding of EternalBlue and of how to protect their devices and systems against this vulnerability. This will greatly enhance data security at the organizational and individual level. By implementing the recommendations for preventing exploitation of EternalBlue, users of the affected Microsoft products will be protected against attackers who would otherwise exploit the vulnerability.

Additionally, the recommended measures will go a long way towards preventing other forms of attack that hackers may launch against systems or devices, including denial of service, phishing and malware attacks. Most of the requirements for preventing EternalBlue not only address that specific vulnerability but also block other exploits that attackers may use to gain unauthorized access to systems and devices.

Despite the positive impact of the solution, it may lead to increased expenditure. Organizations and individuals will need to invest in anti-virus software and, especially in large organizations, in the ongoing review of user privileges.

9. Advisor

10. Team and Roles

Sr. # | ID | Name | Roles
1 | | | Project Manager/Lead
2 | | | Research Assistant
3 | | | Data Analyst

11. Timetable

Task ID | Task Name / Description | Owner | Week # (1 to 15)
0.0 | Initial Meetings | | X
1.0 | Project Plan | | Due
2.0 | Project Design | | Due
3.0 | Implementation | | Due
4.0 | Testing Document | | Due
5.0 | Final Report | | Due
6.0 | Project Presentation | | Due

References

Ding, A., De Jesus, G., & Janssen, M. (2019). Ethical hacking for boosting IoT vulnerability management: A first look into bug bounty programs and responsible disclosure. Proceedings of the Eighth International Conference on Telecommunications and Remote Sensing (ICTRS '19).

Warren, T. (2017, April 15). Microsoft has already patched the NSA's leaked Windows hacks. The Verge.

Greenberg, A. (2017, December 19). Hold North Korea accountable for WannaCry—And the NSA, too. Wired. Retrieved March 1, 2020, from https://www.wired.com/story/koreaaccountable-wannacry-nsa-eternal-blue/.

Greenberg, A. (2018, August 22). The untold story of NotPetya, the most devastating cyberattack in history. Wired. Retrieved March 1, 2020, from https://www.wired.com/story/notpetyacyberattack-ukraine-russia-code-crashed-the-world/.

Shane, S., Perlroth, N., & Sanger, D. E. (2017, November 12). Security breach and spilled secrets have shaken the N.S.A. to its core. The New York Times. Retrieved March 1, 2020, from https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html.