
EternalBlue

The exploit that revealed global digital fragility

Let’s start from the beginning: what is EternalBlue?

EternalBlue (despite the evocative name, which sounds like a wonderful sea to visit) is actually the longest-lasting exploit of all time. It is an exploit for Microsoft Windows, originally developed by the National Security Agency (NSA) as an intelligence tool, which allowed remote access to the data held on devices running Microsoft systems. In 2017 the hacker group Shadow Brokers stole it from the NSA, giving rise to a series of (devastating) attacks that we know by other names.

How does it work?

The EternalBlue cyber kill chain – when the exploit is used by hackers for malicious purposes – follows a surgical strategy:

  1. Reconnaissance: Automated scanning for vulnerable networks
  2. Intrusion: Exploiting SMB to gain access without authentication
  3. Spread: Autonomous replication of the malware
  4. Infiltration: Installation of the malicious payload
  5. Destruction: Encryption or corruption of the system
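As an added example that is not part of the original article or of Gyala's products, the following Python script shows how a defender could spot the reconnaissance and spread steps above in connection logs: it flags any source that opens TCP/445 (the SMB port) to many distinct hosts inside a short window, which is how a self-propagating SMB worm behaves. The log format, hosts, threshold and window are assumptions constructed for this example.

```python
"""Flag worm-like SMB fan-out: one source reaching many distinct hosts on
TCP/445 within a short window. Added example, not code from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic), one event per line:
# "<ISO timestamp> <src> <dst> <dport>".
# 10.0.0.5 sweeps sixteen neighbours on 445 in sixteen seconds (worm-like);
# 10.0.0.7 talks only to a file server on 445 (normal client behaviour);
# 10.0.0.9 contacts many hosts, but on 443, so it is out of scope here.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:00:{i:02d} 10.0.0.5 10.0.0.{20 + i} 445" for i in range(16)]
    + [f"2017-05-12T10:01:{i:02d} 10.0.0.7 10.0.0.50 445" for i in range(16)]
    + [f"2017-05-12T10:02:{i:02d} 10.0.0.9 10.0.0.{60 + i} 443" for i in range(16)]
)


def parse_line(line: str):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_smb_fanout(log_text: str, threshold: int = 10, window_seconds: int = 60) -> dict:
    """Return {src: peak number of distinct destinations} for every source that
    reached at least `threshold` distinct hosts on TCP/445 within any span of
    `window_seconds`. Threshold and window are tuning assumptions for the example."""
    per_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, dport = parse_line(line)
        if dport == 445:  # only SMB connections matter for this detection
            per_src[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for src, count in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {count} distinct hosts on TCP/445 within 60s")
```

Running it reports only 10.0.0.5; the file-server client and the port-443 sweep stay silent, which is the behaviour a tuned detection should show.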

WannaCry (2017): the first

On 12 May 2017, the WannaCry ransomware demonstrated EternalBlue’s destructive potential.
In just 24 hours, over 200,000 systems in 150 countries were attacked, causing economic damage estimated at around USD 4 billion.

The attacks were indiscriminate, but the UK was hit hardest: British hospitals had to suspend surgeries, telecommunications companies had their services disrupted and critical infrastructure was paralyzed.
In the rest of the world there were many other victims; among those worth remembering are Nissan and Renault in France, FedEx in the USA, Hitachi and a railway line in Japan, and Russian Railways and the bank VTB. Despite how widely the attack spread, from the hackers’ point of view it was a failure, because the ransom payments (to be made in bitcoin) amounted to very little.

NotPetya: The evolution of the threat

A few months after WannaCry (May 2017), NotPetya demonstrated an even more advanced level of sophistication. Initially disguised as ransomware, it turned out to be a powerful tool that hit international companies such as Maersk and FedEx, causing more than $10 billion in damage. However, beyond its economic impact, NotPetya soon showed its true intent: causing disruption on a large scale.

This attack, too, relied on the EternalBlue exploit, which allowed NotPetya to penetrate the network and spread through interconnected systems, paralyzing them.

Indexsinas

Also exploiting the EternalBlue vulnerability, in 2019 the Indexsinas worm appeared, with the self-propagating behaviour inherent in worms. The attack hit the healthcare, education, telecommunications and hospitality sectors. But here too the ultimate goal was not ransom.
Rather, it was to let the hackers use the compromised machines for cryptomining operations (while preventing anyone else from accessing their wallet statistics).

Is EternalBlue really still dangerous?

EternalBlue remains a significant threat, though a reduced one: Microsoft released security patches as early as March 2017, but unpatched and outdated systems remain vulnerable, for example:

  • Legacy versions of Windows (Windows XP, Windows 7)
  • Systems in companies or infrastructures whose updates are out of date
  • IoT or embedded devices with outdated operating systems

What can we do to block these attacks and prevent their damage?

Our cyber security solution, AGGER, detects and reacts by natively defending the Windows XP and Windows 7 operating systems. This is also why protecting legacy systems with Agger can add the layer of cybersecurity that many companies still lack.