Hypervisor Introspection defeated Eternalblue a priori

Last Friday (April 14, 2017), just before Easter, an egg was laid by The Shadow Brokers, a group that hopped into the spotlight in mid-2016. This time, the group dropped an especially colorful release, in the form of Eternalblue.

Eternalblue is part of an exploit tool release called Lost in Translation, (allegedly) part of a wider NSA leak. The exact source of Eternalblue is debatable, and the history is not for this post to explore. The ramifications of Eternalblue are straightforward, and explained below.

Aimed at engaging a wide audience, Eternalblue and the wrapping exploit package includes what could be the most damaging zero-day exploit dropped by the group to date.

Here are the interesting bits:

• Code name "Eternalblue”
  • A zero-day (AKA – new normal) exploit of a remote code execution vulnerability in the Windows SMB server
• Fuzzbunch (https://github.com/fuzzbunch/fuzzbunch)
  • An exploit framework similar to Metasploit Rapid7

The SMB (service, not to be confused with a market segment) vulnerability exploited by Eternalblue is applicable to a wide range of Windows operating systems, including 2008, 2008 R2, 7, 7 SP1, both x86 and x64 architectures.

Simply put, most every enterprise was vulnerable for an as-yet undetermined period of time.

To be fair and clear:

• Microsoft reacted quickly, publishing the MS17-010 security bulletin and the necessary patches a month before the leak (March 14, 2017).
• Soon after the leak was made public, Microsoft published an additional blog post to further alleviate customer concerns. The post advised everyone to apply the patches on their servers to hammer home the elemental point of patching, post-haste.

The problem is, nobody knows exactly when the vulnerability was discovered, when the exploit was built, or how many organizations may have been breached using it (or, now that it’s in the wider wild…). Of course, the creators know, but they aren’t likely to provide details. However, it may be possible to characterize the window of opportunity for exploit by analyzing the change records of the svrnet.sys driver published by Microsoft, though that is beyond the scope of this post. Here is an example of available hotfixes related to Windows 2008 R2.

As we are wont to do, Bitdefender found the package and exercised it against some of our kit.

From our researchers:

• We installed the exploit and tools in a test VM, and directed the exploit at a couple of Windows 2008 R2 running in our lab (without the latest patches, default install settings).
• Running the exploit against the unprotected system demonstrated just how damaging the exploit is. Fuzzbunch remotely executed Eternalblue against the vulnerable server and installed a backdoor onto the system; needless to say, we're dealing with a ring-0 exploit and the remote attacker accessing the backdoor gains instant NT AUTHORITY\SYSTEM privileges.

Another system is protected using Bitdefender Hypervisor Introspection, and the result is:

• When the exploit was executed against the server protected by our Hypervisor Introspection, the kernel space memory protection kicked it and prevented the exploitation attempt. Bitdefender Hypervisor Instrospection prevented the exploit.

We have published a demo recording of the lab scenario below:

An important aspect of Hypervisor Introspection is that it resolves the isolation versus context dilemma of security. Since the protection operates using the Direct Inspect APIs that is part of Citrix XenServer, it is isolated from the protected workloads –Windows virtual machines in this case – by the underlying Intel hardware.

To us at Bitdefender, it’s straightforward: introspection of virtual machine memory from the hypervisor will detect memory-based attacks like Eternalblue. There is no way around it – the hypervisor sees all.

Zero-day exploits that leverage unknown vulnerabilities, such as Eternalblue, can be stopped.