Last Friday (April 14, 2017), just before Easter, an egg was laid by The Shadow Brokers, a group that hopped into the spotlight in mid-2016. This time, the group dropped an especially colorful release, in the form of Eternalblue.
Eternalblue is part of an exploit tool release called Lost in Translation, (allegedly) part of a wider NSA leak. The exact source of Eternalblue is debatable, and the history is not for this post to explore. The ramifications of Eternalblue are straightforward, and explained below.
Aimed at a wide audience, Eternalblue and the exploit package that wraps it include what could be the most damaging zero-day exploit dropped by the group to date.
Here are the interesting bits:
The SMB (service, not to be confused with a market segment) vulnerability exploited by Eternalblue is applicable to a wide range of Windows operating systems, including 2008, 2008 R2, 7, 7 SP1, both x86 and x64 architectures.
Simply put, most every enterprise was vulnerable for an as-yet undetermined period of time.
To be fair and clear:
The problem is, nobody knows exactly when the vulnerability was discovered, when the exploit was built, or how many organizations may have been breached using it (or, now that it’s in the wider wild…). Of course, the creators know, but they aren’t likely to provide details. However, it may be possible to characterize the window of opportunity for exploitation by analyzing the change records of the srvnet.sys driver published by Microsoft, though that is beyond the scope of this post. Here is an example of available hotfixes related to Windows 2008 R2.
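Comparing a fleet against Microsoft's driver change records starts with knowing what each host actually runs. The following PowerShell inventory is an added example, not code from the original post or from Bitdefender: it records the version and last-write time of the SMB server drivers and the installed hotfixes on the local host, which is the raw material for the kind of window analysis mentioned above. It uses only standard cmdlets and the standard driver directory; no patch identifiers are assumed.

```powershell
# Added example: inventory the SMB server drivers and installed hotfixes on a
# Windows host so the output can be lined up with the published change records.
# Get-WmiObject is used rather than Get-CimInstance so the script also runs on
# the PowerShell 2.0 that shipped with Windows 7 / 2008 R2.
function Get-SmbDriverInventory {
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'

    # srv.sys / srv2.sys implement the SMB1 / SMB2 server; srvnet.sys is the
    # shared transport layer underneath them. Only report files that exist.
    $drivers = foreach ($name in 'srv.sys', 'srv2.sys', 'srvnet.sys') {
        $path = Join-Path $driverDir $name
        if (Test-Path $path) {
            $file = Get-Item $path
            New-Object PSObject -Property @{
                Driver         = $name
                FileVersion    = $file.VersionInfo.FileVersion
                ProductVersion = $file.VersionInfo.ProductVersion
                LastWriteUtc   = $file.LastWriteTimeUtc
            }
        }
    }

    # Installed hotfixes sorted by install date: the gap between a driver's
    # last change and the first update that replaced it is the exposure window
    # for that host.
    $hotfixes = Get-HotFix |
        Sort-Object InstalledOn |
        Select-Object HotFixID, Description, InstalledOn

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OS           = (Get-WmiObject Win32_OperatingSystem).Caption
        Drivers      = $drivers
        Hotfixes     = $hotfixes
    }
}

# Usage: print the driver table and the hotfix table for this host.
$inventory = Get-SmbDriverInventory
"Host: $($inventory.ComputerName) ($($inventory.OS))"
$inventory.Drivers  | Format-Table Driver, FileVersion, LastWriteUtc -AutoSize
$inventory.Hotfixes | Format-Table HotFixID, Description, InstalledOn -AutoSize
```

Run it with an account that can read the drivers directory; to cover a fleet, wrap the call in `Invoke-Command -ComputerName` and export the objects to CSV so the driver versions can be joined against the change records by hand.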
As we are wont to do, Bitdefender found the package and exercised it against some of our kit.
From our researchers:
Another system is protected using Bitdefender Hypervisor Introspection, and the result is:
We have published a demo recording of the lab scenario below:
An important aspect of Hypervisor Introspection is that it resolves the isolation versus context dilemma of security. Since the protection operates using the Direct Inspect APIs that are part of Citrix XenServer, it is isolated from the protected workloads (Windows virtual machines in this case) by the underlying Intel hardware.
To us at Bitdefender, it’s straightforward: introspection of virtual machine memory from the hypervisor will detect memory-based attacks like Eternalblue. There is no way around it – the hypervisor sees all.
Zero-day exploits that leverage unknown vulnerabilities, such as Eternalblue, can be stopped.
Andrei Florescu is Director of Product Management, Datacenter at Bitdefender. He guides enterprise-focused product management activity while maintaining involvement in large customer deployments and strategic alliances. Before moving into his current role, Andrei held a variety of customer-facing technology positions. He has numerous industry certifications focused on security, virtualization, and cloud, and is an Electronics Engineer, having earned his degree at University “Politehnica” of Bucharest. He is based in the Dallas/Fort Worth area.