EternalBlue, which is an ancient set of hacks — ancient: going back three years — is still applicable, especially in regard to some of the technology and vulnerabilities that we are seeing today. EternalBlue is a software that the NSA developed to hack Windows machines. The goal was to break into a computer (without telling the owner “someone’s there”) — and then run a software of choice. Windows contains more than two millions lines of code, so nobody, even at Microsoft, really knows what it’s all doing, and vulnerabilities are found every day. EternalBlue hacks targeted some of those vulnerabilities.
Running Windows makes you vulnerable by default. Linux, Mac, Android, iPhone — they’re all vulnerable because we’ve reached the state of complexity in the operating systems that we choose to run that it’s just a matter of time before new ways are found to break into these systems. Online trickery happens, and people download malware thinking they’re getting a good piece of software. For example, there was once a program called Whack-a-Mole. It was known to have a Trojan in it, so if hackers were able to convince you “hey, this is the coolest game in town,” then your machine would be infected. When hackers are trying to break into a machine, whether through a means like Whack-a-Mole or through an EternalBlue hack, they’re trying to do it surreptitiously, invisibly. They don’t want you to know because, if you knew, you might do something like reboot. This led the hackers to ratchet up what we call the “persistence” of malware, so that maybe it could survive a reboot.
If you’ve ever had a browser toolbar appear in Internet Explorer, or Chrome or Firefox or Edge, or any other browser, that toolbar probably has the rights to see wherever you’re surfing and modify the webpages that you get back, and can even interact with you. A toolbar is a very visual indicator that “you’ve been hacked.” Is that toolbar interested in stealing your passwords and learning your PayPal login and modifying what you visit and how you see it? Maybe, maybe not. But it’s an indication that you’re running untrusted software. Going out to the web and downloading a piece of software because it looks interesting is almost a guaranteed way to get hacked.
Malware programmers write apps, publish them and they get downloaded, and in the background there’s a malware stealing passwords, modifying webpages, looking at your identity — those are all activities I would consider hacks — and that’s what EternalBlue is. In short, it leverages a vulnerability that the NSA found in the Microsoft SMB protocol. They found that if they hurled a packet that was the right size in the right shape, it would shove a square peg into a round hole, and the round hole wouldn’t know what to do, and so it would execute a buffer overflow attack. Windows wasn’t expecting a square peg in a round hole, so it would trip, fall down, and execute code of the attacker’s choice. EternalBlue hacks took advantage of a “round” Server Message Block (SMB) hole, and as that SMB failed, it could run a Trojan, or blue screen a computer, or download a piece of malware.
Less than thirty days after EternalBlue got into the hands of cybercriminals, a nasty bug called WannaCry was released to the world. It made you want to cry because it was ransomware. It used EternalBlue as the delivery exploit, so as soon as WannaCry got a foothold inside a corporate network, it would jump from machine to machine to machine and ransom. By the next year, EternalBlue hacks had cost companies and industries billions of dollars, and 65 countries have fallen to EternalBlue’s vulnerability and have been ransomed or hacked in some fashion. Why? Because even after Microsoft released a patch, millions of computers were unprotected because people didn’t patch.
Patching… and more than patching
Cybercriminals are continually waiting for time, opportunity, and tools to be able to successfully hack into your system. To prevent it, we do a number of things. We patch our machines, we turn on our firewalls, and we don’t let people be local administrators. We make sure our antivirus is current. But we need more than antivirus because hackers now have toolkits to program custom malware. They don’t have to know about EternalBlue hacks if they have a malware toolkit. These toolkits change malware by a byte or two bytes, which changes the signature of the program. As a result, the antivirus software, which is looking for signatures, can’t detect the malware. This designer malware is specifically written for a particular company. The malware is one-of-a-kind and still does the same EternalBlue exploit. Because of this dark web exchange of malware toolkits and designer ransomware, more robust cybersecurity measures, like endpoint security, are needed to keep our businesses safe.
IF Only Tech Time
Fridays – Noon (MT)
Answers to all things about IT
IF you did miss IT… did you miss IT!? No worries!
Watch a tech talk here!