The recent massive WannaCry cyber attack damaged most machines running Windows 7. While Windows XP was largely spared due to a bug in the ransomware code, Windows 10 had more advanced defences and could therefore not be infected.
However, researchers found that the EternalBlue remote kernel exploit used in WannaCry could be used to infect unpatched Windows 10 machines with malware by bypassing detection rules recommended by governments and antivirus vendors, says RiskSense senior security researcher Sean Dillon. They stripped the original leaked version of EternalBlue down to its essential components and deemed parts of the data unnecessary for exploitation. The good brainy guys did port the exploit created by NSA to Windows 10 and created a Metasploit module based on the hack.
Their refined module features reduced network traffic and the removal of the DoublePulsar back door, which they felt were distracting security researchers.
WannaCry targeted a Server Message Block (SMB) critical vulnerability that Microsoft patched with MS17-010 on March 14, 2017, but a different version of EternalBlue could infect Windows 10.
This version of EternalBlue, an exploit initially released by Shadow Brokers earlier this year, does not use the DoublePulsar payload common among other exploits leaked by the hacker group. DoublePulsar was the main implant used in WannaCry and a key focus for defenders.
“The DoublePulsar backdoor is kind of a red herring for researchers and defenders to focus on,” said Dillon. “We demonstrated that by creating a new payload that can load malware directly without having to first install the DoublePulsar backdoor. So people looking to defend against these attacks in the future should not focus solely on DoublePulsar. Focus on what parts of the exploit we can detect and block.”
EternalBlue gives instant un-credentialed remote access to Windows machines without the MS17-010 patch update. The slimmed-down EternalBlue can be ported to unpatched versions of Windows 10 and deliver stealthier payloads. An advanced malware would be able to target any Windows machine, broadening the spread of an attack like WannaCry, Dillon explains. Unpatched Windows 10 machines are at risk, despite the fact that Microsoft’s newest OS receives exploit mitigations that earlier versions don’t.
They published the results of their research but said they made it difficult for black hat hackers to follow in their footsteps. “We’ve omitted certain details of the exploit chain that would only be useful to attackers and not so much for building defences,” Dillon noted. “The research is for the white-hat information security industry in order to increase the understanding and awareness of these exploits so that new techniques can be developed that prevent this and future attacks. This helps defenders better understand the exploit chain so that they can build defences for the exploit rather than the payload.”
Other types of malware, like banking spyware and bitcoin miners, could more easily fly under the radar, says Dillion. Such malware can infect organisations and governments but they won’t know until years. Lying dormant, the attackers could steal intellectual property or cause damage to these networks.
Dillion advises that businesses should update to Windows 10 but put in place the necessary firewalls, setting up VPN access for users who need internal access and an in-depth inventory that can identify software and devices in networks, as well as knowing when patches are released.