pixel_dreams - Fotolia

Researchers port EternalBlue exploit to Windows 10

The EternalBlue exploit behind the WannaCry ransomware attacks has been successfully ported to an older version of Windows 10, but newer versions of the OS are protected.

Security researchers found a way to bypass various Microsoft security features and build a proof-of-concept version of the EternalBlue exploit that could infect devices with earlier versions of Windows 10.

Researchers for risk management vendor RiskSense said the proof of concept required "an additional data execution prevention bypass not needed in the original exploit" to get the EternalBlue exploit working on Windows 10 devices. However, RiskSense did not disclose certain details of the exploit that it felt would only be of use for malicious actors and not cybersecurity professionals.

The proof-of-concept EternalBlue exploit for Windows 10 only targeted version 1511 -- aka Threshold 2 -- released in November 2015. And Sean Dillon, senior security analyst for RiskSense in Albuquerque, N.M., said Microsoft has worked "to the best of their ability to try to protect customers."

"The Redstone 1 update, which is what Server 2016 releases with, has mitigations that so far have no publicly known way to defeat. The Redstone 2 update, which was unfortunately released shortly after MS17-010, builds on these mitigations. Microsoft has a bug bounty program with a current $100,000 prize for any researcher who can defeat certain exploit mitigations," Dillon told SearchSecurity. "Redstone 1 was August 2016. Redstone 2 is April 2017. However, Windows 10 versioning is weird, and any machine could be on version 1511 or prior. The important thing to do is get the MS17-010 patch."

Travis Smith, senior security research engineer at Tripwire Inc., based in Portland, Ore., said consumers should be safe because of Windows 10's automatic updates, but enterprise users need to be sure to patch.

Windows 10 versioning is weird, and any machine could be on version 1511 or prior. The important thing to do is get the MS17-010 patch.
Sean Dillonsenior security analyst for RiskSense

"The port of EternalBlue to Windows 10 is fairly complex, having to bypass quite a few protections built into the operating system. It's important to understand, though, that while this proof of concept has been identified to exploit Windows 10, the MS17-010 patch still resolves the vulnerability," Smith told SearchSecurity. "This exploit only pertains to those who are unable to patch their Windows 10 machines in a reasonable amount of time."

Dillon also noted that using this EternalBlue exploit on Windows 10 would require a very advanced threat actor.

"It still requires expert-level Windows kernel knowledge to port the exploit to Windows 10. I would expect all of the major intelligence communities of the world -- who now have this exploit, thanks to the Shadow Brokers leak -- have already done so or are close to finishing by now," Dillon said. "For now, such attacks would likely come out of the more advanced threat actors, such as large cybercriminal enterprises and intelligence agencies. We expect, as time goes on, the bar will be lowered by black hat collaboration and other factors."

EternalBlue exploit and SMBv1

Mounir Hahad, senior director at Cyphort Inc., based in Santa Clara, Calif., agreed the task would be difficult for average hackers, but not impossible, and there was one clear lesson to be learned.

"I don't think replicating the work of RiskSense is at the level of mundane criminal organizations, but unfortunately, it only takes one to succeed and sell the exploit to others," Hahad told SearchSecurity. "It is clear to anyone who is responsible for IT security that Microsoft patches must be installed and that SMBv1 must be disabled. We did not need a proof of concept to convince us."

Dillon said Server Message Block (SMB) version 1 is still useful "to allow interoperability with older Windows systems and other implementations of the SMB protocol -- such as Samba, which can be used on non-Windows machines" -- but should be considered a critical risk to enterprises where it is not essential.

Before the EternalBlue exploit was released by the Shadow Brokers, both US-CERT and Microsoft advised users to disable SMBv1 when possible, and experts said it is even more important now.

Nick Bilogorskiy, senior director of threat operations at Cyphort, said Microsoft "leaves the option to disable SMBv1 to the user, unless they need it."

"In general, I recommend disabling it to reduce the attack surface. SMBv1 is lacking key protections against security downgrade attacks and man-in-the-middle attacks," Bilogorskiy told SearchSecurity. "The preferred way to disable it is to make a registry change to Group Policy Object."

Smith said older versions of protocols like SMBv1 are included and enabled by default "for the sole purpose of maintaining backward compatibility," rather than security.

"From a user experience perspective, having a computer work out of the box is more ideal than having to change complex system settings, which most users don't typically understand," Smith said. "Unfortunately, security and usability are often at ends with each other. Leaving insecure protocols enabled and open to the world is not advisable in most cases; however, mitigating factors can be put in place to prevent an attacker from owning the systems."

Next Steps

Learn how to fortify your defenses with Windows 10.

Find out why the vulnerability remediation of WannaCry raised concerns.

Get info on how Windows 10 mitigates the risk of unpatched zero-days.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing