{
	"id": "02d43856-6fd9-4026-9fc0-e5a08bfc1ca9",
	"created_at": "2026-04-15T02:23:21.910928Z",
	"updated_at": "2026-04-18T02:21:30.878709Z",
	"deleted_at": null,
	"sha1_hash": "f37b6b5800ac665e31169a637f53ed54b48315da",
	"title": "Unraveling EternalBlue: inside the WannaCry’s enabler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65045,
	"plain_text": "Unraveling EternalBlue: inside the WannaCry’s enabler\r\nBy Cybernews Team\r\nPublished: 2023-09-01 · Archived: 2026-04-15 02:09:37 UTC\r\nWannaCry and NotPetya, probably the two most damaging cyberattacks in recent history, were both made possible by EternalBlue. Here is how the NSA-developed exploit works, and how you should defend against it.\r\nWhat is the EternalBlue vulnerability?\r\nEternalBlue is a Windows exploit developed by the US National Security Agency (NSA) and used in the 2017 WannaCry ransomware attack. Strictly speaking, EternalBlue is the exploit; the vulnerability it abuses is CVE-2017-0144, a remote code execution flaw in the SMBv1 server that Microsoft fixed in security bulletin MS17-010 in March 2017.\r\nThe flaw sits in Microsoft's implementation of version 1 of the Server Message Block (SMB) protocol. A crafted sequence of SMB packets sent to TCP port 445 of an unpatched Windows machine corrupts kernel memory and lets the sender run code of their choosing as SYSTEM, with no credentials and no user interaction. What runs next, a trojan, ransomware or a self-spreading worm, is the attacker's choice.\r\nSMB is the file- and printer-sharing protocol of Windows networks: a client sends requests and a server answers them. When a person prints to a shared printer, their computer (the client) sends the print request to the computer that hosts the printer (the server), and the two talk SMB.\r\nThe NSA did not alert Microsoft about the flaw for about five years, and did so only after its own tools had been stolen. Microsoft has publicly criticized the agency for stockpiling the exploit, even though the underlying bug was in Microsoft's own code. The NSA has declined to discuss the theft or EternalBlue in detail.\r\nEternalBlue\r\nBy Avast/Cybernews\r\nHow would EternalBlue look in a real attack scenario?\r\nImagine a large organization with a network of interconnected servers, workstations and IoT devices. 
Within this network there is a Windows system that has not received the security update that protects against EternalBlue.\r\nAn attacker who wants to exploit it sends a specially crafted sequence of SMB packets to that system. The packets trigger the EternalBlue vulnerability, giving the attacker unauthorized access and the ability to execute arbitrary code on the compromised system.\r\nhttps://cybernews.com/security/eternalblue-vulnerability-exploit-explained/\r\nPage 1 of 6\n\nRecon process\r\nIn the first stage of an attack, the attacker has several ways to find systems that are vulnerable to EternalBlue:\r\nScanning for Open Ports: port scanners such as Nmap reveal hosts with the SMB port (TCP 445) open. Scanning a range of IP addresses turns up potential targets whose SMB service is exposed to the internet, and Nmap's smb-vuln-ms17-010 script goes a step further and reports whether a host is still missing the MS17-010 patch.\r\nThe screenshot below shows Nmap flagging a host as vulnerable to EternalBlue.\r\nDiscovering EternalBlue\r\nCybernews screenshot\r\nExploit Frameworks: well-known frameworks such as Metasploit ship modules written for EternalBlue (the scanner auxiliary/scanner/smb/smb_ms17_010 and the exploit exploit/windows/smb/ms17_010_eternalblue). Such frameworks bundle a wide range of tools and exploits, so the attacker can automate both finding vulnerable systems and attacking them.\r\nThe screenshot below shows the prebuilt EternalBlue exploits.\r\nEternalBlue exploits\r\nCybernews screenshot\r\nShodan and Similar Tools: Shodan is a search engine that scans and indexes internet-connected devices, including vulnerable systems. 
By using targeted search queries, an attacker can identify hosts that may be susceptible to EternalBlue. Other services and databases that list vulnerable systems help in the same way.\r\nTargeted Phishing and Social Engineering: in some cases the attacker instead uses targeted phishing emails or social engineering to get an initial foothold on one machine inside the target network. From that compromised device they run internal reconnaissance to find vulnerable systems and exploit EternalBlue from the inside, where port 445 is rarely filtered.\r\nDiscovering vulnerable systems is only the first step. Once a vulnerable system is identified, the attacker exploits it, gains access, and then moves laterally through the network to escalate privileges and reach their objectives.\r\nExploit execution\r\nOnce a target is identified, the attacker launches an exploit against it. One of the most popular exploitation tools is the Metasploit Framework.\r\nWhat is Metasploit Framework?\r\nThe Metasploit Framework is a Ruby-based, modular penetration testing platform for writing, testing and executing exploit code. It contains a suite of tools for testing security vulnerabilities, enumerating networks, executing attacks and evading detection. 
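The port-scanning step of the recon process above, and the later advice to disable SMBv1, both come down to one question: does a host still negotiate SMBv1 on TCP 445? The probe below is an added example, not code from the article, from Nmap or from Metasploit. It sends an SMBv1 NEGOTIATE that offers only the NT LM 0.12 dialect and classifies the reply; the header constants are the documented SMBv1 values, while the sample replies built by make_sample_reply are constructed for an offline run, not captures. It reports whether SMBv1 is reachable, not whether MS17-010 is installed: for the patch check use Nmap's smb-vuln-ms17-010 script or Metasploit's auxiliary/scanner/smb/smb_ms17_010.

```python
import socket
import struct

# Added example: an SMBv1 NEGOTIATE probe. It offers only the NT LM 0.12 dialect,
# so a server that still speaks SMBv1 must answer with dialect index 0, while a
# server with SMBv1 disabled will not select it (Windows usually just drops the
# connection). The sample replies at the bottom are constructed, not captures.
SMB1_MAGIC = bytes.fromhex('ff534d42')   # 0xFF S M B
SMB2_MAGIC = bytes.fromhex('fe534d42')   # 0xFE S M B
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b'NT LM 0.12'

# SMB_Header after the 4-byte protocol id: Command, Status, Flags, Flags2,
# PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID (32 bytes in all)
SMB_HEADER_FMT = '<BIBHH8sHHHHH'


def smb1_header(command, flags, flags2, pid=0x1234, mid=1):
    return SMB1_MAGIC + struct.pack(
        SMB_HEADER_FMT, command, 0, flags, flags2, 0, bytes(8), 0, 0, pid, 0, mid)


def build_negotiate_request():
    '''NetBIOS session message carrying an SMB_COM_NEGOTIATE with one dialect.'''
    dialects = bytes([0x02]) + DIALECT_NT_LM_012 + bytes([0x00])
    # WordCount = 0 (no parameter words), then ByteCount and the dialect list
    body = bytes([0]) + struct.pack('<H', len(dialects)) + dialects
    smb = smb1_header(SMB_COM_NEGOTIATE, 0x18, 0xC801) + body
    return struct.pack('>I', len(smb)) + smb   # type 0x00 + 24-bit length


def parse_negotiate_response(data):
    '''Classify a raw reply to build_negotiate_request().
    smb1-negotiated: the server picked NT LM 0.12, SMBv1 is reachable.
    smb1-refused:    an SMBv1 reply that did not select our dialect.
    smb2-only:       the server answered with an SMB2 header.
    no-smb:          nothing that looks like SMB at all.'''
    smb = data[4:]                       # drop the NetBIOS session header
    if len(smb) < 4:
        return 'no-smb'
    if smb[:4] == SMB2_MAGIC:
        return 'smb2-only'
    if smb[:4] != SMB1_MAGIC or len(smb) < 33 or smb[4] != SMB_COM_NEGOTIATE:
        return 'no-smb'
    word_count = smb[32]                 # error replies carry no parameter words
    if word_count == 0 or len(smb) < 35:
        return 'smb1-refused'
    dialect_index = struct.unpack_from('<H', smb, 33)[0]   # 0xFFFF = none accepted
    return 'smb1-negotiated' if dialect_index == 0 else 'smb1-refused'


def probe_smb1(host, port=445, timeout=3.0):
    '''Connect, send the negotiate and classify the answer. A reset or an empty
    reply counts as smb1-refused because the server did not pick the dialect.'''
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(1024)
    except ConnectionError:
        return 'smb1-refused'
    except OSError:                      # closed or filtered port, timeout, bad name
        return 'no-smb'
    return parse_negotiate_response(data) if data else 'smb1-refused'


def make_sample_reply(word_count, dialect_index):
    '''Constructed negotiate reply (not a capture) for the offline check.'''
    words = b''
    if word_count:
        words = struct.pack('<H', dialect_index) + bytes(2 * (word_count - 1))
    smb = smb1_header(SMB_COM_NEGOTIATE, 0x98, 0xC801) + bytes([word_count]) + words + bytes(2)
    return struct.pack('>I', len(smb)) + smb


if __name__ == '__main__':
    import sys
    for target in sys.argv[1:]:
        print(target, probe_smb1(target))
    if len(sys.argv) == 1:               # no hosts given: run the offline samples
        print('sample accept ->', parse_negotiate_response(make_sample_reply(17, 0)))
        print('sample reject ->', parse_negotiate_response(make_sample_reply(1, 0xFFFF)))
```

Run it as python smb1_probe.py host1 host2 against hosts you are authorized to test; with no arguments it classifies the two constructed replies. A smb1-negotiated result on an internet-facing address is exactly what the Shodan and Nmap searches above look for, and after SMBv1 has been disabled the same probe should come back smb1-refused.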
At its core, the Metasploit Framework is a collection of commonly used tools that together provide a complete environment for penetration testing and exploit development.\r\nMetasploit Framework includes an EternalBlue exploit module that can be used directly against a vulnerable system.\r\nEternalBlue exploit\r\nCybernews screenshot\r\nThe screenshot below shows successful exploitation of the EternalBlue vulnerability.\r\nSuccessful EternalBlue exploitation\r\nCybernews screenshot\r\nEternalBlue chains three separate weaknesses in the SMBv1 server driver, srv.sys. The first is an arithmetic error in the routine that converts a list of OS/2 File Extended Attributes (FEAs), as carried in a TRANSACTION2 request, into the NT FILE_FULL_EA_INFORMATION format. The routine walks the list to work out how much non-paged pool to allocate, then writes the length it validated back into the list's 32-bit cbList header through a 16-bit store. The upper 16 bits of the attacker-supplied length survive the write-back, so the copy loop that follows trusts a list length larger than the one that was validated and writes past the end of a buffer sized for the smaller value: a kernel pool buffer overflow.\r\nThat overflow is only reachable if the FEA list can be longer than 65,535 bytes, which is where the second weakness comes in. It stems from a mismatch between two related SMB commands, SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT.\r\nBoth exist to carry requests too large for a single packet, and both have a _SECONDARY command for the follow-on fragments. The crucial difference is that TRANSACTION2 describes its data with 16-bit length fields while NT_TRANSACT uses 32-bit ones, so an NT_TRANSACT transaction can be far larger than 64 KiB. The server's validation goes wrong when the client opens the transaction with NT_TRANSACT and then finishes it with TRANSACTION2_SECONDARY fragments.\r\nAlthough the server sees two different command types, it tracks the transaction, and later dispatches it to a handler, based only on the type of the last fragment received. 
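The first bug, the 16-bit write-back of the validated FEA list length, modelled in Python as an added example (not code from the article or from srv.sys). The record sizes follow the OS/2 FEA and NT FILE_FULL_EA_INFORMATION layouts, the entry list and cbList values are constructed for the demonstration, and the patched branch models the MS17-010 fix as a full 32-bit store. It also shows why the list has to be longer than 65,535 bytes before the bug does any harm, which is what the NT_TRANSACT trick is for:

```python
# Added example: a model of the FEA-list size conversion in srv.sys, not the
# driver's own code. Record sizes follow the on-the-wire OS/2 FEA (fEA, cbName,
# cbValue, name plus NUL, value) and the in-memory NT FILE_FULL_EA_INFORMATION
# (8-byte fixed part, name plus NUL, value, rounded up to 4 bytes); the entry
# lists and cbList values below are constructed for the demonstration.
OS2_FEA_FIXED = 4     # fEA (1) + cbName (1) + cbValue (2)
NT_FEA_FIXED = 8      # NextEntryOffset (4) + Flags (1) + EaNameLength (1) + EaValueLength (2)
LIST_HEADER = 4       # the 32-bit cbList field that starts an OS/2 FEA list


def os2_size(name_len, value_len):
    return OS2_FEA_FIXED + name_len + 1 + value_len


def nt_size(name_len, value_len):
    return (NT_FEA_FIXED + name_len + 1 + value_len + 3) & ~3


def walk(cb_list, entries):
    '''Walk the OS/2 entries that fit before cb_list, the way both the sizing
    pass and the copy pass do. Returns (bytes walked, NT bytes those entries need).'''
    offset, needed = LIST_HEADER, 0
    for name_len, value_len in entries:
        size = os2_size(name_len, value_len)
        if offset + size > cb_list:      # entry would run past the declared end
            break
        offset += size
        needed += nt_size(name_len, value_len)
    return offset, needed


def size_to_nt(cb_list, entries, patched):
    '''Model of SrvOs2FeaListSizeToNt: size the NT buffer, then write the
    validated length back into cbList. Unpatched, the write-back is a 16-bit
    store, so the upper half of the attacker-supplied cbList survives.'''
    offset, needed = walk(cb_list, entries)
    if patched:
        new_cb_list = offset                                   # full 32-bit store
    else:
        new_cb_list = (cb_list & 0xFFFF0000) | (offset & 0xFFFF)
    return needed, new_cb_list


def convert(cb_list, entries, patched):
    '''Model of SrvOs2FeaListToNt: allocate what the sizing pass asked for, then
    copy every entry up to the (possibly inflated) cbList. Returns
    (bytes allocated, bytes written); written > allocated is the overflow.'''
    allocated, new_cb_list = size_to_nt(cb_list, entries, patched)
    _, written = walk(new_cb_list, entries)
    return allocated, written


# Constructed attacker list: three 0x8000-byte entries (os2_size(0, 0x7FFB) == 0x8000)
# but a declared cbList of exactly 0x10000, which only fits the first one.
CRAFTED = [(0, 0x7FFB)] * 3


def report(cb_list, entries, patched):
    allocated, written = convert(cb_list, entries, patched)
    return f'cbList={cb_list:#x} patched={patched}: allocated {allocated:#x}, wrote {written:#x}, overflow {max(0, written - allocated):#x}'


if __name__ == '__main__':
    print(report(0x10000, CRAFTED, patched=False))   # high word 0x0001 survives: overflow
    print(report(0x10000, CRAFTED, patched=True))    # 32-bit store: no overflow
    print(report(0xFFFF, CRAFTED, patched=False))    # under 64 KiB the bug is harmless
```

With cbList = 0x10000 the sizing pass validates one 0x8000-byte entry and allocates 0x8004 bytes, but the 16-bit store leaves cbList at 0x18004, so the copy pass converts all three entries and writes 0x1800C bytes: a 0x10008-byte pool overflow. The same list with cbList = 0xFFFF, or under the patched store, copies exactly what was allocated.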
Because the last fragment received is a TRANSACTION2 one, the assembled buffer, reserved with NT_TRANSACT's 32-bit size, is handed to the TRANSACTION2 handler, which now processes an FEA list longer than anything its own 16-bit length fields could describe. That is exactly the precondition the first bug needs.\r\nOnce the overflow is possible, the attacker still needs something useful to overwrite next to the overflowed buffer. A third SMBv1 behaviour provides it: the server allocates non-paged pool for each incoming session, so by opening many connections and sending session setup requests of chosen sizes the attacker can groom the kernel pool (a form of heap spraying) until a predictable structure sits immediately after the FEA buffer. Corrupting that structure turns the overflow into a controlled write, and from there the attacker places and executes shellcode in kernel context and takes control of the system.\r\nAfter compromising the first system, the attacker starts internal reconnaissance. They explore the network and scan for other vulnerable systems or worthwhile targets. Using tools such as Nmap or Metasploit they identify additional unpatched systems, and often find weak or default credentials that open further doors.\r\nEternalBlue privilege escalation\r\nCybernews screenshot\r\nEternalBlue privilege escalation 2\r\nCybernews screenshot\r\nThe screenshot below shows a successful privilege escalation. Because EternalBlue runs its payload in the kernel, a session obtained this way is usually already running as SYSTEM.\r\nEternalBlue privilege escalation 3\r\nThe lateral movement phase\r\nWith a growing foothold in the organization's network, the attacker escalates privileges and moves laterally from one compromised system to the next. Techniques such as Pass-the-Hash or Pass-the-Ticket let them impersonate legitimate users, reach more sensitive resources and expand their control over the network.\r\nDuring this lateral movement, the attacker may deploy further tools and malware. 
For example, keyloggers or credential-stealing malware can harvest the logins of highly privileged users, giving the attacker even greater control over critical systems and sensitive data.\r\nIn some cases the attacker deploys ransomware across the network, encrypting important files and bringing operations to a halt, then demands a ransom for the decryption keys, causing financial losses and potential reputational damage to the organization.\r\nThroughout this process the attacker may operate stealthily, using anti-forensic techniques and obfuscation to evade detection. Encrypted or tunnelled traffic hides their communications, and persistence mechanisms on the compromised systems ensure long-term access.\r\nDoes EternalBlue still exist?\r\nYes. At the time of writing (September 2023), 4,332 internet-exposed servers and workstations were still vulnerable to EternalBlue.\r\nThe top 10 countries with EternalBlue-vulnerable systems:\r\nTop 10 countries with EternalBlue vulnerability\r\nThe most common vulnerable operating systems:\r\nWindows 7 Professional 7600\r\nWindows 8.1 Pro 9600\r\nWindows Server 2012 R2 Standard\r\nOperating systems vulnerable to EternalBlue\r\nHow to defend against EternalBlue?\r\nTo protect against EternalBlue, implement the following measures:\r\nPatching and Updates: apply security patches promptly. Microsoft fixed the vulnerability in March 2017 (MS17-010, CVE-2017-0144) and later released out-of-band patches for unsupported systems such as Windows XP and Windows Server 2003. Make sure every affected system, servers and workstations alike, has the update installed. 
Additionally, keep all software, operating systems and network devices current with the latest security patches.\r\nDisable SMBv1: since EternalBlue targets SMBv1, disable or block SMBv1 across the network wherever it is not required. On Windows this is the Remove-WindowsFeature FS-SMB1 role (servers) or Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol (clients), and Set-SmbServerConfiguration -EnableSMB1Protocol $false turns the server side off without a reinstall. SMBv2 and SMBv3 are the secure alternatives, and recent Windows releases no longer install SMBv1 by default.\r\nNetwork Segmentation: segment the network to isolate critical systems and restrict traffic between segments. This limits the attacker's lateral movement and contains the impact of any successful exploitation.\r\nFirewalls and Intrusion Detection Systems: block TCP 445 (and the legacy NetBIOS port 139) at the perimeter and between segments that do not need file sharing, and restrict SMB access to the hosts that need it. Intrusion Detection and Prevention Systems (IDS/IPS) carry signatures for EternalBlue exploit traffic and can detect and block attempts.\r\nAccess Controls and Privilege Management: enforce strong access controls and the principle of least privilege. Limit users to the privileges their roles need, and review and revoke unnecessary privileges regularly. This limits what an attacker can do after a successful exploitation.\r\nSecurity Awareness and User Education: train users to recognize and report phishing emails and suspicious attachments. 
Promote security awareness and educate users about the risks of clicking unknown links or opening attachments from untrusted sources, since these are common entry points for attacks.\r\nEndpoint Protection: deploy and maintain reliable antivirus and anti-malware software on all systems and keep its threat definitions current so that known malware carrying EternalBlue or similar exploits is detected and blocked.\r\nNetwork Monitoring and Incident Response: implement robust network monitoring and logging to detect and respond to exploitation attempts and suspicious activity, and have an incident response plan ready to contain and remediate an intrusion quickly.\r\nSummary\r\nEternalBlue has been widely used for ransomware attacks, botnet building, credential theft and lateral movement within networks. Its exploitation can have serious consequences: data breaches, financial losses, operational disruption and reputational damage.\r\nThe flaw affected a wide range of Windows versions, including older ones such as Windows XP and Windows Server 2003 that many organizations were still running when it became public. That breadth made for a large attack surface and a critical concern for security teams.\r\nEternalBlue gained notoriety through its role in high-profile attacks. The WannaCry ransomware outbreak of 2017 infected hundreds of thousands of systems worldwide, disrupting healthcare, government and financial services among other sectors. 
The NotPetya malware, another highly destructive attack, also used EternalBlue to propagate.\r\nEternalBlue itself is an exploit, not a worm, but because it needs no credentials and no user interaction, malware that carries it can spread across a network on its own. That self-propagation is what let WannaCry and NotPetya compromise vulnerable systems so quickly and on such a scale.\r\nSource: https://cybernews.com/security/eternalblue-vulnerability-exploit-explained/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybernews.com/security/eternalblue-vulnerability-exploit-explained/"
	],
	"report_names": [
		"eternalblue-vulnerability-exploit-explained"
	],
	"threat_actors": [],
	"ts_created_at": 1776219801,
	"ts_updated_at": 1776478890,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f37b6b5800ac665e31169a637f53ed54b48315da.pdf",
		"text": "https://archive.orkl.eu/f37b6b5800ac665e31169a637f53ed54b48315da.txt",
		"img": "https://archive.orkl.eu/f37b6b5800ac665e31169a637f53ed54b48315da.jpg"
	}
}