EternalBlue
| Eternal - Anonymous | |
|---|---|
| Technical name | Trojan:Win32/EternalBlue (Microsoft) |
| Type | Exploit | 
| Authors | Equation Group | 
| Technical details | |
| Platform | Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2012, Windows Server 2016 | 
EternalBlue is a computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a zero-day vulnerability in Microsoft Windows software that allowed users to gain access to any number of computers connected to a network. The NSA was aware of this vulnerability but did not disclose it to Microsoft for several years, as it intended to use the exploit as part of its offensive cyber operations. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft might have been informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then released publicly on April 14, 2017.
On May 12, 2017, a computer worm in the form of ransomware, nicknamed WannaCry, used the EternalBlue exploit to attack computers using Windows that had not received the latest system updates removing the vulnerability. On June 27, 2017, the exploit was again used to help carry out the 2017 NotPetya cyberattack on more vulnerable computers.
The exploit was also reported to have been used since March 2016 by the Chinese hacking group Buckeye (APT3), after they likely found and re-purposed the software, and to have been used as part of the Retefe banking trojan since at least September 5, 2017.