Exploits of Microsoft’s server message block (SMB) protocol have been an “unmitigated success” for malware writers, according to researchers at security firm Cylance.
In April 2017, the Shadow Brokers hacking group leaked an arsenal of tools it claimed to have stolen from the US National Security Agency (NSA).
The first of these tools to gain prominence was EternalBlue, an SMB protocol exploit that was a key component of the WannaCry global ransomware attacks in May 2017.
EternalBlue and other leaked SMB exploits – EternalRomance, EternalSynergy and EternalChampion – then appeared in attacks that followed, such as Petya/NotPetya, bitcoin miner Adylkuzz and the EternalRocks worm.
They have also been incorporated into penetration testing tools such as Metasploit, which are commonly abused by cyber criminals to develop and test malware.
In a newly released report, security researchers at Kaspersky Lab say these exploits became a game-changer in the cyber threat landscape in the second quarter of 2017.
The company claims to have blocked more than five million attacks from April to June using these exploits to take advantage of unpatched software.
According to Cylance, the SMB exploits have proved to be the most useful because they allow arbitrary remote code execution on a victim machine.
“This, by extension, could allow an attacker visibility into potentially sensitive information about the machine itself, its users or its surrounding network environment,” they wrote in a blog post. “That is bad for the user and the Holy Grail for any attacker.”
Since the leak, malware has been reported to spread in worm-like fashion, either by embedding its own implementation of the exploits or by simply packaging the tools as embedded resources.
“Unfortunately, there is nearly no skill required to leverage these tools and gain unauthorised access to vulnerable systems,” the researchers said.
The researchers provide a detailed analysis of each of the exploits, the shellcode they use and the DoublePulsar backdoor installed by each in an effort to help organisations determine the extent to which they are vulnerable and help inform their decisions on mitigating these vulnerabilities.
The researchers warn that EternalBlue allows the attacker to execute remote code on Windows 7 machines using SMBv2.1 to perform heap-spraying and trigger shellcode, but point out that because of changes from Windows 8, it will work only on Windows 7 or earlier versions.
EternalRomance exploits the process of handling SMBv1 transactions, which allows it to target Windows 7, XP and Vista, as well as Windows Server 2003 and 2008.
EternalSynergy uses a “packet-type confusion vulnerability”, while EternalChampion takes advantage of a race condition in transaction handling, which allows data to be added to a complete transaction that is already scheduled for execution.
Currently, all implementations of the SMB exploits use the DoublePulsar backdoor, which comprises multiple stages of shellcode that are detailed in the blog post.
Cylance advises organisations to install the patch MS17-010: Security update for Windows SMB Server: March 14, 2017.
“To spot the potential exploitation check, look for any PeekNamedPipe transactions containing an IPC$ TreeID Path where FID is set to 0x0000,” the Cylance researchers said.
“Any machine returning STATUS_INSUFF_SERVER_RESOURCES (0xC0000205) is vulnerable.”
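The check the Cylance researchers describe can be looked for passively in captured SMBv1 traffic. The Python below is an added example, not code from Cylance or from the original article; it assumes raw SMB1 messages with the NetBIOS session header already stripped and a caller-supplied set of tree IDs known to map to IPC$, and all function names and sample messages are constructed for illustration.

```python
import struct

SMB_COM_TRANSACTION = 0x25                   # SMBv1 command code
TRANS_PEEK_NMPIPE = 0x0023                   # PeekNamedPipe subcommand
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # status quoted in the article
SMB_FLAGS_REPLY = 0x80                       # set on server-to-client messages

def parse_header(msg):
    """Return (command, status, is_reply, tid, mid) from a 32-byte SMB1 header."""
    if len(msg) < 32 or msg[:4] != b"\xffSMB":
        return None
    command, status, flags = struct.unpack_from("<BIB", msg, 4)
    tid, = struct.unpack_from("<H", msg, 24)
    mid, = struct.unpack_from("<H", msg, 30)
    return command, status, bool(flags & SMB_FLAGS_REPLY), tid, mid

def is_peek_fid_zero(msg, ipc_tids):
    """True for a PeekNamedPipe request on an IPC$ tree with FID 0x0000."""
    hdr = parse_header(msg)
    if hdr is None or hdr[0] != SMB_COM_TRANSACTION or hdr[2] or hdr[3] not in ipc_tids:
        return False
    # WordCount is at offset 32, SetupCount at 59, Setup words (subcommand, FID) at 61.
    if len(msg) < 65 or msg[32] < 16 or msg[59] < 2:
        return False
    subcommand, fid = struct.unpack_from("<HH", msg, 61)
    return subcommand == TRANS_PEEK_NMPIPE and fid == 0x0000

def classify(request, response, ipc_tids):
    """Label one request/response pair taken from a capture."""
    if not is_peek_fid_zero(request, ipc_tids):
        return "not-a-check"
    req, rsp = parse_header(request), parse_header(response)
    # The reply must be a transaction response with the same TID and MID.
    if rsp is None or not rsp[2] or rsp[0] != SMB_COM_TRANSACTION or rsp[3:] != req[3:]:
        return "check-unanswered"
    if rsp[1] == STATUS_INSUFF_SERVER_RESOURCES:
        return "check-host-vulnerable"
    return "check-host-not-flagged"

# Constructed sample messages (not captured traffic); unused fields are zeroed.
def sample_header(status, flags, tid, mid):
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", SMB_COM_TRANSACTION, status,
                       flags, 0, 0, bytes(8), 0, tid, 0, 0, mid)
def sample_request(tid, mid, fid):
    words = bytes(26) + bytes([2, 0])  # 13 zeroed words, SetupCount=2, Reserved3
    return sample_header(0, 0, tid, mid) + bytes([16]) + words + struct.pack("<HH", TRANS_PEEK_NMPIPE, fid)
def sample_response(tid, mid, status):
    return sample_header(status, SMB_FLAGS_REPLY, tid, mid) + bytes(3)
```

A `check-host-vulnerable` result marks a host in the capture that still needs the MS17-010 update.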
According to their analysis, all four SMB exploits are “very well crafted, providing comprehensive coverage of Windows platforms and a common backdoor interface”.
They added: “The DoublePulsar backdoor has also been well designed, developed and tested, proving to be extremely reliable in the wild.”
The researchers noted that the modular composition of the exploits, ease of use, reliable/robust nature and near guaranteed success due to the high exposure of unpatched vulnerable systems have led to malware authors using the exploits in their code, resulting in several widespread global outbreaks.
Following the WannaCry and Petya/NotPetya malware campaigns, Microsoft has released software updates for previously unsupported/end-of-life versions of its Windows operating system.
“However, even with increased awareness and the availability of patches, the vulnerabilities are unlikely to disappear soon, and will no doubt be employed successfully by future malware, as well as being a treasured weapon in any pen-tester’s arsenal for many years to come,” the researchers warned.