This week's release of Metasploit includes a scanner and exploit module for the EternalBlue vulnerability, which made headlines a couple of weeks ago when hacking group, the Shadow Brokers, disclosed a trove of alleged NSA exploits. Included among them, EternalBlue, exploits MS17-010, a Windows SMB vulnerability. This week, EternalBlue has been big news again due to attackers using it to devastating effect in a highly widespread ransomware attack, WannaCry. Unless you've been vacationing on a remote island, you probably already know about this; however, if you have somehow managed to miss it, check out Rapid7's resources on it, including guidance on how to scan for MS17-010 with Rapid7 InsightVM or Rapid7 Nexpose.

The Metasploit module - developed by contributors zerosum0x0 and JennaMagius - is designed specifically to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. It does not include ransomware like WannaCry does and it won't be worming its merry way around the internet.

Metasploit is built on the premise that security professionals need to have the same tools that attackers do in order to understand what they're up against and how best to defend themselves. The community believes in this, and we have always supported it. This philosophy drove the amazing Metasploit contributor community to take on the challenge of reverse engineering and recreating the EternalBlue exploit as quickly and reliably as possible, so they could arm defenders with the info they need. We want to say a big thanks to JennaMagius and zerosum0x0 for their work on this.

From a vulnerability management perspective, there are a lot things that security practitioners can do to understand their exposure, however, with Metasploit you can go beyond theoretical risk and show the impact of compromise. Access to systems is more concrete evidence of the problem. Metasploit effectively allows security practitioners to test their own systems and dispel the hype and speculation of headlines with facts.

From a penetration testing perspective, research shows that over two thirds of engagements had exploitable vulnerabilities leading to compromise. Metasploit modules such as EternalBlue enable security practitioners to communicate the real impact of not patching to the business.

UPDATE – May 19, 2017: Security researcher, Krypt3ia, wrote a blog post highlighting a possible connection between the process that zerosum0x0 and JennaMagius went through in reversing the EternalBlue exploit, and the WannaCry attack.

Zerosum0x0 and JennaMagius both work at as security researchers at RiskSense, a provider of pro-active cyber risk management solutions. In response to Krypt3ia's blog, RiskSense provided this clarification of the situation:

The module was developed to enable security professionals to test their organization's vulnerability and susceptibility to attack via EternalBlue. As part of their research, the researchers created a recording of the network traffic that occurs when the Fuzzbunch EternalBlue exploit is run. The purpose of this recording was to help educate other security professionals, and get feedback as they worked through the process. This kind of approach is fairly common in both the security researcher and open source contributor communities, where transparent collaboration enables individuals to pool their expertise and achieve greater results. It's possible that data from this analysis was copied and rewritten by individuals with malicious intent; we cannot confirm if this is the case or not. Unfortunately, this is a risk that is taken whenever technical information and techniques are shared publicly. None-the-less, we believe the educational and collaborative benefits generally outweigh the risk. To our knowledge, no code from the Metasploit module was ever used in the WannaCry attacks, and once Krypt3ia's blog pointed out the possibility that some of the information may have been used by the attackers, we removed the recording from the Github repository to ensure no other bad actors would be able to do likewise to create variants of the malware.

Here's a summary of context and the technical details:

    • Recording the replay and playing it back works against freshly booted boxes because the Tree Connect AndX response will assign TreeID 2048 on the first few connections, after which it will move on to other tree IDs. This is the same for the user login request. The replay would then fail because the rest of the replay is using "2048" for the tree and user IDs, and the server has no idea what the client is talking about.
    • Zerosum0x0x's research supplemented these findings by outlining that __USERID__PLACEHOLDER__ and __TREEID__PLACEHOLDER__ strings were also present in the malware.

Replaying ANY recording of EternalBlue will produce the same result, so the attackers may have chosen to use that particular recording to throw investigators off track. It is important to note that to our knowledge no code from the Metasploit module was ever used in the WannaCry attacks.

To be successful, the attackers independently implemented sending the network traffic in C; constructed additional code to interact with DoublePulsar (which is a significantly harder undertaking than just replaying the recorded traffic), implemented the rest of their malware (maybe before or after), and then released it on the world.

Again, Rapid7 wants to reiterate how much we appreciate community participants such as zerosum0x0 and JennaMagius, who contribute their time and expertise to better arm organizations to defend themselves against cyberattackers.