SMB Exploited: WannaCry Use of “EternalBlue”

26 May 2017

Server Message Block (SMB) is the transport protocol used by Windows machines for a wide variety of purposes such as file sharing, printer sharing, and access to remote Windows services. SMB operates over TCP ports 139 and 445. In April 2017, Shadow Brokers released an SMB vulnerability named “EternalBlue,” which was part of the Microsoft security bulletin MS17-010.

The recent WannaCry ransomware takes advantage of this vulnerability to compromise Windows machines, load malware, and propagate to other machines in a network. The attack uses SMB version 1 and TCP port 445 to propagate.

Context

SMB provides support for what are known as SMB Transactions. Using SMB Transactions enables atomic read and write to be performed between an SMB client and server. If the message request is greater than the SMB MaxBufferSize, the remaining messages are sent as Secondary Trans2 requests. This vulnerability affects the srv2.sys kernel driver and is triggered by malformed Secondary Trans2 requests.

Read full news article on FireEye Blog

Date:

26 May 2017

Categorie(s):

NEWS

Tag(s):

Blogs, Malware, Security, SMB, WannaCry, WannaCry Ransomware

Clonezilla Live Is Now Patched Against the XZ Backdoor, Powered by Linux 6.718 April 2024
Zoom offers AI-based updates to its Workplace collaboration space18 April 2024
‘MadMxShell’ leverages Google Ads to deploy malware via Windows backdoor18 April 2024
Zoom launches Workplace, an AI-enabled collaboration space18 April 2024
LastPass users targeted in phishing attacks good enough to trick even the savvy18 April 2024