Throughout the WannaCry ransomware attacks, Microsoft maintained that Windows 10 was not affected. Now, however, security researchers at RiskSense have ported a proof-of-concept EternalBlue exploit to an older version of Windows 10, version 1511, released in November 2015.
According to Sean Dillon, senior analyst at RiskSense, the exploit required the use of “an additional Data Execution Prevention bypass not needed in the original exploit.”
The proof-of-concept exploit is not being disclosed in full, since RiskSense feels that it may be used by malicious actors.
Dillon added that porting EternalBlue to Windows 10 requires a very high skill level:
“It still requires expert-level Windows kernel knowledge to port the exploit to Windows 10. I would expect all of the major intelligence communities of the world — who now have this exploit, thanks to the Shadow Brokers leak — have already done so or are close to finishing by now,” Dillon said. “For now, such attacks would likely come out of the more advanced threat actors, such as large cybercriminal enterprises and intelligence agencies. We expect, as time goes on, the bar will be lowered by black hat collaboration and other factors.”
According to Travis Smith, senior security research engineer at Tripwire Inc., based in Portland, Ore.:
“The port of EternalBlue to Windows 10 is fairly complex, having to bypass quite a few protections built into the operating system. It’s important to understand, though, that while this proof of concept has been identified to exploit Windows 10, the MS17-010 patch still resolves the vulnerability. This exploit only pertains to those who are unable to patch their Windows 10 machines in a reasonable amount of time.”
Two things emerge from the port of EternalBlue to Windows 10.
First, the MS17-010 patch is as critical a remediation for Windows 10 1511 environments as it is for older Windows versions.
Second, in the enterprise environment, Server Message Block version 1 (SMBv1) needs to be disabled wherever it is not required for interoperability with older Windows systems or with other implementations of the SMB protocol.
To be fair to Microsoft, it did advise users to disable SMBv1 when possible, even before the EternalBlue exploit was released by the Shadow Brokers.
Although newer versions of Windows 10, such as versions 1607 (Anniversary Update) and 1703 (Creators Update), are reported as protected, enterprises are still advised to apply the MS17-010 patch. RiskSense's PoC may be within reach of advanced threat actors only, but it takes just one group or individual to succeed and then sell the exploit to practically anyone, anonymously on the Dark Web if required.
We are not out of the woods yet, and enterprise users of Windows need to be a lot more vigilant about their IT systems.
A final word of advice from Nick Bilogorskiy, senior director of threat operations at Cyphort:
“(Microsoft) leaves the option to disable SMBv1 to the user, unless they need it.
“In general, I recommend disabling it to reduce the attack surface. SMBv1 is lacking key protections against security downgrade attacks and man-in-the-middle attacks. The preferred way to disable it is to make a registry change to Group Policy Object.”
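The two remediations the article calls for (confirming the MS17-010 update is installed, and auditing and then disabling SMBv1) can both be carried out from an elevated PowerShell prompt. The script below is an added example written for this page; it is not code from the article, RiskSense, Tripwire or Cyphort. The cmdlets, registry values and `sc.exe` commands are Microsoft's documented ones; the default KB ID in `Test-Ms17010Update` is taken from the MS17-010 bulletin entry for Windows 10 1511 and should be verified against the bulletin for the build actually in use. The registry and service settings in `Disable-Smb1LegacyHost` are the same values a Group Policy registry preference would push, which is the GPO route Bilogorskiy refers to.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and disable SMBv1 on a Windows host and check for MS17-010.
# Not the article's code. Run in an elevated session; the feature removal needs a reboot.

function Test-Ms17010Update {
    # $KbIds is an assumption: KB4013198 is the MS17-010 entry for Windows 10 1511
    # in Microsoft's bulletin. Pass the IDs for your own build(s) after checking the bulletin.
    # Caveat: on Windows 10 a later cumulative update supersedes the March 2017 one,
    # so an empty result means "not proven patched", not "proven vulnerable".
    param([string[]]$KbIds = @('KB4013198'))
    $found = Get-HotFix | Where-Object { $KbIds -contains $_.HotFixID }
    [pscustomobject]@{
        Build       = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
        KbInstalled = [bool]$found
        KbIds       = ($found.HotFixID -join ',')
    }
}

function Get-Smb1Status {
    # Windows 10 ships SMBv1 as an optional feature; the server service has its own switch too.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        FeatureState    = $feature.State            # Enabled / Disabled
        ServerSmb1      = $server.EnableSMB1Protocol
        AuditSmb1Access = $server.AuditSmb1Access   # when $true, SMB1 clients are logged
    }
}

function Find-Smb1Peers {
    # Before disabling, find out who still speaks SMB1 with this host so you know
    # which legacy systems (the interoperability case in the article) would break.
    # Dialect is reported as a version string such as "1.5", "2.02", "3.1.1".
    $inbound  = Get-SmbSession    -ErrorAction SilentlyContinue |
                Where-Object { $_.Dialect -and [version]$_.Dialect -lt [version]'2.0' }
    $outbound = Get-SmbConnection -ErrorAction SilentlyContinue |
                Where-Object { $_.Dialect -and [version]$_.Dialect -lt [version]'2.0' }
    [pscustomobject]@{
        InboundSmb1Clients  = @($inbound.ClientComputerName | Sort-Object -Unique)
        OutboundSmb1Servers = @($outbound.ServerName        | Sort-Object -Unique)
    }
}

function Enable-Smb1Audit {
    # Longer-term view: log every SMB1 access attempt (event ID 3000 in
    # Microsoft-Windows-SMBServer/Audit) and review it for a few weeks before disabling.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 | Select-Object TimeCreated, Message
}

function Disable-Smb1 {
    # Windows 10: turn the server-side protocol off immediately, then remove the feature
    # (server and client components). The feature change takes effect after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Disable-Smb1LegacyHost {
    # Windows 8.1 / Server 2012 R2 and earlier, or the values to deploy via a GPO registry
    # preference: server side is the SMB1 DWORD under LanmanServer; client side means
    # disabling the mrxsmb10 driver and dropping it from the workstation dependencies.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

# Typical order: check the patch, see who still uses SMB1, then disable it.
Test-Ms17010Update
Get-Smb1Status
Find-Smb1Peers
# Enable-Smb1Audit        # optional observation period
# Disable-Smb1            # Windows 10 / Server 2016
# Disable-Smb1LegacyHost  # older hosts or GPO-equivalent registry values
```

The script reports before it changes anything; the two `Disable-` calls are commented out so that the patch status and the list of SMB1 peers can be reviewed first. Disabling the server-side protocol with `Set-SmbServerConfiguration` closes the EternalBlue attack surface at once, while removing the optional feature also disables the SMBv1 client, which is what stops the host from being talked down to SMB1 by a malicious server.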
Source: Search Security