Exploiting The Eternal Blue Vulnerability (CVE-2017-0144) For SMB In An Essay.

Your boss has recently learned that SMB is being targeted by the EternalBlue exploit and is concerned about the company’s Windows file servers as they have SMB externally facing for customers and internet users. He has supplied you with a simplified company network diagram (below) and asked you, the network security student, to write a research paper addressing the following concerns:

1.Why does the CVE-2017-0144 vulnerability occur (cover all 3 components)

2.How is CVE-2017-0144 leveraged to perform the EternalBlue exploit

3.Using a risk matrix, what risk does the EternalBlue exploit pose to Files’R’Us?

4.Provide a Proof of Concept (PoC) EternalBlue exploitation against one of Files’R’Us machines and, using your shell, print the flag on the tafe user’s Desktop.

5.Immediate remediation actions (Files’R’Us has not been owned by Ransomware. Do not include scanning for Ransomware)

6.Prevention measures that can be taken to reduce/eliminate future events (Files’R’Us has not been owned by Ransomware. Do not include scanning for Ransomware).
 

Overview of 'R' Us organization

This project is exploits the leveraging the vulnerability CVE-2017-0144 and it had the name as Eternal Blue. The 'R' Us is a small company and it earns the profits from hosting files for clients with 30 employees. It offers the hosting solutions across the all the file transfer protocols such as WebDev,  SCP,  FTP, SMP and HTTP. The solutions of hosting are used to allow an any customer to upload files and any internet user to download files using other available file transfer protocols. Recently, the organization employed the undergraduate to provide the responsibilities include the managing the customer service and file servers through the file transfers and its configuration. It uses the normal file transfer protocols such as SMB and user forced to use RDP. The RDP is used to speed up the DMZ process. User also notices organization vulnerability patch management process. This project is used to SMB is being targeted by the Eternal Blue exploit. It also addresses the CVE-2017-0411 vulnerability and it perform the exploit Eternal blue. It also addresses the risk matrix and provide the proof of concept against the File 'R' Us machines. It also immediate the remediation actions and provide the prevention measures that can be reduce and eliminate the future events.

The Critical issues in CVE-2017-0144 is exploit the vulnerability in SMB to spread over LAN. It impacting the various institutions including the hospitals and it causing the disruption of provided services. The attackers are massively spread the malware to exploit the CVE-2017-2014 vulnerability in SMB. To reduce these issues to uses the ESET security solutions with up to date version of detection engine because it able to detect and stop this malware. It protects the remote exploitation of the vulnerability at the network level using the network protection module. The CVE-2014-0014 also has windows SME remote code execution vulnerability issues and it is allows the remote attackers to execute the arbitrary code through the crafted packets. It also has the Eternal Blue SMB remote windows kernel pool corruption is used to buffer the overflow remove operation to authenticate to perform the exploit. It causes the system instability and crashed such as reboot and BSOD (Comer, 2015). 

The open source software is providing the windows file sharing access to non-windows machine using the CIFS and SMB protocol and it recently disclosed a similar remote code execution vulnerability to WannaCry that allows users to authorized access through the SMB protocol. It working the exploit the leveraging the CVE-2017-0014 for Metasploit. Metasploit includes an exploit and scanner module for the eternal blue vulnerability. It currently delivering a crypto mining protocol and targeting the raspberry Pi's that have the default credentials. It exploiting the recent disclose from the CVE-2017-0014. It infects the network devices with port 22 because attackers are aggressively scanning the internet looking for vulnerable devices with port 445 exposed (Peterson & Davie, 2012). It also infecting the various machines during the campaign was due to users neglecting to install security updates in a timely fashion. It creates the unfortunate exploitation of marketing the vulnerability CVE-2017-0014 was dubbed the wannacry. It also exploits the empower the cyber criminals.  It exploits the network framework and payload used in the campaign. The best prevention for attacks is generally has the maintenance and patching. It focuses on the risk analysis and security research for network and application-based vulnerabilities. It focuses on Denial of services attacks includes the analysis of botnets and malware. It helps to Radware develop the signatures and mitigation attacks proactively for an organization ("EternalBlue: Metasploit Module for MS17-010", 2018). 

Critical issues in CVE-2017-0144 vulnerability

The Eternal Blue exploit the vulnerability on windows environment and it is a remote code execution vulnerability that takes place over SMB. The organizations behind on the patch management will continue to be exposed to the risk of the malware and others the leveraging the eternal blue vulnerability ("Risk Assessment | Ready.gov", 2018). To reduce the risk on the eternal blue by using the below steps.

1. Use supported operating systems

Ensure all the operating systems being ran by the organizations are receiving the ongoing the security patched from the vendor.

2. Host based firewalls

Consider the applying the firewall rules at the window host level that is used to prevent the unnecessary system to system communication

3. Properly manage backups

The backups are properly not stored within a network that might be susceptible to infected by a worm (White, 2018).

4. Patch management

The patch program is used to ensure the all windows systems are receiving the security patches. It is used to fixing the eternal blue vulnerability.

5. Network Segmentation

The network segmentation is used to applying the routing and firewall rules that create the security zones in user network.

The Eternal blue proof of concept in uncontrolled environment and without prior authorization may be illegal ("10 Major Security Threats in Cloud Computing | TCS Cyber Security Community", 2018). It making the several leaks that contained the some of the hacking tools and it affected were the firewall, Microsoft and antivirus products. It has five Filtration,

• Equation Group cyber weapons Auction
• Trick or Treat
• Black Friday and cyber Monday sale
• Don't forget your base
• Lost in Translation

These are containing the exploits targeting Microsoft windows. The relationship between the most of the vulnerability found that are ued to attack the windows vulnerability. It leaks the network infrastructure and it focused on the windows system. The vulnerabilities are point to the server message block service and Net Bios protocol. It is used to exchange the protocol that allows ti applications to write and Read the files and requires services from the server programs on Microsoft network. Generally, these vulnerabilities have the big impact that was exploited massively and it patched the vulnerabilities ("How To Delete SMB: CVE-2017-0144 Virus Completely From Windows PC? - PC Malware Security", 2018). 

Immediate Remediation actions to takes the eternal vulnerabilities to ransom ware variant that targets the unpatched windows operating systems and it infected the users experience file encryption ("Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN", 2018). It ensures the systems are patched and up to date. Generally, Eternal blue needs the immediate actions because it has been infected. The immediate actions are listed in below ("SMB Vulnerabilities – WannaCry, Adylkuzz and SambaCry", 2018).

• Threat Intelligence
• Communicate
• Patch or Inoculate OS
• Incident Response
• Communicate
• Locate backups and restore the date
• Takes a proactive approach to identified the vulnerability
• Consider the disabling unused legacy protocol
• Formalize the incident response procedures

Prevention measures against the vulnerability

The Eternal blue has the horrific trojan virus that must be removed immediately from the windows systems. So, perform the several malicious activities in victimized computer remotely. The threats are creating the several critical issues in their windows system including the data loss, application malfunction, very slow system performance, hard drive and more. To prevent the vulnerability by using the critical system protection to restrict the software installation and executable modification and it used to protect the windows-based system ("Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability | Symantec", 2018). It used the windows prevention policy strategy including whitelisting, hardening and basic. It used to prevent the windows-based systems from the attacks. It encrypting the ransomware may laterally spread from a compromised system. 

Conclusion 

The 'R' Us organization is provides and exploits the leverage the vulnerability of CVE-2017-00114. It also known as Eternal blue. The 'R' Us is a small company and it earns the profits from hosting files. It offers the hosting solutions across the all the file transfer protocols such as WebDev,  SCP,  FTP, SMP and HTTP. The solutions of hosting are used to allow an any customer to upload files and any internet user to download files using other available file transfer protocols. This project is to analysis the SMB to perform the exploit eternal blue. The SMB is a transport protocol used by windows machines and it has various purposed such as printer sharing, file sharing and access to remote window services. The shadow brokers are released an SMB vulnerability named Eternal blue. It takes the advantages of this vulnerability to compromise the windows machines, propagate and load malware to other machines in a network.  It also discussed and analyzed the Critical issues on Eternal blue. This project also discussed the proof of concept, immediate actions and risk assessment based on Eternal blue. 

References

10 Major Security Threats in Cloud Computing | TCS Cyber Security Community. (2018). Securitycommunity.tcs.com. Retrieved 16 April 2018, from https://securitycommunity.tcs.com/infosecsoapbox/articles/2017/02/14/10-major-security-threats-cloud-computing

Comer, D. (2015). Computer networks and internets. Harlow, England: Pearson Education.

EternalBlue: Metasploit Module for MS17-010. (2018). Rapid7 Blog. Retrieved 18 April 2018, from https://blog.rapid7.com/2017/05/19/metasploit-the-power-of-the-community-and-eternalblue/

How To Delete SMB: CVE-2017-0144 Virus Completely From Windows PC? - PC Malware Security. (2018). PC Malware Security. Retrieved 18 April 2018, from https://www.pcmalwaresecurity.com/trojan/delete-smb-cve-2017-0144-virus-completely-windows-pc/

Microsoft Windows SMB Server CVE-2017-0144 Remote Code Execution Vulnerability | Symantec. (2018). Symantec.com. Retrieved 18 April 2018, from https://www.symantec.com/security_response/vulnerability.jsp?bid=96704

Peterson, L., & Davie, B. (2012). Computer networks. Burlington: Morgan Kaufmann / Elsevier.

Risk Assessment | Ready.gov. (2018). Ready.gov. Retrieved 16 April 2018, from https://www.ready.gov/risk-assessment

SMB Vulnerabilities – WannaCry, Adylkuzz and SambaCry. (2018). Radware Blog. Retrieved 18 April 2018, from https://blog.radware.com/security/2017/06/smb-vulnerabilities-wannacry-adylkuzz-sambacry/

Vulnerability CVE-2017-0144 in SMB exploited by WannaCryptor ransomware to spread over LAN. (2018). Support.eset.com. Retrieved 18 April 2018, from https://support.eset.com/ca6443/?locale=en_US&viewlocale=en_US

White, C. (2018). Wannacry Ransomware & Mitigation Steps. risk3sixty LLC. Retrieved 18 April 2018, from https://www.risk3sixty.com/2017/05/13/alert-wannacry-ransomware