EternalBlue^[5] is a computerexploit software developed by the U.S.National Security Agency (NSA).^[6] It is based on azero-day vulnerability inMicrosoft Windows software that allowed users to gain access to any number of computers connected to anetwork. The NSA was aware of this vulnerability but did not disclose it to Microsoft for several years, as it intended to use the exploit as part of its offensive cyber operations. In 2017, the NSA discovered that the software was stolen by a group of hackers known as theShadow Brokers. Microsoft might have been informed of this and released security updates in March 2017patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then released publicly on April 14, 2017.^[5]

On May 12, 2017, acomputer worm in the form ofransomware, nicknamedWannaCry, used the EternalBlue exploit to attack computers using Windows that had not received the latest system updates removing the vulnerability.^{[5][7][8][9][10][11]: 1} On June 27, 2017, the exploit was again used to help carry out the2017 NotPetya cyberattack on more vulnerable computers.^[12]

The exploit was also reported to have been used since March 2016 by the Chinese hacking groupBuckeye (APT3), after they likely found and re-purposed the software,^[11]: 1 as well as reported to have been used as part of the Retefe bankingtrojan since at least September 5, 2017.^[13]

EternalBlue exploits a vulnerability inMicrosoft's implementation of theServer Message Block (SMB) protocol. This vulnerability is denoted by entryCVE-2017-0144^[14][15] in theCommon Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions ofMicrosoft Windows mishandles specially crafted packets from remote attackers, allowing them to remotely execute code on the target computer.^[16]

The NSA did not alert Microsoft about the vulnerabilities, and held on to it for more than five years before the breach forced its hand. The agency then warned Microsoft after learning about EternalBlue's possible theft, allowing the company to prepare a software patch issued in March 2017,^[17] after delaying its regular release of securitypatches in February 2017.^[18] OnTuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,^[19] which detailed the flaw and announced thatpatches had been released for all Windows versions that were currently supported at that time, these beingWindows Vista,Windows 7,Windows 8.1,Windows 10,Windows Server 2008,Windows Server 2008 R2,Windows Server 2012,Windows Server 2012 R2, andWindows Server 2016.^[20][21]

The Shadow Brokers publicly released the EternalBlue exploit code on April 14, 2017, along with several other hacking tools from the NSA.^[5]

Many Windows users had not installed the Microsoft patches when, on May 12, 2017, theWannaCry ransomware attack started to use the EternalBlue vulnerability to spread itself.^[22][23] The next day (May 13, 2017), Microsoft released emergency security patches for the unsupportedWindows XP,Windows 8, andWindows Server 2003.^[24][25]

In February 2018, EternalBlue wasported to all Windows operating systems sinceWindows 2000 byRiskSense security researcher Sean Dillon.EternalChampion andEternalRomance, two other exploits originally developed by the NSA and leaked byThe Shadow Brokers, were also ported at the same event. They were made available asopen sourcedMetasploit modules.^[26]

At the end of 2018, millions of systems were still vulnerable to EternalBlue. This has led to millions of dollars in damages due primarily to ransomware worms. Following the massive impact ofWannaCry, bothNotPetya andBadRabbit caused over $1 billion worth of damages in over 65 countries, using EternalBlue as either an initial compromise vector or as a method of lateral movement.^[27]

In May 2019, the city ofBaltimore struggled with acyberattack by digital extortionists; the attack froze thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. Nicole Perlroth, writing forThe New York Times, initially attributed this attack to EternalBlue;^[28] in a memoir published in February 2021, Perlroth clarified that EternalBlue had not been responsible for the Baltimore cyberattack, while criticizing others for pointing out "the technical detail that in this particular case, the ransomware attack had not spread with EternalBlue".^[29]

Since 2012, four Baltimore City chief information officers have been fired or have resigned; two left while under investigation.^[30] Some security researchers said that the responsibility for the Baltimore breach lay with the city for not updating their computers. Security consultant Rob Graham wrote in a tweet: "If an organization has substantial numbers of Windows machines that have gone 2 years without patches, then that’s squarely the fault of the organization, not EternalBlue."^[31]

First appearing in February 2017, EternalBlue updated and, in May 2017, looked different from previous versions, according to aKaspersky forum. It affected the internal computer system of theMinistry of Internal Affairs of Russia and computers in several regions of Russia including Tatarstan, simultaneously. Theransomeware WCry virus (also known as WannaCry or WannaCryptor) encrypts the user's files, changes their extension (presumably to . WNCRY) and asks the affected computer's administrator to buy a special decryptor usingbitcoins otherwise the infected computer's files will be deleted. Worldwide, more than 36 thousand computers were infected, most of them in Russia, Ukraine and Taiwan according to Jakub Kroustek of theantivirus software firmAvast.^[32][33]

After the WannaCry attack, Microsoft took "first responsibility to address these issues", but criticized government agencies like the NSA andCIA for stockpiling vulnerabilities rather than disclosing them, writing that "an equivalent scenario with conventional weapons would be theU.S. military having some of itsTomahawk missiles stolen".^[34] The stockpiling strategy prevented Microsoft from knowing of (and subsequently patching) this bug, and presumably other hidden bugs.^[34][35] However several commentators, including Alex Abdo ofColumbia University's Knight First Amendment Institute, have criticised Microsoft for shifting the blame to the NSA, arguing that it should be held responsible for releasing a defective product in the same way a car manufacturer might be.^[36] The company was faulted for initially restricting the release of its EternalBlue patch to recent Windows users and customers of its $1,000 per device Extended Support contracts, a move that left organisations such the UK's NHS vulnerable to the WannaCry attack. A month after the patch was first released, Microsoft took the rare step of making it available for free to users of all vulnerable Windows editions dating back to Windows XP.^[37]

EternalRocks orMicroBotMassiveNet is acomputer worm that infects Microsoft Windows. It uses seven exploits developed by the NSA.^[38] Comparatively, the WannaCryransomware program that infected 230,000 computers in May 2017 only uses two NSA exploits. As a result, researchers believe EternalRocks to be significantly more dangerous.^[39] The worm was discovered via ahoneypot.^[40]

EternalRocks first installsTor, a private network that conceals Internet activity, to access its hidden servers. After a brief 24 hour "incubation period",^[38] the server then responds to the malware request by downloading and self-replicating on the "host" machine.

The malware even names itself WannaCry to avoid detection from security researchers. Unlike WannaCry, EternalRocks does not possess akill switch and is not ransomware.^[38]

• BlueKeep (security vulnerability) – A similar vulnerability
• List of NSA controversies
• Petya (malware)

• Grossman, Nadav (September 29, 2017)."EternalBlue – Everything There Is To Know".

• Microsoft Security Bulletin MS17-010
• Microsoft Update Catalog entries for EternalBlue patches
• CVE-2017-0144 Entry in CVE catalog

• Computer security exploits
• National Security Agency
• Windows communication and services

• CS1 maint: multiple names: authors list
• CS1 Russian-language sources (ru)
• Articles with short description
• Short description matches Wikidata
• Use mdy dates from May 2017