What is the SMB vulnerability, and how was it exploited to launch the WannaCry ransomware attack?

  • The United States National Security Agency (NSA) developed an exploit, dubbed ‘EternalBlue’, for a vulnerability in the Windows implementation of SMB version 1 (SMBv1).
  • In May 2017, the WannaCry ransomware attack infected more than 200,000 Windows systems by using EternalBlue to exploit that SMBv1 vulnerability.

What is SMB?

Server Message Block (SMB) is a network file sharing protocol that lets Windows systems on the same network or domain read and write each other's files. SMB also lets computers share printers and serial ports, and it carries the named-pipe traffic that many Windows services use for remote administration. On current networks it runs directly over TCP port 445; older deployments carried it over NetBIOS on TCP port 139. SMBv1 (the dialect family also known as CIFS) is the original design; SMBv2 and SMBv3 are later, separately implemented protocols, which is why a flaw in the SMBv1 code does not affect them.

Vulnerability in SMB version 1.0

In 2017, the WannaCry ransomware attack exploited a vulnerability in SMB version 1.0 (SMBv1) to run its payload on vulnerable hosts and propagate across networks without any user interaction.

  • The SMBv1 vulnerability (CVE-2017-0144) lets a remote, unauthenticated attacker execute arbitrary code on an affected system by sending crafted packets to its SMBv1 server; nothing more than network access to the SMB port is required, so the attacker can take full control of the machine.
  • Microsoft had already released a patch, security bulletin MS17-010, on 14 March 2017, two months before the attack; systems that had applied it were not affected. Microsoft also recommends disabling SMBv1 altogether, since SMBv2 and SMBv3 are not affected and few modern systems need SMBv1.
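The dialect negotiation that opens every SMB session is where SMBv1 and SMBv2/3 can be told apart on the wire, and it is what a network-side check for hosts still speaking the vulnerable protocol generation keys on. The Python script below is an added example written for this page; it is not code from the article or from any SMB implementation. It decodes the client's NEGOTIATE request and the server's reply in both the SMBv1 and the SMB2 message formats and reports which protocol generation the two sides actually agreed on. Field offsets follow Microsoft's public [MS-CIFS] and [MS-SMB2] specifications; the sample packets are constructed by hand for this example rather than captured, and the `build_*` functions exist only to produce them.

```python
"""Tell SMBv1 from SMBv2/3 by decoding an SMB dialect negotiation.

Added example (not from the original article). Offsets follow [MS-CIFS]
and [MS-SMB2]; the packets at the bottom are constructed, not captured.
"""
import struct
from typing import List, Tuple

SMB1_MAGIC = b"\xffSMB"          # SMBv1 (CIFS) header signature
SMB2_MAGIC = b"\xfeSMB"          # SMBv2/3 header signature
SMB1_HEADER_LEN, SMB2_HEADER_LEN = 32, 64
SMB1_COM_NEGOTIATE, SMB2_NEGOTIATE = 0x72, 0x0000
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x02FF: "SMB 2.??? (wildcard)",
                 0x0300: "SMB 3.0", 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_nbss(pkt: bytes) -> bytes:
    """Remove the 4-byte NetBIOS Session Service header (type 0x00 + 24-bit length) used on port 445."""
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    if int.from_bytes(pkt[1:4], "big") != len(pkt) - 4:
        raise ValueError("NBSS length does not match payload")
    return pkt[4:]


def smb1_offered_dialects(msg: bytes) -> List[str]:
    """Dialect strings in an SMB_COM_NEGOTIATE request (each entry: 0x02 + NUL-terminated ASCII)."""
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB1_COM_NEGOTIATE:
        raise ValueError("not an SMBv1 NEGOTIATE request")
    word_count = msg[SMB1_HEADER_LEN]                       # parameter words follow the header
    bc_off = SMB1_HEADER_LEN + 1 + 2 * word_count           # then a 16-bit ByteCount
    (byte_count,) = struct.unpack_from("<H", msg, bc_off)
    data = msg[bc_off + 2 : bc_off + 2 + byte_count]
    dialects, pos = [], 0
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("malformed dialect entry")
        end = data.index(b"\x00", pos + 1)
        dialects.append(data[pos + 1 : end].decode("ascii"))
        pos = end + 1
    return dialects


def smb2_offered_dialects(msg: bytes) -> List[str]:
    """Dialect IDs in an SMB2 NEGOTIATE request; the 16-bit IDs start at body offset 36."""
    if msg[:4] != SMB2_MAGIC or struct.unpack_from("<H", msg, 12)[0] != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE request")
    body = msg[SMB2_HEADER_LEN:]
    structure_size, count = struct.unpack_from("<HH", body, 0)
    if structure_size != 36:
        raise ValueError("unexpected SMB2 NEGOTIATE structure size")
    return [SMB2_DIALECTS.get(d, "0x%04x" % d) for d in struct.unpack_from("<%dH" % count, body, 36)]


def negotiated_protocol(request: bytes, response: bytes) -> Tuple[str, str]:
    """Return (generation, dialect) chosen by the server. The reply decides: a client may open
    with an SMBv1-format request that also offers 'SMB 2.???', and a server that supports SMB2
    answers it with an SMB2 header, so an SMBv1 request alone does not mean SMBv1 is in use."""
    req, resp = strip_nbss(request), strip_nbss(response)
    if resp[:4] == SMB2_MAGIC:
        (dialect,) = struct.unpack_from("<H", resp, SMB2_HEADER_LEN + 4)   # DialectRevision
        return "SMB2", SMB2_DIALECTS.get(dialect, "0x%04x" % dialect)
    if resp[:4] == SMB1_MAGIC:
        (index,) = struct.unpack_from("<H", resp, SMB1_HEADER_LEN + 1)    # DialectIndex (word 0)
        if index == 0xFFFF:
            return "none", "server rejected every offered dialect"
        return "SMB1", smb1_offered_dialects(req)[index]
    raise ValueError("unrecognised SMB header")


# ---- constructed sample packets (for this example only, not captured traffic) ----
def _nbss(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg

def build_smb1_negotiate_request(dialects: List[str]) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27       # status/flags/ids zeroed
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _nbss(header + b"\x00" + struct.pack("<H", len(data)) + data)  # WordCount=0, ByteCount, dialects

def build_smb1_negotiate_response(dialect_index: int) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x80" + b"\x00" * 22  # 0x80 = reply flag
    words = struct.pack("<H", dialect_index) + b"\x00" * 32               # NT LM 0.12 reply has 17 words
    return _nbss(header + b"\x11" + words + b"\x00\x00")                   # WordCount=17, ByteCount=0

def _smb2_header() -> bytes:
    return SMB2_MAGIC + struct.pack("<HH", 64, 0) + b"\x00" * 4 + struct.pack("<H", SMB2_NEGOTIATE) + b"\x00" * 50

def build_smb2_negotiate_request(dialect_ids: List[int]) -> bytes:
    body = struct.pack("<HHHHI", 36, len(dialect_ids), 1, 0, 0) + b"\x00" * 24  # ... ClientGuid, start time
    return _nbss(_smb2_header() + body + struct.pack("<%dH" % len(dialect_ids), *dialect_ids))

def build_smb2_negotiate_response(dialect_id: int) -> bytes:
    return _nbss(_smb2_header() + struct.pack("<HHH", 65, 1, dialect_id) + b"\x00" * 58)

CLIENT_SMB1 = build_smb1_negotiate_request(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
LEGACY_SERVER = build_smb1_negotiate_response(0)        # selects "NT LM 0.12": SMBv1 is in use
MODERN_SERVER = build_smb2_negotiate_response(0x02FF)   # declines SMBv1 with the SMB2 wildcard
CLIENT_SMB2 = build_smb2_negotiate_request([0x0202, 0x0210, 0x0311])

if __name__ == "__main__":
    print(smb1_offered_dialects(strip_nbss(CLIENT_SMB1)))
    print(negotiated_protocol(CLIENT_SMB1, LEGACY_SERVER))
    print(negotiated_protocol(CLIENT_SMB1, MODERN_SERVER))
    print(smb2_offered_dialects(strip_nbss(CLIENT_SMB2)))
```

The point to take from `negotiated_protocol` is that the server's reply, not the client's request, tells you whether SMBv1 is in use: a current Windows client still opens with an SMBv1-format NEGOTIATE that lists "SMB 2.???" next to "NT LM 0.12", and a server that declines SMBv1 answers with the 0xFE 'SMB' header and the 0x02FF wildcard, after which the client sends a proper SMB2 NEGOTIATE. Only a reply carrying the 0xFF 'SMB' header with a dialect index pointing at an SMBv1 dialect shows that the legacy protocol was actually negotiated. To run this against real traffic, feed it the first TCP payload in each direction of a port 445 connection, for example the reassembled stream from a packet capture.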

EternalBlue exploits the SMB vulnerability

The U.S. National Security Agency discovered the vulnerability in the Windows implementation of the SMBv1 protocol. Instead of reporting it to Microsoft so that it could be fixed, the agency developed an exploit for it, dubbed ‘EternalBlue’, and kept the flaw to itself.

The EternalBlue exploit was, however, stolen from the NSA by a group calling itself the Shadow Brokers, which published it on 14 April 2017 as part of a larger dump of NSA tools. Microsoft's MS17-010 patch had shipped a month earlier, so from the day of the leak the exploit worked only against unpatched systems.

WannaCry attack

  • In May 2017, the WannaCry ransomware attack targeted Windows systems, encrypting their files and demanding ransom payments in Bitcoin.
  • The ransomware carried its own copy of the EternalBlue exploit and used it to break into unpatched systems through the SMBv1 vulnerability, which is how it installed itself on each new victim.
  • WannaCry therefore spread like a computer worm: each infected machine scanned for other hosts with TCP port 445 reachable, both on its local network and on the internet at large, and infected them in turn without any action by the user.
  • More than 200,000 computers across 150 countries were found to be infected in the attack.

According to recent research, nearly 1.7 million internet-connected endpoints are still exposed to the SMBv1 exploit, that is, still reachable on the SMB port without the MS17-010 patch applied.