NSA Used EternalBlue Exploit For Five Years Before It Was Leaked

The NSA had been using the EternalBlue exploit, which is at the heart of WannaCry, for its own purposes for five years before disclosing the vulnerability to Microsoft. The main reason the exploit was finally disclosed appears to be that public exposure could have very serious and widespread consequences, given the vast number of vulnerable devices exploitable in the wild (which is exactly what happened when it was repackaged with self-propagating ransomware code).

Some NSA officials, as reported by The Washington Post, discussed how dangerous the exploit was while deliberating on whether to disclose the issue to Microsoft. The intelligence haul from use of the exploit was described by a former NSA employee as “unreal”.

“It was like fishing with dynamite,” said a second.

Brad Smith, Microsoft’s President, compared the NSA’s failure to keep the code secured to “the U.S. military having some of its Tomahawk missiles stolen”.

This is not an isolated incident: the agency suffered massive data exfiltration in 2013 when contractor Edward Snowden leaked large amounts of secret documents.

A timeline of how we got to the WannaCry ransomware situation we’re currently facing is summarized below:

  1. About 5 years ago: NSA develops initial exploit for zero-day vulnerability dubbed “EternalBlue”

During its early iterations, EternalBlue was prone to crashing systems, so it was nicknamed EternalBlueScreen after the infamous Blue Screen of Death (BSoD) that Windows displays when it encounters a fatal system error. Over time the NSA upgraded “EternalBlue” to mitigate the BSoD issues.

  2. Spring 2014: Obama administration kicks off a new process to vet vulnerabilities among the FBI, the NSA, the CIA, and the Department of Homeland Security
  3. August 2016: ShadowBrokers dump a set of exploits, of which EternalBlue was a part.

Note: These hacking tools are identical to those taken by former NSA contractor Harold T. Martin III, according to former officials.

  4. October 2016: Harold Martin is arrested after the FBI finds massive amounts of classified data collected from various agencies.
  5. Between October and January 2016: NSA discloses vulnerability to Microsoft
  6. January 2016: ShadowBrokers announce the auction of dozens of NSA tools
  7. February 2016: Microsoft abruptly cancels February’s scheduled patch release over “last minute issues”
  8. March 2017: Microsoft releases security bulletin MS17-010, which addresses the SMB vulnerability used by WannaCry ransomware
  9. May 2016: WannaCry gets deployed and causes massive havoc worldwide

The question we should be asking is: what if the Shadow Brokers had released this exploit back in 2014? An NSA employee described the risk as follows:

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

If that was the position of the DoD as described above, how much more devastating would an earlier leak of this exploit have been to the rest of the world (financial, critical nationwide infrastructure, medical facilities, service industries, etc.)?


The Washington Post  |  ArsTechnica  |  Softpedia


WannaCry Ransomware Causes Havoc Worldwide

The WannaCry ransomware, also known as wncry, has been blamed for the recent cyberattack on the U.K.’s National Security Agency (NSA). It has infected the systems of at least 16 U.K. trusts and is spreading worldwide. Spain’s computer emergency response team, CCN-CERT, reported that telecommunications firm Telefonica was hit as well.

What is Ransomware?

Ransomware is a type of malicious software that prevents you from using your PC normally. It can stop certain applications from running (e.g. a web browser), encrypt files on your system and demand that you pay a “ransom” to regain access to your files. However, there is no guarantee that paying will give you access back to your files.

WannaCry Ransomware

The ransomware encrypts files on the infected host and changes their extensions to .wnry, .wcry, .wncry and .wncrypt. The lockscreen payment instructions tell the user to send around $300 worth of bitcoin to an anonymous address.


The attack appears to use a Windows Server Message Block (SMB) exploit, EternalBlue / DoublePulsar. Microsoft released a patch for this in March for the following affected operating systems: Windows Vista, 7, 8, 10 and versions of Windows Server.

The initial infection vector has yet to be determined, but it most likely spread via phishing email. Below is an excerpt from a threat analysis by MalwareBytes:

“…the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).

The WinMain of this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique… Therefore, nothing will happen on any new systems that run the executable.”

Due to the proliferation and criticality of this attack, Microsoft has made security updates available for unsupported systems that did not receive March’s security update. They had this to say regarding unsupported operating systems in the wake of the WannaCry ransomware attacks:

“We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download…”

You can read Microsoft’s Customer Guidance for WannaCrypt Attacks here.

Check out the Indicators of Compromise (IOCs) published with the original post, listed there under IP Address / Ports, MD5 Hashes, SHA-1 Hashes and SHA-256 Hashes.


At the time of this post, there appears to have been a slowdown in the rate of new infections worldwide (live tracking) after security researchers registered the domain that WannaCry attempts to connect to during its initial execution stages.
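The kill-switch behaviour described in the MalwareBytes excerpt above (connect to the domain; exit if the connection succeeds) gives defenders a cheap detection: any host that looks up that domain ran the dropper, and a host whose lookup did not resolve (before the domain was registered) could not have hit the kill switch, so it should be isolated first. The following is an added example, not code from the original post; it parses a constructed resolver log in a hypothetical "<time> <client> <qname> <rcode>" format.

```python
import re

# Kill-switch domain named in the MalwareBytes excerpt quoted above.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (hypothetical "<time> <client> <qname> <rcode>"
# format, not real telemetry).  The morning lines predate the domain
# registration; the afternoon one follows it.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:01:09Z 10.0.4.23 update.example.net NOERROR
2017-05-12T10:02:41Z 10.0.4.17 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T16:20:05Z 10.0.9.8 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12T16:21:55Z 10.0.9.8 mail.example.net NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def triage_dns_log(log_text):
    """Map client -> {"queries", "first_seen", "resolved"} for every client that
    looked up the kill-switch domain.  Any lookup means the dropper executed.
    If the name never resolved, the connect cannot have succeeded, so the
    binary did not exit: treat that host as live-infected.  A NOERROR answer
    means the kill switch worked for that run, but the host still needs MS17-010."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        ts, client, qname, rcode = m.groups()
        if qname.lower().rstrip(".") != KILL_SWITCH_DOMAIN:
            continue
        e = hits.setdefault(client, {"queries": 0, "first_seen": ts, "resolved": False})
        e["queries"] += 1
        if rcode == "NOERROR":
            e["resolved"] = True
    return hits

def priority_hosts(hits):
    """Clients whose kill-switch lookup never resolved: isolate these first."""
    return sorted(ip for ip, e in hits.items() if not e["resolved"])

if __name__ == "__main__":
    hits = triage_dns_log(SAMPLE_DNS_LOG)
    for ip, e in sorted(hits.items()):
        state = "kill switch resolved" if e["resolved"] else "KILL SWITCH UNRESOLVED"
        print(f"{ip}: {e['queries']} lookup(s), first {e['first_seen']}, {state}")
    print("isolate first:", priority_hosts(hits))
```

A NOERROR answer only shows that the name resolved; if outbound HTTP from that host is blocked (for example by an egress proxy), the connection still fails and the payload proceeds, so check proxy logs for the same domain as well.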


  1. Patch your systems
  2. Back up your data regularly and ensure you keep off-site copies
  3. Be cautious about unsolicited emails and attachments


The Register  |  Wired  |  Naked Security  |  Network World  |  BlueLiv

Handbrake App for Mac Hacked to Spread Spyware!

Handbrake, the popular multi-platform Mac video transcoder, has been infected with a Remote Access Trojan (RAT) that steals login credentials from OSX KeyChain, Apple’s password management system, and browser-stored passwords.

The Trojan is a new variant of the Russian-attributed OSX.Proton. Its capabilities include keylogging, screenshot captures, and webcam control. Apart from stealing data from infected devices, it can also allow attackers to connect remotely via VNC or SSH.

Anyone who downloaded the app between 2nd May 2017 and 6th May 2017 should verify that their device is not infected with malware (Now would be a good time to get anti-malware software, lol).

The app download file – HandBrake-1.0.7.dmg – hosted on the secondary download mirror (download.handbrake.fr) was replaced by a malicious version whose SHA-1 / SHA-256 hashes do not match those on the official Handbrake website or GitHub Wiki. The security warning from Handbrake urges customers to verify the file hashes before running it.

The download mirror has been shut down pending further investigation. The primary download mirror and the website were unaffected.


If you suspect you have been infected, the first thing to look for is an “activity_agent” process in the OSX Activity Monitor application; its presence is a sure indication of infection. If your application’s built-in updater is earlier than version 1.0, you should verify that your system has not been infected, as the older releases do not use DSA signature verification. How, you ask?…

First, check the SHA-1 / SHA-256 hashes of the download file as follows:

  1. Open a terminal
  2. Change directory to where you downloaded Handbrake
  3. Run the following command to verify both SHA-1 and SHA-256 hashes:
shasum -a 1 HandBrake-* && shasum -a 256 HandBrake-*

Note: The following checksums correspond to the infected file:

SHA-1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA-256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

Secondly, run the following command to verify the GPG Public Key:

gpg --verify filename.xyx.sig

where filename.xyx.sig is the signature file for the downloaded HandBrake binary. The signer ID should be “HandBrake Team”.

GPG signatures are available here.
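The hash check and the GPG check above can be scripted so the verdict is unambiguous: a download is rejected if it matches the infected hashes listed above, and accepted only if its SHA-256 equals the value published on the official site and the detached signature verifies against the HandBrake Team key. This is an added example, not HandBrake's own tooling; the published SHA-256 is not reproduced on this page, so the caller supplies it, and `signature_ok` assumes the HandBrake public key is already imported into gpg.

```python
import hashlib
import hmac
import subprocess

# Hashes the HandBrake advisory lists for the trojanised HandBrake-1.0.7.dmg.
KNOWN_BAD = {
    "sha1": "0935a43ca90c6c419a49e4f8f1d75e68cd70b274",
    "sha256": "013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793",
}

def hash_bytes(data):
    """(sha1_hex, sha256_hex) of an in-memory blob."""
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()

def hash_file(path):
    """Streaming equivalent of `shasum -a 1` and `shasum -a 256` on one file."""
    h1, h256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h1.update(chunk)
            h256.update(chunk)
    return h1.hexdigest(), h256.hexdigest()

def classify(sha1_hex, sha256_hex, expected_sha256):
    """Compare a download against the known-bad hashes and against the SHA-256
    published on the official HandBrake site (expected_sha256, supplied by the
    caller; it is not reproduced here).  Returns "malicious", "verified" or
    "mismatch"; a mismatch is neither the infected build nor the published
    one, so do not run it either."""
    if hmac.compare_digest(sha1_hex.lower(), KNOWN_BAD["sha1"]) or \
       hmac.compare_digest(sha256_hex.lower(), KNOWN_BAD["sha256"]):
        return "malicious"
    if hmac.compare_digest(sha256_hex.lower(), expected_sha256.lower()):
        return "verified"
    return "mismatch"

def signature_ok(sig_path, file_path, signer="HandBrake Team"):
    """gpg --verify on the detached .sig; requires a GOODSIG status line that
    names the expected signer.  Assumes the HandBrake key is already imported."""
    r = subprocess.run(["gpg", "--status-fd", "1", "--verify", sig_path, file_path],
                       capture_output=True, text=True)
    good = [l for l in r.stdout.splitlines() if "GOODSIG" in l and signer in l]
    return r.returncode == 0 and bool(good)

if __name__ == "__main__":
    import sys
    dmg, published_sha256 = sys.argv[1], sys.argv[2]
    s1, s256 = hash_file(dmg)
    print(f"SHA-1 {s1}\nSHA-256 {s256}\nverdict: {classify(s1, s256, published_sha256)}")
```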

Removal procedures are as follows (run on Terminal):

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.

Remove any “Handbrake.app” installs you may have.

To be on the safe side, be sure to change all passwords stored in your OSX KeyChain or in your browsers.

There is still no word on how the attackers compromised the secondary download mirror. However, Apple has updated XProtect to detect the Trojan.

Interestingly, the main author of Handbrake is also the author of the Transmission BitTorrent client for Mac, whose download mirror was hacked in March 2016 as well; that time, the client was replaced with a version containing the KeRanger ransomware. To make matters worse, the same download mirror was hacked again, that time with the Keydnap infostealer.

“The HandBrake Team is independent of the Transmission Developers,” HandBrake said in its advisory. “The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers. We do not share our virtual machines with the Transmission project.”

In the meantime, take a look at the VirusTotal analysis and a comprehensive malware analysis of the new OSX/Proton variant here!


Threat Post  |  Bleeping Computer  |  The Register  |  ZDNet  |  Handbrake Forum