When the Shadow Brokers group leaked several NSA exploits in April, Microsoft assured users that Windows 10 PCs had already been patched. They were correct, and remain so, but that doesn’t mean there aren’t still computers on the OS at risk.
The ethical hacking team at RiskSense has adapted the NSA’s EternalBlue exploit so that it can compromise Microsoft’s latest OS. The new variant streamlines the exploit’s code and reduces its footprint.
It also removes the DoublePulsar payload from the mix. This second NSA tool was used by malware like WannaCry to deliver malformed packets and gain an initial foothold on the system. Instead, RiskSense has developed a stealthier, custom deployment method that lends itself better to modern OSes.
In many ways, it’s a chastisement. Security companies have been focusing on detecting DoublePulsar to signal an EternalBlue compromise, when attackers don’t necessarily need it.
“By removing superfluous fragments in network packets, our research makes it possible to detect all potential future variants of the exploit before a stripped-down version is used in the wild,” said the company. “We also substantiated the premise that the original exploit’s DOUBLEPULSAR payload is a red herring for defenders to focus on, as stealthier payload mechanisms can be crafted.”
Latest Windows 10 Versions Not at Risk
However, it’s worth noting that despite the port to Windows 10, Microsoft’s statement stands. The latest versions of the OS are not vulnerable to the exploit. RiskSense’s modification only works on versions before the Anniversary Update.
Thankfully, the report also doesn’t mention technical details that would let attackers emulate the adaptation. Instead, it provides tools to help companies better detect EternalBlue. Arguably, though, it’s only a matter of time before someone figures it out for themselves. It’s a stark reminder to keep your system up to date and employ good security practices.
You can make sure your system is secure by reading the MS17-010 security bulletin.