Two Windows versions were largely immune to the recent WannaCry attack. Windows XP was spared mostly by accident, thanks to a bug in the WannaCry code, while Windows 10 had stronger defences than Windows 7 and the EternalBlue exploit the worm carried did not work against it.
Enter stage left the white-hat hackers from RiskSense, who did the work needed to port EternalBlue, the NSA-created exploit at the root of WannaCry, to Windows 10, and built a Metasploit module on top of it.
Their refined module carries several improvements: it generates less network traffic and drops the DoublePulsar backdoor, which they felt was distracting security researchers unnecessarily.
“The DoublePulsar backdoor is kind of a red herring for researchers and defenders to focus on,” said senior research analyst Sean Dillon. “We demonstrated that by creating a new payload that can load malware directly without having to first install the DoublePulsar backdoor. So people looking to defend against these attacks in the future should not focus solely on DoublePulsar. Focus on what parts of the exploit we can detect and block.”
They published the results of their research, but said they had made it difficult for black-hat hackers to follow in their footsteps.
“We’ve omitted certain details of the exploit chain that would only be useful to attackers and not so much for building defences,” Dillon noted. “The research is for the white-hat information security industry in order to increase the understanding and awareness of these exploits so that new techniques can be developed that prevent this and future attacks. This helps defenders better understand the exploit chain so that they can build defences for the exploit rather than the payload.”
To infect Windows 10 the researchers had to bypass Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), and they wrote a new Asynchronous Procedure Call (APC) payload that lets user-mode payloads execute without first installing the backdoor.
The researchers were, however, full of admiration for the NSA hackers who wrote the original EternalBlue.
“They definitely broke a lot of new ground with the exploit. When we added the targets of the original exploit to Metasploit, there was a lot of code that needed to be added to Metasploit to get it up to par with being able to support a remote kernel exploit that targets x64,” Dillon said, adding that the original exploit targets x86 also, calling that feat “almost miraculous.”
“You’re talking about a heap-spray attack on the Windows kernel. Heap spray attacks are probably one of the most esoteric types of exploitation and this is for Windows, which does not have source code available,” Dillon said. “Performing a similar heap spray on Linux is difficult, but easier than this. A lot of work went into this.”
The good news is that a fully patched Windows 10, with MS17-010 installed, remains protected: the ported exploit targets Windows 10 x64 version 1511, released in November 2015 under the code name Threshold 2. The researchers note, however, that this version is still a supported release under Windows 10 Current Branch for Business, so unpatched installations of it are still in service.
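As an added example (not part of the article, and not RiskSense's code), here is the check a Windows administrator would run to find hosts matching the profile of the ported exploit's target: a Windows 10 release without the MS17-010 fix and with the SMBv1 server reachable on TCP 445. It assumes an elevated PowerShell 5.1 session on the host itself. The table of build revisions that carried the MS17-010 fix is recalled from the Windows 10 update history rather than taken from the page, and should be confirmed against Microsoft's update history before it is relied on.

```powershell
# Added example, not code from the article or from RiskSense: audit a Windows 10
# host for the conditions the ported EternalBlue exploit depends on. Run from an
# elevated PowerShell 5.1 session on the host being checked; it reads the registry
# and the SMB server configuration and sends nothing over the network.

# ASSUMPTION: update build revisions (UBR) of the March 2017 cumulative updates that
# carried the MS17-010 fix for each Windows 10 release, recalled from the Windows 10
# update history. Confirm against Microsoft's update history before relying on them.
# Releases after 1607 shipped with the fix already included.
$Ms17010MinUbr = @{
    '1507' = 17319   # KB4012606, OS build 10240.17319
    '1511' = 839     # KB4013198, OS build 10586.839 (Threshold 2, the RiskSense target)
    '1607' = 953     # KB4013429, OS build 14393.953
}

function Get-Ms17010Exposure {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # ReleaseId appeared with 1511; the original 1507 release identifies itself by build only.
    $build     = [int]$cv.CurrentBuildNumber
    $releaseId = if ($cv.ReleaseId) { [string]$cv.ReleaseId }
                 elseif ($build -eq 10240) { '1507' }
                 else { 'unknown' }
    $ubr       = [int]$cv.UBR   # incremented by every cumulative update

    # Patch verdict: $true/$false when the table covers the release, $null when it does not.
    $patched = $null
    if ($Ms17010MinUbr.ContainsKey($releaseId)) {
        $patched = $ubr -ge $Ms17010MinUbr[$releaseId]
    } elseif ($build -gt 14393) {
        $patched = $true
    }

    # Exposure: the exploit needs the SMBv1 server enabled and port 445 listening.
    $smb1 = $null
    try { $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { }
    $listening445 = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ReleaseId        = $releaseId
        OSBuild          = "$build.$ubr"
        Ms17010Applied   = $patched
        Smb1Enabled      = $smb1
        Port445Listening = $listening445
        # Unknown patch state or unknown SMB1 state is treated as at risk, deliberately.
        AtRisk           = ($patched -ne $true) -and ($smb1 -ne $false) -and $listening445
    }
}

Get-Ms17010Exposure | Format-List
```

A 1511 host at build 10586.839 or later reports Ms17010Applied as True; a 1511 host below that revision with SMBv1 enabled and port 445 listening reports AtRisk as True, which is exactly the configuration the ported exploit targets. Disabling SMBv1 (or blocking 445 at the host firewall) clears AtRisk even before the update lands, which is the mitigation to apply on Current Branch for Business machines that cannot be patched immediately.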
Today’s news underlines the sophistication of the attacks being made on Windows by government agencies, and once again the importance of keeping systems patched to reduce the risk as much as possible.
The full RiskSense report detailing the new hack can be read here (PDF).