
Anatomy of a Breach: EternalBlue Released — The NSA Exploit That Would Power WannaCry and NotPetya

> series: anatomy_of_a_breach —— part: 100 —— exploit: eternalblue —— cve: 2017-0144 —— patch: ms17-010 —— countdown: 28_days_to_wannacry

Hedgehog Security 30 April 2017 14 min read

The NSA's exploit. Released on 14 April. The patch had been available since 14 March. WannaCry arrives in 28 days.

On 14 April 2017, the Shadow Brokers released their most consequential dump: a collection of NSA exploitation tools including EternalBlue, an exploit for a critical vulnerability (CVE-2017-0144) in Microsoft's SMBv1 (Server Message Block version 1) implementation, which ships in every version of Windows from XP onwards. The leaked exploit reliably targeted Windows XP through Windows 7 and Server 2008 R2; the underlying flaw was present in every then-supported Windows release as well, which is why MS17-010 covered Vista through Server 2016. EternalBlue gave unauthenticated, kernel-level remote code execution on any vulnerable Windows system reachable on TCP port 445, effectively a skeleton key for Windows networks.

Crucially, Microsoft had released security bulletin MS17-010 on 14 March 2017 — exactly one month before the Shadow Brokers release — patching the EternalBlue vulnerability. The timing strongly suggested that the NSA had warned Microsoft of the impending leak, giving the company time to develop and release a patch. But one month was not enough: millions of Windows systems worldwide — including vast numbers of NHS computers running Windows XP and Windows 7 — had not applied the patch. The fuse was lit. WannaCry would detonate it in 28 days.



14 March: patch released. 14 April: exploit released. 12 May: WannaCry.

EternalBlue Timeline — The 59-Day Catastrophe
── 14 March 2017 ──────────────────────────────────────────
Microsoft releases MS17-010 patching CVE-2017-0144
Patch available for Windows Vista through Server 2016
Windows XP NOT patched (end of life since 2014)

── 14 April 2017 ──────────────────────────────────────────
Shadow Brokers release EternalBlue + DoublePulsar
Every unpatched Windows system now exploitable
Cybercriminals begin integrating exploit immediately

── 12 May 2017 ────────────────────────────────────────────
WannaCry ransomware launches using EternalBlue
200,000+ computers infected in 150 countries
NHS England: 80 trusts affected, 13,500 appointments cancelled

── 27 June 2017 ───────────────────────────────────────────
NotPetya launches using EternalBlue
$10 billion+ in global damage
Maersk, Merck, FedEx, Reckitt Benckiser devastated

The patch existed for 59 days before WannaCry. Most had not applied it.

MS17-010 was available for 59 days before WannaCry struck — nearly two months. Yet millions of systems remained unpatched, including thousands within the NHS. The reasons were familiar: legacy systems running unsupported Windows XP, organisations with slow patching cycles, and the persistent gap between 'patch available' and 'patch applied' that has defined every patching-related breach in this series.

14 Days: The Cyber Essentials Standard
<a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates that critical patches are applied within 14 days. MS17-010 was released on 14 March; under Cyber Essentials, it should have been applied by 28 March, 45 days before WannaCry struck. Organisations that met that deadline were protected from EternalBlue. Many of those that did not became WannaCry victims.
Windows XP: Unsupported but Everywhere
Windows XP reached end of life in April 2014 — three years before EternalBlue. Yet millions of systems, including NHS computers, were still running XP with no available security patches. Microsoft eventually released an emergency XP patch after WannaCry, but the lesson is clear: unsupported software must be retired. <a href="/cyber-essentials">Cyber Essentials</a> requires that unsupported software is removed from scope.
SMB Exposure
EternalBlue exploited SMB, a protocol that should never be exposed to the internet. Organisations whose perimeter firewalls blocked inbound TCP 445 (and 139) were shielded from direct internet-side exploitation even without the patch. That shield had a limit: WannaCry was a worm, and once a single internal host was infected it spread to every unpatched neighbour over SMB, so perimeter blocking had to be paired with patching, disabling SMBv1, or internal segmentation. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> verifies that unnecessary protocols are not exposed.
Monitoring for Exploitation
After 14 April, security researchers observed a rapid increase in internet-wide scanning for SMB services on TCP port 445: the precursor to exploitation. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation attempts against known vulnerabilities, providing early warning that an attack is imminent.
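As an added example (not Hedgehog Security's code, nor the logic of any product named on this page) for the two points above, SMB exposure and the SMB scanning that precedes exploitation: the script below reads constructed connection-log lines in an assumed "timestamp src dst dport" layout (documentation IP ranges, invented timestamps) and reports, first, any SMB connection arriving from a non-RFC 1918 source, and second, any source, external or internal, that touches five or more distinct hosts on 445/139 within one minute. The internal case is included deliberately, because WannaCry propagated inside networks as a worm once one host was infected. The one-minute window and the threshold of five are assumptions chosen for the sample, not tuned values.

```python
# Added example (not Hedgehog Security's code): find SMB exposure and SMB
# scanning / fan-out in connection-log records. The log format below is a
# constructed "timestamp src dst dport" layout, not any real firewall's output.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {445, 139}
PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (documentation/test address ranges, not real hosts):
#  - 203.0.113.7   : internet host sweeping 192.168.1.10-15 on 445 within seconds
#  - 198.51.100.22 : single internet hit on 445 (exposure, but not a sweep)
#  - 192.168.1.50  : internal host fanning out to seven peers on 445 (worm-like)
#  - 192.168.1.60  : internal host talking to one file server (benign)
#  - 198.51.100.9  : internet client on 443 (not SMB, ignored by both checks)
SAMPLE_LOG = """\
2017-04-15T02:00:01Z 203.0.113.7 192.168.1.10 445
2017-04-15T02:00:02Z 203.0.113.7 192.168.1.11 445
2017-04-15T02:00:02Z 203.0.113.7 192.168.1.12 445
2017-04-15T02:00:03Z 203.0.113.7 192.168.1.13 445
2017-04-15T02:00:03Z 203.0.113.7 192.168.1.14 445
2017-04-15T02:00:04Z 203.0.113.7 192.168.1.15 445
2017-04-15T03:30:00Z 198.51.100.22 192.168.1.10 445
2017-04-15T08:12:10Z 192.168.1.50 192.168.1.20 445
2017-04-15T08:12:10Z 192.168.1.50 192.168.1.21 445
2017-04-15T08:12:11Z 192.168.1.50 192.168.1.22 445
2017-04-15T08:12:11Z 192.168.1.50 192.168.1.23 445
2017-04-15T08:12:12Z 192.168.1.50 192.168.1.24 445
2017-04-15T08:12:12Z 192.168.1.50 192.168.1.25 445
2017-04-15T08:12:13Z 192.168.1.50 192.168.1.26 445
2017-04-15T09:00:00Z 192.168.1.60 192.168.1.5 445
2017-04-15T09:00:05Z 192.168.1.60 192.168.1.5 445
2017-04-15T09:00:09Z 192.168.1.60 192.168.1.5 445
2017-04-15T09:00:12Z 198.51.100.9 192.168.1.80 443
"""


def is_internal(ip):
    """True for RFC 1918 addresses; everything else is treated as internet-side."""
    return any(ip in net for net in PRIVATE_NETS)


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               ip_address(src), ip_address(dst), int(port))


def find_internet_exposure(records):
    """Check 1: SMB reachable from outside. Returns sorted (src, dst, port) tuples."""
    hits = {(str(src), str(dst), port)
            for _, src, dst, port in records
            if port in SMB_PORTS and not is_internal(src) and is_internal(dst)}
    return sorted(hits)


def find_smb_fanout(records, window=timedelta(seconds=60), threshold=5):
    """Check 2: a source reaching >= threshold distinct hosts on SMB ports inside
    any sliding `window`. Returns {src: (max_distinct_targets, label)}, where the
    label separates internet scanning from internal lateral movement."""
    by_src = defaultdict(list)
    for ts, src, dst, port in records:
        if port in SMB_PORTS:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        live = defaultdict(int)   # distinct targets inside the current window
        left, best = 0, 0
        for ts, dst in events:
            live[dst] += 1
            while events[left][0] < ts - window:   # expire events older than the window
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        if best >= threshold:
            label = "internal-lateral" if is_internal(src) else "external-scan"
            flagged[str(src)] = (best, label)
    return flagged


def analyse(text=SAMPLE_LOG):
    """Run both checks over one log text and return their findings together."""
    records = list(parse_log(text))
    return {"exposure": find_internet_exposure(records),
            "fanout": find_smb_fanout(records)}


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value)
```

Two things the sample is built to show: 198.51.100.22 appears in the exposure list but not the fan-out list (one inbound SMB hit is a firewall finding, not scanning), and 192.168.1.50 is flagged as internal lateral movement even though it never crosses the perimeter, which is the pattern a perimeter-only SMB block cannot catch. In practice the parser would be pointed at Zeek conn.log or firewall export lines rather than the embedded sample.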

The patch was available. The organisations that applied it survived. The rest became WannaCry statistics.

EternalBlue is the single most important case study for why patching matters. The vulnerability was known. The patch was available. The exploit was public. And 59 days later, organisations that had not patched were devastated. Cyber Essentials Danzell's 14-day patching mandate, MFA auto-fail criterion, and requirement to remove unsupported software exist because of moments exactly like this one.

Our vulnerability scanning identifies missing patches. Infrastructure testing verifies that critical services are not exposed. SOC in a Box monitors for exploitation attempts. And UK Cyber Defence provides the incident response capability for when an exploit arrives before the patch.


59 days between the MS17-010 patch and WannaCry. Could you have patched in time?

<a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies what needs patching. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation. Because the next EternalBlue is not a question of if — it is a question of when.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
