How Leaked NSA Spy Tool ‘EternalBlue’ Became a Hacker …

Category: NSA

An elite Russian hacking team, a historic ransomware attack, an espionage group in the Middle East, and countless small time cryptojackers all have one thing in common. Though their methods and objectives vary, they all lean on leaked NSA hacking tool EternalBlue to infiltrate target computers and spread malware across networks.

Leaked to the public not quite a year ago, EternalBlue has joined a long line of reliable hacker favorites. The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc 2003. EternalBlue is certainly continuing that traditionand by all indications it's not going anywhere. If anything, security analysts only see use of the exploit diversifying as attackers develop new, clever applications, or simply discover how easy it is to deploy.

"When you take something thats weaponized and a fully developed concept and make it publicly available youre going to have that level of uptake," says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. "A year later there are still organizations that are getting hit by EternalBluestill organizations that havent patched it."

EternalBlue is the name of both a software vulnerability in Microsoft's Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers. Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its originand even Microsoft has publicly attributed its existence to the NSA.

The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.

'It's incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors.'

Vikram Thakur, Symantec

Microsoft released its EternalBlue patches on March 14 of last year. But security update adoption is spotty, especially on corporate and institutional networks. Within two months, EternalBlue was the centerpiece of the worldwide WannaCry ransomware attacks that were ultimately traced to North Korean government hackers. As WannaCry hit, Microsoft even took the "highly unusual step" of issuing patches for the still popular, but long-unsupported Windows XP and Windows Server 2003 operating systems.

In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected.

The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue's profile, many attackers had already realized the exploit's potential by then.

Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. "WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them," says Jrme Segura, lead malware intelligence analyst at the security firm Malwarebytes. "There are definitely a lot of machines that are exposed in some capacity."

Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. "EternalBlue will be a go-to tool for attackers for years to come," says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. "Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed. There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms."

At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker's toolboxmuch like the password extraction tool Mimikatz. But EternalBlue's widespread use is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people's crowbar. It is also frequently used by an array of nation state hackers, including those in Russia's Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.

'EternalBlue will be a go-to tool for attackers for years to come.'

Jake Williams, Rendition Infosec

New examples of EternalBlue's use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. "EternalBlue is ideal for many attackers because it leaves very few event logs," or digital traces, Rendition Infosec's Williams notes. "Third-party software is required to see the exploitation attempts."

And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms.

"It's incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors," says Vikram Thakur, technical director of Symantec's security response. "To [a hacker] its just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three."

It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for itand to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.

Link:
How Leaked NSA Spy Tool 'EternalBlue' Became a Hacker ...

Crypto Executive Disputes Claims Anthropics Mythos Breached NSA Systems - Yahoo Tech - June 22nd, 2026 [June 22nd, 2026]
Crypto Executive Disputes Claims Anthropics Mythos Breached NSA Systems - BeInCrypto - June 22nd, 2026 [June 22nd, 2026]
Its more than Iran could have ever hoped for: Ex-US NSA John Bolton on US-Iran deal - Firstpost - June 22nd, 2026 [June 22nd, 2026]
Manipur slaps NSA on youth already held under UAPA. Why HC quashed both cases, ordered his release - ThePrint - June 22nd, 2026 [June 22nd, 2026]
Algorand Post-Quantum Security by 2027: 3 Years Ahead of NSA - The Cryptonomist - June 22nd, 2026 [June 22nd, 2026]
China foreign minister set to attend Brics NSA meet in Delhi next week - The Times of India - June 22nd, 2026 [June 22nd, 2026]
India to host BRICS NSA meet on June 2223: MEA - Awaz The Voice - June 22nd, 2026 [June 22nd, 2026]
IDR Final Rule updates NSA dispute resolution | United States | Global law firm - Norton Rose Fulbright - June 16th, 2026 [June 16th, 2026]
Where Is Edward Snowden Now? What to Know About the NSA Whistleblower's Life in Exile, 13 Years Later - People.com - June 16th, 2026 [June 16th, 2026]
Former NSA official: 'Timing couldn't have been worse' for FISA 702 to expire - WBFF - June 16th, 2026 [June 16th, 2026]
SHAREHOLDER ALERT: The M&A Class Action Firm Continues to Investigate the Merger--CZNL, NSA, CNBN, and ESQ - PR Newswire - June 16th, 2026 [June 16th, 2026]
Training, teamwork, and quick action save a life at NSA Philadelphia - MilitaryNews.com - June 12th, 2026 [June 12th, 2026]
NSA Insurance celebrates 100 years of selling a promise on the East End - The Suffolk Times - June 12th, 2026 [June 12th, 2026]
Ex Pakistan NSA Moeed Yusuf says fixing ties with India key to economic revival, regional trade ambitions - ThePrint - June 12th, 2026 [June 12th, 2026]
RSABI's Carol McLaren wins NSA Silver Salver for her work in the industry - The Scottish Farmer - June 12th, 2026 [June 12th, 2026]
Anthropic's Mythos model is reportedly powering NSA offensive cyber ops against China and Iran - the-decoder.com - June 7th, 2026 [June 7th, 2026]
NSA taps three officials for top cybersecurity positions - Nextgov/FCW - June 7th, 2026 [June 7th, 2026]
Anthropic is blacklisted by the Pentagon and being used by the NSA at the same time - TechSpot - June 7th, 2026 [June 7th, 2026]
NSA said to be readying Anthropics Mythos for use in cyber operations - TechCrunch - June 5th, 2026 [June 5th, 2026]
Former NSA John Bolton to plead guilty to retaining classified info - MS NOW - June 5th, 2026 [June 5th, 2026]
Trump executive order on AI gives central role to NSA - Breaking Defense - June 5th, 2026 [June 5th, 2026]
Anthropic Is Helping the NSA Hack China. It Also Wants Everyone to Pause AI - Yahoo - June 5th, 2026 [June 5th, 2026]
NSA using Claude Mythos for 'offensive cyber operations,' report claims says 'half-a-dozen' Anthropic engineers embedded inside the agency - Tom's... - June 5th, 2026 [June 5th, 2026]
NSA selects new leads for key cybersecurity posts - The Record from Recorded Future News - June 5th, 2026 [June 5th, 2026]
NSA Joins CISA and Partners to Release Guidance on Hardening Automatic Tank Gauge Systems - National Security Agency (NSA) (.gov) - June 5th, 2026 [June 5th, 2026]
FT: Anthropic staff helping the NSA use Mythos for offensive cyberattacks - Sherwood News - June 5th, 2026 [June 5th, 2026]
Anthropic Is Helping the NSA Hack China. It Also Wants Everyone to Pause AI - Decrypt - June 5th, 2026 [June 5th, 2026]
Anthropic Embeds Engineers at NSA to Deploy Mythos AI for Offensive Cyber Operations - MLQ.ai - June 5th, 2026 [June 5th, 2026]
The NSA has all the equipment and technology needed to track bandits but lacks the political will to do so -Stephen alleges Watch full interview:... - June 5th, 2026 [June 5th, 2026]
Anthropic aids NSA with Mythos to bolster offensive cyber operations - CHOSUNBIZ - Chosunbiz - June 5th, 2026 [June 5th, 2026]
NSA warns that cybercriminals are targeting this one critical component that the energy, chemical, food, agriculture, and transportation sectors rely... - June 5th, 2026 [June 5th, 2026]
Video | Ex-Trump NSA Adviser Pleads Guilty To Classified Info Leak | Zelenskyy Calls For Meet With Putin - NDTV - June 5th, 2026 [June 5th, 2026]
Former Trump NSA John Bolton to plead guilty over retaining classified documents: Report - WION - June 5th, 2026 [June 5th, 2026]
Anthropics Mythos being used by US NSA for cyber operations FT - Business Post - June 5th, 2026 [June 5th, 2026]
This day, that year: From Robert F. Kennedys assassination to Edward Snowdens NSA revelations how June 5 shaped the world - The Times of India - June 5th, 2026 [June 5th, 2026]
Strengthening the security architecture with NSA and HSA - The Guardian Nigeria News - June 5th, 2026 [June 5th, 2026]
Ex-US NSA Bolton to plead guilty over mishandling classified documents: Report - ANI News - June 5th, 2026 [June 5th, 2026]
The NSA, Mythos and the quiet emergence of AI cyber doctrine - csoonline.com - May 27th, 2026 [May 27th, 2026]
NSA warning on AI automation protocol raises fresh testing concerns for banks - QA Financial - May 27th, 2026 [May 27th, 2026]
Pentagon and NSA Form Joint AI Task Force to Deploy Frontier Hacking Models on Classified Networks - SOFX - May 27th, 2026 [May 27th, 2026]
Marco Rubio meets NSA Doval, discusses defence, security and strategic tech cooperation including TRUST in - The Economic Times - May 27th, 2026 [May 27th, 2026]
Two protesters detained under NSA to appear before advisory board in Lucknow today - The Times of India - May 27th, 2026 [May 27th, 2026]
General Paul M. Nakasone Director National Security Agency and staff carry a wreath to the Memorial Wall. - National Security Agency (NSA) (.gov) - May 20th, 2026 [May 20th, 2026]
NSA scandal: Court admits bank documents between Gifty Oware and ADB - Modern Ghana - May 20th, 2026 [May 20th, 2026]
Wiretapping trial: NSA, ICPC boss acknowledge conversation cited by in El-Rufai TV Interview - Business News Nigeria - May 20th, 2026 [May 20th, 2026]
NSA, ICPC El-Rufais Open Confession in Media Interview Witness Testifies - The Guardian Nigeria News - May 20th, 2026 [May 20th, 2026]
NSA issues strong warning to sports bodies over governance compliance - GhanaWeb - May 20th, 2026 [May 20th, 2026]
Witness: NSA confirmed wiretapped conversation referenced by el-Rufai was authentic - TheCable - May 20th, 2026 [May 20th, 2026]
NSA wiretapping: El Rufai returned to DSS custody, awaits bail - Pointblank News - May 20th, 2026 [May 20th, 2026]
Alleged Security Breach: NSA Confirmed Conversation Referenced By El-Rufai Was Authentic Witness - Channels Television - May 20th, 2026 [May 20th, 2026]
El-Rufai: NSA, ICPC chair confirmed tapped conversation Witness - Punch Newspapers - May 20th, 2026 [May 20th, 2026]
Imran Khan coup: 'US message to Pakistan was clear ...' says Tilak Devasher, frmr NSA board - The Economic Times - May 20th, 2026 [May 20th, 2026]
NSA Lady Saints two wins from claiming seventh consecutive V... - The Suffolk News-Herald - May 16th, 2026 [May 16th, 2026]
The imposition of NSA on Satyam Verma and Aakriti Chaudhary is a conspiracy to keep them in jail - Countercurrents - May 16th, 2026 [May 16th, 2026]
'No Sailor Lives Afloat' Initiative: NSA Naples Moves 54 Sailors from Shipboard Berthing to Shore - DVIDS - May 16th, 2026 [May 16th, 2026]
Workers protest: Day after invoking NSA, police say 1 cr transactions found in banks accounts of one accused | Hindustan Times - Hindustan Times - May 16th, 2026 [May 16th, 2026]
Press Club of India urges Uttar Pradesh govt. to withdraw NSA against journalist Satyam Verma - The Hindu - May 16th, 2026 [May 16th, 2026]
Uttar Pradesh police invoke NSA against two accused held during workers protest in Noida - The Hindu - May 16th, 2026 [May 16th, 2026]
Illegal Mining: FG Hands Over Foreign Terror Suspects To NSA - Channels Television - May 16th, 2026 [May 16th, 2026]
Noida Violence: NSA invoked against Satyam Verma and Aakriti Choudhary over alleged role in labour protest - Organiser - May 16th, 2026 [May 16th, 2026]
NSA invoked against two accused in Noida labour unrest case - Awaz The Voice - May 16th, 2026 [May 16th, 2026]
NSA invoked against two in April 13 workers stir in Noida - The New Indian Express - May 16th, 2026 [May 16th, 2026]
Homeland Security: Replace NSA Ribadu if you lack confidence in him ADC to Tinubu - Daily Post Nigeria - May 16th, 2026 [May 16th, 2026]
NSA sweeps Cape Henry for TCIS baseball and softball titles - The Suffolk News-Herald - May 9th, 2026 [May 9th, 2026]
News - NSA Naples Sailor Named Navy Military Fire Officer of the Year - DVIDS - May 9th, 2026 [May 9th, 2026]
Bergen's solo homerun lifts NSA into the TCIS Final - The Suffolk News-Herald - May 9th, 2026 [May 9th, 2026]
NSA members bring sheep farming into the classroom - Farmers Guardian - May 9th, 2026 [May 9th, 2026]
Amritpals mother confronts Mann: His NSA over, why arent you bringing him to Punjab? - The Indian Express - May 9th, 2026 [May 9th, 2026]
They Said They Were From NSA Ribadus Office, Seized My Husband In Abuja Hotel: Woman Cries Out Over Alleged Disappearance - Sahara Reporters - May 9th, 2026 [May 9th, 2026]
NSA Ajit Doval, Vietnam President discuss strengthening strategic partnership - The Sentinel - of this Land, for its People - May 9th, 2026 [May 9th, 2026]
Cyber Command, NSA chief warns foreign adversaries likely to target midterms - The Record from Recorded Future News - April 29th, 2026 [April 29th, 2026]
CISA flags data-theft bug in NSA-built OT networking tool - theregister.com - April 29th, 2026 [April 29th, 2026]
Decades-old pre-Stuxnet cyber sabotage tool breaks cover, NSA listed it as 'nothing to see here' fast16 targeted nuclear reactors, dam design, and... - April 29th, 2026 [April 29th, 2026]
The NSA Just Warned Everyone to Reboot Their Routers What to Do Right Now - National Cybersecurity Alliance - April 29th, 2026 [April 29th, 2026]
Former NSA Science Chief Warns Humanity May Be Missing Something 'Huge' About UFO Phenomena - International Business Times UK - April 29th, 2026 [April 29th, 2026]
Court rejects bid to halt trial of former NSA Deputy CEO - Ghanaian Times - April 29th, 2026 [April 29th, 2026]
The NSA: SLs missing link on the geopolitical stage - The Morning - April 29th, 2026 [April 29th, 2026]
Farmers seeking new pastures urged to try NSA's Graziers List - Craven Herald - April 29th, 2026 [April 29th, 2026]
Punjab Police takes Amritpal on 2-day remand following expiry of NSA detention - ThePrint - April 29th, 2026 [April 29th, 2026]
Report: NSA is currently using Anthropics unreleased Mythos model - Sherwood News - April 23rd, 2026 [April 23rd, 2026]

March 18th, 2019

No comments yet

Comments are closed.

Mediaboss Marketing

How Leaked NSA Spy Tool ‘EternalBlue’ Became a Hacker …

About

Pages

Categories

Media Sites

Recommended Sites

Archives