- Threat Summary
- Alert Logic Coverage
- Recommendations for Mitigation
EternalRomance is a tool released by the malicious actors ShadowBrokers. It exploits a flaw in SMB to upload a malicious shell, which the attacker can use to control the victim machine.
- An initial SMB session is set up between the attacker and the server; depending on server configuration, this session can be unauthenticated.
- An SMB named pipe and an RPC channel are set up between the attacker and the server.
- The attacker and server exchange a Tree Connect AndX Request and Response.
- The attacker sends numerous crafted SMB Trans request packets to trigger the vulnerability.
- The attacker uses a Write AndX Request to write data to the named pipe, which causes the server to disclose information.
- The attacker sends a Trans secondary request to locate function tables and modules.
- The attacker installs the DoublePulsar shellcode on the system so that a reverse shell can be created.
No prior authentication is needed for the exploit to succeed.
EternalRomance is an SMB remote exploit released as part of the wider Equation Group toolset leak by the ShadowBrokers group. The exploit leverages a vulnerability in the SMB protocol: it sends numerous SMB Transaction requests, which appears to be a heap spraying technique, in order to obtain a leaked transaction. The tool then uses the resulting information disclosures to piece together the location of various function tables.
Once the tool has mapped out the location of the necessary tables and modules, it attempts to install the DoublePulsar shellcode on the system so that the attacker can set up a reverse shell and execute arbitrary code. This vulnerability affects the confidentiality, integrity and availability of the system.
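The request sequence listed above (a burst of SMB Trans requests followed by a Trans secondary request) is something a network sensor can look for. The following is an added example, not Alert Logic's signature or the exploit tool's code: it parses NetBIOS-framed SMBv1 headers (layout per MS-CIFS) and flags any client that sends more than a threshold of SMB_COM_TRANSACTION requests and also sends an SMB_COM_TRANSACTION_SECONDARY. The threshold and the sample traffic are constructed assumptions.

```python
"""Toy detector for the EternalRomance pattern above: a burst of SMBv1 Trans (0x25)
requests from one client followed by a Trans secondary (0x26). Added example, not
Alert Logic's signature; header layout per MS-CIFS; sample messages constructed."""
import struct
from collections import defaultdict

SMB1_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25
SMB_COM_TRANSACTION_SECONDARY = 0x26
SMB_FLAGS_REPLY = 0x80          # set on server responses
TRANS_BURST_THRESHOLD = 10      # assumption: tune for your environment

def parse_smb1(payload: bytes):
    """(command, flags) of a NetBIOS-framed SMBv1 message (4 + 32 bytes), or None."""
    if len(payload) < 36 or payload[4:8] != SMB1_MAGIC:
        return None
    return payload[8], payload[13]

def make_smb1(command: int, flags: int = 0x18) -> bytes:
    """Minimal constructed SMBv1 message: header fields per MS-CIFS, inert body."""
    hdr = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", command, 0, flags,
                                   0xC807, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    smb = hdr + b"\x00" * 8
    return b"\x00" + len(smb).to_bytes(3, "big") + smb   # NetBIOS session header

def detect_trans_burst(packets):
    """packets: iterable of (src_ip, payload). Returns {src_ip: trans_count} for
    clients whose Trans request count exceeds the threshold and that also sent a
    Trans secondary request (the locate-tables step in the sequence above)."""
    trans, secondary = defaultdict(int), set()
    for src, payload in packets:
        parsed = parse_smb1(payload)
        if parsed is None:
            continue
        command, flags = parsed
        if flags & SMB_FLAGS_REPLY:          # ignore server replies
            continue
        if command == SMB_COM_TRANSACTION:
            trans[src] += 1
        elif command == SMB_COM_TRANSACTION_SECONDARY:
            secondary.add(src)
    return {s: n for s, n in trans.items()
            if n > TRANS_BURST_THRESHOLD and s in secondary}

def sample_capture():  # constructed: one noisy client, one benign client, one reply
    noisy = [("10.0.0.5", make_smb1(SMB_COM_TRANSACTION)) for _ in range(12)]
    noisy.append(("10.0.0.5", make_smb1(SMB_COM_TRANSACTION_SECONDARY)))
    benign = [("10.0.0.6", make_smb1(SMB_COM_TRANSACTION)) for _ in range(2)]
    return noisy + benign + [("10.0.0.1", make_smb1(SMB_COM_TRANSACTION, flags=0x98))]
```

Running `detect_trans_burst(sample_capture())` reports only the noisy client; a real sensor would add a time window and the Write AndX step, which this toy omits.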
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. When a signature matches, an incident is generated in the Alert Logic console.
The vulnerability exploited by EternalRomance is patched by MS17-010.
If you are running a legacy system, such as Windows Server 2003, you can disable SMBv1 to mitigate the vulnerability, or restrict SMB access to trusted users only.