This article provides an in-depth analysis of EternalRomance, one of the hacking tools released by the Shadow Brokers and widely attributed to the National Security Agency (NSA). It sets out how the exploit works, where it has been used, and what defenders can do about it.
In April 2017 the Shadow Brokers leaked EternalBlue, the notorious NSA hacking tool, together with a set of related exploits that included EternalRomance. Unlike EternalBlue, EternalRomance received little mainstream media attention, yet its ability to execute code remotely on Windows Server systems has had a significant impact on the cybersecurity landscape.
Whereas EternalBlue targets a flaw in Microsoft's implementation of SMBv1, the first version of the Server Message Block (SMB) protocol, EternalRomance exploits a race condition in SMBv1 Transaction requests, corrupting server memory to gain unauthorized access. Its main advantage over its counterparts is that it yields SYSTEM-level privileges on most versions of Windows without depending on kernel-mode shellcode.
EternalRomance works by sending malformed packets to a vulnerable SMBv1 server. The exploit first announces a transaction that presents two records, each of which the server treats as an independent logical transaction. EternalRomance, however, crafts both records so that they point to the same region of memory, and then provokes a race between them: while the first record is being processed, the second modifies the same data in memory, producing a type confusion that ultimately leads to arbitrary code execution.
A normal SMBv1 transaction carries a single setup count, but the malformed packet used by EternalRomance carries two, creating a double-fetch situation. Because an SMB_COM_TRANSACTION_SECONDARY message is present, the server acts on the last transaction it received, so the original transaction's setup count is overwritten by the malicious one. This is what allows the shellcode to run and the system to be compromised.
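As an added example, not code from the original article, the following Python parses SMBv1 headers from constructed frames and pairs each SMB_COM_TRANSACTION request with the SMB_COM_TRANSACTION_SECONDARY continuations that share its multiplex ID, so a defender reviewing traffic can see which connections are still using the multi-part SMBv1 transaction mechanism described above. Command codes and header offsets follow the MS-CIFS specification; the connection labels and sample frames are constructed, and the logic is a triage heuristic for spotting SMBv1 use, not an exploit signature.

```python
import struct
SMB_COM_TRANSACTION = 0x25            # MS-CIFS Trans request; WordCount = 14 + SetupCount
SMB_COM_TRANSACTION_SECONDARY = 0x26  # continuation carrying more parameter/data bytes
TRANS_FIXED_WORDS = 14

def parse_smb1(frame):
    """Return (command, mid, setup_count) for a NetBIOS-framed SMBv1 message, else None."""
    body = frame[4:]                               # drop the 4-byte NetBIOS session header
    if len(body) < 33 or body[:4] != b"\xffSMB":
        return None
    command = body[4]
    mid = struct.unpack_from("<H", body, 30)[0]    # Multiplex ID links primary to secondaries
    setup_count = None                             # only meaningful for a Trans request
    if command == SMB_COM_TRANSACTION and body[32] >= TRANS_FIXED_WORDS:
        setup_count = body[32] - TRANS_FIXED_WORDS # body[32] is WordCount
    return command, mid, setup_count

def find_multipart_transactions(frames):
    """Map (connection, mid) -> {"setup_count", "secondaries"} for each Trans request
    that was continued by one or more Trans Secondary messages on the same connection."""
    primaries, result = {}, {}
    for conn, raw in frames:                       # frames: (connection_label, bytes)
        parsed = parse_smb1(raw)
        if parsed is None:
            continue                               # not SMBv1, or too short to be
        command, mid, setup_count = parsed
        key = (conn, mid)
        if command == SMB_COM_TRANSACTION:
            primaries[key] = setup_count
        elif command == SMB_COM_TRANSACTION_SECONDARY and key in primaries:
            entry = result.setdefault(key, {"setup_count": primaries[key], "secondaries": 0})
            entry["secondaries"] += 1
    return result

def build_smb1(command, mid, word_count, words=b""):
    """Constructed test frame: NetBIOS header + 32-byte SMBv1 header + WordCount + words."""
    hdr = b"\xffSMB" + bytes([command]) + b"\x00" * 4 + b"\x18" + struct.pack("<H", 0xC853)
    hdr += b"\x00" * 12                            # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 0x0800, 0xFEFF, 0x0800, mid)  # TID, PIDLow, UID, MID
    body = hdr + bytes([word_count]) + words
    return struct.pack(">I", len(body)) + body     # session message (type 0x00) + length

# Constructed sample: conn A sends a Trans with two Setup words then two Trans Secondary
# continuations; conn B sends a lone Trans; conn C sends something that is not SMB at all.
SAMPLE_FRAMES = [
    ("10.0.0.5->10.0.0.9:445", build_smb1(SMB_COM_TRANSACTION, 0x41, 16, b"\x00" * 32)),
    ("10.0.0.5->10.0.0.9:445", build_smb1(SMB_COM_TRANSACTION_SECONDARY, 0x41, 8, b"\x00" * 16)),
    ("10.0.0.5->10.0.0.9:445", build_smb1(SMB_COM_TRANSACTION_SECONDARY, 0x41, 8, b"\x00" * 16)),
    ("10.0.0.7->10.0.0.9:445", build_smb1(SMB_COM_TRANSACTION, 0x01, 14)),
    ("10.0.0.8->10.0.0.9:445", b"\x00\x00\x00\x04junk"),
]
```

On a network where SMBv1 has been disabled, any entry returned by `find_multipart_transactions` marks a host that still speaks SMBv1 and should be checked for the MS17-010 update.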
Preventing the execution and impact of the EternalRomance exploit comes down to applying system patches promptly and retiring outdated, end-of-life software. Microsoft released the MS17-010 security update, which should be applied without delay on all Windows systems. Keeping systems up to date and monitoring them consistently offers significant resistance to exploit kits of this kind. Additionally,
NotPetya and Bad Rabbit are prominent examples of attacks that used EternalRomance to devastating effect. NotPetya relied on this exploit to move laterally within networks once initial access had been gained, and Bad Rabbit, a notorious ransomware strain, also incorporated EternalRomance for propagation.
The influence of EternalRomance on the cyber ecosystem should not be underestimated. Although closely linked with another NSA tool, EternalBlue, it has carved out its own niche through its distinctive capabilities of exploiting client-side applications and enabling remote code execution. Its emergence taught a lasting lesson about the critical importance of keeping systems current with security patches and remaining vigilant against potential cyber threats.
In conclusion, EternalRomance stands as a stark reminder of the advanced persistent threats that pervade the cyber realm. It marks a significant juncture in our understanding of cybersecurity threats, demonstrating how exploits can be used to manipulate targeted systems strategically. The key takeaway is the absolute necessity of maintaining secure, updated systems to mitigate such threats. While EternalRomance reveals the far-reaching potential of cyber threats, it also underscores the need for robust defensive strategies in an ever-evolving threat landscape.