EternalBlue: NSA's Stolen Weapon Powers WannaCry, NotPetya, and Years of Attacks

The Shadow Brokers leak of NSA offensive tools released EternalBlue — an SMBv1 exploit — to the public. Within weeks it powered WannaCry and NotPetya, and it remains one of the most actively exploited vulnerabilities years later.

NSA / Shadow Brokers / Global Windows · 2017

Background

EternalBlue (CVE-2017-0144) was a zero-day exploit developed by the NSA's TAO (Tailored Access Operations) group targeting a buffer overflow in Windows' SMBv1 file sharing protocol. The NSA had used it for years as an offensive capability. In August 2016, a mysterious group calling themselves the Shadow Brokers began releasing NSA hacking tools.

The Attack

The Shadow Brokers released EternalBlue publicly on April 14, 2017 — three weeks after Microsoft had issued a patch (MS17-010) for the vulnerability. However, millions of Windows machines had not applied the patch. EternalBlue allows remote code execution on unpatched Windows machines via the SMB port (445) with no authentication required. Within three weeks of the public release, WannaCry ransomware used it to spread to 230,000 machines in 150 countries. Three weeks later, NotPetya used it for destructive deployment. Baltimore City was still being attacked with EternalBlue in 2019.

Response

Microsoft released MS17-010 on March 14, 2017 — unusually, also releasing patches for Windows XP, Vista, and Server 2003 which were end-of-life. CISA issued emergency directives. Organisations scrambled to patch. The NSA acknowledged developing EternalBlue after the Shadow Brokers release. Senator Warner called on NSA to disclose vulnerabilities it finds rather than stockpiling them.

Outcome

EternalBlue powered the two most destructive cyber attacks in history (WannaCry and NotPetya) and countless subsequent campaigns. It remains actively exploited. The Shadow Brokers episode triggered a national debate about whether intelligence agencies should disclose vulnerabilities to vendors rather than stockpiling them as offensive weapons.

Key Takeaways

  1. Applying patches within days — not weeks — is critical; major exploits are often released faster than typical enterprise patch cycles
  2. Disable SMBv1 on all Windows systems immediately — it provides no security value and has an enormous attack surface
  3. Intelligence agencies stockpiling offensive exploits creates systemic risk if those tools are stolen or leaked
  4. The Vulnerabilities Equities Process (VEP) determines when NSA-discovered bugs are disclosed — public transparency about this process matters
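The second takeaway is the one an administrator can act on today. The script below is an added example, not code from the original article or from Microsoft, showing how to audit a Windows host for SMBv1, turn it off, and block inbound TCP/445 from the Internet so that an unauthenticated SMB exploit cannot reach the machine even before the MS17-010 patch is confirmed. It assumes Windows 8.1 / Server 2012 R2 or later (where the SmbShare and Dism cmdlets exist) and an elevated session; the registry fallback at the end is Microsoft's documented method for older systems and is assumed to apply to Windows 7 / Server 2008 R2. The helper names (Get-Smb1State, Disable-Smb1, Block-InboundSmb) are mine, not Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): audit and disable SMBv1, block inbound SMB from the Internet.

function Get-Smb1State {
    # Report whether the SMB1 server protocol is switched on and whether the
    # SMB1 feature package is still installed on this host.
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $serverEnabled
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Turn off the SMB1 server side first (takes effect without a reboot), then
    # remove the feature package so the client side is gone too after restart.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        # Windows Server: SMB1 ships as the FS-SMB1 role feature.
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
    } else {
        # Windows client SKUs: SMB1 ships as the SMB1Protocol optional feature.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }

    # Fallback for hosts without the SmbShare module (assumed: Windows 7 / 2008 R2):
    # Microsoft's documented registry switch. A DWORD of 0 disables the SMB1 server.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
}

function Block-InboundSmb {
    # EternalBlue needs an unauthenticated TCP/445 connection. Blocking that port
    # from the Internet keyword range leaves LAN file sharing working while
    # shutting out the exposure that WannaCry spread through.
    $name = 'Block inbound SMB (TCP 445) from Internet'   # constructed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

# Usage: audit, remediate, then re-audit so the change is visible in the output.
Get-Smb1State
Disable-Smb1
Block-InboundSmb
Get-Smb1State
```

Run the audit function alone across a fleet (for example via Invoke-Command) before remediating, so that any legacy device that genuinely still needs SMBv1 is found and isolated rather than silently cut off; the firewall rule is an interim control and does not replace installing MS17-010.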
Tags: EternalBlue, NSA, Shadow Brokers, SMBv1, WannaCry