The Shadow Brokers released the Windows portion of their long-anticipated archive yesterday afternoon (wired.com covered the April 14 dump, and the technical content has been under continuous analysis since by every research team with a relevant interest). The release contains a substantial collection of exploits, implants, and operational tooling targeting Windows systems. The most consequential single item in the release is EternalBlue — a remote-code-execution exploit against the SMB v1 protocol on unpatched Windows systems, requiring no authentication. EternalBlue triggers a kernel-mode execution path on the target, which makes it usable for fully-privileged remote compromise of any vulnerable Windows host reachable on TCP/445.
Microsoft patched the underlying SMB vulnerability on the 14th of March in MS17-010 (Microsoft Security Bulletin MS17-010), one month before the Shadow Brokers release. The patch followed the unusual pattern of a critical Windows update issued without a corresponding publicly-disclosed vulnerability — there was no responsible disclosure from a researcher and no obvious operational driver for the patch in the public record. The strong working hypothesis at the time was that Microsoft had been notified privately of an upcoming disclosure, and the timing of the Shadow Brokers release confirms that hypothesis. The notification source has not been confirmed publicly, but the operational evidence is consistent with Microsoft having been informed, by the US government or by an intermediary, that the EternalBlue exploit was at risk of public release.
The patching delay is the operational concern. MS17-010 was issued on the 14th of March. The patching cadence in enterprise estates for Microsoft monthly updates is, on the public reporting and on our own customer telemetry, typically several weeks for the bulk of the estate and several months for the long tail. By yesterday — one month after the patch — a substantial fraction of internet-reachable Windows hosts remain unpatched. The Shodan census against TCP/445 this morning shows several hundred thousand reachable Windows hosts, of which a large but unmeasured fraction are unpatched and therefore vulnerable to EternalBlue. The implication is that mass exploitation, possibly automated, is feasible against that population over the next several days.
Operationally, the action is straightforward and urgent. Every customer-organisation Windows host with internet exposure on TCP/445 must be patched immediately, and SMB v1 should be disabled on every Windows host where its disablement is not operationally precluded — which is most hosts, since SMB v1 has been formally deprecated by Microsoft and is rarely needed. The patching should be verified, not assumed. Hosts that cannot be patched immediately should have TCP/445 blocked at the perimeter. The customer-organisation Windows fleets — Browne Jacobson's mid-sized estate, Towry's trading-platform Windows components, Northcott's small but operationally critical Windows footprint, the manufacturer's substantial mixed estate, the new client's platform — are all being verified today and tomorrow. The OSSEC fleet has the SMB v1 detection rules pushed; the Splunk searches for EternalBlue exploitation indicators are deployed. The timeline is tight.
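As an added example, not from the original post, here is a PowerShell host check for the verification step above: it reports whether one of the MS17-010 updates is installed and whether the SMB v1 server is enabled, and with -Remediate disables SMB v1 and adds an interim inbound TCP/445 block at the host firewall. The KB identifiers and the LanmanServer SMB1 registry value are assumptions recalled from Microsoft's bulletin and knowledge-base guidance; confirm them against the bulletin for the OS versions in your estate.

```powershell
# Added example (not from the post): audit one Windows host for MS17-010 / SMB1 exposure and,
# with -Remediate, disable SMB1 and block inbound TCP/445. Run elevated. KB numbers are recalled
# from the MS17-010 bulletin (assumption: confirm there). Windows 10 rolls the fix into cumulative
# updates that later rollups supersede, so a missing KB there is a prompt to check, not proof.
function Test-MS17010Posture {
    param([switch]$Remediate)
    $ms17010Kbs = @(
        'KB4012598',                           # Windows Vista / Server 2008
        'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / rollup)
        'KB4012214', 'KB4012217',              # Server 2012
        'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
    )
    $present = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID } |
               Select-Object -ExpandProperty HotFixID
    # srv.sys is the SMB server driver MS17-010 replaces; Microsoft's own verification guidance
    # compares its file version, so it is reported alongside the KB check.
    $srvSys = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVer = if ($srvSys) { $srvSys.VersionInfo.ProductVersion } else { 'n/a' }
    # SMB1 state: the Smb* cmdlets exist on Windows 8 / Server 2012 and later; on Windows 7 /
    # 2008 R2 the documented control is the LanmanServer SMB1 registry value (absent = enabled).
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    if ($Remediate -and $smb1Enabled) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0   # effective after reboot
        }
        # Interim host-firewall block of inbound 445 until the patch is verified (Windows 8+ cmdlet).
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            New-NetFirewallRule -DisplayName 'Block inbound SMB TCP/445 (MS17-010 interim)' `
                -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
        }
    }
    [pscustomobject]@{
        Host          = $env:COMPUTERNAME
        OS            = (Get-CimInstance Win32_OperatingSystem).Caption
        MS17010KBs    = ($present -join ',')
        SrvSysVersion = $srvVer
        SMB1Enabled   = $smb1Enabled
    }
}
```

Run `Test-MS17010Posture` to report only, or `Test-MS17010Posture -Remediate` to also disable SMB v1 and add the interim 445 block; on Windows 7 / 2008 R2 the registry change takes effect only after a reboot. Collecting the returned objects from every host gives the verified-not-assumed patch list the post calls for.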
The wider concern is the Windows estate that is not in our customer base. Healthcare organisations running legacy Windows XP and Server 2003 systems that no longer receive Microsoft updates are unable to patch and will remain vulnerable indefinitely. Industrial-control-system environments running embedded Windows variants will face the same problem with worse operational consequences. Consumer Windows estates that are out of patch warranty (Windows XP in particular, for which Microsoft has discontinued support) will be exploited at scale. The structural problem is the long tail of unsupported Windows in operational use, and the cost of replacing or upgrading those systems is, at the institutional level, substantial. The next several months are going to demonstrate, painfully, what happens when state-grade exploits reach that population.
The release's other contents are being analysed in parallel. EternalRomance, EternalSynergy and EternalChampion are further SMB-related exploits of similar technical character. DoublePulsar is the implant component used to maintain access on EternalBlue-compromised systems. The implant is detectable by network signature on TCP/445 and is being actively scanned for. Estimates range from tens of thousands to over a hundred thousand DoublePulsar-implanted hosts already on the internet by this morning, which is consistent with the dump's contents having been used at scale by some actor — either the originator of the leak, an actor who obtained the tooling separately, or the Shadow Brokers themselves — over a period predating yesterday's release.
The customer briefings I am drafting tonight will cover the patching action items, the SMB-disablement posture, the perimeter-blocking guidance, and the post-incident hunting work. The strategic conversation about what the leak means for state-cyber, attribution, and the long-term security posture of Windows-heavy estates is for next week, when the immediate operational firefighting has settled. There is going to be a great deal of writing about EternalBlue over the coming year. I expect to be doing some of it.