PINDROP BLOG

Tens of Thousands of Machines Still Open to EternalBlue Bug

Weeks after the WannaCry and NotPetya ransomware campaigns emerged and months after Microsoft released a patch for the vulnerability the two pieces of malware used to spread, more than 60,000 machines are still vulnerable to the bug.

The vulnerability, which lies in Microsoft’s implementation of the SMB protocol, has been part of both the WannaCry and NotPetya malware outbreaks. They use it as a mechanism to spread from machine to machine once on a new network, and despite the fact that the patch for the bug has been out since March, the vulnerability, known as EternalBlue, has proven to have a long tail. The vulnerability was discovered, and the exploit for it developed, by the NSA; the Shadow Brokers later published both as part of one of their dumps of information stolen from the agency.

Data compiled from scans of the Internet using a purpose-built tool called EternalBlues shows that there are still tens of thousands of hosts exposed to the web that have the EternalBlue vulnerability present.

“Unfortunately, exploitation of EternalBlue is still a very good method of invoking remote code execution. It is available in more than 50,000 hosts scanned by Eternal Blues (as of July 12, 2017). Yes, even after all the latest attacks by WannaCry and NotPetya. I’m here to remind you, sometimes it takes just 1 vulnerable machine to take you down,” said Elad Erez, director of innovation at Imperva, who wrote EternalBlues.

“Although numbers are quite high (remember, these are IPs scanned with my tool only), I feel like awareness did increase somewhat.”

The data comes from scans of more than eight million IP addresses, and in terms of the countries with the most IPs scanned, France was at the top, with more than 1.5 million hosts. The rest of the machines are spread around the world, with large concentrations in Russia and Ukraine. Though the WannaCry and NotPetya outbreaks have garnered a lot of attention, Erez said there likely are quieter attacks that are targeting the same vulnerability, too.

“Please, don’t be mistaken – recent ransomware attacks are the ones that made all the buzz, since they actually tell you when they hit you. I believe there are many more EternalBlue-based attacks which remain off the radar and are still unknown to us (examples: data exfiltration or even just using your computers to join a botnet),” Erez said.