Scanner Shows EternalBlue Vulnerability Unpatched on Thousands of Machines

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Many digital trees have died for the cause of informing Windows admins about the SMBv1 vulnerability that spawned the WannaCry and ExPetr/NotPetya malware attacks. Yet a relatively small sample of data collected from a freely available tool shows that thousands have not gotten the message, or have some significant blind spots in their networks.

“There are always blind spots,” said Elad Erez, director of innovation at Imperva, who built the scanner called EternalBlues. “If you have 10,000 computers, can you really be that sure (that all hosts are patched)? You can’t. You need someone or something to help you with it.”

The scanner was made available in late June, and statistics collected from individuals and organizations that downloaded EternalBlues and ran it in their environments were published yesterday.
More than 8 million IP addresses (not hosts) were scanned by EternalBlues in 12 days, with 537,000 of those responding on port 445, the port over which SMB communication happens. Erez’s statistics show that 258,000 of those hosts were running the 30-year-old SMBv1 protocol, and 60,000 of those were vulnerable to the NSA’s EternalBlue exploit leaked by the ShadowBrokers.



WannaCry and ExPetr/NotPetya infected networks worldwide, with a heavy concentration of victimized machines in Russia and the Ukraine; Erez said one scan in the Ukraine uncovered 1,351 vulnerable hosts. WannaCry contained its own worming functionality in that once it infected machines, it began scanning the internet for other vulnerable hosts. ExPetr, meanwhile, was a wiper attack disguised as ransomware; the ransomware component of that attack was faulty and experts said it was clear the attackers never intended to decrypt compromised data or collect any money. Instead, the malware overwrote the Master Boot Record (MBR) on infected machines, leaving them useless.

Tools such as EternalBlues and others, Erez said, are vital for large networks, even those that may have applied the MS17-010 patch eradicating EternalBlue. One vulnerable endpoint is enough for either of these attacks to succeed. Erez said he built the tool for such a use case, as well as for smaller businesses that are unlikely to have IT or security teams responsible for patching or backups, the two strategies most important to countering ransomware attacks.

The results of the first 12 days of scan data surprised Erez.

“I thought it would be maybe 7 percent to 8 percent of hosts out there that would be vulnerable. It turned out to be 11 percent, a bit higher than I thought,” Erez said. “About one of nine hosts on the network is vulnerable. And who thought that more than half (53.9 percent) would still be open to this protocol?”

Awareness, however, may not be the entire cause, rather a lack of total visibility, especially into large enterprise networks, Erez said.

“People in the industry really know about the problem and are well aware that they need to mitigate it somehow. Running my tool, by definition, means they were well aware of the problem,” Erez said. “While there’s pretty good awareness from those who downloaded my tool, I don’t think [awareness] got to that second segment of users who are less sophisticated and don’t come from the tech industry—smaller businesses. I don’t think it made it to there. I really wanted to make this tool for smaller businesses who don’t have backups, who are more likely to pay, to help them before the next attack.
 
5

509322

Many digital trees have died for the cause of informing Windows admins about the SMBv1 vulnerability that spawned the WannaCry and ExPetr/NotPetya malware attacks. Yet a relatively small sample of data collected from a freely available tool shows that thousands have not gotten the message, or have some significant blind spots in their networks.

“There are always blind spots,” said Elad Erez, director of innovation at Imperva, who built the scanner called EternalBlues. “If you have 10,000 computers, can you really be that sure (that all hosts are patched)? You can’t. You need someone or something to help you with it.”

The scanner was made available in late June, and statistics collected from individuals and organizations that downloaded EternalBlues and ran it in their environments were published yesterday.

Based upon the statistics given, that means out of 2 billion active systems, approximately 15,000,000 are susceptible. That's a maximum potential infection rate of 0.75 % - based upon the statistic given and using an estimate of 2 billion active systems in the world.

Since they don't give any calculations, the figures reported don't support their claim that basically 1 in 10 systems is susceptible. That claim is both irresponsible and erroneous.

They calculated the percentage by doing this - and this additive calculation is just plain wrong:

([537,000 + 258,000 + 60,000] / 8,000,000) x 100 = 11 %

The way they did their additive (condition-based) calculation, they might as well have added the conditions to the calculations that 1) a system must be plugged into an outlet, 2) turned-on, and 3) connected to the internet and said 100 % potential infection rate.

The sole condition that matters is that a system is susceptible to the exploit and that condition is given by the last statistic of 60,000 systems actually susceptible to the exploit:

(60,000 / 8,000,000) x 100 = 0.75 % maximum potential infection rate of all systems actively connected to the internet - once again based upon the statistics given.

If a system is not susceptible to the exploit itself, then it is not going to be exploited by that specific exploit despite port 445 or SMBv1 being utilized.

What is a concern though is the percentage of systems actively using both port 445 and SMBv1 that remain susceptible to the exploit:

(60,000 / 258,000) x 100 = 23 %
 
Last edited by a moderator:
  • Like
Reactions: tonibalas and SumG

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top