What did the WannaCry and NotPetya malware outbreaks have in common? Both targeted an "EternalBlue" flaw in the server message block, or SMB, version 1 protocol in Windows to rapidly exploit large numbers of systems. So you might think enterprises have been working overtime to eradicate EternalBlue from their networks by installing patches released by Microsoft in March for supported operating systems and May for three outdated versions of Windows, including Windows XP.
If so, those efforts do not yet appear to have succeeded, according to scans conducted Wednesday by security researcher Elad Erez. Using a tool he developed called Eternal Blues, Erez scanned 8 million IP addresses and identified 50,000 internet-connected systems that have the SMB_v1 flaw.
Just three countries - France, Russia and Ukraine - accounted for 30,000 of the vulnerable hosts he counted.
Vulnerable Hosts by Country
The tool likely undercounts the problem, because the automated scans would not have been able to access some better-secured networks that might block queries from the internet, says Erez, who's director of innovation at the security firm Imperva. Some organizations might also block scans such as his by default.
Erez first made his free EternalBlue vulnerability-scanning tool available for download two weeks ago, and he has continued to refine it.
The vulnerability scanner is intended to help non-experts who need to eradicate EternalBlue from their networks, Erez says. "The majority of [the] latest WannaCry, NoPetya - Petya, GoldenEye or whatever - victims are not technical organizations and sometimes just small businesses who don't have a security team, or even just an IT team to help them mitigate this," he says in a blog post. "Running Nmap, Metasploit - not to mention more commercial products - is something they will never do. I aimed to create a simple 'one-button' tool that tells you one thing and one thing only - which systems are vulnerable in your network."
All organizations should understand that unless they run some type of vulnerability-spotting tool, they cannot expect to have eradicated SMB_v1 from their networks or otherwise mitigated the threat. For example, Erez notes that for one French network, his scans found about 10,000 compromised internet-connected systems, of which just two had the SMB_v1 flaw. "How could anyone find that without Eternal Blues?" he says.
Just to recap, EternalBlue refers to an exploit, name-dropped by the Shadow Brokers in January, that was built by the "Equation Group," which is likely the National Security Agency. On April 14, Shadow Brokers leaked the tool, which is designed to exploit the SMB vulnerability since designated as CVE-2017-0144.
Thankfully, Microsoft apparently got tipped off by the NSA and patched the flaw in March, in the form of security update MS17-010, for its supported systems. On May 12, when the WannaCry outbreak hit, Microsoft also issued emergency patches for three unsupported operating systems: Windows XP, Windows 8 and Windows Server 2003.
In cases where vulnerable systems cannot be patched, security experts have urged organizations to disable SMB_v1 or else put defenses in place that will block attempts to exploit it.
Feel the EternalBlue Power
From an attack standpoint, EternalBlue is a great exploit, because the SMB_v1 flaw remains widespread and can be attacked not just via the internet, but also local networks. And having even a single system inside an enterprise that's vulnerable to EternalBlue can be all attackers - using their own, highly automated scanning tools - need to gain access to the network.
For example, one eyewitness account of a NotPetya infection, shared by Scotland-based Colin Scott, says the initial attack vector seemed to be a single PC (see Teardown of 'NotPetya' Malware: Here's What We Know).
"Could have been a workstation admin's account, giving the virus admin rights to all PCs in the local area," Scott wrote. "Over time, it must have picked up Domain Admin rights as it spread, then hitting Domain Controllers and all other Windows servers with its PSEXEC/WMIC code. The rest is history. We lost PCs that were encrypted with McAfee Disk Encryption due to corrupted MBR; PCs that were not encrypted with McAfee showed the ransom message."
Warning: Small-Scale Attacks Likely Too
WannaCry and NotPetya brought mainstream awareness to the ransomware and malware problem. But EternalBlue isn't just about global malware outbreaks, Erez warns. "I believe there are many more EternalBlue-based attacks which remain off the radar and are still unknown to us - [for example], data exfiltration or even just using your computers to join a botnet," he writes.
Scan for EternalBlue now, or pay later.