Eternal Blue 'dominates honeypot attack traffic' -- why is that?

News by Davey Winder

A little over a billion attacks were recorded by F Secure honeypots for the whole of 2018; by 2019 the total was 5.7 billion attacks - dominated by attacks hitting the Server Message Block (SMB) protocol.

Honeypots, by their very nature, attract a lot of threat actor action. But are they are good measure of threat temperature?

The latest F-Secure 'Attack Landscape' report covers the second half of 2019, and it reveals that F-Secure honeypots saw a pretty big upwards tick in attack events compared to the previous year. Across the whole of 2018 the honeypots 'only' attracted a little over one billion attacks; the 2019 total was 5.7 billion attacks. That this attack traffic was, according to F-Secure, "dominated by attacks hitting the Server Message Block (SMB) protocol," provides food for thought, does it not?

Are attackers really still that interested in exploits relating to Eternal Blue? Yes, the Eternal Blue vulnerability in the Windows OS that was exposed by the Shadowbrokers group in 2017 but which was developed by the US National Security Agency. Yes, that 'WannaCry and NotPetya' Eternal Blue.

The newly published Rapid7 quarterly threat report  would seem to back up the F-Secure findings. This report highlights the fact that SMB attacks are being seen by the Rapid7 Project Heisenberg honeypot. However, Rapid7 is reporting a levelling out of these Eternal Blue exploit attempts. But you have to remember that the vulnerability was both disclosed and patched in 2017. That attackers are still thinking it worthwhile to hunt vulnerable servers down would suggest that there's still a profit to be made from the population of such things. 

All of which leads to two questions that surely need answering? Why is Eternal Blue fallout still such a big thing, and what do enterprises need to do to mitigate against this ongoing attack risk? SC Media UK turned to the infosec industry in search of the answers.

Let's start with the 'yeah, but honeypots' question. After all, honeypots are designed to attract attackers so aren't they interesting but a bit real-world redundant? Jed Kafetz, senior security consultant at Redscan, says that "when deploying a honeypot, opening the SMB port to the Internet is a useful way of gauging the level of malicious traffic in general."

The point being that if the honeypot attracts more malicious traffic, then the chances are organisations will be exposed to similar increases in attack traffic. Zeki Turedi, a technology strategist at CrowdStrike agrees that while a honeypot isn't a true representation of what attacks are possible, it can show how opportunistic attackers will go after these "known but still highly efficient exploits."  Any threat actor, group or individual "with any type of skill level," Turedi says, "is able to harness this attack technique."

When SC Media UK contacted Oliver Pinson-Roxburgh, co-founder of Bulletproof, he ran a quick check and discovered that there were at least 1,363,603 servers on the internet with SMB exposed. "Our honeypot stats suggest that there are bots continually scanning the internet looking for vulnerable SMB services to add to their hoard," he says, adding "a good proportion of  the exposed servers running SMB are old or and out of support which demonstrates that bad hygiene is a big contributor to the hackers playground."

And, of course, as Red Sift's lead security architect, Peter Parkanyi, points out, "it's enabled on most corporate networks, and because it's so widely deployed and is present in every Windows version, a successful attack is very often easily portable across versions." Hardly a surprise then, when it's all but impossible to upgrade from outdated, unsupported, Windows environs.

So how does the enterprise best mitigate against the ongoing Eternal Blue threat? "The best, most reliable, and free tools that we have in our arsenal are network access control and endpoint hardening," Tod Beardsley, research director at Rapid7 says, "if you haven’t implemented default deny approaches to network segmentation and haven’t taken the time to harden the systems you deploy, that should be your next step." Keeping Windows up to date is the rather obvious, and correct, conclusion of Jonathan Knudsen, senior security strategist at Synopsys. He does add, however, that in those cases where patching is not possible, "placing a vulnerable system behind a firewall, or disabling the SMB-related services, could also be effective." 

Marco Essomba, founder of iCyber-Security, told SC Media UK that another best practice "is to conduct regular vulnerability assessments, especially for devices that are Internet facing, to ensure SMB services are detected and locked down." While the ever insightful Pascal Geenens, security evangelist at Radware, suspects that "most owners of exposed systems are probably not even aware their internal servers are publicly exposed." Whether these systems are vulnerable or adequately patched and hardened does not deflect from having their service exposed, he says, "the only way to assess and potentially exploit a system is by trying."

Geenens advice, therefore, is to run your external IP addresses through to see if your system has been indexed by their scanners, or "run your own nmap scan from a cloud server to ensure your branches or internet gateways are not exposing port 445." 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews