Use of EternalBlue in attacks on the increase despite patch

News by Bradley Barth

Cyber-attacks leveraging the Windows Server Message Block exploit EternalBlue have been at historically high levels over the last few months, even though the vulnerability was patched by Microsoft more than two years ago.

Cyber-attacks leveraging the Windows Server Message Block exploit known as EternalBlue have reportedly reached historically high levels over the last few months, even though the vulnerability it affects was patched by Microsoft more than two years ago.

In a 17 May blog post, ESET security evangelist Ondrej Kubovic said his company’s telemetry data has revealed hundreds of thousands of blocked EternalBlue-based attacks taking place daily.

In the two-year span ranging from 2 May 2017 through 2 May 2019, the frequency of EternalBlue detections and the total number of unique clients reporting instances of EternalBlue have markedly climbed. But ESET witnessed a massive spike between February and March 2019, during which time the company noted an all-time high in detections.

In 2016 and 2017 a mysterious hacker group known as the Shadow Brokers publicly leaked an array of cyber-weapons stolen from the "Equation Group," which is widely associated with the US National Security Agency. Among them was EternalBlue, which became a popular tool for cyber-criminals and APT groups to infect victims with malware programs such as trojans, cryptominers and ransomware, including the WannaCry cryptoworm spread around the world in an infamous 2017 attack.

Microsoft issued a patch to fix the SMB vulnerability on 14 March, 2017. Regardless, a recent Shodan search engine inquiry by ESET found that a million internet-connected machines continue to use the obsolete SMB v1 protocol, which remains vulnerable to EternalBlue. Of these machines, 400,757 were located in the US, with the next most based in Japan (74,634) and the Russian Federation (66,719).

"This presents an easy and juicy target for the cyber-criminals," Kubovic told SC Media in an email interview.

The reasons behind the spike in EternalBlue usage may not be entirely nefarious, however. In both the blog post and his interview, Kubovic noted that corporate security departments are increasingly using EternalBlue "as a means for vulnerability hunting within corporate networks."

This article was originally published on SC Media US.
