Cyberattacks leveraging the Windows Server Message Block exploit known as EternalBlue have reportedly reached historically high levels over the last few months, even though the vulnerability it affects was patched by Microsoft more than two years ago.
In a May 17 blog post, ESET security evangelist Ondrej Kubovic said his company's telemetry data has revealed hundreds of thousands of blocked EternalBlue-based attacks taking place daily.
In the two-year span ranging from May 2, 2017 through May 2, 2019, the frequency of EternalBlue detections and the total number of unique clients reporting instances of EternalBlue have markedly climbed. But ESET witnessed a massive spike between February and March 2019, during which time the company noted an all-time high in detections.
In 2016 and 2017 a mysterious hacker group known as the Shadow Brokers publicly leaked an array of cyber weapons stolen from the "Equation Group," which is widely associated with the U.S. National Security Agency. Among them was EternalBlue, which became a popular tool for cybercriminals and APT to infect victims with malware programs such as trojans, cryptominers and ransomware, including the WannaCry cryptoworm spread around the world in an infamous 2017 attack.
Microsoft issued a patch to fix the SMB vulnerability on March 14, 2017. Regardless, a recent Shodan search engine inquiry by ESET found that 1 million internet-connected machines continue to use the obsolete SMB v1 protocol, which remains vulnerable to EternalBlue. Of these machines, 400,757 were located in the U.S., with the next most based in Japan (74,634) and the Russian Federation (66,719).
"This presents an easy and juicy target for the cybercriminals," Kubovic told SC Media in an email interview.
The reasons behind the spike in EternalBlue usage may not be entirely nefarious, however. In both the blog post and his interview, Kubovic noted that corporate security departments are increasingly using EternalBlue "as a means for vulnerability hunting within corporate networks."
