
Attempted cyberattacks using EternalBlue exploit soar in recent months

Cyberattacks leveraging the Windows Server Message Block (SMB) exploit known as EternalBlue have reportedly reached historically high levels over the last few months, even though Microsoft patched the vulnerability it targets more than two years ago.

In a May 17 blog post, ESET security evangelist Ondrej Kubovic said his company's telemetry data has revealed hundreds of thousands of blocked EternalBlue-based attacks taking place daily.

In the two-year span from May 2, 2017 through May 2, 2019, both the frequency of EternalBlue detections and the number of unique clients reporting them climbed markedly. ESET also observed a massive spike between February and March 2019, when the company recorded an all-time high in detections.

In 2016 and 2017 a mysterious hacker group known as the Shadow Brokers publicly leaked an array of cyber weapons stolen from the "Equation Group," which is widely associated with the U.S. National Security Agency. Among them was EternalBlue, which became a popular tool for cybercriminals and APT groups to infect victims with malware such as trojans, cryptominers and ransomware, including the WannaCry cryptoworm that spread around the world in an infamous 2017 attack.

Microsoft issued a patch for the SMB vulnerability on March 14, 2017. Regardless, a recent Shodan search by ESET found that 1 million internet-connected machines still use the obsolete SMB v1 protocol, which remains vulnerable to EternalBlue. Of these machines, 400,757 were located in the U.S., followed by Japan (74,634) and the Russian Federation (66,719).
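A defender-side check for the SMBv1 exposure described above, added here as an example and not part of the article or of ESET's work. It assumes a Windows 8 / Server 2012 or later host (the SmbShare module) and an elevated PowerShell session; the `-Disable` switch is a local convention of this script.

```powershell
# Added example: audit whether this Windows host still offers the SMB1 protocol
# that EternalBlue targets, and optionally turn it off. Run elevated.
param([switch]$Disable)

$report = [ordered]@{}

# Server side: is the SMB1 dialect still enabled on the file server service?
$srv = Get-SmbServerConfiguration
$report['SMB1ServerEnabled'] = $srv.EnableSMB1Protocol

# Windows 10 / Server 2016 and later also expose SMB1 as an optional feature,
# split into server and client halves on newer builds. Absent features are skipped.
foreach ($feature in 'SMB1Protocol', 'SMB1Protocol-Server', 'SMB1Protocol-Client') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    if ($f) { $report["Feature:$feature"] = $f.State }
}

# Active inbound sessions by dialect: any 1.x session is a legacy client that
# would break once SMB1 is switched off, so inventory them before disabling.
$legacy = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
$report['ActiveSMB1Sessions'] = @($legacy).Count
$report['SMB1ClientNames']    = (@($legacy) | ForEach-Object { $_.ClientComputerName }) -join ','

[pscustomobject]$report | Format-List

if ($Disable) {
    if ($srv.EnableSMB1Protocol) {
        # Takes effect immediately for the server service; no reboot needed.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host 'SMB1 disabled on the server service.'
    }
    # Removing the optional feature (where present) needs a reboot to complete.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}
```

Run it without `-Disable` first across the fleet and treat any non-zero `ActiveSMB1Sessions` as a migration task before enforcing the change.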

"This presents an easy and juicy target for the cybercriminals," Kubovic told SC Media in an email interview.

The reasons behind the spike in EternalBlue usage may not be entirely nefarious, however. In both the blog post and his interview, Kubovic noted that corporate security departments are increasingly using EternalBlue "as a means for vulnerability hunting within corporate networks."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
