Thousands of hosts still vulnerable to EternalBlue after WannaCry attacks

Researchers found just two weeks after the EternalBlue exploit was used in the WannaCry ransomware attack that 60,000 hosts are still vulnerable.

The exploit is believed to have been developed by the U.S. National Security Agency (NSA) and leaked by the Shadow Brokers hacker group in April 2017.

Researchers scanned more than 8 million IP addresses across the globe and found the top three vulnerable countries had more than 30,000 vulnerable hosts combined. In addition, 53.82 percent of hosts nowadays have SMBv1 enabled, Imperva Director of Innovation Elad Erez said in a July 11 blog post.

Erez went on to say one out of nine hosts in a network is vulnerable to EternalBlue and that one network containing nearly 10,000 hosts was spotted with two vulnerable hosts. It's also important to keep in mind that these are only the servers that were detected by Erez's custom tool, and he believes that many more are vulnerable than were detected.

To combat the threat, researchers recommend that users ensure their Microsoft Windows systems are fully patched, set Windows to update automatically, disable SMBv1, and periodically assess the risk in their network with their favorite vulnerability scanner.
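One way to check a Windows host against the SMBv1 recommendation above, as an added example that is not from the article or from Imperva. The function names are hypothetical, and it covers only the SMBv1 server setting on the local machine; run it from an elevated PowerShell prompt.

```powershell
# Added example (hypothetical function names): audit and optionally disable
# the SMBv1 server component on the local Windows host.
$Smb1RegKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the setting through the SMB cmdlets.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
        $source  = 'Get-SmbServerConfiguration'
    }
    else {
        # Older systems: read the LanmanServer registry value.
        # A missing SMB1 value means the default applies, which is "enabled".
        $value   = (Get-ItemProperty -Path $Smb1RegKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $value) -or ($value -ne 0)
        $source  = 'Registry'
    }
    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        Source      = $source
        Smb1Enabled = $enabled
    }
}

function Disable-Smb1Server {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Honors -WhatIf / -Confirm so the change can be previewed first.
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server')) { return }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    else {
        # The registry change takes effect after a restart.
        Set-ItemProperty -Path $Smb1RegKey -Name SMB1 -Type DWord -Value 0
    }
}

$state = Get-Smb1ServerState
$state | Format-List Computer, Source, Smb1Enabled
if ($state.Smb1Enabled) {
    Write-Warning 'SMBv1 server is enabled; preview the fix with: Disable-Smb1Server -WhatIf'
}
```

Disabling SMBv1 does not replace patching: the host still needs the current Windows updates, and legacy clients that only speak SMBv1 will lose access once it is off.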

Erez said it's important to remember that recent attacks made a lot of buzz as they were flashy and informed victims what hit them.

“I believe there are many more EternalBlue-based attacks which remain off the radar and are still unknown to us (examples: data exfiltration or even just using your computers to join a botnet),” he said. “So not seeing something like this (below), does not mean you weren't hit.”
