Pierluigi Paganini July 13, 2017

The Eternal Blues scanner allowed administrators worldwide to discover more than 50,000 computers vulnerable to the NSA-linked EternalBlue exploit.

Recently the security researcher Elad Erez developed Eternal Blues, a free EternalBlue vulnerability scanner that could be used by administrators to assess networks.

Now Elad Erez published data collected by the Eternal Blues over the two weeks, the results are disconcerting, more than 50,000 scanned hosts are still vulnerable to the exploit. The data is even more worrisome if you consider that a single vulnerable machine could expose the entire network to the attackers.

The administrator of a network composed of 10,000 hosts discovered the only two machines were still vulnerable, in information that was crucial to protect the entire network.

As of July 12, the Eternal Blues tool was used to scan more than 8 million IPs, 1.5 million are located in France.

Erez revealed that vulnerable machines were found in around 130 countries, top 3 countries had more than 30,000 vulnerable machines.

53.82% of the vulnerable hosts still have SMBv1 enabled, 1 out of 9 hosts in a network is vulnerable to EternalBlue.

Although Eternal Blues found only around 50,000 vulnerable systems,

Erez explained that the number of vulnerable machines is much higher than 50,000, he explained that issues with the tool prevented it from correctly counting the number of vulnerable hosts.

Erez issued a new release of the tool on July 2 that fixes the above problems.

Below the results of the scan:

• More than 8 million IPs were scanned. France taking the lead with 1.5 million
• The top 3 vulnerable countries (out of ~130), had more than 30,000 vulnerable hosts altogether
• The majority (53.82%) of hosts nowadays still have SMBv1 enabled
• 1 out of 9 hosts in a network is vulnerable to EternalBlue
• One network, with almost 10,000 hosts (not IPs), had 2 vulnerable hosts. How could anyone find that without Eternal Blues?

Erez is satisfied by the scanner that has increased in a significant way the level of awareness on EternalBlue exploit allowing administrators to secure their networks.

“Unfortunately, exploitation of EternalBlue is still a very good method of invoking remote code execution. It is available in more than 50,000 hosts scanned by Eternal Blues (as for July 12, 2017). Yes, even after all the latest attacks by WannaCry and NotPetya. I’m here to remind you, sometimes it takes just 1 vulnerable machine to take you down.” concluded the expert.

“Although numbers are quite high (remember, these are IPs scanned with my tool only), I feel like awareness did increase somewhat. Running Eternal Blues is, by definition, being aware of the problem. So good for you for taking responsibility and checking your network status. Now it’s patching time!”

Administrators are recommended to periodically scan their networks for Eternal Blue flaw, to apply the latest patches and disable the SMBv1 protocol.

Pierluigi Paganini 

(Security Affairs –  Eternal Blues, Eternal Blue flaw)

[adrotate banner=”5″]

[adrotate banner=”13″]