EternalBlue Exploit: Thousands of Machines Still Not Patched Against WannaCry, Petya Attacks

Tens of thousands of computers around the world still have not been updated with security patches that defend against an exploit that allowed the spread of two worldwide malware attacks.

EternalBlue, a scanner built by cybersecurity software company Imperva, found 60,000 Windows-powered machines that had yet to install a security patch that defends against the vulnerability.

The scanner looked for machines running the Microsoft Server Message Block (SMB) protocol that was vulnerable to the exploit known as EternalBlue.

Of the eight million individual IP addresses scanned over the course of 12 days, 547,000 responded through the port used by SMB communications. Just over half of those that responded—258,000 machines—were running the SMB protocol and 60,000 were still vulnerable to EternalBlue.

Other estimates have put the number of potentially unprotected machines much higher. Data provided to International Business Times by cybersecurity firm Avast showed there are at least 38 million PCs worldwide that have not yet patched their systems against EternalBlue. Those figures come from the company’s Wi-Fi Inspector service, and the number of computers that are at risk is likely higher, potentially significantly so.

For those that remain unpatched, there is a high risk of being hit by an attack that uses the EternalBlue exploit. In just the last two months, WannaCry (a ransomware attack that hit more than one million machines in 153 countries) and Petya (a wiper attack posing as ransomware that hit at least 12,500 machines in more than 60 countries) made use of the vulnerability.

Malware Was Stolen From NSA

The EternalBlue exploit, along with a number of other potentially damaging means of propagation for malicious software, was initially developed by the U.S. National Security Agency and made public after the exploits were stolen by an anonymous group of hackers known as the Shadow Brokers.

The NSA disclosed the method of attack to Microsoft after the agency learned the exploits were stolen. Microsoft released a patch for the EternalBlue vulnerability in March for current operating systems and issued an emergency patch for the exploit on outdated machines in May as WannaCry began spreading.

While attacks like WannaCry and Petya have received the most press because of the size and scale of the attacks and the high-profile targets affected, the EternalBlue exploit has also been used in lower-profile attacks and is likely being used by attackers in a number of ways that have yet to be discovered.

For example, before WannaCry even began its initial spread in May, EternalBlue was being used by a botnet attack designed to help a group of unidentified hackers use infected machines in an effort to mine for a cryptocurrency called Monero.

Companies and individuals alike are advised to patch their machines to protect against the spread of additional attacks that may make use of EternalBlue. As long as there are unpatched devices out there, attackers will continue to target them.

One needs to look no further than the recent CopyCat Android malware attack to see the effect of unpatched vulnerabilities. The attack used exploits that had been patched for two years or more to infect more than 14 million devices that had yet to be updated.