Tomorrow, May 12, is the one-year anniversary of the WannaCry ransomware outbreak.
Exactly one year after the biggest cyber-security incident in history, the exploit at the heart of the WannaCry attack is now more popular than ever, according to telemetry data gathered by Slovak antivirus vendor ESET.
Named EternalBlue, the exploit was supposedly developed by the cyber division of the US National Security Agency. EternalBlue was part of a large cache of tools that a hacker group known as The Shadow Brokers stole from NSA servers in 2016 and then leaked online from August 2016 to April 2017.
Many suspect the NSA might have notified Microsoft of what the Shadow Brokers stole, because in March 2017, a month before EternalBlue was released, Microsoft published MS17-010, a security bulletin containing patches for the many SMB-targeting exploits included in the Shadow Brokers leak.
EternalBlue wasn’t that widespread in the beginning
What happened next is well documented, with EternalBlue being used to create a self-spreading mechanism for the WannaCry ransomware, and later for subsequent ransomware outbreaks like NotPetya and Bad Rabbit.
The impact of EternalBlue was devastating, with companies reporting total damages of over $8 billion across 150 countries just from the WannaCry incident alone, according to IBM X-Force.
But the initial version of EternalBlue wasn’t perfect. It only worked on Windows 7 and Windows Server 2008 and crashed on Windows XP.
EternalBlue did a lot of damage during WannaCry, but very few malware authors knew how to use it. This is why, according to ESET, EternalBlue usage declined sharply shortly after WannaCry.
“EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign,” ESET’s Ondrej Kubovič explains. “Over the following months, attempts to use the EternalBlue exploit dropped to ‘only’ hundreds of detections daily.”
EternalBlue grows beyond WannaCry into commodity malware
But things changed in the months following the WannaCry and NotPetya incidents. For starters, security researchers ported EternalBlue to more platforms, such as Windows 8 and Server 2012, and later even Windows 10.
This broadened the exploit’s reach to far more potential victims and made it a commodity among malware authors.
EternalBlue lives on thanks to unpatched systems
Even if EternalBlue is no longer being used to turn ransomware into a virulent nightmare on a global level (only on a network level), most regular users don’t know that it’s still one of today’s biggest threats.
This threat doesn’t come only from malware authors continuing to weaponize it for a diverse set of operations; malware authors wouldn’t bother with an exploit that no longer paid off. EternalBlue continues to be a threat because of the vulnerable machines still exposed online.
According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service to the internet.
Almost a year after WannaCry and there’s still over a million SMB servers without auth exposed to the world. At least it looks like “only” 66k of them are running Windows pic.twitter.com/ZBlPA0SJU2
— Nate Warfield (@dk_effect) May 11, 2018
EternalBlue is also most likely one of the reasons Microsoft reacted by shipping new versions of Windows with SMBv1, the protocol EternalBlue targets, disabled.
EternalBlue will remain a threat for years to come
Kryptos Logic, the company behind the WannaCry sinkhole, revealed the same thing a few weeks ago. The company pointed out that residual WannaCry infections are still using EternalBlue to infect new victims, with “millions” of devices scanning the Internet for unpatched systems and deploying EternalBlue in attempts to infect them with WannaCry.
The sinkhole stops WannaCry from encrypting files, but the EternalBlue exploit in WannaCry’s self-spreading component is still running just fine, even to this day.
The key takeaway is that organizations failing to apply the MS17-010 patch have contributed to EternalBlue’s recent success, and their vulnerable systems will keep this threat active for years to come, just as we still see worms from the early 2000s hanging around.
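The two conditions the article ties to continued EternalBlue exposure, SMBv1 still enabled and MS17-010 not applied, can be audited on a single Windows host with the script below. It is an added example, not code from the article or from any of the vendors it quotes; the KB list is a placeholder parameter because the article names the bulletin but not the per-OS hotfix ids, and the script assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (with a registry fallback for older systems).

```powershell
# Added example, not from the article: audit one host for the EternalBlue
# preconditions discussed above. Run elevated. The KB list is a placeholder;
# fill it with the MS17-010 hotfix id(s) for this OS before use.
param(
    [string[]]$Ms17010KbIds = @('KB0000000')   # placeholder, replace per OS
)

$findings = @()

# 1. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; older systems expose the same switch in the registry.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # An absent value means the default, which on Windows 7 / 2008 is enabled.
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}
if ($smb1Enabled) { $findings += 'SMBv1 server protocol is enabled' }

# 2. MS17-010 presence, matched by installed hotfix id.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched = $Ms17010KbIds | Where-Object { $installed -contains $_ }
if (-not $patched) {
    $findings += 'No MS17-010 hotfix id from the supplied list is installed'
}

# 3. Is SMB listening at all? If so, the host firewall must block TCP 445
#    from untrusted networks, which is the exposure the article describes.
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $findings += 'SMB (TCP 445) is listening; confirm it is not reachable from untrusted networks'
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: SMBv1 disabled and an MS17-010 hotfix is present'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    # Remediation for the SMBv1 finding on Windows 8 / Server 2012 and later:
    #   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```

Run it across a fleet through your existing remote-management tooling and treat any host reporting both SMBv1 enabled and no MS17-010 hotfix as a priority patch target.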