EternalBlue-based attacks growing, security firm says

May 11, 2018 12:31 GMT

EternalBlue, the stolen NSA exploit that was used to create the infamous WannaCry ransomware, is back in business, and this time its usage appears to be skyrocketing, according to security vendor ESET.

Researcher Ondrej Kubovič notes that while WannaCry attacks have dropped, EternalBlue is still around, and the first months of 2018 brought a worrying increase in the number of attacks based on this exploit.

EternalBlue is an exploit stolen from the NSA by hacking group Shadow Brokers in April 2016. It takes advantage of a vulnerability in the Windows Server Message Block (SMB) protocol, and Microsoft shipped patches even before the flaw went public.

But this doesn’t mean that attackers have stopped searching for targets. The researcher says cybercriminals are scanning the Internet for exposed SMB ports and trying to compromise hosts with an exploit that eventually allows payloads to be deployed on the target machine, leading to different outcomes.

“Interestingly, according to ESET’s telemetry, EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily,” the researcher notes.

“Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.”

Patches already available

Kubovič speculates that this increase in the number of attacks based on EternalBlue could be caused by the Satan ransomware campaign.

With patches fixing the vulnerability already available, attackers can only compromise a Windows host if these updates aren’t installed. Microsoft’s security fixes were released in March 2017, and up-to-date computers should already be protected.

This increasing number of attacks, however, suggests that there are still many systems out there that haven’t deployed the updates, which is concerning, to say the least. Patches for the WannaCry ransomware are also available, including for Windows XP, despite this OS version exiting support in April 2014.