Slashdot Mirror


One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Exactly one year after the biggest cyber-security incident in history, the exploit at the heart of the WannaCry attack is now more popular than ever, according to telemetry data gathered by Slovak antivirus vendor ESET. Named EternalBlue, the exploit was supposedly developed by the cyber division of the U.S. National Security Agency. EternalBlue was part of a large cache of tools that a hacker group known as The Shadow Brokers stole from NSA servers in 2016 and then leaked online from August 2016 to April 2017. Many suspect the NSA might have notified Microsoft of what the Shadow Brokers stole, because in March 2017, a month before EternalBlue was released, Microsoft released MS17-010, a security bulletin containing patches for the many SMB-targeting exploits included in the Shadow Broker leak.

Even if EternalBlue is not being used anymore to help ransomware become a virulent nightmare on a global level (only on a network level), most regular users don't know that it's still one of today's biggest threats. This threat doesn't only come from malware authors continuing to weaponize it for a diverse set of operations. Malware authors wouldn't ever bother with an inefficient exploit. ExploitBlue continues to be a threat because of the vulnerable machines still available online. According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service available online.


  1. Uh. ExploitBlue? Another one? by mnemotronic · · Score: 2

    ..ExploitBlue continues to be a threat because ...

    BleepingTypo, not BleepingComputer.

    --
    The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
  2. No one wants the solution by Anonymous Coward · · Score: 2, Interesting

    You can explain to people that to work better, live without paranoia, have increased security, have stability and control, go use Linux.

    It just does not work though; if we were logical animals out for our best interest and getting things done, Windows would have sunk into oblivion decades ago, but there is something mentally wrong with the vast majority of us, and the obvious solution sitting under everyone's nose is ignored to continue what we already know doesn't work.

    *shrug*

    Humans, weird lil monkeys I must say, but unless we aerosol spray a retrovirus to change our nature you can keep screaming at them full force with all the effect of a summer breeze against a mountain of stupid.

    1. Re:No one wants the solution by ArchieBunker · · Score: 2

      If Linux had 90% of the desktop marketshare I guarantee you'd see these exact same exploits. Look how long Heartbleed was around before anyone noticed it.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    2. Re:No one wants the solution by Anonymous Coward · · Score: 1

      I like your justification for not doing the correct thing.

      Keep those excuses coming, you can even pretend they're real if you like. I'll just keep getting stuff done while you keep having IT meltdowns every day.

    3. Re:No one wants the solution by ArchieBunker · · Score: 1

      I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re: No one wants the solution by Anonymous Coward · · Score: 2, Insightful

      Why limit this discussion to desktops? There are plenty of reasons to target servers and, for that matter, high performance computing systems. A lot of potentially sensitive data could be obtained from compromising servers. And there may be even greater value from compromising high performance computing systems. Some of those systems include dedicated GPU resources. If such a system was compromised, an attacker could use those to mine cryptocurrency on someone else's bill, not to mention what other sensitive data might be stored on those systems. There are plenty of worms that attempt to target Linux systems, including exploiting vulnerable SSH servers. Part of the issue is that Linux systems typically don't run lots of potentially vulnerable services by default, whereas lots of services are running by default on Windows.

    5. Re:No one wants the solution by Anonymous Coward · · Score: 2, Informative

      I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.

      Technically, Altium already has...
      https://www.altium.com/solution/linux-pcb-design-software
      Maybe not the product you were wishing for, though?

    6. Re: No one wants the solution by phantomfive · · Score: 1

      Because for most people it works fine. At least, well enough. And the few times it doesn't, they buy a new computer and move on. They'd rather spend their time watching Netflix than learn a new skill.

      --
      "First they came for the slanderers and i said nothing."
    7. Re:No one wants the solution by Ol Olsoc · · Score: 1

      If Linux had 90% of the desktop marketshare I guarantee you'd see these exact same exploits. Look how long Heartbleed was around before anyone noticed it.

      Har! My operating system is best because it has the most exploits! Buy Windows - hackers can't be wrong!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    8. Re:No one wants the solution by Ol Olsoc · · Score: 1

      I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.

      Are you bragging or complaining? I feel badly for people who are locked in to one OS.

      I have one stinking program that only runs on Windows, have to have a machine specifically for that one program, and I surely don't brag about it. Being a W10 machine, it takes more maintenance than all my other computers combined. Latest update took out a USB hub and mouse! Corrupted their drivers.

      I would think that using your bragging points of installed user base and Windows only monoculture programs, that hackers and malware people would be helping Microsoft fix their interminable update borks so they could have more uptime to work their bad guy stuff.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    9. Re:No one wants the solution by Ol Olsoc · · Score: 1

      I agree, Linux is the safest. But after an update on my PC, it bricked my whole machine and converted my PC into an expensive paperweight.

      Windows latest update is taking out a lot of computers.

      I think it is called security through bricking. Draconian, but hey - it works!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    10. Re:No one wants the solution by ArchieBunker · · Score: 1

      Web based.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    11. Re:No one wants the solution by HiThere · · Score: 1

      Sorry, but no. Linux isn't the most secure system, and it definitely has its weak points. (Archives should never expand already executable, e.g.) But it's a lot better than even modern MSWind. Still, if security were your main consideration you'd either pick one of the BSDs (OpenBSD has the reputation of most secure, but I can't really judge), or something totally else. Probably something where the code can never be executed after being made executable until the next volume remount, or possibly reboot. This really needs to be addressed at a hardware level, though. If all executable code was essentially ROM, then the exploits would plummet. (Even that wouldn't suffice, however, because of virtual machines, in which category I include interpreters, and scripting languages, and even things like UCSD Pascal, or BC-Algol, or, for that matter, MIXX.)

      The only thing that could really work and still be useful would be a checkpointed system where the checkpoints could never be edited or erased from within the system. Git does something rather like that, but without the protection of the prior versions, because it wasn't basically aimed at security, but rather at concurrent editing. This would basically mean that files could never really be deleted or altered. You'd need to specify at boot time what the last presumed good time was, and it would reboot to the checkpoint just before that time. (This also means that you need to protect whatever you're using as the time standard.)

      So. It's doable, but it would be a bit expensive. And you'd still need backups because hardware can fail.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    12. Re:No one wants the solution by Anonymous Coward · · Score: 1

      Why not use a VM - no need for a physical machine these days for something like that.

    13. Re:No one wants the solution by ilsaloving · · Score: 1

      That's because when you give people that kind of explanation, they will look at you as if you've grown an extra head, and for good reason.

      Honestly, why is this so hard for die-hard Linux people to understand? Linux is *not* a viable option for a significant number of people for a variety of reasons:
      1. The OS is only tangentially important. Concern #1 is the applications, and a lot of those applications just aren't on Linux.
      2. There is a learning curve which some people aren't prepared for, ESPECIALLY if it's not work-related.
      3. People complain about Apple's walled garden. Linux has an even worse walled garden, because if you have to so much as stick your pinky toe out from the carefully cultivated experience Linux distros provide you, you are effectively screwed unless you are a techy. And even if you are a techy, you have to ask yourself "is it worth my time to screw with this?". Just because I know how to edit an xorg.conf file doesn't mean I want to waste time doing so.
      4. For the overwhelming majority of computer users, CLI is *not* an option. Period.

      Linux is the single best server OS currently available and if given the choice, I would pick it 100% of the time when setting up a server or a development workstation. The power, flexibility and control are second-to-none.

      Linux is also second-to-none in the embedded space, because you can slice and dice it to an absurd degree, making it behave exactly as you want it to.

      But all those benefits turn into flaws on the user desktop side, and until linux fans realize that, Linux will *never* succeed on the desktop. And it's not about dumbing everything down either. It's about making features as accessible as possible. And that's just to start. I won't list all the things that need to be done cause no one will listen to me anyway.

  3. Re:Eternal Blue its name wasn't derived from blue by AHuxley · · Score: 1

    Could all be part of the National Time Sensitive Systems tasks. Along with BLUEBERRY, BLUESKY, BLUESTREAM.

    --
    Domestic spying is now "Benign Information Gathering"
  4. Linux huge role in the flaw... by ELCouz · · Score: 4, Informative
    From the article tweet:

    Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows

    Samba is still using SMB v1 by default on many configurations for legacy purposes.

    1. Re: Linux huge role in the flaw... by ELCouz · · Score: 1

      I meant to say Samba not Linux in the title.
      Samba is the issue. It's not until late 2016 they switched to SMBv2 by default. Leaving too many servers vulnerable.

    2. Re:Linux huge role in the flaw... by thomst · · Score: 1

      ELCouz pointed out:

      From the article tweet:

      Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows

      Samba is still using SMB v1 by default on many configurations for legacy purpose.

      If I had points, this post would get a +1 Informative upmod.

      I hope someone who has 'em agrees ...

      --
      Check out my novel.
    3. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 1

      That's why I am willing to embrace A.I., your response is civil, to the point, and courteous just like any AI. I congratulate your programmer.

    4. Re:Linux huge role in the flaw... by sjames · · Score: 1

      To be fair, without Windows, there would be zero Linux machines running Samba at all. Samba only exists because of Windows.

      And the legacy reason? Supporting Windows machines.

    5. Re:Linux huge role in the flaw... by thegarbz · · Score: 2

      And the legacy reason? Supporting Windows machines.

      There's nothing legacy about it. Samba itself is a perfectly fine protocol and one of the few that is actually nicely cross platform, which cannot be said for NFS or AFS. It nicely decouples the file system attributes from the sharing protocol and allows authentication on a per share level without having to worry about matching file system permissions between the server and clients.

      Hell I used to work at a linux only shop that used samba as its primary way of sharing for exactly this reason.

    6. Re: Linux huge role in the flaw... by Anonymous Coward · · Score: 1

      cifs.ko is a part of almost all Linux based operating systems, and actually is part of the kernel.

      Linux servers using mount -t cifs to attach to a Windows file server on a brand spanking new RHEL server still default to SMBv1 as far as I know. Some features like DFS were broken when you forced a higher version, until RHEL 7.5 came out I think. Who knows what else is broken, but I'm sure that's the reason for defaulting to the oldest version of the protocol. Anyway this stuff makes it hard for shops with integrated Linux/Windows systems to disable SMBv1 entirely.
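The two Samba-side points raised in this thread (ELCouz: Samba shipped with SMB1 negotiable by default for a long time; the comment above: cifs mounts that pin or silently fall back to vers=1.0) are both things an admin can check from the config files rather than from memory. The script below is an added example, not code from the article, from Samba or from any commenter. It reads a constructed smb.conf and fstab, reports whether smbd would still negotiate an SMB1 dialect, lists shares that are open without credentials (the "SMB servers without auth" of the tweet), and flags cifs mounts that force vers=1.0 or leave vers unset. The protocol names and aliases are the ones smb.conf(5) documents for "server min protocol"; the `default_min` parameter models the compiled-in default when the line is absent (NT1 before Samba 4.11, SMB2_02 from 4.11 on) and is an assumption you should set to match the installed version. Function names, the sample configs and the verdict strings are mine.

```python
import re

# Samba's protocol names in negotiation order, as "server min protocol" / "client min protocol"
# accept them; the aliases SMB2 and SMB3 resolve to the newest minor of that major.
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
SMB1_MAX_RANK = PROTOCOL_ORDER.index("NT1")   # NT1 and everything below it is SMB1


def protocol_rank(name):
    name = ALIASES.get(name.upper(), name.upper())
    if name not in PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol name {name!r}")
    return PROTOCOL_ORDER.index(name)


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lowercased with
    inner whitespace collapsed so 'server  min  protocol' still matches."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def smb1_allowed(conf_text, default_min="NT1"):
    """True if smbd will still negotiate an SMB1 dialect.

    default_min is the compiled-in default used when the parameter is absent:
    NT1 (SMB1 allowed) before Samba 4.11, SMB2_02 from 4.11 on. Assumption: set it
    to match the installed version."""
    global_section = parse_smb_conf(conf_text).get("global", {})
    return protocol_rank(global_section.get("server min protocol", default_min)) <= SMB1_MAX_RANK


def guest_shares(conf_text):
    """Shares reachable without credentials: the 'SMB servers without auth' case."""
    return [name for name, opts in parse_smb_conf(conf_text).items()
            if name not in ("global", "homes", "printers")
            and opts.get("guest ok", "no").lower() in ("yes", "true", "1")]


CIFS_VERS = re.compile(r"(?:^|,)vers=([^,\s]+)")


def audit_fstab(fstab_text):
    """(mountpoint, verdict) for every cifs mount: flags vers=1.0 and an unspecified vers."""
    findings = []
    for raw in fstab_text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#") or fields[2] != "cifs":
            continue
        mountpoint, options = fields[1], fields[3]
        m = CIFS_VERS.search(options)
        if m is None:
            verdict = "vers unspecified (kernel default applies)"
        elif m.group(1) == "1.0":
            verdict = "SMB1 forced (vers=1.0)"
        else:
            verdict = f"ok (vers={m.group(1)})"
        findings.append((mountpoint, verdict))
    return findings


# Constructed sample inputs (not taken from any real host).
SMB_CONF_LEGACY = """\
[global]
   workgroup = WORKGROUP
   ; no 'server min protocol' line: the compiled-in default decides
[public]
   path = /srv/public
   guest ok = yes
"""

SMB_CONF_HARDENED = """\
[global]
   workgroup = WORKGROUP
   server min protocol = SMB2_02
   client min protocol = SMB2_02
[public]
   path = /srv/public
"""

FSTAB = """\
# constructed sample fstab
//fileserver/legacy  /mnt/legacy  cifs  credentials=/etc/cifs.cred,vers=1.0  0 0
//fileserver/share   /mnt/share   cifs  credentials=/etc/cifs.cred,vers=3.0  0 0
//fileserver/old     /mnt/old     cifs  credentials=/etc/cifs.cred           0 0
"""

if __name__ == "__main__":
    print("legacy smb.conf allows SMB1:", smb1_allowed(SMB_CONF_LEGACY))
    print("hardened smb.conf allows SMB1:", smb1_allowed(SMB_CONF_HARDENED))
    print("guest shares:", guest_shares(SMB_CONF_LEGACY))
    for mountpoint, verdict in audit_fstab(FSTAB):
        print(mountpoint, verdict)
```

"vers unspecified" is reported rather than judged because the answer depends on the kernel: older cifs.ko pinned vers=1.0 unless told otherwise, newer kernels negotiate 2.1 and up, so the only portable fix is to write the version you want into the mount options. The smb.conf check is the server side of the same problem: `server min protocol = SMB2_02` is what turns SMB1 off on Samba regardless of which default the installed version compiled in.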

    7. Re:Linux huge role in the flaw... by sjames · · Score: 2

      You should look at the history of it. It took the EU ordering MS to open up to get anything like complete support for the distinctly MS protocol. I wouldn't call it exactly cross platform so much as a triumph of reverse engineering.

    8. Re:Linux huge role in the flaw... by Jeremy Allison - Sam · · Score: 1

      Yes, but Samba also isn't vulnerable to WannaCry or EternalBlue, so that makes a difference.

    9. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      I wouldn't call it exactly cross platform so much as a triumph of reverse engineering.

      What does the result have to do with the method?

    10. Re:Linux huge role in the flaw... by sjames · · Score: 1

      If it was truly cross platform, it would be easier to update Samba to the latest standard.

      Admins would have less reluctance to do updates on a setup that more or less works.

    11. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      Well three things.

      1) This is a red herring since ultimately the point was that there is nothing Legacy and only for supporting Windows machines about Samba.
      2) Samba has no problems adopting the latest standard. In fact the first release candidate of Samba 4.3, which supports the current 3.1.1 protocol, was released before Windows 10 (first to support 3.1.1) was. There were 5 weeks between the release of Windows 10 and Samba 4.3 Stable. Hardly a problem by any stretch of the imagination and a completely non issue if you didn't upgrade due to backwards compatibility.
      3) The protocol is incredibly stable with few major changes. The last major version change was in 2013, the one preceding it was 2006, minor incremental changes happen over a period of several years and do not introduce incompatibilities. What's my point? Admins have no technical reason to be reluctant to upgrade, and admins have no technical reasons to force the upgrade either unless their current major version ceases getting security updates (SMB2 released in 2006 is still covered, and SMB1 which is now deprecated due to fundamental flaws had a good long 20+ year life). From an administration and support point of view, Samba is more or less an ideal scenario in the IT world, far outliving the useful life of the very systems that gave birth to it (Microsoft OSes)

    12. Re:Linux huge role in the flaw... by sjames · · Score: 1

      Apparently you haven't had to actually deal with compatibility between Linux filesystems and Windows boxes using Samba.

      It is NOT fun when an upgrade breaks some corner case. The Windows machines certainly won't hint at what is wrong. All you can do is look on the web and hope someone has already figured out the magic incantation that makes the corner case go away or randomly guess at things until you stumble over it.

    13. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      Apparently you haven't had to actually deal with compatibility between Linux filesystems and Windows boxes using Samba.

      No I haven't. Mainly because in the past 15 years I haven't seen any.

      Actually that's a lie, I have seen a few but all have been down to the Samba team changing not some protocol level thing but rather deprecating or introducing some new settings with some default that is overwritten by an old config file.

      While you're searching across the web, just marvel at the number of "I upgraded and now this doesn't work" Samba "incompatibilities" that are fixed by starting with the default config file for the current version of samba. If you can make your corner case go away without editing and recompiling the samba code, then the problem is not in the protocol.

      Ubuntu was a classic one day upping the major version of Samba without going through the process of warning the user that the config file requirements have changed. For me, that broke authentication with Windows 10 machines.

    14. Re:Linux huge role in the flaw... by sjames · · Score: 1

      You do know those settings affect protocol, right? Meanwhile, they are settings rather than hard coded because SMB isn't really cross platform and so there will be corner cases that need to be handled differently in different environments.

    15. Re:Linux huge role in the flaw... by thegarbz · · Score: 1

      You do know those settings affect protocol, right?

      You missed the point. The fact that you're able to misconfigure something is not a fundamental compatibility problem in a protocol. A single configuration file will work with all flavours of Windows, Linux, and any other system with Samba installed. If you don't want security problems then you're limited with compatibility to Windows systems only in the last 12 years though.

      Windows has no hardcoded incompatibility settings anywhere, only Linux does have soft coded settings you can fuck up in its infinite quest to give users enough rope to hang themselves. You unpack a Windows 10 machine, it'll talk all the way to Vista on its default configuration. Manually install SMBv1 in the features settings and you're going all the way back to LANManager. Samba with its default out of the box config is the same.

      If you have a compatibility problem then you are the problem.

    16. Re:Linux huge role in the flaw... by sjames · · Score: 1

      Consider, XP just won't die. There are plenty of admins out there who are still stuck with XP.

      If you're just shuttling a few files back and forth, it's easy. OTOH, if you're dealing with locking and shared files, it can get "interesting".

  5. Microsoft Windows strikes again .. by najajomo · · Score: 1, Troll

    Microsoft Windows strikes again ..

    1. Re:Microsoft Windows strikes again .. by thegarbz · · Score: 1

      I know. Right. It's like ... you're completely unable to read.

      Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows

      I mean you don't even need to read a summary, just a 170 character tweet. Too difficult for some people I guess.

  6. Poor NSA by Anonymous Coward · · Score: 1

    You got to feel sorry for the poor NSA, getting hacked by hackers and all that fake news jazz. It's almost as scary as the terrorists who terrorized us on 9-11. I sleep better at night knowing the NSA is keeping me safe and secure. And heil Hillary as mandated by law! ae911truth dot org

  7. Isn't it time to stop exposing SMB to the world? by jonwil · · Score: 2

    Isn't it time Microsoft started changing Windows so that it no longer exposes the horridly broken SMB protocol to the Internet at large (rather than the local LAN) unless you explicitly turn on the ability for the Internet at large to speak SMB to your computer?

  8. Re:Isn't it time to stop exposing SMB to the world by Anonymous Coward · · Score: 1

    I don't think it is open by default to the internet, because inbound packets on the SMB port will surely be blocked by your router's firewall anyway. The problem is that some websites might attack this local SMB port on your machine and hence spread ransomware. I am on Windows and I patched this SMB hole manually by myself. Fire up your beloved disassembler and pinpoint those hex codes responsible then replace them and then dump the original buggy file. Won't take you more than 2 hours. Verify by running netstat -ano

    If you want an easier solution, download the MS patch for SMBv1.

  9. Re:Isn't it time to stop exposing SMB to the world by thegarbz · · Score: 4, Informative

    Microsoft doesn't. It's blocked by default. SMBv1 is also disabled by default and has been for quite a while. Unfortunately there are just as many idiots in the Linux admin world as there are in the Windows world, and the vast majority of these are nothing to do with Windows.

    The summary tweet in TFA:
    "Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows"

  10. Shoot... by TheZeal0t · · Score: 1

    My cybersecurity company is still finding MS08-067 all over the place. IT'S ten years old, and it's "bigger than ever!" It's every burgeoning hacker's favorite, since it is so trivial to exploit.

  11. Microsoft testified browser is embedded in core OS by raymorris · · Score: 1

    Many security vulnerabilities can be exploited through multiple attack vectors. I'm more interested in where the actual flaw(s) are than which attack vectors are most convenient or popular at the moment.

    If Firefox has an issue that allows JavaScript to be loaded from URLs it shouldn't load from, bad on Firefox. If Windows (or Linux) had a bug in the kernel that allowed JavaScript, in any browser, to bypass the separation between processes and read memory assigned to another process, bad on Microsoft. It is the kernel's job to enforce that protection. The flaw could be exploited in any number of ways, by any program, including via JavaScript.

    It is the sworn testimony of Microsoft's top executives that Microsoft intertwined their browser so deep into the OS internals that it's impossible for Microsoft to make a version of Windows that can even boot without running browser code. Linux isn't designed that way. The browser isn't intertwined with the kernel or key parts of the OS. The browser (actually browsers) are completely separate applications like any other application, and the Linux OS is in no way dependent on the browser.

    It is fair, I think, to take Microsoft at their word, especially given the supporting evidence. When they testify under oath that their engineers are unable to remove legacy Internet Explorer code from Windows because it's so intertwined with the OS, and we see that in fact browser-based exploits do in fact infect the Windows OS at a deep level, we can only conclude that their testimony is true and they really did embed IE code deep in the OS.

    Unless we get some strong evidence that Microsoft was committing perjury, it does make sense to acknowledge that their browser is an intrinsic part of their OS. It also makes sense to acknowledge the fact that Linux is not designed that way.

  12. Feature? by hduff · · Score: 1

    "According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service available online."

    That's a Windows feature, right?

    --
    "I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
  13. Re:Isn't it time to stop exposing SMB to the world by Jeremy Allison - Sam · · Score: 1

    The SMB protocol itself isn't "horridly broken", although SMB1 doesn't support the integrity protection that prevents man-in-the-middle downgrade attacks (SMB3 does).

    Specific *implementations* can be broken, but if you're fully patched there are no existing vulnerabilities here.
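The integrity protection mentioned in the comment above is SMB 3.1.1's pre-authentication integrity: each side keeps a running SHA-512 over the NEGOTIATE and SESSION_SETUP messages it actually sent and received, and that hash is fed into the key derivation, so the two sides only end up with the same signing key if they saw the same negotiation. An on-path attacker who rewrites the negotiate therefore does not get a quietly downgraded session; the first signed message fails to verify. The simulation below is an added example, not from the comment's author or from the Samba or Windows code bases. The hash chaining (64 zero bytes as the starting value, then SHA-512 of previous hash plus message) is the real 3.1.1 construction; the message bodies are constructed stand-ins, the session key is a fixed constant where a real session gets it from NTLMSSP or Kerberos, and HMAC-SHA256 stands in for both the SP800-108 KDF and the AES-CMAC signature, as the comments mark.

```python
import hashlib
import hmac
import struct

PREAUTH_INITIAL = bytes(64)     # SMB 3.1.1 starts the pre-authentication integrity hash at 64 zero bytes
DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302, 0x0311]   # SMB 2.0.2 ... 3.1.1, what a current client offers


def negotiate_request(dialects):
    """Constructed stand-in for an SMB2 NEGOTIATE request: tag, dialect count, LE dialect codes."""
    return b"NEGOTIATE_REQ" + struct.pack("<H", len(dialects)) + b"".join(struct.pack("<H", d) for d in dialects)


def offered_dialects(request):
    count = struct.unpack_from("<H", request, 13)[0]
    return list(struct.unpack_from("<%dH" % count, request, 15))


def negotiate_response(chosen):
    return b"NEGOTIATE_RSP" + struct.pack("<H", chosen)


def preauth_chain(messages):
    """H_n = SHA-512(H_{n-1} || message_n): how 3.1.1 chains NEGOTIATE and SESSION_SETUP messages."""
    h = PREAUTH_INITIAL
    for m in messages:
        h = hashlib.sha512(h + m).digest()
    return h


def signing_key(session_key, preauth_hash):
    """Simplification: real 3.1.1 runs an SP800-108 counter-mode KDF with label 'SMBSigningKey\\0'
    and the final preauth hash as context; HMAC-SHA256 stands in for that KDF."""
    return hmac.new(session_key, b"SMBSigningKey\x00" + preauth_hash, hashlib.sha256).digest()


def sign(key, message):
    """Simplification: 3.1.1 signs with AES-128-CMAC or AES-128-GMAC; HMAC-SHA256 stands in."""
    return hmac.new(key, message, hashlib.sha256).digest()


def run_exchange(mitm_rewrites_request):
    """Return True if the client accepts the server's first signed message.

    session_key is a constructed constant; in a real session both sides obtain it from
    the authentication exchange (NTLMSSP or Kerberos), which the attacker does not hold."""
    session_key = bytes(range(16))
    client_request = negotiate_request(DIALECTS)
    # On-path attacker rewrites the request in transit: here it strips every dialect but 3.1.1,
    # so the negotiated dialect is unchanged and only the bytes the two sides hashed differ.
    server_saw = negotiate_request([0x0311]) if mitm_rewrites_request else client_request
    response = negotiate_response(max(offered_dialects(server_saw)))

    client_hash = preauth_chain([client_request, response])   # what the client sent and received
    server_hash = preauth_chain([server_saw, response])       # what the server received and sent

    first_signed = b"TREE_CONNECT_RSP"                         # first message that must carry a valid signature
    tag = sign(signing_key(session_key, server_hash), first_signed)
    expected = sign(signing_key(session_key, client_hash), first_signed)
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print("clean negotiate, signature verifies:", run_exchange(False))
    print("rewritten negotiate, signature verifies:", run_exchange(True))
```

Two caveats a practitioner should keep in mind. The chain only exists once 3.1.1 is the negotiated dialect; if the attacker strips 3.1.1 itself so that the peers settle on 3.0 or 3.0.2, the protection against that downgrade is the signed FSCTL_VALIDATE_NEGOTIATE_INFO exchange those dialects perform after session setup. And SMB1 has neither mechanism, which is the point of the comment: a client that is willing to fall back to SMB1 can be walked down to it by anyone on the path.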

  14. Re:Isn't it time to stop exposing SMB to the world by PPH · · Score: 1

    will surely be blocked by your routers firewall anyway

    I'll be sure to bring my router with me the next time I use my laptop at the local coffee shop.

    --
    Have gnu, will travel.
  15. Re:Eternal Blue its name wasn't derived from blue by HiThere · · Score: 1

    No, because MSWind frequently failed on demos.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  16. Check your facts before calling someone stupid by raymorris · · Score: 1

    Calling someone stupid is always rude, but calling them stupid while you spout "facts" that are well known to be completely false makes you look really silly.

    For a few weeks, Microsoft TALKED ABOUT maybe releasing an "E" version of Windows 7 for Europe, which would have the IE icon removed from the desktop and such. It would still be installed, because it's required by a lot of other system components, but the shortcut to launch a pure IE window wouldn't be there by default. A few weeks later they announced they wouldn't be doing that, Europe would get Windows with IE pre-installed.

    I completely agree Microsoft has changed a lot in the last ten years or so. As their Windows revenue has been falling every year for a long time, they've shifted their focus to profitable products instead.