Security Market Segment LS
Sunday, 19 May 2019 18:38

Use of EternalBlue Windows exploit growing by the day: ESET

Use of EternalBlue Windows exploit growing by the day: ESET Image by Gerd Altmann from Pixabay

The EternalBlue exploit for Windows, crafted by the NSA and leaked online by a group known as the Shadow Brokers, is being increasingly used in exploits two years after it was used to create the WannaCry ransomware, malware that took the world literally by storm.

Slovakian security firm ESET said in a blog post that the use of EternalBlue, as measured by attacks on its clients, was at the peak of its popularity, with hundreds of thousands of attacks daily.

EternalBlue was one of a number of exploits dumped by the Brokers on Good Friday in 2017, making it doubly difficult for systems administrators as all the exploits could be used against Windows systems apart from Windows 10.

The exploit targets a flaw in Microsoft's implementation of the server message block protocol through port 445. Though the flaw was patched by Microsoft well before WannaCry hit in May 2017, there are plenty of vulnerable systems exposed to the Internet today.

ESET researcher Ondrej Kubovič said according to the date from the Shodan search engine, there were about a million Windows machines using the obsolete SMB v1 protocol, with most being in the US, followed by Japan and Russia.

"Poor security practices and lack of patching are likely reasons why malicious use of the EternalBlue exploit has been growing continuously since the beginning of 2017, when it was leaked online," he wrote.

"Based on ESET telemetry, attack attempts involving EternalBlue are reaching historical peaks, with hundreds of thousands of instances being blocked every day."

But, he pointed out that EternalBlue use might also be growing due to security professionals using it within corporate networks while hunting for vulnerabilities.

Kubovič said apart from WannaCry, EternalBlue had also powered the destructive Diskcoder.C (aka Petya, NotPetya and ExPetya) campaign and the BadRabbit ransomware campaign in 2017.

"Well-known cyber-espionage actors such as Sednit (aka APT28, Fancy Bear and Sofacy) were also caught using it against hotel Wi-Fi networks," he added.

This exploit and all the cyber attacks it enabled so far highlighted the importance of timely patching, Kubovič said.

"Moreover, it emphasises the need for a reliable and multi-layered security solution that can do more than just stop the malicious payload, such as protect against the underlying mechanism." he added.


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has high potential to be exposed to risk.

It only takes one awry email to expose an accounts payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 steps to improve your Business Cyber Security’ you will learn some simple steps you should be taking to prevent devastating malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you will learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments