EternalBlue Vulnerability Scanner Finds Exposed Hosts Worldwide (helpnetsecurity.com) 38
Orome1 quotes Help Net Security: After the recent massive WannaCry ransomware campaign, Elad Erez, Director of Innovation at Imperva, was shocked at the number of systems that still sported the Microsoft Windows SMB Server vulnerabilities that made the attack possible. So, he decided to do something about it: he created Eternal Blues, an easy-to-use vulnerability scanner that he made available for download for free... The statistics collected by the tool, as well as the total number of downloads, show that after the NotPetya attack, people's awareness of the threat did increase... Over 8 million IP addresses were scanned, and a total of 60,000 vulnerable hosts were identified (out of ~537,000 that were responsive). Of the ~537,000 responsive hosts, some 258,000 still had SMBv1 enabled.
One organization in France found two vulnerable hosts after scanning over 13,000 IP addresses, and Erez believes that without his tool, "finding those two needles in the haystack would have been an almost impossible mission... Here is a lesson for IT/Security departments: don't be so certain that you know your network well. Deploy a multi-layered stack of security tools for both risk analysis and real time enforcement."
Why not patch (Score:2, Interesting)
Why not use the scanner to exploit + patch the systems.
Re: (Score:3)
And in addition to this - segment your darn networks in your companies - that will contain any intrusion to a limited number of clients.
Re: (Score:2)
If by segment you mean have separate DC's and airgaps, then yes. Or use a less vulnerable and more robust OS.
Re: (Score:2)
At least separate DCs, not necessarily air gaps, and then use a less sloppy protocol than SMB to exchange needed information between servers, possibly using gateways that sanitize any data exchanged.
The problem with many of the Microsoft protocols is that they are a "catch-all" for any operation the user or application may perform.
Re: (Score:2)
If you segment the right way productivity won't suffer. You rarely want HR to share data with software development.
But today many company networks are world-wide monolithic networks.
Protect vs. WannaCry easily many ways (Score:3, Informative)
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
* The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ [microsoft.com]
(IMPORTANT: Finally, THIS HAS BEEN PATCHED by MS but you can protect this way too & it works...)
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.
That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan).
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ [google.com] vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.
AND?
Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ [theregister.co.uk] ) ... apk
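The registry values and sc.exe commands in the comment above are easy to apply but hard to verify at scale. The following PowerShell script is an added example, not code from the Slashdot poster or from Microsoft's KB article: it audits a host against exactly those settings (reading the driver start types and the LanmanWorkstation dependency list from the registry instead of querying sc.exe) and, with an assumed -Remediate switch, applies the same SMB1 = 0 value and the two client commands quoted in the post. The Start-type numbers (4 = disabled, 2 = auto, 3 = manual) are the standard service control values; the script name Audit-Smb1.ps1 is an assumption.

```powershell
<#
  Added example (not from the comment above or the Microsoft KB it cites).
  Audits the SMBv1/SMBv2 settings described in the post and, with -Remediate,
  applies them. Run from an elevated prompt; changes need a reboot to apply.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remediate)   # -Remediate is an assumed switch name for this example

$serverParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$services     = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue {
    param([string]$Path, [string]$Name, $Default)
    # A value that was never written is absent; absent means "Windows default".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

# Server side: the SMB1/SMB2 values from the post default to 1 (enabled) when missing.
$smb1 = [int](Get-RegValue -Path $serverParams -Name 'SMB1' -Default 1)
$smb2 = [int](Get-RegValue -Path $serverParams -Name 'SMB2' -Default 1)

# Client side: "sc.exe config mrxsmb10 start= disabled" writes Start = 4 for the
# SMBv1 redirector driver, and "sc.exe config lanmanworkstation depend= ..."
# rewrites the DependOnService multi-string of the Workstation service.
$mrx10Start = [int](Get-RegValue -Path "$services\mrxsmb10" -Name 'Start' -Default 3)
$mrx20Start = [int](Get-RegValue -Path "$services\mrxsmb20" -Name 'Start' -Default 3)
$deps       = @(Get-RegValue -Path "$services\LanmanWorkstation" -Name 'DependOnService' -Default @())

$findings = @(
    [pscustomobject]@{ Check = 'Server SMB1 registry value (want 0)';       Value = $smb1;             Ok = ($smb1 -eq 0) }
    [pscustomobject]@{ Check = 'Server SMB2 registry value (want 1)';       Value = $smb2;             Ok = ($smb2 -eq 1) }
    [pscustomobject]@{ Check = 'mrxsmb10 driver Start (want 4 = disabled)'; Value = $mrx10Start;       Ok = ($mrx10Start -eq 4) }
    [pscustomobject]@{ Check = 'mrxsmb20 driver Start (must not be 4)';     Value = $mrx20Start;       Ok = ($mrx20Start -ne 4) }
    [pscustomobject]@{ Check = 'LanmanWorkstation no longer depends on mrxsmb10'; Value = ($deps -join '/'); Ok = ($deps -notcontains 'mrxsmb10') }
)
$findings | Format-Table -AutoSize

# Informational: is anything listening on TCP 445 right now?
# (Get-NetTCPConnection exists on Windows 8 / Server 2012 and later only.)
$listen445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("TCP 445 currently listening: {0}" -f [bool]$listen445)

if ($Remediate) {
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Set SMB1 = 0 (disable SMBv1 server)')) {
        # Same registry entry as in the post: REG_DWORD SMB1 = 0 under LanmanServer\Parameters.
        New-ItemProperty -Path $serverParams -Name 'SMB1' -PropertyType DWord -Value 0 -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Disable the SMBv1 client driver')) {
        # The two client-side commands quoted in the post, unchanged.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
        sc.exe config mrxsmb10 start= disabled
    }
    Write-Warning 'Reboot required before the SMBv1 changes take effect.'
}
```

Run `.\Audit-Smb1.ps1` from an elevated prompt to get the table only, and `.\Audit-Smb1.ps1 -Remediate -WhatIf` to preview the changes before making them. On Windows 8.1 / Server 2012 R2 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` is the supported way to turn off the SMBv1 server without touching the registry directly; the registry read above still works as the audit check either way.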
Re: (Score:2)
Wow, how lucky Windows users are, not having to use all sorts of obscure command line instructions!.... Oh wait...
Re: (Score:2)
Nope, I did not commit a fix and (s)he did, :-).
I was just commenting on the fact that most Windows adepts always go on about how easy Windows is supposed to be, contrary to Linux, where "everything has to be done by typing obscure stuff on the command line". That's all, no offense
Re: That's ok & did you CATCH THIS correction? (Score:1)
Re: (Score:3)
The one time I actually want to upvote an APK post, and I don't have mod points! All I can do is say thanks for your contribution.
Malware tool (Score:1)
So this free tool not only scans for vulnerabilities but it collects 'statistics' and phone homes that data to the tool maker's server where it is collected, analyzed and sold? to interested third-parties? How is this not malware itself??
Re: Malware tool (Score:2)
More incompetence (Score:1)
Here is a lesson for IT/Security departments: don't be so certain that you know your network well. Deploy a multi-layered stack of security tools for both risk analysis and real time enforcement.
A one-off vulnerability scanner does not do risk analysis or enforce policy. What it does do is make the situation worse by exposing vulnerabilities to an outside entity, anyone that breaches Imperva's security, anyone working at Imperva, and anyone listening to network traffic to and from Imperva. What Imperva managed to do is make the whole problem worse while creating news that is a thinly-veiled advertisement.
Yet another story written by people that do not understand security so other people that do n
Vulnerabilities?! (Score:2)
I know clients still running Windows 2003 for their websites and e-mail.
Re: (Score:2)
But now they're running websites for free customers they don't know they have.
Do you trust the scanner? (Score:2)
Protect vs. WannaCry The Better Version (Score:1)
2. Pick either pay for the ransom or throw out the computer
3. Repeat step 1 until ran out of cash
4. If ran out of cash, pick either file for bankruptcy or learn how to google
5. If picked learn how to google, search either how to protect against
WannaCry or how to hire high quality IT staffs
security 101 (Score:2)
just trust any tool found on the internet claiming (insert claim here).