Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Stats

EternalBlue Vulnerability Scanner Finds Exposed Hosts Worldwide (helpnetsecurity.com) 38

Orome1 quotes Help Net Security:After the recent massive WannaCry ransomware campaign, Elad Erez, Director of Innovation at Imperva, was shocked at the number of systems that still sported the Microsoft Windows SMB Server vulnerabilities that made the attack possible. So, he decided to do something about it: he created Eternal Blues, an easy-to-use vulnerability scanner that he made available for download for free... The statistics collected by the tool, as well as the total number of downloads, show that after the NotPetya attack, people's awareness of the threat did increase... Over 8 million IP addresses were scanned, and a total of 60,000 vulnerable hosts were identified (out of ~537,000 that were responsive). Of the ~537,000 responsive hosts, some 258,000 still had SMBv1 enabled.
One organization in France found two vulnerable hosts after scanning over 13,000 IP addresses, and Erez believes that without his tool, "finding those two needles in the haystack would have been an almost impossible mission... Here is a lesson for IT/Security departments: don't be so certain that you know your network well. Deploy a multi-layered stack of security tools for both risk analysis and real time enforcement."

EternalBlue Vulnerability Scanner Finds Exposed Hosts Worldwide

Comments Filter:
  • Why not patch (Score:2, Interesting)

    by Anonymous Coward

    Why not use the scanner to exploit + patch the systems.

    • by Z00L00K ( 682162 )

      And in addition to this - segment your darn networks in your companies - that will contain any intrusion to a limited number of clients.

      • If by segment you mean have separate DC's and airgaps, then yes. Or use a less vulnerable and more robust OS.

        • by Z00L00K ( 682162 )

          At least separate DCs, not necessarily air gaps and then use a less sloppy protocol than SMB to exchange needed information between servers, possibly using gateways that sanitizes any data exchanged.

          The problem with many of the Microsoft protocols is that they are a "catch-all" for any operation the user or application may perform.

  • by Anonymous Coward on Saturday July 15, 2017 @01:46PM (#54814977)

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    ---

    Disable SMBv1 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi

    sc.exe config mrxsmb10 start= disabled

    Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi

    sc.exe config mrxsmb20 start= auto

    ---

    * The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/ [microsoft.com]

    (IMPORTANT: Finally, THIS HAS BEEN PATCHED by MS but you can protect this way too & it works...)

    APK

    P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.

    That shuts off any "handles" (port 445) this thing propogates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)

    I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ [google.com] vs. even today's threats like this one.

    * This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.

    AND?

    Don't be STUPID & click on attachments in bogus malicious emails this thing propogates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ [theregister.co.uk] ) ... apk

    • Wow, how lucky Windows users are, not having to use all sorts of obscure command line instructions!.... Oh wait...

    • The one time I actually want to upvote an APK post, and I don't have mod points! All I can do is say thanks for your contribution.

  • by Anonymous Coward

    So this free tool not only scans for vulnerabilities but it collects 'statistics' and phone homes that data to the tool maker's server where it is collected, analyzed and sold? to interested third-parties? How is this not malware itself??

  • by Anonymous Coward

    Here is a lesson for IT/Security departments: don't be so certain that you know your network well. Deploy a multi-layered stack of security tools for both risk analysis and real time enforcement.

    A one-off vulnerability scanner does not do risk analysis or enforces policy. What it does do is make the situation worse by exposing vulnerabilities to an outside entity, anyone that breaches Imperva's security, anyone working at Imperva, and anyone listening to network traffic to and from Imperva. What Impervia managed to do is make the whole problem worse while creating news that is a thinly-veiled advertisement.

    Yet another story written by people that do not understand security so other people that do n

  • I know clients still running Windows 2003 for their websites and e-mail.

  • The scanner is provided as a .exe binary for Windows, how can we trust it to only scan?
  • 1. Click on random links and install ransomware
    2. Pick either pay for the ransom or throw out the computer
    3. Repeat step 1 until ran out of cash
    4. If ran out of cash, pick either file for bankruptcy or learn how to google
    5. If picked learn how to google, search either how to protect against
    WannaCry or how to hire high quality IT staffs
  • just trust any tool found on the internet claiming (insert claim here).

Suggest you just sit there and wait till life gets easier.

Working...