One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: Exactly one year after the biggest cyber-security incident in history, the exploit at the heart of the WannaCry attack is now more popular than ever, according to telemetry data gathered by Slovak antivirus vendor ESET. Named EternalBlue, the exploit was supposedly developed by the cyber division of the U.S. National Security Agency. EternalBlue was part of a large cache of tools that a hacker group known as The Shadow Brokers stole from NSA servers in 2016 and then leaked online from August 2016 to April 2017. Many suspect the NSA might have notified Microsoft of what the Shadow Brokers stole, because in March 2017, a month before EternalBlue was released, Microsoft released MS17-010, a security bulletin containing patches for the many SMB-targeting exploits included in the Shadow Broker leak.
Even if EternalBlue is not being used anymore to help ransomware become a virulent nightmare on a global level (only on a network level), most regular users don't know that it's still one of today's biggest threats. This threat doesn't only come from malware authors continuing to weaponize it for a diverse set of operations. Malware authors wouldn't ever bother with an inefficient exploit. ExploitBlue continues to be a threat because of the vulnerable machines still available online. According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service available online.
Uh. ExploitBlue? Another one? (Score:3)
BleepingTypo, not BleepingComputer.
No one wants the solution (Score:2, Interesting)
You can explain to people that to work better, live without paranoia, have increased security, and have stability and control, they should go use Linux.
It just does not work, though. If we were logical animals out for our best interest and getting things done, Windows would have sunk into oblivion decades ago, but there is something mentally wrong with the vast majority of us, and the obvious solution sitting under everyone's nose is ignored in order to continue with what we already know doesn't work.
*shrug*
Humans, weird lil monkeys, I must say.
Re: (Score:3)
If Linux had 90% of the desktop market share I guarantee you'd see these exact same exploits. Look how long Heartbleed was around before anyone noticed it.
Re: (Score:1)
I like your justification for not doing the correct thing.
Keep those excuses coming; you can even pretend they're real if you like. I'll just keep getting stuff done while you keep having IT meltdowns every day.
Re: (Score:2)
I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.
Re: (Score:2, Informative)
I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.
Technically, Altium already has...
https://www.altium.com/solution/linux-pcb-design-software
Maybe not the product you were wishing for, though?
Re: (Score:2)
Web based.
Re: (Score:2)
I'll switch to Linux as soon as SolidWorks and Altium release builds. At least AutoCAD has a version for OSX but they didn't do that until recently.
Are you bragging or complaining? I feel badly for people who are locked in to one OS.
I have one stinking program that only runs on Windows, have to have a machine specifically for that one program, and I surely don't brag about it. Being a W10 machine, it takes more maintenance than all my other computers combined. Latest update took out a USB hub and mouse! Corrupted their drivers.
I would think that using your bragging points of installed user base and Windows only monoculture programs, that hackers
Re: (Score:1)
Why not use a VM - no need for a physical machine these days for something like that.
Re: No one wants the solution (Score:2, Insightful)
Why limit this discussion to desktops? There are plenty of reasons to target servers and, for that matter, high performance computing systems. A lot of potentially sensitive data could be obtained from compromising servers. And there may be even greater value from compromising high performance computing systems. Some of those systems include dedicated GPU resources. If such a system was compromised, an attacker could use those to mine cryptocurrency on someone else's bill, not to mention what other sensitiv
Re: (Score:2)
If Linux had 90% of the desktop market share I guarantee you'd see these exact same exploits. Look how long Heartbleed was around before anyone noticed it.
Har! My operating system is best because it has the most exploits! Buy Windows - hackers can't be wrong!
Re: (Score:2)
Sorry, but no. Linux isn't the most secure system, and it definitely has its weak points. (Archives should never expand already executable, e.g.) But it's a lot better than even modern MSWind. Still, if security were your main consideration you'd either pick one of the BSDs (OpenBSD has the reputation of most secure, but I can't really judge), or something totally else. Probably something where the code can never be executed after being made executable until the next volume remount, or possibly reboo
Re: (Score:2)
I agree, Linux is the safest. But after an update on my PC, it bricked my whole machine and converted my PC into an expensive paperweight.
Windows latest update is taking out a lot of computers.
I think it is called security through bricking. Draconian, but hey - it works!
Re: No one wants the solution (Score:2)
Re: (Score:2)
That's because when you give people that kind of explanation, they will look at you as if you've grown an extra head, and for good reason.
Honestly, why is this so hard for die-hard Linux people to understand? Linux is *not* a viable option for a significant number of people for a variety of reasons:
1. The OS is only tangentially important. Concern #1 is the applications, and a lot of those applications just aren't on Linux.
2. There is a learning curve which some people aren't prepared for, ESPECIALLY if it
Re: (Score:2)
Re: (Score:2)
No, because MSWind frequently failed on demos.
Linux's huge role in the flaw... (Score:5, Informative)
Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows
Samba is still using SMB v1 by default on many configurations for legacy purposes.
Re: (Score:2)
Samba is the issue. It wasn't until late 2016 that they switched to SMBv2 by default, leaving too many servers vulnerable.
Re: (Score:1)
That's why I am willing to embrace A.I.; your response is civil, to the point, and courteous, just like any AI. I congratulate your programmer.
Microsoft testified browser is embedded in core OS (Score:2)
Many security vulnerabilities can be exploited through multiple attack vectors. I'm more interested in where the actual flaw(s) are than which attack vectors are most convenient or popular at the moment.
If Firefox has an issue that allows JavaScript to be loaded from URLs it shouldn't load from, bad on Firefox. If Windows (or Linux) had a bug in the kernel that allowed JavaScript, in any browser, to bypass the separation between processes and read memory assigned to another process, bad on Microsoft. It is
Check your facts before calling someone stupid (Score:2)
Calling someone stupid is always rude, but calling them stupid while you spout "facts" that are well known to be completely false makes you look really silly.
For a few weeks, Microsoft TALKED ABOUT maybe releasing an "E" version of Windows 7 for Europe, which would have the IE icon removed from the desktop and such. It would still be installed, because it's required by a lot of other system components, but the shortcut to launch a pure IE window wouldn't be there by default. A few weeks later they announced the
Re: (Score:1)
cifs.ko is a part of almost all Linux based operating systems, and actually is part of the kernel.
Linux servers using mount -t cifs to attach to a Windows file server on a brand spanking new RHEL server still default to SMBv1 as far as I know. Some features like DFS were broken when you forced a higher version, until RHEL 7.5 came out I think. Who knows what else is broken, but I’m sure that’s the reason for defaulting to the oldest version of the protocol. Anyway this stuff makes it hard for sh
Re: (Score:2)
ELCouz pointed out:
From the article tweet:
Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows
Samba is still using SMB v1 by default on many configurations for legacy purposes.
If I had points, this post would get a +1 Informative upmod.
I hope someone who has 'em agrees ...
Re: (Score:2)
To be fair, without Windows, there would be zero Linux machines running Samba at all. Samba only exists because of Windows.
And the legacy reason? Supporting Windows machines.
Re: (Score:3)
And the legacy reason? Supporting Windows machines.
There's nothing legacy about it. Samba itself is a perfectly fine protocol and one of the few that is actually nicely cross platform, which cannot be said for NFS or AFS. It nicely decouples the file system attributes from the sharing protocol and allows authentication on a per-share level without having to worry about matching file system permissions between the server and clients.
Hell, I used to work at a Linux-only shop that used Samba as its primary way of sharing for exactly this reason.
Re: (Score:3)
You should look at the history of it. It took the EU ordering MS to open up to get anything like complete support for the distinctly MS protocol. I wouldn't call it exactly cross platform so much as a triumph of reverse engineering.
Re: (Score:2)
I wouldn't call it exactly cross platform so much as a triumph of reverse engineering.
What does the result have to do with the method?
Re: (Score:2)
If it was truly cross platform, it would be easier to update Samba to the latest standard.
Admins would have less reluctance to do updates on a setup that more or less works.
Re: (Score:2)
Well three things.
1) This is a red herring since ultimately the point was that there is nothing Legacy and only for supporting Windows machines about Samba.
2) Samba has no problems adopting the latest standard. In fact the first release candidate of Samba 4.3, which supports the current 3.1.1 protocol, was released before Windows 10 (the first to support 3.1.1) was. There were 5 weeks between the release of Windows 10 and Samba 4.3 Stable. Hardly a problem by any stretch of the imagination and a completely non
Re: (Score:2)
Apparently you haven't had to actually deal with compatibility between Linux filesystems and Windows boxes using Samba.
It is NOT fun when an upgrade breaks some corner case. The Windows machines certainly won't hint at what is wrong. All you can do is look on the web and hope someone has already figured out the magic incantation that makes the corner case go away or randomly guess at things until you stumble over it.
Re: (Score:2)
Apparently you haven't had to actually deal with compatibility between Linux filesystems and Windows boxes using Samba.
No I haven't. Mainly because in the past 15 years I haven't seen any.
Actually that's a lie, I have seen a few, but all have been down to the Samba team changing not some protocol-level thing but rather deprecating or introducing some new settings with some default that is overwritten by an old config file.
While you're searching across the web, just marvel at the number of "I upgraded and now this doesn't work" Samba "incompatibilities" that are fixed by starting with the default config file for the current
Re: (Score:2)
You do know those settings affect protocol, right? Meanwhile, they are settings rather than hard coded because SMB isn't really cross platform and so there will be corner cases that need to be handled differently in different environments.
Re: (Score:2)
You do know those settings affect protocol, right?
You missed the point. The fact that you're able to misconfigure something is not a fundamental compatibility problem in a protocol. A single configuration file will work with all flavours of Windows, Linux, and any other system with Samba installed. If you don't want security problems then you're limited with compatibility to Windows systems only in the last 12 years though.
Windows has no hardcoded incompatibility settings anywhere, only Linux does have soft coded settings you can fuck up in its infinite qu
Re: (Score:2)
Consider, XP just won't die. There are plenty of admins out there who are still stuck with XP.
If you're just shuttling a few files back and forth, it's easy. OTOH, if you're dealing with locking and shared files, it can get "interesting".
Re: (Score:2)
Yes, but Samba also isn't vulnerable to WannaCry or EternalBlue, so that makes a difference.
Microsoft Windows strikes again .. (Score:2, Troll)
Re: (Score:2)
I know. Right. It's like ... you're completely unable to read.
Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows
I mean you don't even need to read a summary, just a 170 character tweet. Too difficult for some people I guess.
Poor NSA (Score:1)
You got to feel sorry for the poor NSA, getting hacked by hackers and all that fake news jazz. It's almost as scary as the terrorists who terrorized us on 9-11. I sleep better at night knowing the NSA is keeping me safe and secure. And heil Hillary as mandated by law! ae911truth dot org
Isn't it time to stop exposing SMB to the world? (Score:3)
Isn't it time Microsoft started changing Windows so that it no longer exposes the horridly broken SMB protocol to the Internet at large (rather than the local LAN) unless you explicitly turn on the ability for the Internet at large to speak SMB to your computer?
Re: (Score:1)
I don't think it is open by default to the internet, because inbound packets on the SMB port will surely be blocked by your router's firewall anyway. The problem is that some websites might attack this local SMB port on your machine and hence spread ransomware. I am on Windows and I patched this SMB hole manually by myself. Fire up your beloved disassembler and pinpoint those hex codes responsible, then replace them and then dump the original buggy file. Won't take you more than 2 hours. Verify by running n
Re: (Score:2)
will surely be blocked by your router's firewall anyway
I'll be sure to bring my router with me the next time I use my laptop at the local coffee shop.
Re:Isn't it time to stop exposing SMB to the world (Score:5, Informative)
Microsoft doesn't. It's blocked by default. SMBv1 is also disabled by default and has been for quite a while. Unfortunately there are just as many idiots in the Linux admin world as there are in the Windows world, and the vast majority of these are nothing to do with Windows.
The summary tweet in TFA:
"Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows"
Re: (Score:2)
The SMB protocol itself isn't "horridly broken", although SMB1 doesn't support the integrity protection that prevents man-in-the-middle downgrade attacks (SMB3 does).
Specific *implementations* can be broken, but if you're fully patched there are no existing vulnerabilities here.
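The two replies above claim that a current Windows box ships with SMB1 disabled and inbound SMB blocked, and that the man-in-the-middle weakness is specific to unsigned SMB1 sessions. The following audit script is added here to let you verify those claims on your own host; it is not from the article or any commenter, and it assumes Windows 8 / Server 2012 or later with the SmbShare and NetSecurity PowerShell modules, run from an elevated prompt.

```powershell
# Added audit script (not from the article or any comment). Read-only unless
# -Remediate is supplied. Assumes Windows 8 / Server 2012 or later.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# 1. Is the SMB1 server dialect still enabled? EternalBlue-class exploits need it.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMB1 server protocol is ENABLED"
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}

# 2. Is the SMB1 optional feature (client and server binaries) still installed?
$feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feat -and $feat.State -eq 'Enabled') {
    $findings += "SMB1Protocol Windows feature is installed"
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 3. Is SMB signing required? Unsigned sessions are what MITM/downgrade tricks rely on.
if (-not $smb.RequireSecuritySignature) {
    $findings += "SMB signing is not required on the server side"
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

# 4. Does any enabled inbound allow rule open TCP 445 on the Public (or Any) profile?
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Where-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '445' -or $port.LocalPort -eq 'Any')
    }
if ($openRules) {
    $findings += "Inbound TCP 445 allowed on Public profile by: $($openRules.DisplayName -join ', ')"
    # Not auto-remediated: disabling a rule may break intended sharing; review the list instead.
}

if ($findings.Count -eq 0) {
    Write-Output "OK: SMB1 off, signing required, no public inbound 445 allow rule found"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it without -Remediate first; a clean result still says nothing about MS17-010 patch level, which you check separately through Windows Update history.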
Shoot... (Score:1)
Feature? (Score:2)
"According to Nate Warfield of the Microsoft Security Response Center, there are still plenty of vulnerable Windows systems exposing their SMB service available online."
That's a Windows feature, right?