By Lucian Constantin
May 22, 2017
After all, security vendors are still seeing successful exploitation attempts today for MS08-067, the Windows vulnerability that allowed the Conficker computer worm to spread nine years ago.
"It's probably going to get worse before it gets better, as it's going to be one of the most serious threats for the following 12 months," Catalin Cosoi, Bitdefender's chief security strategist, said in a blog post about the EternalBlue vulnerability and the on-going attacks.
He believes that state-sponsored cyberespionage groups could also take advantage of the SMB flaw to plant stealthy backdoors on computers while defenders are busy dealing with the much more visible ransomware attack.
Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. The number is considerably higher than the 200,000 machines affected by WannaCry, so there is potential for more attacks and victims.
WannaCry's success showed that a large number of organizations are falling behind on patches and that many have legacy systems running old versions of Windows. To some extent, this is understandable because deploying patches in environments with a large number of systems is not an easy task. Enterprises need to test patches before installing them to ensure that they don't have compatibility issues with existing applications and break existing workflows.
In other cases, organizations might be stuck with certain systems that run unsupported Windows versions without having the financial resources to upgrade or replace them. This is the case for ATMs, medical devices, ticketing machines, electronic self-service kiosks, like those in airports, and even servers that run legacy applications that can't easily be reengineered.
However, there are measures that can be taken to protect those systems, like isolating them on network segments where access is strictly controlled or by disabling unneeded protocols and services. Microsoft has tried to convince companies to stop using SMBv1 for some time, as it has other problems aside from this flaw.
"There are certain organizations or sectors -- e.g. medical -- where patching is not a simple matter," Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. "In those cases, it's imperative they properly understand the risks and look into workarounds to limit the threat."
The success of WannaCry, at least as far as rapid distribution is concerned, has proved to cybercriminals there are many vulnerable systems on enterprise networks that can be targeted through old exploits. It is possible they will try to use other Equation/NSA exploits leaked by the Shadow Brokers or will be quicker to adopt exploits for future flaws that enable similar mass-scale attacks inside LANs.
"The EternalBlue exploit is part of a bigger leak called 'Lost In Translation' that packs multiple vulnerabilities ranging from simple annoyances to extremely severe ones," Bogdan Botezatu, senior e-threat analyst at Bitdefender, said by email. "We expect that most of these 'government-grade' exploits to make it to the public domain and get merged into commercial-grade malware, as it has happened in the past."