EternalBlue Still Infecting Endpoints as Businesses Fail to Upgrade Systems or Apply Patches

A dangerous exploit that has helped criminals carry out several major cyber attacks in the past two years continues to infect vulnerable endpoints, new research indicates.

The NSA-developed EternalBlue affects systems running Windows 7 or previous editions, which Microsoft no longer supports with security patches. Yet businesses big and small continue to rely on legacy systems that leverage the vulnerable SMB1 protocol which EternalBlue so efficiently exploits to carry malware into the targeted infrastructure.

According to research by Keysight’s ixia division, software vulnerabilities continue to make up the bulk of attack vectors, driving spam attacks and automated remote exploitation. For example, an Apache Struts weakness similar to the one used in the 2017 attack on Equifax still plagued thousands of web applications in 2018.

Businesses using Cisco’s Smart Install feature continued to offer cybercriminals an attack avenue, nearly two years after the flaw was made public. Researchers documented the vulnerability and observed an exploit tool designed to capitalize on it (identified as SIET) in the wild. In 2018, attackers revived interest in the exploit by targeting devices supporting the protocol.

“Well-known attacks and attack vectors remain successful because security personnel did not address architecture vulnerabilities and apply patches,” researchers said.

Bad actors reportedly exploited some of these weaknesses using cryptojacking scripts.

No less prolific last year was EternalBlue, which infamously helped WannaCry ransomware spread globally in 2017. Businesses relying on legacy systems are still affected.

“Many successful breaches in 2018 did not involve new versions of malware or attack methods – existing exploits targeting unpatched vulnerabilities proved to be very effective again in 2018,” researchers said.

“Despite EternalBlue’s age, it continued to gain momentum in 2018. This vulnerability only impacts hosts running Windows 7 or previous editions. Bad actors heavily scanned for vulnerable systems throughout 2018; the number of scanning attempts for this vulnerability was three times greater in December 2018 than in January 2018.”

When EternalBlue bared its teeth (following the WannaCry pandemic), Microsoft assisted victims by commissioning patch development for the affected platforms. However, due to various operational circumstances, lax IT personnel, as well as budget constraints, many businesses still rely on legacy systems and applications that expose them to risk.