One of the tenets in the manufacturing automation sector is patching does not occur on a frequent basis, and with good reason, but there appears to be another reason to look at patches is because the infamous stolen NSA exploit, EternalBlue, is back looking for more companies and devices to exploit.
While WannaCry attacks – which spawned out of the stolen NSA exploit — have declined, EternalBlue is still out there and is increasing in the number of attacks, said ESET Researcher Ondrej Kubovič,
EternalBlue is an exploit stolen from the NSA by hacking group Shadow Brokers in April 2016. It takes advantage of a vulnerability in the Windows Server Message Block (SMB) protocol, and Microsoft shipped patches even before the flaw went public.
But this doesn’t mean attackers have stopped searching for targets.
Attackers are scanning the Internet for exposed SMB ports and are trying to compromise the host with an exploit that eventually allows for payloads deployed on the target machine and leading to different outcomes, Kubovič said.
“Interestingly, according to ESET’s telemetry, EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily,” Kubovič said in a post. “Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.”
Kubovič said he feels the hike in attacks based on EternalBlue could be the result of the Satan ransomware campaign.
With patches fixing the vulnerability are already available, attackers can only compromise a Windows host if these updates aren’t installed. Microsoft’s security fixes were released in March 2017, and up-to-date computers should already be protected.
But looking at it from another perspective, means with the increase in the number of attacks, there could still be a large amount of systems out there that haven’t deployed the updates.