In March 2017, Microsoft released the MS17-010 patch to correct a flaw in Windows Server Message Block (SMB) v1 that was exploited by WannaCry ransomware two months later. That global malware attack should have served as a warning that patching the vulnerability was essential. As if that were not warning enough, WannaCry was soon followed by NotPetya and BadRabbit.
Yet, three years on, many computers remain vulnerable and have still not had the patch applied. Further, the vulnerability is being exploited with increasing frequency. According to ESET, hundreds of thousands of people are being targeted every day using the NSA’s EternalBlue exploit and the number of attacks has increased substantially in 2019.
Using the Shodan search engine, ESET researchers showed that there are more than 1 million machines that are still using the vulnerable SMBv1 protocol, with the United States having the highest number of vulnerable devices (400,000), followed by Japan, Russia, and Germany.
Attacks using EternalBlue have been rising steadily since late 2017, but there was a major spike in attacks in 2019. ESET notes that not all of these attacks are necessarily malicious: EternalBlue could be used by security departments in penetration tests to determine whether their own systems are vulnerable. Several threat actors, however, are using EternalBlue to attack businesses.
One group is conducting a large-scale campaign targeting users in China, not to install ransomware, but instead to spread cryptocurrency miners. Many others are conducting similar attacks to spread Trojans and cryptocurrency miners.
The failure to apply the patch within three years, while the flaw is being actively exploited, is a major concern. It demonstrates that, despite the security risks, businesses are simply not adhering to security best practices and are leaving themselves wide open to attack. Nor can this be excused as an inability to patch: Microsoft took the decision to issue patches for unsupported Windows versions as well. Patch management is a best practice for HIPAA compliance.
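For administrators who want to verify the two conditions the article describes on their own hosts, the following PowerShell audit is an added example, not code from the article or from ESET. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for the SmbShare cmdlets), and the KB list it checks is an assumption to be confirmed against the MS17-010 bulletin for each OS build.

```powershell
# Added example: report whether SMBv1 is still enabled on this host and
# whether an MS17-010 security update is present. Remediation is only
# suggested in comments; nothing here changes configuration.

# ASSUMPTION: KB IDs published under MS17-010 for Windows 7/8.1/Server 2008-2012 R2
# and the March 2017 Windows 10 cumulative updates. Verify against the bulletin.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

# 1. Is the SMB1 server protocol switched on? (Server-side setting WannaCry abused.)
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 2. Is the SMB1 optional feature even installed? Removing it is the cleanest fix.
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$smb1FeatureInstalled = ($null -ne $feature -and $feature.State -eq 'Enabled')

# 3. Is any known MS17-010 update installed?
$ms17010Installed = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })

# Caveat: on Windows 10 / Server 2016 and later the fix ships in cumulative
# updates, so the absence of these specific KBs does not by itself mean the
# host is unpatched. Compare the OS build's last cumulative update date instead.
$os = Get-CimInstance Win32_OperatingSystem
$latestUpdate = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
$fixedInCumulative = ([int]$os.BuildNumber -ge 10240) -and ($latestUpdate -ge [datetime]'2017-03-14')

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    OSBuild              = $os.BuildNumber
    SMB1ServerEnabled    = $smb1Enabled
    SMB1FeatureInstalled = $smb1FeatureInstalled
    MS17010KBsFound      = ($ms17010Installed.HotFixID -join ',')
    LikelyPatched        = ($ms17010Installed.Count -gt 0) -or $fixedInCumulative
    LatestUpdateDate     = $latestUpdate
} | Format-List

# Remediation (run deliberately, after confirming nothing legacy needs SMB1):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

A host that reports SMB1ServerEnabled as True and LikelyPatched as False is exactly the population ESET counted via Shodan, and should be patched and have SMBv1 disabled before anything else on the backlog.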
The failure to patch such a dangerous flaw raises questions about what other vulnerabilities have gone unaddressed. Microsoft recently issued a patch for another wormable flaw in Windows that could likewise be exploited in a WannaCry-style malware attack. While that flaw does not appear to have been exploited yet, another major global malware attack could be imminent if businesses do not get on top of patching and update their vulnerable servers.