Parting Shots (Q2 2020 Issue)

It is now more than three years since patches were released by Microsoft to fix the vulnerability named MS17-010, and therefore three years since the exploit EternalBlue was released by Shadow Brokers, ultimately enabling the WannaCry and NotPetya attacks in 2017.

This is all old news right? Well, it seems that despite those attacks affecting a large number of businesses, in particular the NHS, and causing repair costs of around $100m, it seems we are not out of the woods just yet when it comes to getting over the issues which enabled those attacks.

According to data from security consultancy Lares, EternalBlue was still among its most frequently encountered vulnerabilities and attack vectors in the six months between Q4 of 2019 and Q1 of 2020.

Specifically, this is a remote code execution vulnerability in the way the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. If an attacker successfully exploits the vulnerabilities, they could gain the ability to execute code on the target server. Patches were initially released by Microsoft for all supported operating systems in March 2017, and after the WannaCry ransomware affected endpoints running Windows XP in May, patches were issued for XP despite it not being officially supported since 2014.

“Though this vulnerability was resolved in MS17-010, many organizations have yet to deploy this patch or disable SMBv1 within their organization,” Lares explained.

"Despite all of the headlines from the time, why does this continue to be an issue for businesses?"

Despite all of the headlines from the time, the continued reference to the attacks and advice on patch management and remediation that has come since, why does this continue to be an issue for businesses?

Brian Honan, CEO of BH Consulting, stated several reasons why businesses may not have patched against the EternalBlue exploit. These may range from: critical business systems which cannot be taken offline to patch or update; complex business systems with interdependencies on certain versions of software which cannot be updated without a costly verification process; devices deemed to be non-critical that are connected to the network; or devices with embedded versions of Windows which may not be possible to manage.

“In addition, not all patching platforms are infallible and a certain number of devices may not be configured correctly, have connectivity issues preventing them from connecting to the patching platform, may be located in remote locations with poor connectivity or may for other reasons be unable to be remotely patched,” Honan said.

So it’s not the case of people just not getting round to it, it’s that a business function may rely on SMBv1, or that there are greater priorities for external-facing issues than those within the network.

John O’Malley, director of cybersecurity for EMEA, APAC and CALA at AT&T Cybersecurity, said that SMBv1 can be difficult for organizations to completely expunge from their environments, as “fear of disabling it and potentially impacting legacy applications and clients that may still rely on this version of the protocol.”

O’Malley added: “Even when it is widely disabled, it only takes a few machines that continue to support it, and that are behind on patches, to result in a compromise of the environment. Some organizations have not completely remediated this vulnerability because they still rely on legacy equipment that should be end-of-service.”

"Even when it is widely disabled, it only takes a few machines that continue to support it, and that are behind on patches, to result in a compromise of the environment"

This all led us to wonder, how many instances of unpatched and potentially vulnerable cases are there? One source performed a scan using Shodan, and found 6844 machines to be vulnerable at the time of writing, whilst Oliver Pinson-Roxburgh, co-founder of Bulletproof, said that in a two minute search, he found over one million (1,414,436) servers hosting SMBv1 on the open internet.

“It seems the majority are systems hosted to provide access to files online,” he explained. “Many are network attached storage systems, suggesting that the larger population of assets could be home users that lack security knowledge or with default configurations allowing access to all. Many are exposing share names, which in itself can assist an attacker in gathering information on their target or help progress an attack through identifying ways to target the exposed asset.”

Pinson-Roxburgh warned that the vulnerability affects anything that runs SMBv1, and the code to exploit the vulnerability “is at this stage well tested and packaged up to make it easy for hackers and malware writers to use, which is why it is so widely used in malware now.”

The numbers may be surprising, so what is the solution? Honan recommended that companies should not rely on their patching process alone to protect against known vulnerabilities, and instead, have a robust vulnerability management process in place that enables them to manage the identified vulnerabilities and mitigate the associated risks until a patch can be applied.

“These mitigations could include segmentation of unpatched systems, enhanced monitoring of those devices to detect any suspicious activity, or applying strict access control on the affected systems.”

If these issues are not fixed and continue to be open to exploit, we should not be surprised to hear about more cases of these being detected and potentially exploited in the future.

What’s Hot on Infosecurity Magazine?