WannaCry exploit ‘still threatening businesses’


The exploit that enabled the WannaCry outbreak – known as EternalBlue – is still threatening unpatched and unprotected systems, according to new research.

Security firm ESET said that despite it being a year since the initial attack happened, EternalBlue’s “popularity has been growing” over recent months, with a recent spike even surpassing the 2017 peak.

The researchers said the EternalBlue exploit targets a vulnerability in an obsolete version of Microsoft’s implementation of the Server Message Block (SMB) protocol, via port 445.

During an attack, according to the researchers, hackers scan the internet for exposed SMB ports, and launch the exploit code if they find any.

If the system is vulnerable, the attacker then runs a payload on the target. According to ESET, this was the mechanism behind the effective distribution of the WannaCry ransomware across various networks.
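The attack pattern described above (scan for reachable SMB on port 445, then exploit whatever answers) has a simple defensive counterpart: look for any single source that touches port 445 on many distinct hosts. The following Python script is an added example, not code from ESET or from this article. It parses constructed firewall log lines (invented here in a simplified syslog-like format that no particular product uses) and reports sources that probe TCP/445 on at least a threshold number of distinct hosts, noting whether the source is outside the RFC 1918 ranges and which hosts it actually reached. It goes slightly beyond the text by also catching an internal host fanning out to its neighbours, which is how the worm-style spread inside a network would look in the same logs. The log format, field names, the threshold of five hosts and the choice of RFC 1918 as "internal" are all assumptions.

```python
"""Flag sources probing TCP/445 across many hosts (added example, constructed data)."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed log format: "<timestamp> <device> <ACCEPT|DROP> src=.. dst=.. proto=.. dport=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ACCEPT|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)

# Treat RFC 1918 space as "inside"; everything else is an external source (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed sample: one external address sweeps six hosts on 445 (two answer),
# the first host it reached then probes five neighbours, plus noise that should
# not be flagged (a two-host touch, an HTTPS connection, a malformed line).
SAMPLE_LOG = """\
2018-05-10T08:00:01Z fw DROP src=203.0.113.7 dst=192.168.1.10 proto=tcp dport=445
2018-05-10T08:00:01Z fw ACCEPT src=203.0.113.7 dst=192.168.1.11 proto=tcp dport=445
2018-05-10T08:00:02Z fw DROP src=203.0.113.7 dst=192.168.1.12 proto=tcp dport=445
2018-05-10T08:00:02Z fw DROP src=203.0.113.7 dst=192.168.1.13 proto=tcp dport=445
2018-05-10T08:00:03Z fw ACCEPT src=203.0.113.7 dst=192.168.1.14 proto=tcp dport=445
2018-05-10T08:00:03Z fw DROP src=203.0.113.7 dst=192.168.1.15 proto=tcp dport=445
2018-05-10T08:00:04Z fw DROP src=203.0.113.7 dst=192.168.1.15 proto=tcp dport=445
2018-05-10T08:05:10Z fw ACCEPT src=192.168.1.11 dst=192.168.1.20 proto=tcp dport=445
2018-05-10T08:05:10Z fw ACCEPT src=192.168.1.11 dst=192.168.1.21 proto=tcp dport=445
2018-05-10T08:05:11Z fw ACCEPT src=192.168.1.11 dst=192.168.1.22 proto=tcp dport=445
2018-05-10T08:05:11Z fw ACCEPT src=192.168.1.11 dst=192.168.1.23 proto=tcp dport=445
2018-05-10T08:05:12Z fw ACCEPT src=192.168.1.11 dst=192.168.1.24 proto=tcp dport=445
2018-05-10T08:06:00Z fw ACCEPT src=192.168.1.50 dst=192.168.1.60 proto=tcp dport=445
2018-05-10T08:06:00Z fw ACCEPT src=192.168.1.50 dst=192.168.1.61 proto=tcp dport=445
2018-05-10T08:06:30Z fw ACCEPT src=198.51.100.9 dst=192.168.1.80 proto=tcp dport=443
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True when the address falls in one of the assumed internal (RFC 1918) ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_scanners(log_text, threshold=5, port=445):
    """Group TCP connections to `port` by source and flag sources that touched
    at least `threshold` distinct destination hosts. Duplicate hits on the same
    host count once, so a retry does not inflate the score."""
    probed = defaultdict(set)    # src -> every dst it tried
    reached = defaultdict(set)   # src -> dsts where the connection was accepted
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dport"] != port:
            continue
        probed[rec["src"]].add(rec["dst"])
        if rec["action"] == "ACCEPT":
            reached[rec["src"]].add(rec["dst"])

    findings = []
    for src, dsts in probed.items():
        if len(dsts) >= threshold:
            findings.append({
                "src": src,
                "external": not is_internal(src),
                "hosts_probed": len(dsts),
                "hosts_reached": sorted(reached[src]),
            })
    return sorted(findings, key=lambda f: f["src"])


if __name__ == "__main__":
    for f in find_smb_scanners(SAMPLE_LOG):
        origin = "EXTERNAL" if f["external"] else "internal"
        print(f"{origin} source {f['src']} probed {f['hosts_probed']} hosts on 445; "
              f"reached: {', '.join(f['hosts_reached']) or 'none'}")
```

Two things in the output matter to a responder: an external source with any entry in `hosts_reached` means port 445 is exposed to the internet and those hosts need patching or isolation now, and an internal source appearing in the list is the signature of a compromised machine spreading to its peers, which is the behaviour the article attributes to WannaCry. The threshold is deliberately low because legitimate clients rarely open SMB sessions to many different servers in a short window; tune it against your own baseline before alerting on it.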

The researchers said that immediately after the 2017 WannaCry attack, there was a “calmer period” for the EternalBlue exploit, with attempts to use it dropping to hundreds of daily detections. However, since September last year, the use of the exploit has slowly started to grow, reaching “new heights in mid-April 2018”.

ESET said that one possible explanation for the latest peak is the Satan ransomware campaign that appeared at that time, but added that it could also be connected to other malicious activities.

EternalBlue has enabled many high-profile cyberattacks, including June last year’s Diskcoder.C, which is also known as Petya, NotPetya and ExPetya. The attack affected high-profile companies such as Mondelez International and Merck. In addition, the exploit was behind the BadRabbit ransomware campaign in the fourth quarter of 2017.

The exploit has also been identified as one of the spreading mechanisms for malicious cryptominers, and it has been deployed to distribute the Satan ransomware campaign.

EternalBlue was reportedly stolen from the National Security Agency in 2016 and leaked online on April 14th 2017 by a group known as the Shadow Brokers.