The developer of a tool named Eternal Blues that scans for computers vulnerable to the NSA’s ETERNALBLUE exploit has published statistics gathered from the app’s usage.
According to Elad Erez, the tool’s developer, the Eternal Blues app found more than 50,000 vulnerable computers around the world in the past two weeks, since the tool’s official release.
Eternal Blues works by pinging computers in a network range and attempting to identify if they are vulnerable to specially crafted SMB packets, as the ones used by the ETERNALBLUE exploit. Eternal Blues only checks for specific responses, without exploiting the actual SMB flaw, and does not run any code on the scanned computers.
Users scanned over eight million IPs
After Erez published Eternal Blues on June 28, he says that countless of users downloaded the tool and scanned local networks or Internet ranges for vulnerable systems.
The developer says that users employed Eternal Blues to scan over eight million IP addresses. Most of the scanned IPs were assigned to countries such as France, Russia, Germany, the US, and Ukraine.
Of these, 53.82% of scanned hosts still had the SMBv1 protocol enabled, even if Microsoft has recommended that users move to v2 or v3, newer and more secure versions of the protocol.
The good news is that even if so many users had SMBv1 enabled, most had applied the MS17-010 patch that protects systems against ETERNALBLUE.
Only one in nine scanned hosts was vulnerable to ETERNALBLUE
According to Erez, only one in nine of the scanned hosts were vulnerable to ETERNALBLUE, which was about 50,000 PCs, or 11% of the scanned hosts. The top 3 most vulnerable countries were France, Russia, and Ukraine.
While some Eternal Blues statistics came from bad actors looking for vulnerable systems, the good guys also used this tool, meaning that at least some part of these computers have been patched.