EternalBlue 5 years after WannaCry and NotPetya

Published: 2022-07-05
Last Updated: 2022-07-05 08:37:42 UTC
by Jan Kopriva (Version: 1)

We are about two months past the 5-year anniversary of the WannaCry outbreak[1] and about a week past the 5-year anniversary of the NotPetya outbreak[2]. Since both WannaCry and NotPetya used the EternalBlue[3] exploit in order to spread, I thought that it might be interesting to take a look at how many internet-facing systems still remain vulnerable to it.

A quick search on Shodan Trends shows us that although the situation has gotten much better over the last few years, and it still seems to be slowly improving, more than 5,000 vulnerable machines (exactly 5,565 at the time of writing) are still accessible from the internet.

The blue line in the chart shows a more detailed view of the situation – it was created using Shodan data gathered daily using my TriOp tool[4].

At the end of May, most vulnerable systems were to be found in Russia, Taiwan, the United States, Japan and India[5].

At the time of writing, these countries are still at the top when it comes to systems affected by EternalBlue, though the corresponding numbers are somewhat lower (742 externally facing systems in Russia, 735 in Taiwan, 475 in the US, 391 in Japan and 327 in India).

It should be mentioned that some of the detected systems are undoubtedly honeypots and are therefore not really vulnerable. But even if half of the detected systems fell into this category (and it will probably be significantly less than that), it would still leave thousands of systems affected by a 5-year-old critical vulnerability.

And not just any vulnerability – one that was used to spread two of the most famous computer worms in history and which was therefore heavily covered even by mainstream media. One doesn’t have to be too imaginative to get a good idea of how many systems that are missing patches for less well-known vulnerabilities are left exposed online. Hopefully, it won’t bite us too much when someone decides to take advantage of them...


Jan Kopriva
Nettles Consulting
