Finally, 2 weeks post launch, some worldwide statistics.
August 7, 2017 update: stats explained
But before you start, here are some useful tips:
- Read FAQ below
- Hover data to see some extra detailed tool-tips
- Click data for dynamic filtering
- CTRL+click for multi-select
- Hit the full screen button below and enjoy
Words out. Visualizations in.
Please share your feedback – your results, how it helped you – on Twitter or just as comments below. If you have more ideas for cool visualizations, just let me know. Need to ask something privately? You can email me or make contact through LinkedIn.
Some surprising facts (July 12, 2017)
- More than 8 million IPs were scanned. France taking the lead with 1.5 million
- The top 3 vulnerable countries (out of ~130) had more than 30,000 vulnerable hosts altogether
- The majority (53.82%) of hosts nowadays still have SMBv1 enabled
- 1 out of 9 hosts in a network is vulnerable to EternalBlue
- One network, with almost 10,000 hosts (not IPs), had 2 vulnerable hosts. How could anyone find that without Eternal Blues?
Unfortunately, exploitation of EternalBlue is still a very good method of invoking remote code execution. It is available on more than 50,000 hosts scanned by Eternal Blues (as of July 12, 2017). Yes, even after all the latest attacks by WannaCry and NotPetya. I’m here to remind you, sometimes it takes just 1 vulnerable machine to take you down.
Although numbers are quite high (remember, these are IPs scanned with my tool only), I feel like awareness did increase somewhat. Running Eternal Blues is, by definition, being aware of the problem. So good for you for taking responsibility and checking your network status. Now it’s patching time!
- Patch Microsoft Windows
- Set Windows to automatic updates
- Disable SMBv1 (did you know Microsoft ‘shames’ vendors who still ask for SMBv1?)
- Periodically assess the risk in your network with your favorite vulnerability scanner (Eternal Blues?)
Please, don’t be mistaken – recent ransomware attacks are the ones that made all the buzz, since they actually tell you when they hit you. I believe there are many more EternalBlue-based attacks which remain off the radar and are still unknown to us (examples: data exfiltration or even just using your computers to join a botnet). So not seeing something like this (below) does not mean you weren’t hit…
FAQ
- Is ‘IP’ == ‘Host’?
  - No. An IP is an IP address. It may or may not be in use
- Can someone hack your data and see our personal data?
  - First, everything is hack-able. Second, there is no personal data to hack. In fact, I’ve just made it available online with the Power BI dashboard above, so, no need to hack, it’s all here! As for what’s being collected and why there is no privacy issue, read Privacy & Reporting
- Are there any duplicates?
  - Yes. Since I don’t track users/hosts, I cannot know if a user scanned the same network twice
- So, total results should be lower than mentioned?
  - Actually quite the opposite. There are many cases which make me believe the total results number is actually higher:
    - Versions 0.0.0.1-0.0.0.4 included a detection issue (as mentioned here). So in order not to have even the slightest mistake with statistics, I decided to exclude all collected results from these versions (meaning, scans of 1 million IPs were completely dismissed)
    - Some scans were taken on more secured environments where there is no internet access. Meaning, no statistics for me
    - Some users probably disabled access to my website in order not to send statistics
- Can I use these visualizations in my website / presentations?
  - Sure. Letting me know how/where it helped you would be great
- Are visualizations, or the data they’re based on, going to be updated?
  - Yes. At least twice a week