Eternal Blues – stats explained

In just a month or so, Eternal Blues users in 163 countries scanned over 21 million IPs. Of the hosts that answered, 875K still use SMBv1 and 134K were identified as vulnerable to EternalBlue. More than 17K networks had at least one EternalBlue-vulnerable host.

High level stats

Looking at the top 6 countries, where Eternal Blues was most widely adopted, Russia, Spain, the United States and France each scanned over 2M IPs; Ukraine and Germany each scanned over 1M IPs.

 

163 countries. No, I did not see this coming when I first made this tool available.

 

On average, 1 host out of 9 in a scanned network is vulnerable. This is quite surprising.

 

Looking at the extremes of the vulnerability ratio (among countries with at least 2,000 scanned hosts), the worst cases are 1 vulnerable host out of every 4-5, while the best cases are 1 out of every 20-30, which is still pretty bad if you ask me.

 

Needle in a haystack

My favorite view. It perfectly shows the great value of this tool: IT/security teams have a hard time knowing whether their network is fully patched.

One network scan taken from France had only 2 vulnerable hosts out of almost 10,000. Finding that needle without a scan is close to mission impossible. Another example is a network scan taken from Saudi Arabia, with only one vulnerable host out of almost 4,800 active hosts. This is insane.

 

Besides, organizations that scanned their network with Eternal Blues are, by definition, aware that they may have some blind spots. I initially aimed this tool at small and medium businesses, but it was widely adopted by enterprises as well: an 11K-host scan, a 10K-host scan, a 9K-host scan and lots of 4K-host scans show it was in use by enterprises.

Another cool piece of information: one network scan ended up with 1,351(!) vulnerable hosts. One scan. 1,351 vulnerable hosts?? This reminds me of the one time my fridge was so full that I decided to look for expired products to make some room. I ended up with just water in my fridge :|

 

SMBv1 view

Most of the hosts out there still use SMBv1 (seriously, guys). One of my favorite tweets on the subject, by Ned Pyle, Principal PM @ Microsoft:

If you think you're safe because you patched all your systems, think again. Great research by Sean Dillon and Jenna Magius, who discovered SMBLoris, demonstrates yet another devastating vulnerability in SMB: an unauthenticated remote denial of service that exhausts the server's memory, and it works against hosts that are fully patched for MS17-010.

Read more about the risks of SMBv1 in a great article by Lucian Constantin in Forbes Magazine.
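To make concrete what "still uses SMBv1" means at the wire level, here is an added example (my own illustration, not the Eternal Blues tool's code) of how a scanner decides it: it sends an SMB1 NEGOTIATE request that offers only the "NT LM 0.12" dialect and looks at the first thing the server sends back. A server that answers with an SMB1 NEGOTIATE reply selecting that dialect has SMBv1 enabled; a server with SMBv1 disabled either closes the connection or, if it were offered SMB2 dialects, would answer with an SMB2 header instead. The flag values, the constructed sample replies and the function names are assumptions for this example.

```python
"""Minimal SMBv1 dialect probe (added example, not the Eternal Blues code).

Builds an SMB1 NEGOTIATE request offering only 'NT LM 0.12' and classifies
the server's first reply. The sample replies below are constructed locally
so the classifier can be exercised offline.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"


def _nbss_frame(msg):
    """NetBIOS session service framing: type 0x00 + 24-bit big-endian length."""
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def _smb1_header(flags):
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    # 8-byte security features, reserved, TID, PIDLow, UID, MID.
    # Flags2 0xC853 (unicode, NT status codes, long names, ...) is the value
    # commonly sent by scanners; assumed here.
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, flags, 0xC853,
        0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)


def build_smb1_negotiate(dialects=(NT_LM_012,)):
    """Return a framed SMB1 NEGOTIATE request offering the given dialects."""
    # Parameter block: WordCount = 0 for a NEGOTIATE request.
    # Data block: ByteCount, then each dialect as 0x02 + NUL-terminated name.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = _smb1_header(0x18) + b"\x00" + struct.pack("<H", len(data)) + data
    return _nbss_frame(body)


def classify_negotiate_reply(reply):
    """Classify the first framed message a server sent back.

    'smb1'      SMB1 NEGOTIATE reply selecting one of our dialects (SMBv1 on)
    'smb1-none' SMB1 reply with DialectIndex 0xFFFF (no dialect accepted)
    'smb2'      server answered with an SMB2/3 header instead
    'closed'    empty reply (connection reset or closed, typical when SMBv1
                is removed and only SMB1 dialects were offered)
    'unknown'   anything else (malformed, non-SMB, error reply)
    """
    if not reply:
        return "closed"
    if len(reply) < 4 + 32 or reply[0] != 0x00:
        return "unknown"
    length = int.from_bytes(reply[1:4], "big")
    msg = reply[4:4 + length]
    if msg[:4] == SMB2_MAGIC:
        return "smb2"
    if msg[:4] != SMB1_MAGIC or msg[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    word_count = msg[32]
    if word_count == 0 or len(msg) < 35:
        return "unknown"          # no parameter words: an error reply
    dialect_index = struct.unpack_from("<H", msg, 33)[0]
    return "smb1-none" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host, port=445, timeout=3.0):
    """Live probe: connect, send the request, classify the reply.
    (Network call; not exercised by the offline samples below.)"""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_smb1_negotiate())
        try:
            reply = s.recv(4096)
        except (ConnectionResetError, socket.timeout):
            reply = b""
    return classify_negotiate_reply(reply)


def sample_smb1_reply(dialect_index=0):
    """Constructed SMB1 NEGOTIATE reply; only the parsed fields are meaningful."""
    word_count = 1 if dialect_index == 0xFFFF else 17
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    return _nbss_frame(_smb1_header(0x98) + bytes([word_count]) + words
                       + struct.pack("<H", 0))


# Constructed SMB2 NEGOTIATE reply header (64 bytes), content irrelevant here.
SAMPLE_SMB2_REPLY = _nbss_frame(SMB2_MAGIC + b"\x00" * 60)

if __name__ == "__main__":
    for name, r in [("smb1 on", sample_smb1_reply()),
                    ("no dialect", sample_smb1_reply(0xFFFF)),
                    ("smb2", SAMPLE_SMB2_REPLY), ("closed", b"")]:
        print(f"{name:>10}: {classify_negotiate_reply(r)}")
```

Only a NEGOTIATE is sent, so the probe never authenticates and never touches the transaction code paths that MS17-010 concerns; it answers the narrower question the stats above count, whether SMBv1 is still accepting connections at all. Run it only against hosts you are authorized to scan.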

 

Final words

Eternal Blues was a great experience, both in helping users worldwide and, hopefully, in helping the security ecosystem understand the current posture of the EternalBlue vulnerability and how often you can find a host with SMBv1 still enabled (roughly every other host).

You should always keep in mind that these statistics were collected from users who chose to scan with Eternal Blues. Meaning:

  • Absolute numbers (e.g. how many vulnerable hosts exist) are much (much) higher in reality
  • Ratios (e.g. 1 out of 9 hosts is vulnerable) understate how bad things really are. Although the stats represent ~1.4M real hosts, the networks that got scanned were networks where someone already had some awareness of the problem…

You can always access (and share) the up to date statistics here:

 

For me, I’m going to have less focus on this project from now on. It will still be available to download in the meantime, but my focus is already on my next challenge ;)

For a safer world!