Eternal Blues – Worldwide Statistics

Finally, 2 weeks post launch, some worldwide statistics.

August 7, 2017 update: stats explained

But before you start, here are some useful tips:

  • Read FAQ below
  • Hover data to see some extra detailed tool-tips
  • Click data for dynamic filtering
  • CTRL+click for multi-select
  • Hit the full screen button below and enjoy ;)

Words out. Visualizations in.

 

Please share your feedback – your results, how the tool helped you – on Twitter or in the comments below. If you have ideas for other useful visualizations, let me know. Need to ask something privately? You can email me or get in touch through LinkedIn.

 

Some surprising facts (July 12, 2017)

  • More than 8 million IPs were scanned, with France in the lead at 1.5 million
  • The top 3 vulnerable countries (out of ~130) had more than 30,000 vulnerable hosts between them
  • The majority (53.82%) of hosts still have SMBv1 enabled
  • On average, 1 out of 9 hosts in a network is vulnerable to EternalBlue
  • One network of almost 10,000 hosts (not IPs) had just 2 vulnerable hosts. How would anyone find those without Eternal Blues?

 

Conclusions

Unfortunately, exploiting EternalBlue is still a very effective way of achieving remote code execution. It was possible on more than 50,000 of the hosts scanned by Eternal Blues (as of July 12, 2017). Yes, even after the widely publicized WannaCry and NotPetya attacks. I am here to remind you that sometimes it takes just 1 vulnerable machine to take you down.

Although the numbers are quite high (remember, these are only the IPs scanned with my tool), I feel that awareness has increased somewhat. Running Eternal Blues is, by definition, being aware of the problem. So good for you for taking responsibility and checking your network's status. Now it's patching time!
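The statistics above show that more than half of the scanned hosts still have SMBv1 enabled, which is the protocol EternalBlue abuses. The following PowerShell snippet is an added example, not part of Eternal Blues or this page, that audits the SMBv1 state of the local Windows host and, when run with -Disable from an elevated session, turns it off. It assumes the Get-SmbServerConfiguration / Set-SmbServerConfiguration cmdlets (Windows 8 / Server 2012 and later) and the SMB1Protocol optional-feature name used by Windows client editions; on server editions the feature is exposed differently and the feature part of the check may report Unknown.

```powershell
# Added example (not part of Eternal Blues): audit SMBv1 on the local host and,
# with -Disable, switch it off. Run from an elevated PowerShell session.
# Assumptions: Get-/Set-SmbServerConfiguration are available (Windows 8 /
# Server 2012+) and the client-side component is the "SMB1Protocol" optional
# feature (Windows client editions; servers may report Unknown here).
[CmdletBinding()]
param(
    [switch]$Disable
)

function Get-Smb1Status {
    # Server side: does this host still accept SMBv1 connections?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Optional-feature side: is the SMBv1 component installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'Unknown' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = $serverEnabled
        Smb1FeatureState  = $featureState
    }
}

$status = Get-Smb1Status
$status | Format-List

if ($Disable) {
    if ($status.ServerSmb1Enabled) {
        # Stop the SMB server from negotiating SMBv1 (takes effect immediately).
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Host "SMBv1 server protocol disabled."
    }
    if ($status.Smb1FeatureState -eq 'Enabled') {
        # Remove the SMBv1 component entirely; a reboot is needed to finish.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Host "SMB1Protocol feature disabled (reboot required)."
    }
}
```

Disabling SMBv1 removes the attack surface EternalBlue targets, but it is not a substitute for the MS17-010 update: patch first, then disable the protocol, and test against any legacy devices (old printers, NAS boxes) that still speak only SMBv1 before rolling the change out network-wide.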

Recommendations

 

Please don't be mistaken: the recent ransomware attacks are the ones that made all the noise, because they tell you when they hit you. I believe there are many more EternalBlue-based attacks that stay off the radar and remain unknown to us (for example, data exfiltration, or simply enlisting your computers into a botnet). So not seeing something like this (below) does not mean you weren't hit…

 

FAQ

  • Is 'IP' == 'Host'?
  • No. An IP is an IP address. It may or may not be in use by a host.
  • Can someone hack your data and see my personal data?
  • First, everything is hackable. Second, there is no personal data to hack. In fact, I have just made the data available online in the Power BI dashboard above, so there is no need to hack; it's all here! :D
    As for what is collected and why there is no privacy issue, read Privacy & Reporting.
  • Are there any duplicates?
  • Yes. Since I don't track users/hosts, I cannot know whether a user scanned the same network twice.
  • So the real totals should be lower than stated?
  • Actually, quite the opposite. There are several reasons to believe the real totals are higher:
    • Versions 0.0.0.1-0.0.0.4 had a detection issue (as mentioned here). In order not to have even the slightest error in the statistics, I decided to exclude all results collected from these versions (meaning scans of about 1 million IPs were dismissed entirely).
    • Some scans were run in more secure environments with no internet access, so no statistics reached me.
    • Some users probably blocked access to my website so as not to send statistics.
  • Can I use these visualizations on my website / in presentations?
  • Sure. Letting me know how and where they helped you would be great.
  • Will the visualizations, or the data they are based on, be updated?
  • Yes. At least twice a week.

6 thoughts on “Eternal Blues – Worldwide Statistics”

  1. Hello, great job. Could you share the vulnerable IPs in Saudi Arabia and Iran with me?

    For visualization you can make an interactive map.

    1. Dude, seriously, are you for real??
      It is impossible to reverse the vulnerable hosts from Eternal Blues statistics, by design. Thank god I made it this way. Read more about Privacy & Reporting.

      And… this tool is all about being good, so please, keep the karma.
