Rapid7 conducts an annual scan of the Internet (roughly 3 billion IP-addressable devices) and this year found about 160 million devices with open ports that should not be exposed to the Internet. Among the 30 ports scanned (according to the Threatpost article linked below) was the SMB port, TCP 445, the service abused by the WannaCry ransomware that wreaked havoc in May 2017.
What is SMB? Server Message Block (SMB) is a protocol used primarily in Windows environments that allows shared access to files, printers and other resources across a network; it normally listens on TCP port 445 (and on TCP 139 when carried over NetBIOS). Although newer versions of the protocol (SMB 2 and 3) have added security features such as message signing and, in SMB 3, encryption, exposing SMB of any version directly to the Internet is not considered safe.
Why should I care? On 12 May 2017, the WannaCry ransomware attack compromised more than 230,000 computers in over 150 countries. The ransomware spread using EternalBlue, an exploit for a vulnerability in Microsoft's SMBv1 implementation (the one fixed by MS17-010). If the worm can 'see' your computer's SMB port on the Internet and the machine is unpatched, it (or anything else carrying the same exploit) can compromise the machine with no interaction at all from you. Additionally, while ransomware announces itself, the same vulnerability can be exploited quietly, and that kind of attack could go completely unnoticed for some time (while the attacker siphons off data, attacks another target while appearing to be you, etc.).
Why is this relevant? WannaCry exploited a vulnerability that it *should not* have been able to exploit, for at least two reasons. First, there is no good reason to expose SMB to the Internet. Put it behind a firewall and, if you (or your users) need to reach it remotely, use a VPN. Second, Microsoft had already patched the vulnerability two months earlier (MS17-010, March 2017), meaning that those infected had not installed updates in *at least* two months. Shodan.io is a publicly available search engine that can be used to find specific types of devices or services on the Internet and gather details about them. At the time of this writing, Shodan.io was reporting 2,318,332 devices exposing SMB to the Internet.
What can I do? If you're exposing SMB (or any other insecure, unsafe, unpatched or vulnerable service) to the Internet, stop: block TCP 445 and 139 at the perimeter, apply MS17-010 and current updates, and disable SMBv1 on hosts that do not need it. If you aren't 100% certain that you aren't exposing any of these, perhaps the quickest, easiest and most accurate way to find out is a vulnerability assessment that will a) identify what you are exposing and b) quantify the risk that exposure presents (e.g., exposing a fully patched mail server to send and receive email is a much lower risk than exposing SMB on a Windows Server 2003/2008/2012/2016 server). If you would like more information on securing your organization or the services that Piratica can provide, please contact us.
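As an added example (not part of the original post and not Piratica's own tooling), the following Python script does the first half of that assessment from the outside: for hosts you are authorised to test, it checks whether TCP 445 and 139 are reachable and, where 445 answers, sends an SMB1 Negotiate Protocol request that offers only the NT LM 0.12 dialect. A reply that begins with 0xFF 'SMB' means the host still speaks SMBv1, the version EternalBlue targets; an SMB2 header, a closed connection or silence means the host did not negotiate SMBv1. The host name in the default target list is a placeholder, and the canned server replies used for the offline self-check are constructed, not captured from real systems.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"        # SMB1 header starts 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"        # SMB2/3 header starts 0xFE 'S' 'M' 'B'
SMB_COM_NEGOTIATE = 0x72
SMB_PORTS = (445, 139)         # direct-TCP SMB, and SMB over the NetBIOS session service


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)):
    """NetBIOS-framed SMB1 Negotiate Protocol request.

    Offering only SMB1 dialects (no 'SMB 2.???') forces a server that still
    supports SMBv1 to answer in SMB1; one with SMBv1 disabled drops the
    connection or answers with something other than an SMB1 header.
    """
    header = (
        SMB1_MAGIC
        + struct.pack("<B", SMB_COM_NEGOTIATE)
        + struct.pack("<I", 0)        # NT status
        + struct.pack("<B", 0x18)     # Flags: canonical pathnames, case-insensitive
        + struct.pack("<H", 0x0001)   # Flags2: long names allowed
        + struct.pack("<H", 0)        # PIDHigh
        + b"\x00" * 8                 # SecurityFeatures
        + struct.pack("<H", 0)        # Reserved
        + struct.pack("<H", 0)        # TID
        + struct.pack("<H", 0xFEFF)   # PID (arbitrary)
        + struct.pack("<H", 0)        # UID
        + struct.pack("<H", 1)        # MID
    )
    dialect_bytes = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes
    smb = header + body
    # NetBIOS session header: 0x00 type byte plus a 3-byte big-endian length
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


def classify_response(raw):
    """Classify what a server sent back to the negotiate above."""
    if len(raw) < 8 or raw[0] != 0x00:
        return "not-smb"
    smb = raw[4:]
    if smb.startswith(SMB2_MAGIC):
        return "smb2"                 # server only offers SMB2/3 negotiation
    if not smb.startswith(SMB1_MAGIC):
        return "not-smb"
    # 32-byte SMB1 header, then WordCount, then the parameter words
    if len(smb) >= 35 and smb[4] == SMB_COM_NEGOTIATE and smb[32] >= 1:
        if struct.unpack_from("<H", smb, 33)[0] == 0xFFFF:
            return "smb1-nodialect"   # SMBv1 spoken, but our dialect was refused
    return "smb1"


def tcp_open(host, port, timeout=3.0):
    """Plain TCP connect check: is the port reachable from where we run?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_smb1(host, port=445, timeout=5.0):
    """Send the SMB1 negotiate over direct TCP and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            raw = sock.recv(1024)
    except socket.timeout:
        return "timeout"
    except OSError:
        return "closed"
    return classify_response(raw) if raw else "closed"   # hung up without an SMB answer


def constructed_reply(kind, dialect_index=0):
    """Constructed (not captured) server replies for offline checking."""
    if kind == "smb1":
        header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 4
                  + b"\x98" + b"\x01\x00" + b"\x00" * 20)
        if dialect_index == 0xFFFF:   # one parameter word: "no dialect acceptable"
            smb = header + b"\x01" + struct.pack("<H", 0xFFFF) + b"\x00\x00"
        else:                         # 17 parameter words of an NT LM 0.12 response
            params = struct.pack("<HBHHIIIIQHB", dialect_index, 3, 50, 1, 16644,
                                 65536, 0, 0x8000E3FD, 0, 0, 0)
            smb = header + b"\x11" + params + b"\x00\x00"
    elif kind == "smb2":
        smb = SMB2_MAGIC + b"\x00" * 60   # only the header prefix matters here
    else:
        return b"HTTP/1.1 400 Bad Request\r\n"  # not SMB at all
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["fileserver.example.test"]   # placeholder host name
    for host in targets:
        exposed = [p for p in SMB_PORTS if tcp_open(host, p)]
        if not exposed:
            print(f"{host}: no SMB port reachable")
            continue
        # Port 139 needs a NetBIOS session request first, so only 445 is probed here.
        verdict = probe_smb1(host) if 445 in exposed else "not probed (only 139 open)"
        print(f"{host}: SMB reachable on {exposed}; SMBv1 probe -> {verdict}")
```

Run it from outside your perimeter (a cloud VM or a home connection) against your own public addresses; a result of `smb1` on any of them is exactly the exposure WannaCry looked for, and even `smb2` means the firewall rule from the paragraph above is still missing.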
Misc / References
- Threatpost article – https://threatpost.com/post-wannacry-5-5-million-devices-still-expose-smb-port/126249/
- SMB – https://en.wikipedia.org/wiki/Server_Message_Block
- WannaCry – https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
- EternalBlue – https://en.wikipedia.org/wiki/EternalBlue
- Shodan SMB Results – https://www.shodan.io/search?query=smb