Vulnerable Windows Server Message Block (SMB) shares central to last week's WannaCrypt outbreak are still widely deployed and frequently hunted, security researchers warn.
Rapid7 found over a million internet-connected devices that expose SMB on port 445. Of those, more than 800,000 run Windows, and – given that these are nodes running on the internet exposing SMB – it is likely that a large percentage of these are vulnerable versions of Windows with SMBv1 still enabled.
"While scanning for devices that expose port 445 has been observed for quite some time, the volume of scans on port 445 has increased since 2017-05-12 [Friday], and a majority of those scans are specifically looking to exploit MS17-010, the SMB vulnerability that the WannaCry[pt] malware looks to exploit," Rapid7 reports.
The firm, best known for the pen-testing software Metasploit, used internet scanning capabilities in Project Sonar and Project Heisenberg to gain insight into the scale of the WannaCrypt problem. The research is important because further malware strains or hacks based on the same vulnerability, patched by Microsoft in March but still widely exploitable, are more than likely. Follow-up attacks may well be less attention-grabbing while still posing a severe risk to internet hygiene.
For example, earlier this week it emerged that a cryptocurrency miner was surreptitiously using the same MS17-010 vulnerability to create a compromised network days before the spectacular WannaCrypt outbreak created worldwide chaos last Friday.