Analyzing Post-WannaCry SMB Exposure
It's been a month since the WannaCry ransomware attack wreaked havoc across Windows networks via SMB, and I'd like to take a moment to review where we stand today. Here are some numbers to kick things off:
- 2,306,820 SMB services available on the Internet at the moment
- 42% allow Guest access
- 96% support SMBv1
- 16,206 have DoublePulsar
- 91,081 are vulnerable to MS17-010
DoublePulsar and MS17-010
Initially, we observed around 100,000 services on the Internet affected by DoublePulsar. That number slowly declined over time but then took a dramatic drop once WannaCry was released.
The DoublePulsar infections are continuously going down, which indicates that people aren't using the publicly available code released by the Shadow Brokers against Internet-accessible SMB. In theory, every Windows device running SMB should be patched by now and therefore no longer vulnerable to the issues fixed in MS17-010; if that were the case, it would explain the lack of DoublePulsar propagation. However, there are still at least 91,081 devices vulnerable to MS17-010, which means a significant exposure of vulnerable SMB services remains on the Internet.
Understanding SMB Deployments
SMB version 1 is more than 20 years old and widely considered deprecated, inefficient and insecure. Several newer versions of the SMB protocol address the shortcomings of the original. At the moment, the vast majority (96%) of SMB services on the Internet support SMBv1; only 4% require SMBv2 in order to connect.
That's not a huge surprise, as SMBv1 support is enabled by default on most products and many popular tools expect SMBv1 to be running.
In terms of guest access, 42% allow anonymous access to their SMB service:
The chart only tells half the story, though. It turns out that more than 90% of them are running Samba. In other words, almost all of the SMB instances on the Internet that allow guest access are running Samba, not the Windows SMB service. By default, neither allows guest access. I speculated that there might be a packaged release of Samba somewhere that allows guest access by default, but once I looked at the distribution of results the issue became clear:
Of the Samba instances that allow guests, 50% are located on the network of Etisalat. Even though there are many systems on the Internet that expose guest access, the numbers show the exposure is largely caused by a single Internet provider.
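As an added example (not code from the post or from Shodan), here is how the headline figures above can be reproduced from scan records: counting guest access, SMBv1 support, DoublePulsar and MS17-010 across a banner set, and then checking which network owns the largest share of the guest-allowing Samba hosts. The record layout is an assumption modelled loosely on the fields a Shodan SMB banner carries, and every record below is constructed sample data, not real scan results.

```python
# Added example: summarize SMB exposure from Shodan-style banner records.
# Record schema is a hypothetical stand-in for Shodan's SMB banner fields;
# all sample values are constructed, not real hosts.
from collections import Counter

# Dialect names a server can advertise during an SMB1 Negotiate exchange.
# These six are SMB1 dialects; "SMB 2.002" / "SMB 2.???" are the SMB2 markers
# an SMB1 negotiate may return. A server listing only SMB2/3 dialects requires SMBv2.
SMB1_DIALECTS = {
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12",
}


def make_record(ip, org, software, dialects, anonymous, vulns=(), tags=()):
    """Build one constructed banner record (hypothetical schema)."""
    return {
        "ip": ip,
        "org": org,
        "smb": {"software": software, "dialects": list(dialects), "anonymous": anonymous},
        "vulns": set(vulns),   # vulnerability ids the scanner attributed to the host
        "tags": set(tags),     # e.g. "doublepulsar" when the implant responded
    }


# Constructed sample set (documentation-range addresses, made-up org names).
SAMPLE_RECORDS = [
    make_record("192.0.2.10", "Corp-A", "Windows 7 Professional 7601", ["NT LM 0.12"], False, vulns=["MS17-010"]),
    make_record("192.0.2.11", "Corp-A", "Windows Server 2008 R2", ["NT LM 0.12"], False, vulns=["MS17-010"], tags=["doublepulsar"]),
    make_record("192.0.2.12", "Corp-B", "Windows Server 2016", ["SMB 2.002", "SMB 2.???"], False),
    make_record("198.51.100.1", "ISP-A", "Samba 3.6.25", ["NT LM 0.12", "SMB 2.002"], True),
    make_record("198.51.100.2", "ISP-A", "Samba 4.3.11-Ubuntu", ["NT LM 0.12", "SMB 2.002"], True),
    make_record("198.51.100.3", "ISP-A", "Samba 3.0.37", ["NT LM 0.12"], True),
    make_record("198.51.100.4", "ISP-B", "Samba 4.1.17", ["NT LM 0.12", "SMB 2.002"], True),
    make_record("198.51.100.5", "ISP-C", "Samba 4.5.8", ["SMB 2.002", "SMB 2.???"], True),
    make_record("203.0.113.7", "ISP-B", "Windows Server 2003 3790", ["NT LM 0.12"], True),
    make_record("203.0.113.8", "ISP-C", "Samba 4.2.14", ["NT LM 0.12"], False),
]


def supports_smb1(rec):
    """True if the server still negotiates any SMB1 dialect."""
    return any(d in SMB1_DIALECTS for d in rec["smb"]["dialects"])


def is_samba(rec):
    """Crude software split: Samba banner vs. anything else (Windows here)."""
    return "samba" in rec["smb"]["software"].lower()


def summarize(records):
    """Return the post-style headline counts for a record set."""
    total = len(records)
    guest = sum(1 for r in records if r["smb"]["anonymous"])
    smb1 = sum(1 for r in records if supports_smb1(r))
    doublepulsar = sum(1 for r in records if "doublepulsar" in r["tags"])
    ms17_010 = sum(1 for r in records if "MS17-010" in r["vulns"])
    return {
        "total": total,
        "guest": guest, "guest_pct": round(100 * guest / total),
        "smb1": smb1, "smb1_pct": round(100 * smb1 / total),
        "doublepulsar": doublepulsar,
        "ms17_010": ms17_010,
    }


def guest_concentration(records):
    """Among guest-allowing Samba hosts, return (org, count, share) for the largest owner.

    This is the check that turned "lots of guest-enabled Samba" into "one provider".
    """
    by_org = Counter(r["org"] for r in records if r["smb"]["anonymous"] and is_samba(r))
    n = sum(by_org.values())
    if n == 0:
        return None, 0, 0.0
    org, count = by_org.most_common(1)[0]
    return org, count, count / n


if __name__ == "__main__":
    stats = summarize(SAMPLE_RECORDS)
    for key, value in stats.items():
        print(f"{key:>13}: {value}")
    org, count, share = guest_concentration(SAMPLE_RECORDS)
    print(f"guest-enabled Samba concentrated in {org}: {count} hosts ({share:.0%})")
```

Two design choices matter in practice. SMBv1 support is derived from the negotiated dialect list rather than from a version label, because a host that answers "NT LM 0.12" will accept SMB1 regardless of what else it offers, and "requires SMBv2" means the SMB1 names are absent entirely. The concentration check is deliberately restricted to guest-allowing Samba hosts, mirroring the post's narrowing step: a single provider dominating that subset is a configuration problem at one network, not a property of Samba.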
Finally, while there was an initial drop in total SMB exposure on the Internet after DoublePulsar/WannaCry, we've since started seeing a steady increase again.
PS: Shodan has been keeping track of SMB on the Internet since January, 2013.