WannaCry caused chaos on thousands of networks, cost billions in damages, and represents a new chapter in cybercrime. Six months after the attack, system administrators and security specialists still haven't disabled the archaic protocol it exploited. Using Shodan, I searched for devices that were still running public SMB services at the time of writing.
- 1,719,610 devices with SMB services still publicly available
- 87% of those devices still allow connection via SMBv1
Obviously there are services that require SMBv1 in order to function properly, and the list is so extensive that it looks like a significant share of the world's computers would be affected if the protocol suddenly stopped working. Microsoft released a full list of programs that require SMBv1 here. It includes printers by Xerox, networking equipment by Cisco, the vSphere hypervisor, Red Hat Enterprise Linux versions 5 and 6, and a multitude of other enterprise-level software and services. I know if we disabled SMBv1 in my company's environment and vSphere stopped working, we'd be screwed. Our environment is 99% virtualized within vSphere, among other cloud providers.
It is pretty clear that we rely on SMBv1, a 20+-year-old, broken technology widely considered inefficient and insecure, to make much of our technology work. Most instances have been patched against the DoublePulsar/EternalBlue vulnerabilities used to spread WannaCry and NotPetya, but since the protocol is so old there could be many more vulnerabilities hiding in the code, waiting to be exploited.
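As an added example (not code from the original post), the following PowerShell script audits which clients still rely on SMBv1 on a Windows host before the protocol is disabled, so a dependency like the ones listed above is found before anything breaks. It assumes Windows 10 / Server 2016 or later with the SmbShare cmdlets, an elevated session, and that the text of audit event 3000 carries a "Client Address:" field.

```powershell
# Added example (not from the original post): audit SMBv1 use on a Windows host
# before disabling it. Assumes Windows 10 / Server 2016 or later with the
# SmbShare module, run from an elevated PowerShell session.
param(
    [switch]$Disable   # only disable SMB1 when explicitly asked
)

# 1. Report the current SMB1 server state.
$cfg = Get-SmbServerConfiguration
Write-Host "EnableSMB1Protocol : $($cfg.EnableSMB1Protocol)"
Write-Host "AuditSmb1Access    : $($cfg.AuditSmb1Access)"

# 2. Turn on SMB1 access auditing so each SMB1 connection is logged to
#    Microsoft-Windows-SMBServer/Audit as event ID 3000.
if (-not $cfg.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host "SMB1 auditing enabled; leave it on for a while before disabling."
}

# 3. List clients that have connected over SMB1 since auditing started.
#    Assumption: the event text contains a 'Client Address:' field.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
} -ErrorAction SilentlyContinue

$clients = $events | ForEach-Object {
    if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique

if ($clients) {
    Write-Host "Clients still using SMB1 (fix these dependencies first):"
    $clients | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No SMB1 connections recorded in the audit log."
}

# 4. Disable SMB1 only when asked and nothing is still depending on it.
#    On Windows Server the feature is removed with Remove-WindowsFeature FS-SMB1
#    instead of Disable-WindowsOptionalFeature.
if ($Disable) {
    if ($clients) {
        Write-Warning "Refusing to disable SMB1 while clients still use it."
    } else {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
        Write-Host "SMB1 server support disabled; a reboot completes the removal."
    }
}
```

Run it once without `-Disable` to turn auditing on, check the reported clients over the following days, and only pass `-Disable` once the list is empty.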