Chinese Affiliated ISPs Make Progress While Many U.S. ISPs Falter

In the roughly two weeks since I first compiled my list of the top, most vulnerable ISPs that have SMB port 445 open, leaving those public-facing computers vulnerable to recently leaked NSA cyber weapons, some ISPs have made commendable progress in containing the total number of exposed devices. Without insider knowledge, I don’t know if this reduction in attack surface is a direct result of proactive defensive lockdowns of those devices by the ISPs I reported on, or a result of some other force, such as the Adylkuzz peer-to-peer mining malware that closes port 445 once it takes over a target.

Here is the list of the 10 ISPs that showed the greatest percentage reduction in exposed computers, comparing the 5/30/2017 vs. 5/14/2017 counts of devices with the exploitable port open. Many of these ISPs have Chinese affiliations, as reported previously.

  1. eSited Solutions – 2,955 -> 7 = Total Reduction of 2,948 -99.7%
  2. EGIHosting – 13,621 -> 665 = Total Reduction of 12,956 -95.1%
  3. Global Frag – 17,710 -> 1,221 = Total Reduction of 16,489 -93.1%
  4. Peg Tech – 12,435 -> 1,686 = Total Reduction of 10,749 -86.4%
  5. Krypt Technologies – 2,795 -> 423 = Total Reduction of 2,372 -84.9%
  6. Cloudddos Technology Co. – 1,179 -> 420 = Total Reduction of 759 -64.4%
  7. YHSRV – 5,695 -> 1,928 = Total Reduction of 3,767 -66.1%
  8. SpeedVM Network Group LLC – 30,547 -> 12,301 = Total Reduction of 18,246 -59.7%
  9. Take 2 Hosting – 6,392 -> 2,852 = Total Reduction of 3,540 -55.4%
  10. Nobis Technology Group LLC – 35,449 -> 15,948 = Total Reduction of 19,501 -55.0%

These ISPs all appear to have made commendable progress reducing their attack surface exposure.

Now for the bad news.

Here is the list of the top 10 ISPs, taken from my original list of the top 25 most vulnerable ISPs, that have increased their attack surface by having more computer devices exposed since my original post counting total vulnerable devices by ISP. Most of these appear to be US-owned entities, unlike the list of most improved ISPs. I noticed traffic from China on my blog. Perhaps they read my post and decided to close up those devices before the NSA takes them over? Or maybe the NSA listened to my recommendation and took out many of those vulnerable devices…

Top 10 Percentage Degraded Since My Original Post

  1. Amazon / Amazon.com – 10,200 -> 21,917 = Total Increase of 11,717 +114.9%
  2. Singlehop – 3,006 -> 4,848 = Total Increase of 1,842 +61.3%
  3. SoftLayer Technologies – 7,293 -> 11,566 = Total Increase of 4,273 +58.6%
  4. CenturyLink – 1,360 -> 2,140 = Total Increase of 780 +57.4%
  5. Microsoft Azure – 5,462 -> 8,108 = Total Increase of 2,646 +48.4%
  6. ColoCrossing – 13,176 -> 19,317 = Total Increase of 6,141 +46.6%
  7. Time Warner Cable – 2,700 -> 3,605 = Total Increase of 905 +33.5%
  8. MegaPath Corporation – 2,077 -> 2,531 = Total Increase of 454 +21.9%
  9. Fairpoint Communications – 1,772 -> 2,030 = Total Increase of 258 +14.6%
  10. University of Washington – 2,451 -> 2,619 = Total Increase of 168 +6.9%

New Entrants Into the Top List of Most Vulnerable ISPs Include the Following:

  1. Liquid Web, L.L.C – 2,201
  2. Rackspace Cloud Servers – 2,103
  3. Cogent Communications – 2,069
  4. Interserver – 1,905
  5. 1&1 Internet AG – 1,722

It seems as if the threat has morphed and shifted to U.S. affiliated entities.
