Intelligent CIO North America Issue 12 | Page 68

ORGANIZATIONS NEED AN ACCURATE AND UP-TO-DATE INVENTORY OF THEIR ASSETS’ BEHAVIOR TO ASSESS RISK POSTURE.
INTELLIGENT BRANDS // Enterprise Security

67% of enterprise environments still run protocol exploited by WannaCry and NotPetya

Four years after devastating ransomware attacks, SMBv1 and other vulnerable protocols are still running in IT environments around the world.

ExtraHop, a leader in cloud-native network detection and response, has released a security advisory about the prevalence of insecure protocols in enterprise IT environments. The report details the ongoing use of deprecated and insecure protocols, including Server Message Block version one (SMBv1), which was exploited by the WannaCry ransomware variant to encrypt nearly a quarter of a million machines worldwide four years ago.

In early 2021, the ExtraHop threat research team conducted primary research examining the prevalence of insecure protocols in enterprise environments, specifically SMBv1, Link-Local Multicast Name Resolution (LLMNR), NT LAN Manager (NTLMv1) and Hypertext Transfer Protocol (HTTP). The research uncovered alarming usage of these protocols that expose organizations and their customers to considerable risk.

• SMBv1: This protocol has been exploited for attacks like WannaCry and NotPetya and can quickly spread malware to other unpatched servers across a network. ExtraHop research shows that SMBv1 is still found in 67% of environments in 2021, more than four years after the EternalBlue and related vulnerabilities came to light.
• LLMNR: LLMNR can be exploited to gain access to user credential hashes. These credential hashes can be cracked to expose actual login information that gives malicious actors access to sensitive personal and business data. ExtraHop research found that 70% of environments are still running LLMNR.
• NTLM: Despite the recommendation from Microsoft that organizations cease use of NTLM in favor of the much more secure Kerberos authentication protocol, NTLM is still quite common. Thirty-four percent of enterprise environments have at least 10 clients running NTLMv1.
• HTTP: When plaintext credentials are transmitted over HTTP, those credentials are left exposed – the Internet equivalent of shouting passwords across a crowded room. Despite the risks, data from ExtraHop shows that 81% of enterprise environments still use insecure HTTP plaintext credentials.

“It’s easy to say that organizations should get rid of these protocols in their environments, but often it’s not that simple. Migrating off SMBv1 and other deprecated protocols may not be an option for legacy systems, and even when it is an option, the migration can trigger disruptive outages.

“Many IT and security organizations will choose to try and contain the deprecated protocol instead of risking an outage,” said Ted Driggs, Head of Product, ExtraHop.

“Organizations need an accurate and up-to-date inventory of their assets' behavior to assess risk posture as it relates to insecure protocols. Only then can they decide how to remediate the issue or limit the reach of vulnerable systems on the network.”
