67% of enterprise environments still run protocol exploited by WannaCry and NotPetya

Four years after devastating ransomware attacks, SMBv1 and other vulnerable protocols are still running in IT environments around the world.

ExtraHop, a leader in cloud-native network detection and response, has released a security advisory about the prevalence of insecure protocols in enterprise IT environments.

The report details the ongoing use of deprecated and insecure protocols, including Server Message Block version one (SMBv1), which was exploited by the WannaCry ransomware variant to encrypt nearly a quarter of a million machines worldwide four years ago.

In early 2021, the ExtraHop threat research team conducted primary research examining the prevalence of insecure protocols in enterprise environments, specifically SMBv1, Link-Local Multicast Name Resolution (LLMNR), NT LAN Manager version one (NTLMv1) and Hypertext Transfer Protocol (HTTP). The research uncovered alarming usage of these protocols that exposes organizations and their customers to considerable risk.

  • SMBv1: This protocol was exploited in attacks such as WannaCry and NotPetya and lets malware spread quickly to other unpatched servers across a network. ExtraHop research shows that SMBv1 is still found in 67% of environments in 2021, more than four years after EternalBlue and the related vulnerabilities came to light.
  • LLMNR: LLMNR can be exploited to obtain user credential hashes. These hashes can be cracked to recover actual login credentials, giving malicious actors access to sensitive personal and business data. ExtraHop research found that 70% of environments are still running LLMNR.
  • NTLM: Despite Microsoft's recommendation that organizations stop using NTLM in favor of the much more secure Kerberos authentication protocol, NTLM is still quite common. Thirty-four percent of enterprise environments have at least 10 clients running NTLMv1.
  • HTTP: When plaintext credentials are transmitted over HTTP, those credentials are left exposed – the Internet equivalent of shouting passwords across a crowded room. Despite the risks, ExtraHop data shows that 81% of enterprise environments still send plaintext credentials over HTTP.
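The four findings above all come from observing network behavior, and the same observations are what a defender needs to build the asset inventory that decides whether to remediate or contain. The following is an added example written for this page, not ExtraHop's code or any product's detection logic. It assumes a sensor has already decoded each flow into a record with the field names used here (proto, dport, dst, smb_dialect, ntlm_response_len, http_headers), which are this example's own assumptions, and the sample records are constructed.

```python
"""Inventory insecure-protocol use from decoded network metadata.

Added example, not ExtraHop's code. The record schema (proto, dport, dst,
smb_dialect, ntlm_response_len, http_headers) is assumed for illustration;
the sample records below are constructed, not captured traffic.
"""
import base64
import json
from collections import defaultdict

LLMNR_PORT = 5355
LLMNR_GROUPS = {"224.0.0.252", "ff02::1:3"}  # IPv4 / IPv6 multicast groups used by LLMNR
# Dialect strings an SMB1 client offers; a server that selects one of these
# (rather than "SMB 2.002" / "SMB 2.???") has negotiated SMBv1.
SMB1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002",
                 "LANMAN2.1", "NT LM 0.12"}
# Heuristic: the NTLMv1 NT response is a fixed 24 bytes; NTLMv2 carries a longer blob.
NTLMV1_RESPONSE_LEN = 24


def basic_auth_user(header):
    """Return the username from an HTTP Basic Authorization header.

    Basic auth is only base64, so the password is just as readable on the
    wire; the inventory records the user, not the secret.
    """
    creds = base64.b64decode(header.split(" ", 1)[1]).decode("utf-8", "replace")
    return creds.split(":", 1)[0]


def classify(rec):
    """Return the set of insecure-protocol labels one record matches."""
    hits = set()
    proto, dport = rec.get("proto"), rec.get("dport")
    if proto == "udp" and dport == LLMNR_PORT and rec.get("dst") in LLMNR_GROUPS:
        hits.add("LLMNR")
    if proto == "tcp" and dport == 445 and rec.get("smb_dialect") in SMB1_DIALECTS:
        hits.add("SMBv1")
    if rec.get("ntlm_response_len") == NTLMV1_RESPONSE_LEN:
        hits.add("NTLMv1")
    auth = rec.get("http_headers", {}).get("Authorization", "")
    if proto == "tcp" and dport == 80 and auth.startswith("Basic "):
        hits.add("HTTP-plaintext-credentials")
    return hits


def load_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def inventory(records):
    """Map each insecure-protocol label to the sorted source hosts using it."""
    hosts = defaultdict(set)
    for rec in records:
        for label in classify(rec):
            hosts[label].add(rec["src"])
    return {label: sorted(h) for label, h in hosts.items()}


def host_share(records):
    """Percentage of distinct source hosts observed using each insecure protocol."""
    total = len({rec["src"] for rec in records})
    return {label: round(100 * len(h) / total)
            for label, h in inventory(records).items()}


# Constructed sample: six hosts, four of which show at least one insecure protocol.
SAMPLE = """
{"src": "10.0.1.10", "dst": "224.0.0.252", "proto": "udp", "dport": 5355}
{"src": "10.0.1.11", "dst": "ff02::1:3", "proto": "udp", "dport": 5355}
{"src": "10.0.1.10", "dst": "10.0.2.5", "proto": "tcp", "dport": 445, "smb_dialect": "NT LM 0.12"}
{"src": "10.0.1.12", "dst": "10.0.2.5", "proto": "tcp", "dport": 445, "smb_dialect": "SMB 3.1.1"}
{"src": "10.0.1.13", "dst": "10.0.2.7", "proto": "tcp", "dport": 445, "ntlm_response_len": 24}
{"src": "10.0.1.14", "dst": "10.0.2.9", "proto": "tcp", "dport": 80, "http_headers": {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}}
{"src": "10.0.1.15", "dst": "10.0.2.9", "proto": "tcp", "dport": 443}
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE)
    for label, hosts in inventory(recs).items():
        print(f"{label}: {len(hosts)} host(s) -> {', '.join(hosts)}")
    print(host_share(recs))
```

The output is a per-protocol list of source hosts plus the share of hosts affected, which is the form an inventory needs before choosing between migration and containment. The LLMNR and SMBv1 checks rest on well-defined wire properties (the multicast group and port, the negotiated dialect); the NTLMv1 check is a length heuristic and should be confirmed against host-side audit settings before acting on it.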

“It’s easy to say that organizations should get rid of these protocols in their environments, but often it’s not that simple. Migrating off SMBv1 and other deprecated protocols may not be an option for legacy systems, and even when it is an option, the migration can trigger disruptive outages. Many IT and security organizations will choose to try and contain the deprecated protocol instead of risking an outage,” said Ted Driggs, Head of Product, ExtraHop.

“Organizations need an accurate and up-to-date inventory of their assets’ behavior to assess risk posture as it relates to insecure protocols. Only then can they decide how to remediate the issue or limit the reach of vulnerable systems on the network.”

Intelligent CIO North America