SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
ExtraHop reveals common insecure protocols used in enterprise IT
Mon, 17th May 2021
FYI, this story is more than a year old

A significant amount of enterprise environments still run protocols exploited by prevalent ransomware, new research finds.

This is according to the latest ExtraHop security advisory about the prevalence of insecure protocols in enterprise IT environments.

The report details the ongoing use of deprecated and insecure protocols, including Server Message Block version one (SMBv1), which was exploited by the WannaCry ransomware variant to encrypt nearly a quarter of a million machines world-wide four years ago today.

In early 2021, the ExtraHop threat research team conducted primary research examining the prevalence of insecure protocols in enterprise environments, specifically SMBv1, Link-Local Multicast Name Resolution (LLMNR), NT Lan Manager (NTLMv1), and Hypertext Transfer Protocol (HTTP).

The research uncovered alarming usage of these protocols that expose organisations and their customers to considerable risk.

SMBv1: This protocol has been exploited for attacks like WannaCry and NotPetya and can quickly spread malware to other unpatched servers across a network. ExtraHop research shows that SMBv1 is still found in 67% of environments in 2021, more than four years after the EternalBlue and related vulnerabilities came to light.

LLMNR: LLMNR can be exploited to gain access to the user credential hashes. These credential hashes can be cracked to expose actual login information that gives malicious actors access to sensitive personal and business data.

ExtraHop research found that 70% of environments are still running LLMNR.

NTLM: Despite the recommendation from Microsoft that organisations cease use of NTLM in favour of the much more secure Kerberos authentication protocol, NTLM is still quite common.

34% of enterprise environments have at least 10 clients running NTLMv1.

HTTP: When plaintext credentials are transmitted over HTTP, those credentials are left exposed the internet equivalent of shouting passwords across a crowded room.

Despite the risks, data from ExtraHop shows that 81% of enterprise environments still use insecure HTTP plaintext credentials.

ExtraHop head of product Ted Driggs says, “It's easy to say that organisations should get rid of these protocols in their environments, but often it's not that simple.

"Migrating off SMBv1 and other deprecated protocols may not be an option for legacy systems, and even when it is an option, the migration can trigger disruptive outages.

"Many IT and security organisations will choose to try and contain the deprecated protocol instead of risking an outage. Organisations need an accurate and up-to-date inventory of their assets' behaviour to assess risk posture as it relates to insecure protocols.

"Only then can they decide how to remediate the issue or limit the reach of vulnerable systems on the network.