This year alone, there have been some of the biggest and most damaging ransomware attacks to date. In the space of just five days in May, there were two major cyber-attacks that rattled governments and private sector organizations around the world. The first, on Colonial Pipeline, forced a week-long shutdown of a major petrol supply line and pushed U.S. petrol prices to their highest since 2014. The second attack, on the Irish healthcare system, resulted in thousands of appointments, cancer treatments, and surgeries being canceled or delayed and patient data shared online.
Most recently, IT company Kaseya was targeted with ‘the biggest ransomware attack on record’, with cyber criminals demanding over $70 million to restore systems and unlock data. In this case, the attackers targeted a well-established but little-known software firm that would give them access to hundreds of other environments and the full extent of the damage is yet to be determined.
As the scope, severity, and frequency of cyberattacks increases, organizations are searching for new ways to shore up their cyber defenses. One of the easiest places to start is by eliminating the use of insecure protocols in the environment. Yet, insecure protocols, including those associated with some of the costliest cyber attacks in history, remain surprisingly common.
Old, risky protocols leave businesses vulnerable
In 2017, EternalBlue, the zero-day exploit of a protocol known as Server Message Block version 1 (SMBv1), was used to perpetrate two devastating ransomware attacks in the span of six weeks — WannaCry and NotPetya. The WannaCry and NotPetya attacks infected millions of computers in over 150 countries, crippling healthcare systems, critical infrastructure, and global shipping. The WannaCry attack alone cost £92 million for the UK and £4 billion worldwide.
But four years after EternalBlue was first disclosed, new research found that 67 percent of enterprise environments still have at least 10 devices running SMBv1. While 10 devices might seem like a relatively small number, the remote code execution enabled by Eternal(x) exploits makes any device running SMBv1 an easy pivot point from which to launch a large-scale attack. These 10 devices might be a tiny fraction of the assets in an environment, but defense is a zero-fail mission. SMBv1 doesn’t need to be installed on every device in the environment to be used to launch a catastrophic attack. It only needs to be on one.
The protocol behind the WannaCry and NotPetya attacks is not the only well-known, high-risk protocol that is still present in IT environments.
Seventy percent of environments still have at least 10 devices running the Link-Local Multicast Name Resolution (LLMNR) protocol, which has been used in spoofing attacks since 2007. Because any host on the local segment can answer an LLMNR name query, an attacker can pose as the requested resource and trick the victim's machine into sending its user credential hashes. Those hashes can then be cracked offline to recover the actual credentials, especially if older Microsoft hashing schemes such as LAN Manager (LANMAN) have not been disabled. Stolen credentials feed lateral movement, giving cybercriminals the ability to go wherever they want within a network.
Even more shocking, 34 percent of environments have at least 10 clients running the New Technology LAN Manager (NTLM) protocol, a simple authentication method that can be easily compromised to steal credentials in a matter of hours.
In 2012, it was demonstrated that every possible permutation of NTLM’s eight-byte hash could be cracked in under six hours. In 2019, an open-source password recovery tool known as HashCat demonstrated that it could crack any eight-byte hash in under two and a half hours.
A skilled attacker can easily intercept NTLM hashes that are equivalent to passwords or crack NTLMv1 passwords offline. A successful exploit against NTLMv1 authentication can enable an attacker to launch machine-in-the-middle (MITM) attacks or take complete control of a domain.
It’s not just the use of insecure protocols that’s problematic. It’s also how common protocols are regularly used, and misused, in enterprise environments.
Take the Hypertext Transfer Protocol (HTTP), for example. HTTP is the lingua franca of the internet. Whilst HTTP is not inherently problematic, using it to transfer sensitive data poses a high risk: everything sent over plain HTTP, credentials included, travels in cleartext, making it a perfect target for attackers to intercept and steal confidential information. To combat this, a more secure version called HTTPS was created, which allows companies to process information securely over the internet by encrypting the communication between clients and servers. Google has taken major steps to phase out insecure HTTP by marking all non-HTTPS sites as insecure. However, research found that 81 of 100 enterprise environments still send credentials over insecure HTTP, leaving themselves and their employees sitting ducks, waiting to be attacked.
Weeding out insecure protocols
The increase in distributed workforces and hybrid environments with both on-premises and cloud components has multiplied the number of ways in which insecure protocols can be introduced into networks and also made it difficult to maintain an accurate inventory.
Manual audits provide only a snapshot of the network at one point in time, which makes continuous monitoring of network traffic for protocol identification, threat detection, and response imperative. By monitoring and analyzing network traffic with network detection and response (NDR) software, businesses can discover every protocol in use on the network and identify any that could be abused for malicious purposes. Network data analyzed by cloud-scale machine learning also helps secure networks against third-party compromises by building profiles of what normal access looks like. This allows IT teams to develop lists of known threats and abnormalities to look out for in the future.
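The passive protocol inventory described here, applied to the three protocols discussed above (SMBv1, LLMNR, and credentials over plain HTTP), as an added example that is not ExtraHop's product code. It assumes a simplified packet dictionary (proto, src, dst, dport, payload) that a real sensor or capture library would fill in; the sample traffic is constructed.

```python
import base64
import re
from collections import defaultdict

# Magic bytes that follow the 4-byte NetBIOS session header on TCP/139 and TCP/445.
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
AUTH_RE = re.compile(rb"^Authorization:\s*(Basic|NTLM)\s+(\S+)", re.I | re.M)

def pkt(proto, src, dst, dport, payload):  # hypothetical minimal packet record
    return {"proto": proto, "src": src, "dst": dst, "dport": dport, "payload": payload}

def classify(pkt):
    """Findings for one packet dict: proto ('tcp'/'udp'), src, dst, dport, payload (bytes)."""
    out, p = [], pkt["payload"]
    if pkt["proto"] == "tcp" and pkt["dport"] in (139, 445) and p[4:8] == SMB1_MAGIC:
        out.append(("SMBv1", "legacy dialect targeted by EternalBlue"))
    if pkt["proto"] == "udp" and pkt["dport"] == LLMNR_PORT and pkt["dst"] == LLMNR_GROUP:
        out.append(("LLMNR", "multicast name query any host on the segment may answer"))
    if pkt["proto"] == "tcp" and pkt["dport"] == 80:
        for scheme, token in AUTH_RE.findall(p):
            try:
                raw = base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error is a ValueError; skip malformed tokens
                continue
            if scheme.lower() == b"basic" and b":" in raw:
                user = raw.split(b":", 1)[0].decode("latin-1")  # report the user, never the password
                out.append(("HTTP-Basic", f"cleartext credential for user {user!r}"))
            elif scheme.lower() == b"ntlm" and raw.startswith(b"NTLMSSP\x00"):
                out.append(("HTTP-NTLM", f"NTLMSSP type {int.from_bytes(raw[8:12], 'little')}"))
    return out

def inventory(packets):
    """Map each flagged protocol to the sorted list of source hosts seen using it."""
    hosts = defaultdict(set)
    for packet in packets:
        for proto, _ in classify(packet):
            hosts[proto].add(packet["src"])
    return {k: sorted(v) for k, v in hosts.items()}

# Constructed sample traffic: SMBv1, SMB2 (not flagged), an LLMNR query, and two plain-HTTP logins.
SAMPLE = [
    pkt("tcp", "10.0.0.11", "10.0.0.5", 445, b"\x00\x00\x00\x2f" + SMB1_MAGIC + b"\x72" + b"\x00" * 10),
    pkt("tcp", "10.0.0.12", "10.0.0.5", 445, b"\x00\x00\x00\x40" + SMB2_MAGIC + b"\x40\x00" + b"\x00" * 10),
    pkt("udp", "10.0.0.13", LLMNR_GROUP, LLMNR_PORT, b"\x12\x34\x00\x00\x00\x01" + b"\x00" * 6 + b"\x08fileshr1\x00"),
    pkt("tcp", "10.0.0.14", "10.0.0.6", 80, b"GET / HTTP/1.1\r\nAuthorization: Basic " + base64.b64encode(b"jdoe:Winter2021!") + b"\r\n\r\n"),
    pkt("tcp", "10.0.0.15", "10.0.0.6", 80, b"GET / HTTP/1.1\r\nAuthorization: NTLM " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28) + b"\r\n\r\n"),
]
```

Running `inventory(SAMPLE)` yields one host per flagged protocol, with the SMB2 speaker absent; pointing the same logic at a real capture feed gives the per-protocol device list the audit above calls for.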
While cyber threats are becoming increasingly sophisticated, a number of attacks are still carried out via years-old exploits and methods. Organizations need to focus on the basics of IT hygiene to remove insecure protocol use. By making sure their windows and doors are locked, their cybersecurity teams can spend time being proactive rather than reactive with their defense strategy and leverage systems that allow them to monitor the past, present, and future to keep their business safe.
Mike Campfield, Head of EMEA Operations, ExtraHop