The risk of insecure protocols in corporate environments.Riad Nassou, ExtraHop

This year has seen some of the largest and most damaging ransomware attacks to date. In the space of just five days last May, two large-scale cyberattacks rocked public and private companies around the world. The first, directed against Colonial Pipeline, paralyzed one of the main oil pipelines for a week and drove up the price of gasoline in the United States to a level not seen since 2014. The second attack, aimed at the Irish public health system , has led to the cancellation or postponement of thousands of appointments, cancer treatments and surgeries, as well as putting patient data online.

More recently, IT company Kaseya fell victim to the biggest ransomware attack on record. Cybercriminals were demanding more than $70 million to restore systems and unlock customer data. In this case, the attackers targeted a well-established but little-known software company, giving them access to hundreds of other environments to cause damage, the extent of which remains to be determined.

As the scale, severity, and frequency of cyberattacks increase, organizations are looking for new ways to bolster their cyber defenses. One of the simplest is to eliminate insecure protocols from their environment. Yet these, particularly linked to some of the costliest cyberattacks in history, remain in surprisingly common use.

Old and risky protocols leave businesses vulnerable

In 2017, exploitation of the Zero Day EternalBlue flaw in the Server Message Block version 1 (SMBv1) protocol was used to perpetrate two ransomware attacks devastating within six weeks: WannaCry and NotPetya. These have infected millions of computers in more than 150 countries, crippling healthcare systems, critical infrastructure and international transport. The WannaCry attack alone cost $4.7 billion globally.

Yet four years after the EternalBlue update, a new study found that 67% of enterprise environments still have ten or more devices running SMBv1. While the latter number may seem relatively low, the remote code execution enabled by Eternal(x) vulnerabilities makes any device that uses SMBv1 a springboard for launching a large-scale attack. Even though these ten pieces of equipment represent only a fraction of the fleet, cyber defense admits of no flaw. SMBv1 does not have to be present on every device in the computing environment to be used to launch a catastrophic attack. One is enough.

The protocol exploited by the WannaCry and NotPetya attacks is not the only one notoriously high risk and still present in computing environments.

70% of environments still have at least ten devices using the LLMNR (Link-Local Multicast Name Resolution) protocol, which has been used in spoofing attacks since 2007. LLMNR can trick a victim into revealing their credentials by giving access to the corresponding hashcode. This will allow the attacker to obtain the identifiers, in particular if old techniques related to the management of passwords in the Microsoft environment such as LANMAN have not been deactivated. Identifiers allow cybercriminals to make lateral movements, in order to move at will within a network.

We're one today! And in our first year, we’ve helped you switch over *£150million lifetime deposits out of banks an… https://t.co/pZN2qQrz8Z

— Switch It Fri Apr 23 14:54:44 +0000 2021

An even more disturbing statistic is that 34% of environments have ten or more endpoints running New Technology LAN Manager (NTLM), a simple authentication method that can be easily exploited within hours to obtain valid credentials.

In 2012, it was demonstrated that any possible permutation of the 8-byte hashcode in the NTLM protocol could be cracked in less than six hours. In 2019, HashCat, an open-source password recovery tool, was shown to crack any 8-byte hashcode in less than two and a half hours.

A seasoned hacker can easily intercept NTLM hashcodes equivalent to as many passwords or even crack offline NTLMv1 passwords. Exploiting an NTLMv1 authentication flaw can allow an attacker to launch MITM (Machine in the Middle) type attacks or even take full control of a domain.

The problem is not only the use of insecure protocols but also the frequency of — misuse — of common protocols in enterprise environments.

Take the example of HTTP (Hypertext Transfer Protocol), which is the universal protocol of the Internet. While HTTP is not inherently problematic, its use for transferring sensitive data is high risk. When data is transmitted over HTTP, credentials are exposed, making it an ideal target for hackers to intercept and steal confidential information. In order to remedy this, a more secure version has been created, HTTPS, allowing companies to process information securely on the Internet by encrypting communications between client workstations and servers. Google has taken decisive steps to gradually replace HTTP with HTTPS by marking all sites that do not use the latter as insecure. However, a study reveals that 81% of enterprise environments still use insecure HTTP credentials, making these companies and their employees vulnerable to attacks.

Eliminate insecure protocols

The proliferation of distributed workforces and hybrid environments, mixing on-premises and cloud components, has further increased the opportunities for insecure protocols to be introduced into networks, as well as the difficulty of keeping an accurate inventory of them.

Manual audits only provide a picture of the network at the moment T, which makes it imperative to monitor traffic in order to identify protocols and threats to counter. By monitoring and analyzing traffic using network detection and response (NDR) software, organizations can discover all the protocols in use on their network and identify those that could be exploited for malicious purposes. In addition, cloud-scale machine learning analysis of network data helps protect networks against hacks by profiling what accesses should be considered normal. This will allow IT teams to build lists and determine which threats and anomalies to look for in the future.

While cyber threats are ever-increasing in complexity, a number of attacks are still carried out through the exploitation of flaws and techniques that are years old. Companies must therefore focus on the basic aspects of IT hygiene in order to eliminate insecure protocols. By making sure to lock down their entry points, cybersecurity teams can focus their time on a proactive rather than reactive defense strategy and rely on systems that allow them to monitor the past, present and future to ensure company security.___________________

by Riad Nassou, Regional Sales Manager at ExtraHop