The security flaw exploited by WannaCry lives on, four years later
The protocol that was leveraged by the WannaCry ransomware to encrypt nearly a quarter of a million systems worldwide four years ago is still used in corporate computing environments, according to a new study from ExtraHop. The network detection and response company's threat research team began examining the prevalence of insecure protocols such as Server Message Block version one (SMBv1), Link-Local Multicast Name Resolution (LLMNR), NT LAN Manager version one (NTLMv1) and Hypertext Transfer Protocol (HTTP) in corporate IT environments earlier this year. ExtraHop has now released a new security advisory based on its research results, revealing that these protocols, which put organizations and their customers at considerable risk, are still in use today.

insecure protocols

According to ExtraHop research, SMBv1, which has been exploited for attacks like WannaCry and NotPetya and rapidly spreads malware to other unpatched servers on a network, is still found in 67% of computing environments in 2021. The research also found that 70% of environments still run LLMNR, despite the fact that this protocol can be exploited to obtain user credential hashes. These credential hashes can be cracked to expose real login credentials that malicious actors can use to gain access to sensitive personal and business data.

Although Microsoft has recommended that organizations stop using NTLM and move to the more secure Kerberos authentication protocol, NTLM is still fairly common, with 34% of enterprise environments having at least 10 clients running NTLMv1. Finally, ExtraHop found that 81% of corporate environments still send credentials in cleartext over insecure HTTP.

ExtraHop product manager Ted Driggs provided additional information on the company's research findings in a press release, saying, "It's easy to say that organizations should get rid of these protocols in their environments, but many times it's not so simple. Migration from SMBv1 and other deprecated protocols may not be an option for legacy systems, and even where it is an option, migration can cause downtime. Many IT and security organizations will choose to try to contain the deprecated protocol rather than risk disruption. Organizations need an accurate and up-to-date inventory of the behavior of their assets to assess their risk posture where insecure protocols are concerned. Only then can they decide how to fix the problem or limit the reach of vulnerable systems on the network."
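The inventory Driggs describes starts with knowing, per host, whether the three Windows-side protocols from the study are still switched on. The script below is an added example written for this article; it is not ExtraHop's code and ExtraHop measures these protocols on the wire rather than on the host. It assumes Windows 8 / Server 2012 or later and an elevated PowerShell session, reports findings only by default, and applies the standard fixes (SMBv1 off, LLMNR off via the "Turn off multicast name resolution" policy value, NTLMv2-only via LmCompatibilityLevel = 5) only when run with -Remediate.

```powershell
# Added example, not ExtraHop's code: audit one Windows host for SMBv1, LLMNR
# and NTLMv1 exposure. Assumes Windows 8 / Server 2012+ and an elevated session.
# Read-only unless -Remediate is supplied.
[CmdletBinding()]
param([switch]$Remediate)

$findings = @()

# 1. SMBv1: the SMB server switch and the SMB1 optional feature (client + server).
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 is enabled on the SMB server (EnableSMB1Protocol = True)'
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol optional feature is installed'
    if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
}

# 2. LLMNR: Group Policy "Turn off multicast name resolution" writes EnableMulticast = 0.
#    If the value is absent, LLMNR is on (the OS default).
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$mc = (Get-ItemProperty -Path $dnsPolicy -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
if ($mc -ne 0) {
    $findings += 'LLMNR is enabled (EnableMulticast is not 0)'
    if ($Remediate) {
        New-Item -Path $dnsPolicy -Force | Out-Null
        Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Value 0 -Type DWord
    }
}

# 3. NTLMv1: LmCompatibilityLevel 0-2 still sends LM/NTLMv1 responses; 3-4 send
#    NTLMv2 but still accept NTLMv1 from clients; 5 refuses LM and NTLMv1 entirely.
#    An absent value means the OS default (3 on current releases) is in effect.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $lm -or $lm -lt 5) {
    $shown = if ($null -eq $lm) { 'not set' } else { $lm }
    $findings += "LmCompatibilityLevel is $shown; NTLMv1 authentication is still accepted"
    if ($Remediate) { Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord }
}

if ($findings.Count -eq 0) { 'No legacy-protocol findings on this host.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it as `.\Audit-LegacyProtocols.ps1` to report and `.\Audit-LegacyProtocols.ps1 -Remediate` to change settings; disabling the SMB1 feature and raising LmCompatibilityLevel can break legacy clients, which is exactly the downtime trade-off the quote refers to, so stage it per asset group. The fourth protocol in the study, cleartext HTTP credentials, cannot be judged from a single host's registry and needs a network-side view (for example, Authorization headers observed on port 80), which is where a network inventory complements this host check.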