Glen Maloney from ExtraHop flags risks associated with the use of insecure protocols in the heightened threat environment.
Like organisations around the world, Australian businesses are battling an alarming increase in damaging ransomware attacks. Frustratingly, it’s a trend that appears set to continue.
Victims include anything from small businesses to some of the nation’s largest companies. During 2020, logistics company Toll Holdings suffered two attacks that disrupted operations. This year, Nine Entertainment fell victim in an incident that left the company struggling to produce newspapers or televise bulletins.
In June, global meat supplier JBS Foods was targeted in an attack that affected more than 40 facilities across Australia. Many other attacks have gone unreported.
As the severity and frequency of cyber attacks grows, organisations are urgently searching for ways to boost their defences. They understand that one successful attack can result in crippling disruption and losses.
The risks of insecure protocols
One of the easiest places to start improving security is through elimination of the use of insecure protocols within an IT environment. Yet despite this fact, insecure protocols — including those associated with some of the most costly cyberattacks of all time — remain in widespread use.
Back in 2017 EternalBlue, the zero-day exploit of a protocol known as Server Message Block version 1 (SMBv1), was used to perform two devastating ransomware attacks in the space of just six weeks.
Dubbed WannaCry and NotPetya, the attacks infected millions of computers in more than 150 countries. These attacks crippled everything from healthcare systems and critical infrastructure to global shipping operations, and it is estimated that the WannaCry attack alone cost more than $7 billion worldwide.
However, four years after the EternalBlue threat was first disclosed, research has found 67 per cent of enterprise IT environments still have at least 10 devices running SMBv1. While this may appear to be a relatively small number, remote code execution makes any device running SMBv1 an easy pivot point from which to launch a large-scale attack.
While 10 devices may just be a tiny fraction of total IT assets, effective defence is a zero-fail mission. SMBv1 doesn’t need to be installed on every device in an environment to be used to launch a catastrophic attack – just one.
The protocol behind the WannaCry and NotPetya attacks is not the only well-known, high-risk protocol still present in IT environments.
Some 70 per cent of infrastructures still have at least 10 devices running the Link-Local Multicast Name Resolution (LLMNR) protocol, which has been used in spoofing attacks since 2007. An attacker can abuse LLMNR to trick a victim machine into disclosing credential hashes.
These hashes can then be cracked to reveal the actual credentials, especially if older Microsoft password hashing schemes such as LANMAN have not been disabled. Stolen credentials then feed lateral movement, giving cyber criminals the ability to go anywhere they want within a network.
Even more worryingly, 34 per cent of IT environments have at least 10 clients running the New Technology LAN Manager (NTLM) protocol. This is a simple authentication method that can be easily compromised to steal credentials in a matter of just hours.
In 2012, it was demonstrated that every possible permutation of NTLM’s eight-byte hash could be cracked in under six hours. In 2019, an open-source password recovery tool known as HashCat demonstrated that it could crack any eight-byte hash in under two and a half hours.
Removing the risks
The increase in distributed working brought about by the COVID-19 pandemic, together with the growth of hybrid IT infrastructures, has significantly increased the number of ways that insecure protocols can be introduced into networks. It has also made it more difficult to maintain an accurate inventory of all components.
Manual audits can only provide a snapshot of a network at a particular point in time. This makes continuous monitoring of network traffic, both to identify the protocols in use and to detect and respond to threats, vital.
By monitoring and analysing network traffic with detection and response software, businesses can discover each protocol present and identify any that could potentially be used for malicious purposes. Network data analysed by cloud-scale machine learning can also help to secure networks against third-party compromises by building profiles around what would be considered normal access.
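As an added illustration of the passive protocol discovery described above (this is example code written for this page, not ExtraHop's product or code), the following Python script classifies packet records for the three legacy protocols named in the article: LLMNR (UDP 5355 to its multicast group), SMBv1 (the 0xFF 'SMB' header on port 445, distinguishing an SMBv1-only client from the normal SMBv1-framed negotiate that an SMB2-capable client sends) and NTLM (the NTLMSSP signature and its message type). The packet record format and the sample packets are constructed for the example; the protocol constants are the public ones from the respective specifications.

```python
from collections import defaultdict

# Protocol fingerprints (public constants from the respective specifications)
LLMNR_PORT = 5355
LLMNR_MULTICAST = {"224.0.0.252", "ff02::1:3"}
SMB_PORT = 445
SMB1_MAGIC = b"\xffSMB"          # SMBv1 header; SMB2/3 frames start with b"\xfeSMB"
SMB1_NEGOTIATE = 0x72
NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def smb1_dialects(payload):
    """Return the dialect strings offered in an SMBv1 NEGOTIATE request, or [] otherwise.

    Layout: 4-byte NetBIOS session header, 32-byte SMB header, WordCount (1 byte, 0 for
    the request), ByteCount (2 bytes little-endian), then dialects as 0x02 + NUL-terminated string.
    """
    if (len(payload) < 39 or payload[4:8] != SMB1_MAGIC
            or payload[8] != SMB1_NEGOTIATE or payload[36] != 0):
        return []
    byte_count = int.from_bytes(payload[37:39], "little")
    data = payload[39:39 + byte_count]
    return [d[1:].decode("ascii", "replace") for d in data.split(b"\x00") if d.startswith(b"\x02")]


def classify(pkt):
    """Return the set of legacy-protocol labels observed in one packet record.

    A packet record is an assumed dict: src, dst, proto ("tcp"/"udp"), sport, dport, payload (bytes).
    """
    labels = set()
    payload = pkt.get("payload", b"")

    if pkt["proto"] == "udp" and pkt["dport"] == LLMNR_PORT and pkt["dst"] in LLMNR_MULTICAST:
        labels.add("LLMNR")

    if (pkt["proto"] == "tcp" and SMB_PORT in (pkt.get("sport"), pkt.get("dport"))
            and payload[4:8] == SMB1_MAGIC):
        dialects = smb1_dialects(payload)
        if dialects:
            # An SMB2-capable client still opens with an SMBv1-framed negotiate that lists
            # "SMB 2.xxx" dialects; only a client offering no SMB2 dialect is SMBv1-only.
            if not any(d.startswith("SMB 2") for d in dialects):
                labels.add("SMBv1-only client")
        else:
            # Any other SMBv1-framed message (negotiate response, session setup, tree connect)
            # means the conversation is actually running SMBv1.
            labels.add("SMBv1 session")

    idx = payload.find(NTLMSSP_SIG)
    if idx != -1 and len(payload) >= idx + 12:
        msg_type = int.from_bytes(payload[idx + 8:idx + 12], "little")
        labels.add("NTLM " + NTLM_TYPES.get(msg_type, "unknown"))
    return labels


def inventory(packets):
    """Aggregate which source hosts use which legacy protocols: {label: sorted hosts}."""
    seen = defaultdict(set)
    for pkt in packets:
        for label in classify(pkt):
            seen[label].add(pkt["src"])
    return {label: sorted(hosts) for label, hosts in seen.items()}


def build_smb1_negotiate(dialects):
    """Construct an SMBv1 NEGOTIATE request as sample input (constructed, not a real capture)."""
    body = b"".join(b"\x02" + d.encode() + b"\x00" for d in dialects)
    smb = SMB1_MAGIC + bytes([SMB1_NEGOTIATE]) + b"\x00" * 27      # 32-byte header, other fields zeroed
    smb += b"\x00" + len(body).to_bytes(2, "little") + body          # WordCount=0, ByteCount, dialects
    return b"\x00" + len(smb).to_bytes(3, "big") + smb               # NetBIOS session header


# Constructed sample traffic; hosts and payloads are made up for this example.
SAMPLE_PACKETS = [
    # Modern client: SMBv1-framed negotiate that also offers SMB2 dialects (normal, not flagged)
    {"src": "10.0.0.21", "dst": "10.0.0.5", "proto": "tcp", "sport": 49152, "dport": 445,
     "payload": build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])},
    # Legacy device: offers only SMBv1 dialects
    {"src": "10.0.0.77", "dst": "10.0.0.5", "proto": "tcp", "sport": 1025, "dport": 445,
     "payload": build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "NT LM 0.12"])},
    # Session setup (command 0x73) on an SMBv1 session carrying an NTLMSSP AUTHENTICATE blob
    {"src": "10.0.0.77", "dst": "10.0.0.5", "proto": "tcp", "sport": 1025, "dport": 445,
     "payload": b"\x00\x00\x00\x35" + SMB1_MAGIC + b"\x73" + b"\x00" * 27 + b"\x0c"
                + NTLMSSP_SIG + (3).to_bytes(4, "little") + b"\x00" * 8},
    # LLMNR name query to the IPv4 multicast group
    {"src": "10.0.0.33", "dst": "224.0.0.252", "proto": "udp", "sport": 51000, "dport": 5355,
     "payload": b"\x12\x34\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"},
    # SMB2 frame from the modern client (not flagged)
    {"src": "10.0.0.21", "dst": "10.0.0.5", "proto": "tcp", "sport": 49152, "dport": 445,
     "payload": b"\x00\x00\x00\x40" + b"\xfeSMB" + b"\x00" * 60},
]

if __name__ == "__main__":
    for label, hosts in sorted(inventory(SAMPLE_PACKETS).items()):
        print(f"{label:20s} {', '.join(hosts)}")
```

The distinction drawn in `classify` matters in practice: a raw match on the 0xFF 'SMB' header would flag every Windows client, because even SMB3-capable clients open with an SMBv1-framed negotiate. Only a client that offers no SMB2 dialect, or a conversation that keeps exchanging SMBv1-framed commands after negotiation, indicates a device that actually needs remediation. Running this over real traffic would mean feeding it records decoded from a capture rather than the constructed list above.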
Cyber threats such as ransomware are becoming increasingly sophisticated, but many are still taking advantage of weaknesses in IT infrastructures that have been known for a long time. It’s important for organisations to take stock of all the protocols they are using and ensure that any known vulnerabilities are removed as quickly as possible.
Glen Maloney is the ANZ regional sales manager at ExtraHop.