Four years after the global WannaCry and NotPetya ransomware attacks, two-thirds of companies still haven't patched the vulnerabilities that caused them, according to cloud network detection and response company ExtraHop.
The company investigated data from its Reveal(x) security platform in the first quarter of 2021 to determine which protocols its customers were running. It found that 88% of them were still running at least one device using SMBv1, which was a pivotal attack vector for the EternalBlue exploit used in the two ransomware attacks.
Although a single device could mean a company is maintaining it just for use by an attack team, a more worrying statistic was that 67% of companies are running over 10 SMBv1-enabled devices. Over two-thirds (37%) were running more than 50, and 31% of companies checked had over 100 SMBv1 devices on their networks.
The report also highlighted heavy use of two other protocols in Windows servers. The first, called Local Loop Multicast Name Resolution (LLMNR), is an alternative to DNS for resolving basic names within a private network. It has a similar problem to Windows' old NetBIOS naming service, in that it communicates with all clients on the network rather than a specific server.
That enables an attacker to listen for and reply to access requests, creating a race condition to harvest the client's hashed credentials if it establishes a conversation quickly enough. It can then decrypt those credentials, giving an attacker access to a client's network account, or use them in a pass-the-hash attack.
The other protocol, New Technology LAN Manager (NTLM) v1, is a decades-old network authentication mechanism that has long been obsolete. Nevertheless, over a third (34%) of companies have over 10 devices using it, ExtraHop said. Almost one in five (19%) had over 100 devices using the protocol, despite Microsoft advising people to stop using it altogether in favor of the more secure Kerberos system.
The report also found that few companies had embraced using TLS encryption over HTTP (HTTPS), which browser vendors have aggressively enforced. It found that 81% of enterprise environments were still using HTTP to send access credentials in plain text.
ExtraHop said it analyzed over four petabytes of traffic each day in its investigation of online protocol usage.
-
Cleo attack victim list grows as Hertz confirms customer data stolenNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
Lateral moves in tech: Why leaders should support employee mobilityIn-depth Encouraging staff to switch roles can have long-term benefits for skills in the tech sector
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
