Four Years On: Two-thirds of Global Firms Still Exposed to WannaCry

Written by

Over two-thirds (67%) of organizations are still running an insecure Windows protocol largely responsible for the infamous WannaCry and NotPetya attacks of 2017 and 2018, according to new research.

Security vendor ExtraHop used its network detection and response (NDR) capabilities to analyze anonymized metadata from an unspecified number of customer networks, in order to better understand where they may be vulnerable to outdated protocols.

The resulting security advisory report revealed widespread use of Server Message Block version one (SMBv1), which contained a buffer overflow vulnerability which was exploited by the NSA-developed EternalBlue and related attack tools.

These were subsequently used by North Korean threat actors for WannaCry and Russian state operatives for their NotPetya operation.

This wasn’t the only insecure protocol ExtraHop found. It discovered that 81% of enterprises still use HTTP plaintext credentials, and a third (34%) have at least 10 clients running NTLMv1, which could enable attackers to launch machine-in-the-middle (MITM) attacks or take complete control of a domain.

The report also warned that 70% of enterprises are also running LLMNR, which can be exploited to access users’ credential hashes. These in turn could be cracked to expose log-in information, ExtraHop claimed.

Ted Driggs, head of product at ExtraHop, argued that it’s not always easy for organizations to upgrade to newer, more secure protocols.

“Migrating off SMBv1 and other deprecated protocols may not be an option for legacy systems, and even when it is an option, the migration can trigger disruptive outages. Many IT and security organizations will choose to try and contain the deprecated protocol instead of risking an outage,” he explained.

“Organizations need an accurate and up-to-date inventory of their assets' behavior to assess risk posture as it relates to insecure protocols. Only then can they decide how to remediate the issue or limit the reach of vulnerable systems on the network.”

Wednesday represented the fourth anniversary of the WannaCry attack that impacted hundreds of thousands of users in 150 countries.

What’s hot on Infosecurity Magazine?