Keep an Open Mind on Open Ports

Written by

The recent WannaCry and NotPetya attacks were made possible by gross IT negligence. That they used a purportedly US-developed cyber weapon (which was released by a hacking group called Shadow Brokers) is a poor excuse for a lack of basic security measures.

This has been an embarrassing couple of months for many IT teams. The WannaCry and NotPeya attacks, which both used the same attack vector, were the biggest blows yet in the ransomware war. WannaCry was initially thought to have started via the usual malicious link in an email message.

However, that theory was quickly dispelled when researchers pinned its origin to an exploit called EternalBlue. I won’t dig into the details of the exploit, in fact the details don’t really matter. The problem with EternalBlue is that in affected organizations, it was IT that left the front door open.

Firewalls are based on the premise of allowing certain traffic into the network and keeping other traffic out. With the dynamic nature of web content and sophistication of IT systems, there are thousands of possible ports and protocols that a firewall needs to control.

The problem in the EternalBlue exploit and the WannaCry explosion was that it used a port that had no good reason being open to the public internet in the first place. Every web service connects via a particular network port, and many of these ports are standardized.

Certain ports are critical to keep the business running. For example, email uses port 25, the web uses 80 or 443, and depending on your organization, additional open ports are required to keep the business - or business applications running.

Port 445 (and its relative 139) support Server Message Block - SMB - services, which basically allow for file and print data to be exchanged between resources, like a computer and a server or a printer. This is definitely a critical port for business operation, but not something that should be accessible from outside the network. Why would you want an external device to connect to your local file server or printer, unless connected over a VPN (but then it wouldn’t be port 445)?

EternalBlue exploited organizations that left ports 445 or 139 open, and dropped its payload, WannaCry, on the targeted machine. Once inside the network, WannaCry and NotPetya moved laterally in the organization with alarming speed.  

Ports 445 and 139 should be blocked at the firewall. If an outsider needs access to file and print services, they can connect over a VPN. This isn’t a new suggestion, it’s been discussed in IT forums forever.

Even if the organization wasn’t sophisticated enough to know they should close these ports to external access, they could still have taken better care of their assets. Had they kept current with patches, EternalBlue/WannaCry would not have been able to breach the local network. Microsoft had released a patch in March 2017 to prevent remote code execution on an SMB server.

I’m sure there will be post-mortem reviews in a lot of organizations to make sure they’ve applied patches and can fully rationalize their exposure. These reviews may make management feel better for now, but unless something changes, these types of exploits will continue.

I suggest these three simple steps to help prevent open port exploits:

  1. Close all firewall ports. Open only those needed to keep your business running.
  2. Patch. Immediately.
  3. Assume the mindset of the hacker to identify vulnerabilities before it’s too late.

IT needs to know where they’re vulnerable on their own schedule, rather than letting the bad actor set the agenda. The tools that hackers use to identify system weaknesses are readily available and simple to use.

A Google search for penetration test toolkits will reveal numerous automated, open source utilities for scanning ports, checking OS versions and patch levels, and identifying other vulnerabilities. If you’d rather leave the testing to the professionals, there are plenty of services that will perform pen tests and security assessments for you.

The time has come for IT to think like that persistent outsider and increase their understanding of their vulnerabilities first. 

What’s hot on Infosecurity Magazine?